I'm using GAM to force password changes, but about a third of the commands fail with Error 400

215 views
Skip to first unread message

Chris M

unread,
Mar 12, 2014, 11:03:49 AM3/12/14
to google-ap...@googlegroups.com
I needed to reset 655 of the users in our domain.  I made up batch of commands to ripple through with GAM, but I have to send them in small batches to catch errors and then reset those accounts manually through the control panel or with FlashPanel.  Over a third of our accounts (230 of 655) will not take the command, giving an Error 400: Invalid Email where it lists a completely different user's name.  

Here's what it looks like when I run the command:

gam update user user.one changepassword on
updating user user...@ourdomain.com...
Error 400: Invalid Email: Someone Else - invalid

The names seem like they may be related by a supervisory or departmental connection, but there is no one-to-one match in delegation or any other connection that I've found that explains the problem.  If I try to re-run the command for the same account, I consistently get the same error.  I had this in the 3.02 last fall, and in 3.03 and 3.05 today - all 64 bit (I had hoped that the newer versions might magically fix the issue - alas, no).  I just tried 3.05 32 bit (still on my Windows 7 Professional 64 bit system) - same error...

Is there something I'm missing, or is this a bug?  Could FlashPanel's interactions with our account be creating an issue?  I'm not looking forward to playing this game again when reset time rolls around next.  :(






This message is the property of Neenah Enterprises, Inc. It may be confidential and is intended only for the use of the addressee(s). No addressee should forward, print, copy or otherwise reproduce this message in any manner that would allow it to be viewed by any individual not originally listed as a recipient or otherwise authorized to view same by the company. If the reader of this message is not the intended recipient or otherwise authorized to view this email, you are hereby notified that any unauthorized disclosure, dissemination, distribution, copying or the taking of any action in reliance on the information herein is strictly prohibited. If you have received this communication in error, please immediately notify the sender and delete this message. Thank you.

Chris M

unread,
Mar 12, 2014, 11:48:37 AM3/12/14
to google-ap...@googlegroups.com
I take it back, I think I have found the "missing link" - a quick sampling of the failed accounts suggests they all have a "Manager" listed in their contact information with a name, not an email address.  ("Someone Else" - not someon...@ourdomain.com)

The "Manager" data is populated through FlashPanel (or originally through SherpaTools?) through APIs.  It certainly isn't required to be an email address, but I'm not sure how that would affect things - so I'll give it a try...  Having an email address instead of a name allows GAM to make the change, but why would that interfere with the command?  It seems unrelated...  And the FlashPanel interface wants to populate the field with a name (it suggests members of the directory as you type).

Anyhow, is there a was to issue the command such that the existence of a name (not an email) in this Manager field doesn't break GAM?

Jay Lee

unread,
Mar 13, 2014, 1:31:29 PM3/13/14
to google-ap...@googlegroups.com
That is strange that the API seems to care about the manager attribute when updating the changepassword field but there's nothing GAM can do about this.

The manager attribute definitely should be an email address and that of a current user also. That's the only value the API will accept when updating the field via the Directory API. So this seems to be an issue on the FlashPanel and Google side, not GAM.


Regards,

Jay Lee
Director, Apps Deployments   |  Dito
☎ (267) 712-9533  |  ✉ j...@ditoweb.com

  


--
You received this message because you are subscribed to the Google Groups "Google Apps Manager" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at http://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/66dea3e1-fef8-44c2-9e85-df586488bc10%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Chris Monsma

unread,
Mar 13, 2014, 2:50:21 PM3/13/14
to google-ap...@googlegroups.com
Thank you for taking the time to answer my question.  I'll pass that along to the folks at FlashPanel!


--
You received this message because you are subscribed to a topic in the Google Groups "Google Apps Manager" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/google-apps-manager/5JY6FRoNpAo/unsubscribe.
To unsubscribe from this group and all its topics, send an email to google-apps-man...@googlegroups.com.

To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at http://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAJHSAXaX1BPrgBenovEF8hFrGgaY-8e2uq6D80rQ6ecQSFUACA%40mail.gmail.com.

For more options, visit https://groups.google.com/d/optout.

Chris Monsma

unread,
Mar 14, 2014, 3:24:17 PM3/14/14
to google-ap...@googlegroups.com
The FlashPanel (BetterCloud) folks are suggesting that the field is for open text, not necessarily an email address.  Are you able to point me to any documentation that defines the requirement for an email address?  Is there more than one "manager" field?

Here's the response they sent me:

Hi,

Looking over this it seems to just be an open text field: https://developers.google.com/google-apps/contacts/v3/reference#gcRelation

Could you please point me to where the API specifies that it should be an email address so I can pass this along the dev team?

Thanks :)

Dylan

Customer Advocate | BetterCloud Support



On Thu, Mar 13, 2014 at 1:31 PM, Jay Lee <j...@ditoweb.com> wrote:

--
You received this message because you are subscribed to a topic in the Google Groups "Google Apps Manager" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/google-apps-manager/5JY6FRoNpAo/unsubscribe.
To unsubscribe from this group and all its topics, send an email to google-apps-man...@googlegroups.com.

To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at http://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAJHSAXaX1BPrgBenovEF8hFrGgaY-8e2uq6D80rQ6ecQSFUACA%40mail.gmail.com.

For more options, visit https://groups.google.com/d/optout.

Dave Kaminsky

unread,
Mar 14, 2014, 3:32:24 PM3/14/14
to google-ap...@googlegroups.com
Jay,

I have seen the sam behavior when trying to hide an entire OU's profile.  If the Manager's Name is set, but there is no email address Gam will error 400.  I can send samples to you as needed.
-Dave
 


Dave Kaminsky
Manager of Alternative Client Systems
IEEE
Office: (732) 562-5422
WWW.IEEE.ORG


On Thu, Mar 13, 2014 at 1:31 PM, Jay Lee <j...@ditoweb.com> wrote:
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAJHSAXaX1BPrgBenovEF8hFrGgaY-8e2uq6D80rQ6ecQSFUACA%40mail.gmail.com.

Jay Lee

unread,
Mar 14, 2014, 4:37:18 PM3/14/14
to google-ap...@googlegroups.com
Hey Guys,

  Google seems to be forcing the manager field to be an email address when using the new Directory API. You can see this behavior when running the command:

gam update user jsmith relation manager "George Jones"

it will fail with Google giving an error indicating that the field must be an email address.

However, other APIs that allow updating the manager field (like the old Profiles API which GADS uses and I asuume FlashPanel is using also) don't seem to enforce any requirements on this field.

I'm reaching out to Google with this information and will keep you updated with the status.

@Chris: if you could reach out to BetterCloud with this information also it may be helpful though I suspect the issue needs to be fixed on Google's end.


Regards,

Jay Lee
Director, Apps Deployments   |  Dito
☎ (267) 712-9533  |  ✉ j...@ditoweb.com

  


To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAFGH%2B0OZL5rhOiPrejTV2ubz3RrV9qw5xjo49Mty55L1uNj_0g%40mail.gmail.com.

Chris Monsma

unread,
Mar 14, 2014, 5:17:16 PM3/14/14
to google-ap...@googlegroups.com
Done!  Thank you Jay.


--
You received this message because you are subscribed to a topic in the Google Groups "Google Apps Manager" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/google-apps-manager/5JY6FRoNpAo/unsubscribe.
To unsubscribe from this group and all its topics, send an email to google-apps-man...@googlegroups.com.

To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at http://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAJHSAXYq2zboS%2BpAEgm8thrp7wOqTU4cRA-T1XRa4kXz-Yd_NA%40mail.gmail.com.

For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages