Users who have not changed their password

[James SEYMOUR]

Is there an easy way to find users who have not changed their passwords (after a specific date)?

At the moment I am looking at running something like this;-

gam report admin event "CHANGE_PASSWORD" start <yyyy-mm-dd> todrive

The using VLOOKUP against a report of all users to filter out the ones who have not changed their passwords.

Not too complicated, but just wondering if this can be acheived in GAM in a single command. And, if possible, run against an OU.

Thanks in advance

James

[Ross Scroggs]

James,

You're on the right track, I don't know of any API that will give to the data directly.

You can add 'ou <OrgUnitPath>' to the command to run the command against a specific OU.

Ross

--

ross.s...@gmail.com

Jerudong International School
https://www.jerudonginternationalschool.com

Follow us on:

    

--
You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/c82cdded-6ee5-4ffd-912b-ebc5bbd6504bn%40googlegroups.com.

[James SEYMOUR]

Hi Ross,

Thanks for confirming. Searching by OU will make the process a lot easier. Cheers.

[Kim Nilsson]

I hope you're not using it to forward an agenda of regular password changes, James.

Maybe you are only trying to find those that never ever changed their passwords. something which shouldn't really be possible, as when you create your users you, of course, only give them a temporary password, which they immediately have to change.

However, when working with the youngest students I'd imagine their passwords are static for a few years, and then you'd would want them to change it at least once.

That would easily be accomplished by pushing something like gam update users ou /Students/TheYoungOnes changepasswordatnextlogin, don't you think?

[James SEYMOUR]

Hi Kim,

Definitely not :) . Our MIS developer is forcing us to change the tool (that they develop) to sync users to our AD. It now has less flexibility so we are having to change the username of all our Secondary students, which necessitates a change in password. So we will issue the students with a new password and ask them to change it (for security reasons). So I am interested in finding out who has not changed it.

I know we can enforce password change on next login, but if this is enabled then users cannot access the Wifi without changing the password. And some users may never need to logon to a PC as they all have laptops. 

And we can't have users change their Google password as this does not sync back to the AD, so they would still have to change their AD password. But I like that command, which could be used for users working remotely, to secure their Google account. 

Cheers

James

[Kim Nilsson]

Ok, so this means that you have a password sync from AD to Google. 

You need to put up a password web portal for AD. Use PWM or Pass Core. Then in the SSO section of Google you link to the portal, making it impossible for users to change their Google passwords, and instead they will be forwarded to the portal.

When you push the changepasswordonnextlogin that shouldn't affect their WiFi connection, because I assume that the WiFi password is actually the AD password, and not really from Google, even if they currently are the same. 

[James SEYMOUR]

At the moment we have a web portal for users to be able to change their password online, which has been in use for ages. We used to be able to redirect users from Google to this, but Google made some changes and this broke. But I think what you are explaining is what I need to do to get this page https://admin.google.com/ac/security/sso/domain-sso-profile working again. I'll add to my list :)