taers232c / GAMADV-XTD3

Command line tool to manage Google Workspace

list users that an admin can view/manage #414

Open muzzol opened 1 month ago

muzzol commented 1 month ago

hi,

is there a way to get a list of all users managed by a delegated admin/manager?

I need to filter not by domain but by accounts managed by a single admin.

thanks in advance

taers232c commented 1 month ago

See: https://github.com/taers232c/GAM-Scripts3/blob/master/ShowDelegators.py

Ross

Ross Scroggs @.***


muzzol commented 1 month ago

thanks a lot for the info.

I can't recall where I read that you can impersonate a user so the api responds like it was called from that user. is that an option?

taers232c commented 1 month ago

That's how service account access works; when enabled, GAM impersonates users to manage their drives/email/calendar.

Ross


muzzol commented 1 month ago

ok, I need a quick security check so I just want to know if a user can "see" another one.

what would be the easiest way to check that with gam?

I was trying to use something like: gam user delegated.admin@example.com print info user@example.com

but that doesn't work as expected.

do you have any suggestion?

taers232c commented 1 month ago

Only the system admin can see other users; it uses client access.

gam info user @.***,com

Ross


muzzol commented 1 month ago

exactly.

if I create a new admin and give it permissions to only two OUs, when they log in to admin.google.com they can only see users belonging to those OUs.

can I replicate that behaviour somehow with gam?

maybe with some filtering?
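
Added example, not part of the thread and not GAM's own code: one way to answer "can this delegated admin see that user" offline is to filter a user export by the OU scope of the admin's role assignments. It assumes data shaped like the Admin SDK Directory API resources (roleAssignments, orgunits, users), that an OU-scoped role covers the OU and its sub-OUs, and that the assigned role grants user-read privileges; all ids, addresses and function names are constructed.

```python
# Constructed sample data. Field names follow the Admin SDK Directory API
# resources (roleAssignments, orgunits, users); all ids and addresses are made up.
ROLE_ASSIGNMENTS = [
    {"assignedTo": "111", "scopeType": "ORG_UNIT", "orgUnitId": "ou-sales"},
    {"assignedTo": "111", "scopeType": "ORG_UNIT", "orgUnitId": "ou-support"},
    {"assignedTo": "222", "scopeType": "CUSTOMER"},
]
ORG_UNITS = {"ou-sales": "/Sales", "ou-support": "/Support"}  # orgUnitId -> orgUnitPath
USERS = [
    {"primaryEmail": "a@example.com", "orgUnitPath": "/Sales"},
    {"primaryEmail": "b@example.com", "orgUnitPath": "/Sales/EMEA"},
    {"primaryEmail": "c@example.com", "orgUnitPath": "/Salesforce"},
    {"primaryEmail": "d@example.com", "orgUnitPath": "/Support"},
    {"primaryEmail": "e@example.com", "orgUnitPath": "/"},
]


def in_subtree(user_path, ou_path):
    """True if user_path is ou_path or below it; '/Salesforce' is not under '/Sales'."""
    if ou_path == "/":
        return True
    return user_path == ou_path or user_path.startswith(ou_path.rstrip("/") + "/")


def admin_scopes(admin_id, assignments=ROLE_ASSIGNMENTS, org_units=ORG_UNITS):
    """OU paths an admin's roles are scoped to; {'/'} for a customer-wide role."""
    paths = set()
    for ra in assignments:
        if ra["assignedTo"] != admin_id:
            continue
        if ra.get("scopeType") == "CUSTOMER":
            return {"/"}
        paths.add(org_units[ra["orgUnitId"]])
    return paths


def visible_users(admin_id, users=USERS):
    """Sorted addresses of users inside any OU subtree the admin is scoped to."""
    scopes = admin_scopes(admin_id)
    return sorted(u["primaryEmail"] for u in users
                  if any(in_subtree(u["orgUnitPath"], s) for s in scopes))


def can_see(admin_id, target_email):
    """True if the target user falls inside the admin's OU scope."""
    return target_email in visible_users(admin_id)


if __name__ == "__main__":
    print(visible_users("111"))
    print(can_see("111", "c@example.com"))
```

The path comparison is done per path segment, so an admin scoped to /Sales is not reported as seeing a user in /Salesforce.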