7.00.13

This reverts commit 38375b1710.

.github/actions/entitlements.plist

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+        <!-- These are required for binaries built by PyInstaller -->
+        <key>com.apple.security.cs.allow-jit</key>
+        <true/>
+        <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+        <true/>
+        <key>com.apple.security.cs.disable-library-validation</key>
+        <true/>
+</dict>
+</plist>

.github/actions/package_exclusions.txt

@@ -2,6 +2,5 @@ oauth2.txt
 nobrowser.txt
 enabledasa.txt
 lastupdatecheck.txt
-*.json
 *.lck
 *.csv

.github/workflows/build.yml

@@ -9,6 +9,7 @@ on:
 permissions:
   contents: read
   id-token: write
+  attestations: write
 
 defaults:
   run:
@@ -16,6 +17,7 @@ defaults:
     working-directory: src
 
 env:
+  SCRATCH_COUNTER: 1
   OPENSSL_CONFIG_OPTS: no-fips --api=3.0.0
   OPENSSL_INSTALL_PATH: ${{ github.workspace }}/bin/ssl
   OPENSSL_SOURCE_PATH: ${{ github.workspace }}/src/openssl
@@ -29,19 +31,17 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - os: ubuntu-20.04
+          - os: ubuntu-22.04
             jid: 1
             goal: build
             arch: x86_64
             openssl_archs: linux-x86_64
-            fullGamTest: yes
           - os: [self-hosted, linux, arm64]
             jid: 2
             goal: build
             arch: aarch64
             openssl_archs: linux-aarch64
-            fullGamTest: yes
-          - os: ubuntu-20.04
+          - os: ubuntu-22.04
             jid: 3
             goal: build
             arch: x86_64
@@ -53,48 +53,40 @@ jobs:
             arch: aarch64
             openssl_archs: linux-aarch64
             staticx: yes
-          - os: macos-12
+          - os: macos-13
             jid: 5
             goal: build
             arch: x86_64
             openssl_archs: darwin64-x86_64
-            fullGamTest: yes
           - os: macos-14
             jid: 6
             goal: build
             arch: aarch64
             openssl_archs: darwin64-arm64
-            fullGamTest: yes
-          - os: macos-14
-            jid: 7
-            goal: build
-            arch: universal2
-            openssl_archs: darwin64-arm64 darwin64-x86_64
           - os: windows-2022
-            jid: 8
+            jid: 7
             goal: build
             arch: Win64
             openssl_archs: VC-WIN64A
-            fullGamTest: yes
-          - os: ubuntu-22.04
+          - os: ubuntu-24.04
             goal: test
-            python: "3.8"
-            jid: 9
+            python: "3.13"
+            jid: 8
             arch: x86_64
-          - os: ubuntu-22.04
+          - os: ubuntu-24.04
             goal: test
             python: "3.9"
-            jid: 10
+            jid: 9
             arch: x86_64
-          - os: ubuntu-22.04
+          - os: ubuntu-24.04
             goal: test
             python: "3.10"
-            jid: 11
+            jid: 10
             arch: x86_64
-          - os: ubuntu-22.04
+          - os: ubuntu-24.04
             goal: test
             python: "3.11"
-            jid: 12
+            jid: 11
             arch: x86_64
 
     steps:
@@ -118,7 +110,7 @@ jobs:
         with:
           path: |
             cache.tar.xz
-          key: gam-${{ matrix.jid }}-20240210
+          key: gam-${{ matrix.jid }}-20241002
 
       - name: Untar Cache archive
         if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit == 'true'
@@ -199,8 +191,18 @@ jobs:
           bash ./rust.sh -y
           source $HOME/.cargo/env
           # Install needed packages
-          brew update
-          brew install gpg swig
+          #brew update
+          #brew install gpg
+          #brew install swig
+          #brew install ncurses
+
+      - name: MacOS import developer certificates for signing
+        if: runner.os == 'macOS'
+        uses: apple-actions/import-codesign-certs@v3
+        with:
+          keychain: signing_temp
+          p12-file-base64: ${{ secrets.CERTIFICATES_P12 }}
+          p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }}
 
       - name: Windows Configure VCode
         uses: ilammy/msvc-dev-cmd@v1
@@ -222,18 +224,14 @@ jobs:
             GAM_ARCHIVE_ARCH="x86_64"
             WIX_ARCH="x64"
             CHOC_OPS=""
-          elif [[ "${arch}" == "Win32" ]]; then
-            PYEXTERNALS_PATH="win32"
-            PYBUILDRELEASE_ARCH="Win32"
-            GAM_ARCHIVE_ARCH="x86"
-            WIX_ARCH="x86"
-            CHOC_OPS="--forcex86"
           fi
           if [[ "${RUNNER_OS}" == "macOS" ]]; then
             MAKE=make
             MAKEOPT="-j$(sysctl -n hw.logicalcpu)"
             PERL=perl
-            echo "MACOSX_DEPLOYMENT_TARGET=10.15" >> $GITHUB_ENV
+            MACOSX_DEPLOYMENT_TARGET=$(sw_vers -productVersion | awk -F '.' '{print $1 "." $2}')
+            echo "MACOSX_DEPLOYMENT_TARGET=${MACOSX_DEPLOYMENT_TARGET}" >> $GITHUB_ENV
+            echo "We are running on and targetting MacOS ${MACOSX_DEPLOYMENT_TARGET}"
             echo "PYTHON=${PYTHON_INSTALL_PATH}/bin/python3" >> $GITHUB_ENV
           elif [[ "${RUNNER_OS}" == "Linux" ]]; then
             MAKE=make
@@ -298,7 +296,8 @@ jobs:
       - name: Rename GNU link on Windows
         if: matrix.goal == 'build' && runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
         shell: bash
-        run: mv /usr/bin/link /usr/bin/gnulink
+        run: |
+          mv -v /usr/bin/link /usr/bin/gnulink
 
       - name: Make OpenSSL
         if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit != 'true'
@@ -316,7 +315,7 @@ jobs:
               cd "${GITHUB_WORKSPACE}/src/openssl-${openssl_arch}"
               # install_sw saves us ages processing man pages :-)
               $MAKE install_sw
-              mv "${OPENSSL_INSTALL_PATH}" "${GITHUB_WORKSPACE}/bin/ssl-${openssl_arch}"
+              mv -v "${OPENSSL_INSTALL_PATH}" "${GITHUB_WORKSPACE}/bin/ssl-${openssl_arch}"
             done
             mkdir -vp "${OPENSSL_INSTALL_PATH}/lib"
             mkdir -vp "${OPENSSL_INSTALL_PATH}/bin"
@@ -331,21 +330,34 @@ jobs:
                  -output "${GITHUB_WORKSPACE}/bin/ssl/bin/openssl"
             rm -rf ${GITHUB_WORKSPACE}/bin/ssl-darwin64-x86_64
             rm -rf ${GITHUB_WORKSPACE}/bin/ssl-darwin64-arm64
-            echo "LDFLAGS=-L${OPENSSL_INSTALL_PATH}/lib" >> $GITHUB_ENV
-            echo "CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS=1" >> $GITHUB_ENV
-            echo "CFLAGS=-I${OPENSSL_INSTALL_PATH}/include -arch arm64 -arch x86_64 ${CFLAGS}" >> $GITHUB_ENV
-            echo "ARCHFLAGS=-arch x86_64 -arch arm64" >> $GITHUB_ENV
           else
             cd "${GITHUB_WORKSPACE}/src/openssl-${openssl_archs}"
             # install_sw saves us ages processing man pages :-)
             $MAKE install_sw
           fi
+          if [[ "${RUNNER_OS}" != "Windows" ]]; then
+            echo "LDFLAGS=-L${OPENSSL_INSTALL_PATH}/lib" >> $GITHUB_ENV
+          fi
+          echo "CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS=1" >> $GITHUB_ENV
+          case $arch in
+            universal2)
+              echo "CFLAGS=-I${OPENSSL_INSTALL_PATH}/include -arch arm64 -arch x86_64 ${CFLAGS}" >> $GITHUB_ENV
+              echo "ARCHFLAGS=-arch x86_64 -arch arm64" >> $GITHUB_ENV
+              ;;
+            x86_64)
+              echo "CFLAGS=-I${OPENSSL_INSTALL_PATH}/include ${CFLAGS}" >> $GITHUB_ENV
+              echo "ARCHFLAGS=-arch x86_64" >> $GITHUB_ENV
+              ;;
+            aarch64)
+              echo "CFLAGS=-I${OPENSSL_INSTALL_PATH}/include ${CFLAGS}" >> $GITHUB_ENV
+              echo "ARCHFLAGS=-arch arm64" >> $GITHUB_ENV
+              ;;
+          esac
 
       - name: Run OpenSSL
         if: matrix.goal == 'build'
         run: |
-          "${OPENSSL_INSTALL_PATH}/bin/openssl" version
-          "${OPENSSL_INSTALL_PATH}/bin/openssl" version -f
+          "${OPENSSL_INSTALL_PATH}/bin/openssl" version -a
           file "${OPENSSL_INSTALL_PATH}/bin/openssl"
 
       - name: Get latest stable Python source
@@ -354,12 +366,7 @@ jobs:
           cd "${GITHUB_WORKSPACE}/src"
           git clone https://github.com/python/cpython.git
           cd "${PYTHON_SOURCE_PATH}"
-          # Pin Windows to 3.11.6 for the moment
-          # if [[ "${RUNNER_OS}" == "Windows" ]]; then
-          #   export LATEST_STABLE_TAG="v3.11.6"
-          # else
           export LATEST_STABLE_TAG=$(git tag --list | grep -v a | grep -v rc | grep -v b | sort -Vr | head -n1)
-          # fi
           git checkout "${LATEST_STABLE_TAG}"
           export COMPILED_PYTHON_VERSION=${LATEST_STABLE_TAG:1} # Trim the "v" prefix
           echo "COMPILED_PYTHON_VERSION=${COMPILED_PYTHON_VERSION}" >> $GITHUB_ENV
@@ -379,7 +386,8 @@ jobs:
                       --with-ensurepip=upgrade \
                       --enable-optimizations \
                       --with-lto \
-                      "${extra_args[@]}"
+                      "${extra_args[@]}" || : # exit 0
+          cat config.log
 
       - name: Windows Get External Python deps
         if: matrix.goal == 'build' && runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
@@ -445,6 +453,7 @@ jobs:
       - name: Run Python
         run: |
           "${PYTHON}" -V
+          "${PYTHON}" -c "import ssl; print(f'Using {ssl.OPENSSL_VERSION}')"
 
       - name: Upgrade pip, wheel, etc
         run: |
@@ -496,23 +505,13 @@ jobs:
           git clone https://github.com/pyinstaller/pyinstaller.git
           cd pyinstaller
           export latest_release=$(git tag --list | grep -v dev | grep -v rc | sort -Vr | head -n1)
-          #V6.0.0 causes errors on staticx
-          if [[ "${staticx}" == "yes" ]]; then
-            git checkout "v5.13.2"
-          elif [[ "${RUNNER_OS}" == "Windows" ]]; then
-            git checkout "v5.13.2"
-          elif [[ "${RUNNER_OS}" == "macOS" ]]; then
-            git checkout "v5.13.2"
-          else
-            git checkout "${latest_release}"
-          fi
+          # git checkout "${latest_release}"
+          git checkout "v6.9.0"
           # remove pre-compiled bootloaders so we fail if bootloader compile fails
           rm -rvf PyInstaller/bootloader/*-*/*
           cd bootloader
+          export PYINSTALLER_BUILD_ARGS=""
           case "${arch}" in
-            "Win32")
-              export PYINSTALLER_BUILD_ARGS="--target-arch=32bit"
-              ;;
             "Win64")
               export PYINSTALLER_BUILD_ARGS="--target-arch=64bit"
               ;;
@@ -526,43 +525,60 @@ jobs:
       - name: Build GAM with PyInstaller
         if: matrix.goal != 'test'
         run: |
-          if [[ "${staticx}" == "yes" ]]; then
-            export distpath="./dist/gam"
-            export gampath="${distpath}"
-          else
-            export distpath="./dist"
-            export gampath="${distpath}/gam"
-          fi
-          mkdir -p -v "${gampath}"
+          export distpath="./dist/gam"
+          mkdir -p -v "${distpath}"
           if [[ "${RUNNER_OS}" == "macOS" ]]; then
-            export gampath=$($PYTHON -c "import os; print(os.path.realpath('$gampath'))")
+            # Tell our gam.spec to use our code sign certificate
+            export codesign_identity="Jay Lee"
+            # brew OpenSSL gets picked up by PyInstaller
+            # breaking our self-compiled version
+            brew uninstall --ignore-dependencies openssl
           elif [[ "${RUNNER_OS}" == "Windows" ]]; then
             # Work around issue where PyInstaller picks up python3.dll from other Python versions
             # https://github.com/pyinstaller/pyinstaller/issues/7102
-            export PATH="/usr/bin"
-          else
-            export gampath=$(realpath "${gampath}")
+            export PATH="$(dirname ${PYTHON}):/usr/bin"
           fi
+          #if ([ "${staticx}" != "yes" ] && [ "$RUNNER_OS" != "Windows" ]); then
+          if [[ "$staticx" != "yes" ]]; then
+            export PYINSTALLER_BUILD_ONEDIR=yes
+          fi
+          "${PYTHON}" -m PyInstaller --clean --noconfirm --distpath="${distpath}" gam.spec
+          if [[ "$PYINSTALLER_BUILD_ONEDIR" == "yes" ]]; then
+            mv -v "${distpath}/gam" "${distpath}/gam7"
+            export gampath="${distpath}/gam7"
+          else
+            mv -v "$distpath" "${distpath}7"
+            export gampath="${distpath}7"
+          fi
+          export gampath=$(realpath "$gampath")
+          echo "gampath ${gampath} results:"
+          ls -alRF "$gampath"
+          echo "---- WARNINGS FROM build/gam/warn-gam.txt"
+          cat build/gam/warn-gam.txt
+          echo "---- Analysis FROM build/gam/Analysis-00.toc"
+          cat build/gam/Analysis-00.toc
+          echo "---- EXE data FROM build/gam/EXE-00.toc"
+          cat build/gam/EXE-00.toc
           export gam="${gampath}/gam"
+          if [[ "${RUNNER_OS}" == "Windows" ]]; then
+            export gam=$(cygpath -w "$gam")
+            echo "GAM on Windows at ${gam}"
+          else
+            export gam=$(realpath "$gam")
+          fi
           echo "gampath=${gampath}" >> $GITHUB_ENV
           echo "gam=${gam}" >> $GITHUB_ENV
           echo -e "GAM: ${gam}\nGAMPATH: ${gampath}"
-          # TEMP force everything back to one file.
-          export PYINSTALLER_BUILD_ONEFILE="yes"
-          export distpath="./dist/gam"
-          export gampath="${distpath}"
-          "${PYTHON}" -m PyInstaller --clean --noconfirm --distpath="${distpath}" gam.spec
-          cat build/gam/warn-gam.txt
 
       - name: Copy extra package files
         if: matrix.goal == 'build'
         run: |
-          cp -v cacerts.pem $gampath
-          cp -v LICENSE $gampath
-          cp -v GamCommands.txt $gampath
-          cp -v GamUpdate.txt $gampath
+          cp -v cacerts.pem "$gampath"
+          cp -v LICENSE "$gampath"
+          cp -v GamCommands.txt "$gampath"
+          cp -v GamUpdate.txt "$gampath"
           if [[ "${RUNNER_OS}" == "Windows" ]]; then
-              cp -v gam-setup.bat $gampath
+              cp -v gam-setup.bat "$gampath"
           fi
 
       - name: Install StaticX
@@ -583,9 +599,21 @@ jobs:
               ;;
           esac
           echo "ldlib=${ldlib}"
-          $PYTHON -m staticx -l "${ldlib}" "${gam}" "${gam}-staticx"
-          rm -v "${gam}"
-          mv -v "${gam}-staticx" "${gam}"
+          $PYTHON -m staticx -l "${ldlib}" "$gam" "${gam}-staticx"
+          rm -v "$gam"
+          mv -v "${gam}-staticx" "$gam"
+
+      - name: MacOS send GAM binary for Apple notarization
+        if: runner.os == 'macOS'
+        env:
+          ASP_NOTARIZE: ${{ secrets.ASP_NOTARIZE }}
+        run: |
+          # Apple wants some kind of "package" submitted so just add gam to a .zip
+          # name it something we can track and link in Apple's notarize process
+          zipfilename="./gam-${RUNNER_ARCH}-${GITHUB_RUN_ID}-${GITHUB_RUN_NUMBER}.zip"
+          zip -r "$zipfilename" "$gampath"
+          xcrun notarytool submit --apple-id "jay0lee@gmail.com" --password "$ASP_NOTARIZE" --team-id GZ85H2DRLM "$zipfilename"
+          rm -v "$zipfilename"
 
       - name: Basic Tests all jobs
         id: basictests
@@ -596,31 +624,132 @@ jobs:
           echo "GAM Version ${GAMVERSION}"
           echo "GAMVERSION=${GAMVERSION}" >> $GITHUB_ENV
 
+      - name: Configure service account auth
+        id: configserviceaccount
+        env:
+          PASSCODE: ${{ secrets.PASSCODE }}
+        run: |
+          source ../.github/actions/decrypt.sh ../.github/actions/creds.tar.xz.gpg creds.tar.xz "${GAMCFGDIR}"
+          mv -v "${GAMCFGDIR}/oauth2.txt-gam-gha-${JID}" "${GAMCFGDIR}/oauth2.txt"
+          rm -v $GAMCFGDIR/oauth2.txt-gam*
+          $gam create signjwtserviceaccount
+
+      - name: Upload gam.exe Windows for signing
+        if: runner.os == 'Windows' && matrix.goal != 'test'
+        run: |
+          export folder_number=$(date +%s)
+          export folder_id=$($gam user gam-win-signer@pdl.jaylee.us add drivefile drivefilename "UPLOADING_FOR_SIGN ${folder_number}" parentid "1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp" mimetype gfolder returnidonly)
+          $gam user gam-win-signer@pdl.jaylee.us add drivefile localfile "$gam" parentid "$folder_id"
+          $gam user gam-win-signer@pdl.jaylee.us update drivefile "$folder_id" newfilename "READYTOSIGN ${folder_number}"
+          export signed_folder="SIGNED ${folder_number}"
+          zero_results="gam-win-signer@pdl.jaylee.us,0"
+          while true; do
+            result_counts=$($gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" countsonly)
+            echo "$result_counts"
+            if [[ ! "$result_counts" =~ "$zero_results" ]]; then
+              echo "looks like we have results"
+              break
+            fi
+            echo "no results, sleeping 10..."
+            sleep 10
+          done
+          # download signed gam.exe
+          $gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us print filelist query "'~~id~~' in parents and name = 'gam.exe'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us get drivefile ~id targetfolder "$gampath" targetname "signed-gam.exe" overwrite true acknowledgeabuse true
+          # delete signed folder on drive
+          $gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us trash drivefile "~id"
+          # remove unsigned gam.exe and rename signed-gam.exe
+          rm -v -f "${gampath}/gam.exe"
+          mv -v -f "${gampath}/signed-gam.exe" "${gampath}/gam.exe"
+          #"/c/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/signtool.exe" verify /v /pa "$gam"
+
+      - name: Attest gam executable was generated from this Action
+        uses: actions/attest-build-provenance@v1
+        if: matrix.goal == 'build'
+        with:
+          subject-path: ${{ env.gam }}
+
       - name: Linux/MacOS package
         if: runner.os != 'Windows' && matrix.goal == 'build'
         run: |
           if [[ "${RUNNER_OS}" == "macOS" ]]; then
-              GAM_ARCHIVE="gam-${GAMVERSION}-macos-${arch}.tar.xz"
+              GAM_ARCHIVE="${GITHUB_WORKSPACE}/gam-${GAMVERSION}-macos-${arch}.tar.xz"
           elif [[ "${RUNNER_OS}" == "Linux" ]]; then
-              if [[ "${staticx}" == "yes" ]]; then
-                libver="legacy"
-              else
-                libver="glibc$(ldd --version | awk '/ldd/{print $NF}')"
-              fi
-              GAM_ARCHIVE="gam-${GAMVERSION}-linux-$(arch)-${libver}.tar.xz"
+            if [[ "${staticx}" == "yes" ]]; then
+              libver="legacy"
+            else
+              libver="glibc$(ldd --version | awk '/ldd/{print $NF}')"
+            fi
+            GAM_ARCHIVE="${GITHUB_WORKSPACE}/gam-${GAMVERSION}-linux-$(arch)-${libver}.tar.xz"
           fi
-          tar -C dist/ --create --verbose --exclude-from "${GITHUB_WORKSPACE}/.github/actions/package_exclusions.txt" --file $GAM_ARCHIVE --xz gam
+          echo "GAM Archive ${GAM_ARCHIVE}"
+          tar -C "${gampath}/.." --create --verbose --exclude-from "${GITHUB_WORKSPACE}/.github/actions/package_exclusions.txt" --file $GAM_ARCHIVE --xz gam7
 
       - name: Windows package
         if: runner.os == 'Windows' && matrix.goal != 'test'
         run: |
-          cd dist/
-          GAM_ARCHIVE="../gam-${GAMVERSION}-windows-${GAM_ARCHIVE_ARCH}.zip"
-          /c/Program\ Files/7-Zip/7z.exe a -tzip $GAM_ARCHIVE gam "-xr@${GITHUB_WORKSPACE}/.github/actions/package_exclusions.txt" -bb3
-          cd ..
-          /c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.11/bin/candle.exe -arch "${WIX_ARCH}" gam.wxs
-          /c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.11/bin/light.exe -ext /c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.11/bin/WixUIExtension.dll gam.wixobj -o "gam-${GAMVERSION}-windows-${GAM_ARCHIVE_ARCH}.msi" || true;
+          echo "started in $(pwd)"
+          cd "${gampath}/.."
+          echo "moved to $(pwd)"
+          GAM_ARCHIVE="${GITHUB_WORKSPACE}/gam-${GAMVERSION}-windows-${GAM_ARCHIVE_ARCH}.zip"
+          /c/Program\ Files/7-Zip/7z.exe a -tzip "$GAM_ARCHIVE" gam7 "-xr@${GITHUB_WORKSPACE}/.github/actions/package_exclusions.txt" -bb3
+          cd ../..
+          echo "moved to $(pwd)"
+          export MSI_FILENAME="${GITHUB_WORKSPACE}/gam-${GAMVERSION}-windows-${GAM_ARCHIVE_ARCH}.msi"
+          # auto-generate a lib.wxs based on the files PyInstaller created for the lib/ directory
+          /c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.14/bin/heat.exe dir "${gampath}/lib" -ke -srd -cg Lib -gg -dr lib -directoryid lib -out lib.wxs
+          echo "-- begin lib.wxs --"
+          cat lib.wxs
+          echo "-- end lib.wxs --"
+          /c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.14/bin/candle.exe -arch "${WIX_ARCH}" gam.wxs lib.wxs
+          /c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.14/bin/light.exe -ext /c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.14/bin/WixUIExtension.dll gam.wixobj lib.wixobj -b "${gampath}/lib" -o "$MSI_FILENAME" || true;
           rm -v -f *.wixpdb
+          rm -v -f *.wixobj
+          echo "MSI_FILENAME=${MSI_FILENAME}" >> $GITHUB_ENV
+
+      - name: Upload gam MSI Windows for signing
+        if: runner.os == 'Windows' && matrix.goal != 'test'
+        run: |
+          export folder_number=$(date +%s)
+          export folder_id=$($gam user gam-win-signer@pdl.jaylee.us add drivefile drivefilename "UPLOADING_FOR_SIGN ${folder_number}" parentid "1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp" mimetype gfolder returnidonly)
+          $gam user gam-win-signer@pdl.jaylee.us add drivefile localfile "$MSI_FILENAME" parentid "$folder_id"
+          rm -f -v "$MSI_FILENAME"
+          $gam user gam-win-signer@pdl.jaylee.us update drivefile "$folder_id" newfilename "READYTOSIGN ${folder_number}"
+          export signed_folder="SIGNED ${folder_number}"
+          zero_results="gam-win-signer@pdl.jaylee.us,0"
+          while true; do
+            result_counts=$($gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" countsonly)
+            echo "$result_counts"
+            if [[ ! "$result_counts" =~ "$zero_results" ]]; then
+              echo "looks like we have results"
+              break
+            fi
+            echo "no results, sleeping 10..."
+            sleep 10
+          done
+          # download signed package
+          $gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us print filelist query "'~~id~~' in parents and name contains '.msi'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us get drivefile ~id targetfolder "$GITHUB_WORKSPACE" targetname "$MSI_FILENAME" overwrite true acknowledgeabuse true
+          # delete signed folder on drive
+          $gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us trash drivefile "~id"
+          #"/c/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/signtool.exe" verify /v /pa "$MSI_FILENAME"
+
+      - name: Attest that gam package files were generated from this Action
+        uses: actions/attest-build-provenance@v1
+        if: (github.event_name == 'push' || github.event_name == 'schedule') && matrix.goal == 'build'
+        with:
+          subject-path: |
+            gam*.tar.xz
+            gam*.zip
+            gam*.msi
+
+      - name: Archive production artifacts
+        uses: actions/upload-artifact@v4
+        if: (github.event_name == 'push' || github.event_name == 'schedule') && matrix.goal != 'test'
+        with:
+          name: gam-binaries-${{ env.GAMOS }}-${{ env.arch }}-${{ matrix.jid }}
+          path: |
+            gam*.tar.xz
+            gam*.zip
+            gam*.msi
 
       - name: Basic Tests build jobs only
         if: matrix.goal != 'test' && steps.cache-python-ssl.outputs.cache-hit != 'true'
@@ -643,13 +772,8 @@ jobs:
           echo "We successfully compiled Python ${this_python} and OpenSSL ${this_openssl}"
 
       - name: Live API tests push only
-        if: (github.event_name == 'push' || github.event_name == 'schedule') && matrix.fullGamTest == 'yes'
-        env:
-          PASSCODE: ${{ secrets.PASSCODE }}
+        if: (github.event_name == 'push' || github.event_name == 'schedule')
         run: |
-          source ../.github/actions/decrypt.sh ../.github/actions/creds.tar.xz.gpg creds.tar.xz "${GAMCFGDIR}"
-          mv -v "${GAMCFGDIR}/oauth2.txt-gam-gha-${JID}" "${GAMCFGDIR}/oauth2.txt"
-          rm -v $GAMCFGDIR/oauth2.txt-gam*
           export gam_user="gam-gha-${JID}@pdl.jaylee.us"
           echo "gam_user=${gam_user}" >> $GITHUB_ENV
           $gam config customer_id "C03uzfv2s" save
@@ -659,7 +783,6 @@ jobs:
           $gam oauth info
           $gam oauth refresh
           $gam config enable_dasa true save 
-          $gam create signjwtserviceaccount
           $gam checkconn
           $gam user "$gam_user" check serviceaccount
           $gam info domain
@@ -695,18 +818,18 @@ jobs:
           done
           driveid=$($gam user $gam_user add shareddrive "${newbase}" returnidonly)
           echo "Created shared drive ${driveid}"
-          $gam create user $newuser firstname GHA lastname $JID displayname "Github Actions ${JID}" password random ou "${newou}" recoveryphone 12125121110 recoveryemail jay0lee@gmail.com gha.jid $JID languages en+,en-GB-
+          # 9/17/24 - temp create in root due to Google API issues creating users in new OUs
+          $gam create user $newuser firstname GHA lastname $JID displayname "Github Actions ${JID}" password random recoveryphone 12125121110 recoveryemail jay0lee@gmail.com gha.jid $JID languages en+,en-GB- # ou "${newou}"
+          $gam user $newuser add license workspaceenterpriseplus
           $gam user $newuser update photo https://dummyimage.com/400x600/000/fff
           $gam user $newuser get photo
           $gam user $newuser delete photo
           $gam create alias $newalias user $newuser
           $gam create group $newgroup name "GHA $JID group" description "This is a description" isarchived true
-          $gam user $gam_user sendemail recipient $newuser subject "test message $newbase" message "GHA test message"
-          $gam user $gam_user sendemail recipient exchange@pdl.jaylee.us subject "test ${tstamp}" message "test message"
+          $gam user $gam_user sendemail recipient dev-null@pdl.jaylee.us subject "test message $newbase" message "GHA test message"
           $gam config enable_dasa false save
-          $gam create contact firstname GHA lastname "$JID" email work "${newbase}@example.com" primary
+          #$gam create contact firstname GHA lastname "$JID" email work "${newbase}@example.com" primary
           $gam print contacts
-          $gam user $newuser add license workspaceenterpriseplus
           $gam print privileges
           $gam config enable_dasa true save
           $gam update cigroup $newgroup security memberrestriction 'member.type == 1 || member.customer_id == groupCustomerId()'
@@ -714,7 +837,8 @@ jobs:
           $gam update group $newgroup add owner $gam_user
           $gam update group $newgroup add member $newuser
           $gam config enable_dasa false save
-          $gam create admin $newuser _GROUPS_EDITOR_ROLE CUSTOMER # condition nonsecuritygroup
+          # 9/17/24 temp disable due to Google API sluggishness to see new users for admin commands
+          # $gam create admin $newuser _GROUPS_EDITOR_ROLE CUSTOMER # condition nonsecuritygroup
           $gam create admin $newgroup _HELP_DESK_ADMIN_ROLE org_unit "${newou}"
           $gam config csv_output_row_filter "assignedToUser:regex:${newuser}" print admins | $gam csv - gam delete admin "~roleAssignmentId"
           $gam config csv_output_row_filter "assignedToGroup:regex:${newgroup}" print admins | $gam csv - gam delete admin "~roleAssignmentId"
@@ -730,7 +854,7 @@ jobs:
           $gam info group $newgroup
           $gam info cigroup $newgroup membertree
           # confirm mailbox is provisoned before continuing
-          $gam user $newuser waitformailbox
+          $gam user $newuser waitformailbox retries 20
           $gam user $newuser imap on
           $gam user $newuser show imap
           $gam user $newuser show delegates
@@ -744,7 +868,7 @@ jobs:
           $gam user $gam_user insertemail subject "GHA insert $newbase" file gam.py labels INBOX,UNREAD # yep body is gam code
           $gam user $gam_user sendemail subject "GHA send $gam_user $newbase" file gam.py recipient admin@pdl.jaylee.us
           $gam user $gam_user draftemail subject "GHA draft $newbase" message "Draft message test"
-          $gam csvfile sample.csv:email waitformailbox
+          $gam csvfile sample.csv:email waitformailbox retries 20
           $gam user $newuser delegate to "${newbase}-bulkuser-1" || if [ $? != 50 ]; then exit $?; fi # expect a 50 return code (delegation failed)
           $gam users "$gam_user $newbase-bulkuser-1 $newbase-bulkuser-2 $newbase-bulkuser-3" delete messages query in:anywhere maxtodelete 99999 doit || if [ $? != 60 ]; then exit $?; fi # expect a 60 return code (no messages)
           $gam users "$newbase-bulkuser-4 $newbase-bulkuser-5 $newbase-bulkuser-6" trash messages query in:anywhere maxtotrash 99999 doit || if [ $? != 60 ]; then exit $?; fi # expect a 60 return code (no messages)
@@ -828,15 +952,17 @@ jobs:
           $gam user $gam_user show shareddrives asadmin
           $gam user $gam_user update shareddrive "${driveid}" ou "aaaGithub Actions" # so we can delete our OU...
           $gam user $gam_user delete shareddrive "${driveid}" nukefromorbit
+          ssoprofile=$($gam config debug_level 1 create inboundssoprofile name "El Goog ${newbase}" loginurl https://www.google.com logouturl https://www.google.com changepasswordurl https://www.google.com entityid ElGoog return_name_only)
+          if [ ${ssoprofile} != 'inProgress' ]; then
+            $gam create inboundssocredential profile "id:${ssoprofile}" generate_key
+            #$gam create inboundssoassignment profile "id:${ssoprofile}" orgunit "${newou}" mode SAML_SSO
+            #$gam delete inboundssoassignment "orgunit:${newou}"
+            $gam delete inboundssoprofile "id:${ssoprofile}"
+          fi
           echo "printer model count:"
-          ssoprofile=$($gam create inboundssoprofile name "El Goog ${newbase}" loginurl https://www.google.com logouturl https://www.google.com changepasswordurl https://www.google.com entityid ElGoog return_name_only)
-          $gam create inboundssocredential profile "id:${ssoprofile}" generate_key
-          #$gam create inboundssoassignment profile "id:${ssoprofile}" orgunit "${newou}" mode SAML_SSO
-          #$gam delete inboundssoassignment "orgunit:${newou}"
-          $gam delete inboundssoprofile "id:${ssoprofile}"
           $gam print printermodels | wc -l
           $gam print printers
-          printerid=$($gam create printer displayname "${newbase}" uri ipp://localhost:631 driverless description "made by $(gam_user)" ou "${newou}" nodetails | awk '{print substr($2, 1, length($2)-1)}')
+          printerid=$($gam create printer displayname "${newbase}" uri ipp://localhost:631 driverless description "made by ${gam_user}" ou "${newou}" nodetails | awk '{print substr($2, 1, length($2)-1)}')
           $gam info printer "$printerid"
           $gam delete printer "$printerid"
           $gam delete ou "${newou}"
@@ -852,16 +978,6 @@ jobs:
           fi
           tar cJvvf cache.tar.xz $tar_folders
 
-      - name: Archive production artifacts
-        uses: actions/upload-artifact@v4
-        if: (github.event_name == 'push' || github.event_name == 'schedule') && matrix.goal != 'test'
-        with:
-          name: gam-binaries-${{ env.GAMOS }}-${{ env.arch }}-${{ matrix.jid }}
-          path: |
-            src/*.tar.xz
-            src/*.zip
-            src/*.msi
-
   merge:
     if: (github.event_name == 'push' || github.event_name == 'schedule')
     runs-on: ubuntu-latest
@@ -876,11 +992,6 @@ jobs:
           name: gam-binaries
           pattern: gam-binaries-*
 
-#      - name: Delete Artifacts
-#        uses: geekyeggo/delete-artifact@v4
-#        with:
-#          name: gam-binaries-*
-
   publish:
     if: github.event_name == 'push'
     runs-on: ubuntu-latest

.github/workflows/codeql-analysis.yml

@@ -38,11 +38,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -53,7 +53,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@v3
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -67,4 +67,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3

README.md

@@ -1,6 +1,6 @@
 GAM is a command line tool for Google Workspace admins to manage domain and user settings quickly and easily.
 
-![Build Status](https://github.com/GAM-team/GAM/workflows/Build%20and%20test%20GAM/badge.svg)
+[![Build StatusM](https://github.com/GAM-team/GAM/actions/workflows/build.yml/badge.svg)](https://github.com/GAM-team/GAM/actions/workflows/build.yml)
 
 # Quick Start
 
@@ -32,7 +32,7 @@ There is a public chat room hosted in Google Chat. [Instructions to join](https:
 
 # Author
 
-GAM is maintained by [Jay Lee](mailto:jay0lee@gmail.com). Please direct "how do I?" questions to [Google Groups].
+GAM is maintained by [Jay (James) Lee](mailto:jay0lee@gmail.com) and [Ross Scroggs](mailto:ross.scroggs@gmail.com). Please direct "how do I?" questions to [Google Groups].
 
 [GAM release]: https://github.com/GAM-team/GAM/releases
 [GitHub Releases]: https://github.com/GAM-team/GAM/releases

docs/Administrators.md

@@ -851,11 +851,15 @@ gam delete adminrole <RoleItem>
 ## Display administrative roles
 ```
 gam info adminrole <RoleItem> [privileges]
-gam print adminroles|roles [todrive <ToDriveAttribute>*] [privileges]
+gam print adminroles|roles [todrive <ToDriveAttribute>*]
+        [privileges] [oneitemperrow]
 gam show adminroles|roles [todrive <ToDriveAttribute>*] [privileges]
 ```
 * `privileges` - Display privileges associated with each role
 
+By default, all privileges for a role are shown on one row as a repeating item.
+When `oneitemperrow` is specified, each privilege is output on a separate row/line with the other role fields.
+
 ## Create an administrator
 Add an administrator role to an administrator.
 ```
@@ -877,7 +881,8 @@ gam delete admin <RoleAssignmentId>
 ## Display administrators
 ```
 gam print admins [todrive <ToDriveAttribute>*]
-        [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>] [condition] [privileges]
+        [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>] [condition]
+        [privileges] [oneitemperrow]
 gam show admins
         [user|group <EmailAddress>|<UniqueID>] [role <RoleItem>] [condition] [privileges]
 ```
@@ -889,6 +894,9 @@ options to limit the display:
 * `condition` - Display any conditions associated with a role assignment
 * `privileges` - Display privileges associated with each role assignment
 
+By default, all role privileges for an admin are shown on one row as a repeating item.
+When `oneitemperrow` is specified, each role privilege is output on a separate row/line with the other admin fields.
+
 In versions prior to 6.07.01, specification of both `user <UserItem>`
 and `role <RoleItem>` generated no output due to an undocumented API rule that disallows both.
 

docs/Authorization.md

@@ -7,6 +7,7 @@
 - [Definitions](#definitions)
 - [Manage Projects](#manage-projects)
   - [Authorize a super admin to create projects](#authorize-a-super-admin-to-create-projects)
+  - [Authorize Service Account Key Uploads](#authorize-service-account-key-uploads)
   - [Authorize GAM to create projects](#authorize-gam-to-create-projects)
   - [Create a new GCP project folder](#create-a-new-gcp-project-folder)
   - [Create a new project for GAM authorization](#create-a-new-project-for-gam-authorization)
@@ -30,6 +31,7 @@
   - [Update an existing Service Account key](#update-an-existing-service-account-key)
   - [Replace all existing Service Account keys](#replace-all-existing-service-account-keys)
   - [Delete Service Account keys](#delete-service-account-keys)
+  - [Upload a Service Account key to a service account with no keys](#upload-a-service-account-key-to-a-service-account-with-no-keys)
   - [Display Service Account keys](#display-service-account-keys)
 - [Manage Service Account access](#manage-service-account-access)
   - [Full Service Account access](#full-service-account-access)
@@ -114,6 +116,11 @@ Verify whether the super admin you'll be using is in an OU where reauthenticatio
 * Click "OVERRIDE"
 * Follow the steps below to mark GAM as a trusted app
 
+Additional steps may be required if errors are encountered.
+* [Authorize a super admin to create projects](#authorize-a-super-admin-to-create-projects)
+* [Authorize Service Account Key Uploads](#authorize-service-account-key-uploads)
+* [Authorize GAM to create projects](#authorize-gam-to-create-projects)
+
 ## Headless computers and Cloud Shells
 With many thanks to Jay, `gam oauth create` now uses a new client access authentication flow
 as required by Google for headless computers/cloud shells; this is required as of February 28, 2022.
@@ -199,8 +206,51 @@ perform these steps and then retry the create project command.
 * Click in the Select a role box
 * Type project creator in the Filter box
 * Click Project Creator
+* Click + Add Another Role
+* Type organization policy administrator in the Filter box
+* Click Orgainzation Policy Administrator
 * Click Save
 
+## Authorize Service Account Key Uploads
+
+If you try to create a project and get an error saying that Constraint `constraints/iam.disableServiceAccountKeyUpload violated for service account projects/gam-project-xxx`,
+perform these steps and then you should be able to authorize and use your project.
+
+* Login as an existing super admin at console.cloud.google.com
+* In the upper left click the three lines to the left of Google Cloud and select IAM & Admin
+* Under IAM & Admin select IAM
+* Click the down arrow in the box to the right of Google Cloud
+* Click the three dots at the right and select IAM/Permissions
+* Now you should be at "Permissions for organization ..."
+* Click on Grant Access
+* Enter the new admin address in Principals
+* Click in the Select a role box
+* Type organization policy administrator in the Filter box
+* Click Organization Policy Administrator
+* Click Save
+* In the upper left click the three lines to the left of Google Cloud and select IAM & Admin
+* Under IAM & Admin select IAM
+* Click the down arrow in the box to the right of Google Cloud
+* Click the three dots at the right and select Manage Resources
+* Click the three dots at the end of the line for the GAM project just created
+* Click Settings
+* Click Organization Policies in the left column
+* Now you should be at "Policies for Gam Project"
+* Click in the Filter box
+* Enter iam.disableServiceAccountKeyUpload
+* Click the three dots at the end of the Disable Service Account Key Upload
+* Choose Edit policy
+* Click Override parent's policy
+* Click Add A Rule
+* Select Enforcement/Off
+* Click Done
+* Click Set Policy
+
+Wait a couple of minutes for the policy updates to complete and then do the following to upload the service account key:
+```
+gam upload sakey [admin <EmailAddress>]
+```
+
 ## Authorize GAM to create projects
 If you try to create a project and get an error saying "This app has been blocked on your domain for either being
 insecure or non-edutational"; you'll have to mark the GAM Project Creation app as trusted.
@@ -265,6 +315,10 @@ gam create project [admin <EmailAddress>] [project <ProjectID>]
         [projectname <ProjectName>] [parent <String>]
         [saname <ServiceAccountName>] [sadisplayname <ServiceAccountDisplayName>]
         [sadescription <ServiceAccountDescription>]
+        [(algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
+         (localkeysize 1024|2048|4096 [validityhours <Number>])|
+         (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)|
+         nokey}
 ```
 * `admin <EmailAddress>` - Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address
 * `appname <String>` - Application name, defaults to `GAM`
@@ -276,6 +330,10 @@ gam create project [admin <EmailAddress>] [project <ProjectID>]
 * `sadisplayname <ServiceAccountDisplayName>` - Service account display name
 * `sadescription <ServiceAccountDescription>` - Service account description
 
+You can optionally specify the type of service account key with `algorithm|localkeysize|yubikey`: [Manage Service Account keys](#manage-service-account-keys)
+
+Use `nokey` if you do not want a service account key created for the project.
+
 ## Use an existing project for GAM authorization
 Use an existing project to create and download two files: `client_secrets.json` for the Client and `oauth2service.json` for the Service Account.
 
@@ -285,8 +343,11 @@ Use an existing project to create and download two files: `client_secrets.json`
 * `<ServiceAccountDescription>` - `<ServiceAccountDisplayName>`
 
 ### Basic
-Use an existing project with default values for the service account. This is typically used when
-the system administrators have created a basic project and you now want to configure it as a GAM project.
+Use an existing uninitialized/uncredentialed project and configure it to be a GAM project; this typically used when
+the GCP  administrators have created a basic project because project creation is not available for most users.
+
+See Jay's notes about how to do this: https://github.com/GAM-team/GAM/wiki/GAM-with--minimal-GCP-rights
+
 ```
 gam use project [<EmailAddress>] [project <ProjectID>]
 ```
@@ -301,6 +362,9 @@ can not be re-downloaded.
 gam use project [admin <EmailAddress>] [project <ProjectID>]
         [saname <ServiceAccountName>] [sadisplayname <ServiceAccountDisplayName>]
         [sadescription <ServiceAccountDescription>]
+        [(algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
+         (localkeysize 1024|2048|4096 [validityhours <Number>])|
+         (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)]
 ```
 * `admin <EmailAddress>` - Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address
 * `project <ProjectID>` - An existing Google project ID; if omitted, you will be prompted for the ID
@@ -308,6 +372,8 @@ gam use project [admin <EmailAddress>] [project <ProjectID>]
 * `sadisplayname <ServiceAccountDisplayName>` - Service account display name
 * `sadescription <ServiceAccountDescription>` - Service account description
 
+You can optionally specify the type of service account key with `algorithm|localkeysize|yubikey`: [Manage Service Account keys](#manage-service-account-keys)
+
 ## Update an existing project for GAM authorization
 This command is used when GAM has added new capabilities that require additional APIs to be added to your project.
 ```
@@ -645,6 +711,9 @@ file or define a new section in `gam.cfg` that references a different `oauth2ser
 gam create|add svcacct [[admin] <EmailAddress>] [<ProjectIDEntity>]
         [saname <ServiceAccountName>] [sadisplayname <ServiceAccountDisplayName>]
         [sadescription <ServiceAccountDescription>]
+        [(algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
+         (localkeysize 1024|2048|4096 [validityhours <Number>])|
+         (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)]
 ```
 * `<EmailAddress>` - Google Workspace admin/GCP project manager; if omitted, you will be prompted for the address
 
@@ -659,6 +728,8 @@ Use these options to select user-specified values..
 * `sadisplayname <ServiceAccountDisplayName>` - Service account display name
 * `sadescription <ServiceAccountDescription>` - Service account description
 
+You can optionally specify the type of service account key with `algorithm|localkeysize|yubikey`: [Manage Service Account keys](#manage-service-account-keys)
+
 After adding an additional service account, you can select specific access APIs for it.
 [Selective Service Account access](#selective-service-account-access)
 
@@ -715,6 +786,7 @@ There are several methods for generating private keys:
 * `localkeysize 1024` - Gam generates a 1024 bit key; this is not recommended
 * `localkeysize 2048` - Gam generates a 2048 bit key; this is the default
 * `localkeysize 4096` - Gam generates a 4096 bit key
+* `yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)]` - [Using GAM7 with a YubiKey](Using-GAM7-with-a-YubiKey)
 
 When `localkeysize` is specified, the optional argument `validityhours <Number>` sets the length of time during which the key will be valid and should be used when the [GCP constraints/iam.serviceAccountKeyExpiryHours organization policy](https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts#limit_key_expiry) is in use. Note that in order to account for system clock skew, GAM sets the key to be valid two minutes earlier than the current system time and thus it will also expire two minutes earlier.
 
@@ -740,16 +812,12 @@ The two forms of the command are equivalent; the second form is used by Basic Ga
 ```
 gam create sakey
         (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
-        ((localkeysize 1024|2048|4096 [validityhours <Number>])|
-        (yubikey yubikey_pin yubikey_slot AUTHENTICATION 
-         yubikey_serialnumber <Number>
-         [localkeysize 1024|2048|4096])
+        (localkeysize 1024|2048|4096 [validityhours <Number>])|
+        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
 gam rotate sakey retain_existing
         (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
-        ((localkeysize 1024|2048|4096 [validityhours <Number>])|
-        (yubikey yubikey_pin yubikey_slot AUTHENTICATION 
-         yubikey_serialnumber <Number>
-         [localkeysize 1024|2048|4096])
+        (localkeysize 1024|2048|4096 [validityhours <Number>])|
+        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
 ```
 To distribute `oauth2service.json` files with unique private keys perform the following steps:
 ```
@@ -770,16 +838,12 @@ The two forms of the command are equivalent; the second form is used by Basic Ga
 ```
 gam update sakey
         (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
-        ((localkeysize 1024|2048|4096 [validityhours <Number>])|
-        (yubikey yubikey_pin yubikey_slot AUTHENTICATION 
-         yubikey_serialnumber <Number>
-         [localkeysize 1024|2048|4096])
-gam rotate sakey replace_existing
+        (localkeysize 1024|2048|4096 [validityhours <Number>])|
+        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
+gam rotate sakey replace_current
         (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
-        ((localkeysize 1024|2048|4096 [validityhours <Number>])|
-        (yubikey yubikey_pin yubikey_slot AUTHENTICATION 
-         yubikey_serialnumber <Number>
-         [localkeysize 1024|2048|4096])
+        (localkeysize 1024|2048|4096 [validityhours <Number>])|
+        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
 ```
 ## Replace all existing Service Account keys
 Create a new Service Account private key; all existing private keys are revoked.
@@ -793,16 +857,12 @@ The two forms of the command are equivalent; the second form is used by Basic Ga
 ```
 gam replace sakeys
         (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
-        ((localkeysize 1024|2048|4096 [validityhours <Number>])|
-        (yubikey yubikey_pin yubikey_slot AUTHENTICATION 
-         yubikey_serialnumber <Number>
-         [localkeysize 1024|2048|4096])
+        (localkeysize 1024|2048|4096 [validityhours <Number>])|
+        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
 gam rotate sakeys retain_none
         (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
-        ((localkeysize 1024|2048|4096 [validityhours <Number>])|
-        (yubikey yubikey_pin yubikey_slot AUTHENTICATION 
-         yubikey_serialnumber <Number>
-         [localkeysize 1024|2048|4096])
+        (localkeysize 1024|2048|4096 [validityhours <Number>])|
+        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
 ```
 ## Delete Service Account keys
 You can delete Service Accounts keys thus revoking access for that key. Generally, you will
@@ -810,10 +870,24 @@ delete a service account key for a distributed copy of an `oauth2service.json` f
 that user's service account access.
 
 You can disable your current Service Account key if you specify the `doit` argument. This is your
-acknowledgement that you will have to manually create a new Service Account key in the Developer's Console.
+acknowledgement that you will have to manually create a new Service Account key in the Developer's Console
+or upload a new key with the `gam upload sakey` command.
 ```
 gam delete sakeys <ServiceAccountKeyList>+ [doit]
 ```
+## Upload a Service Account key to a service account with no keys
+There are two cases where you will use this command:
+* Your workspace is configured to disable service account private key uploads and you are creating a project.
+* All of your service account keys have been deleted, either manually or with the `gam delete sakeys` command.
+
+The `oauth2service.json` file is updated with the new private key. If you had previously distributed
+any `oauth2service.json` file to other users, you must redistribute the updated file with the new key.
+```
+gam upload sakey [admin <EmailAddress>]
+        (algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
+        (localkeysize 1024|2048|4096 [validityhours <Number>])|
+        (yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)
+```
 ## Display Service Account keys
 There are system keys and user keys; user keys are what Gam uses; GCP uses system keys.
 
@@ -1014,6 +1088,9 @@ You can limit both client and service account access.
 You can repeat these steps if you want to configure multiple limited users;
 substitute a unique value for `limited` in each of the steps.
 
+In the Admin console, define a new Admin role with the desired privileges,
+assign it to the limited user and indicate whether it is for all Org Units or a specific Org Unit.
+
 On your computer, perform these initial steps:
 
 Make a subdirectory `limited` under the directory specified in `gam.cfg config_dir`

docs/BNF-Syntax.md

@@ -1,7 +1,7 @@
 # Syntax
 
 ## BNF Syntax
-This Wiki describes the GAM command line syntax in modified BNF.
+This Wiki describes the GAM7 command line syntax in modified BNF.
 * https://en.wikipedia.org/wiki/Backus-Naur_Form
 
 Skip the History section and start reading at Introduction.

docs/Basic-Items.md

@@ -222,87 +222,6 @@
         shortcut
 <MimeTypeName> ::= application|audio|font|image|message|model|multipart|text|video
 <MimeType> ::= <MimeTypeShortcut>|(<MimeTypeName>/<String>)
-<ProductID> ::=
-        nv:<String> |
-        101001 |
-        101005 |
-        101031 |
-        101033 |
-        101034 |
-        101035 |
-        101036 |
-        101037 |
-        101038 |
-        101039 |
-        101040 |
-        101043 |
-        101047 |
-        Google-Apps |
-        Google-Chrome-Device-Management |
-        Google-Drive-storage |
-        Google-Vault
-<SKUID> ::=
-        nv:<String>:<String> |
-        20gb | drive20gb | googledrivestorage20gb | Google-Drive-storage-20GB |
-        50gb | drive50gb | googledrivestorage50gb | Google-Drive-storage-50GB |
-        200gb | drive200gb | googledrivestorage200gb | Google-Drive-storage-200GB |
-        400gb | drive400gb | googledrivestorage400gb | Google-Drive-storage-400GB |
-        1tb | drive1tb | googledrivestorage1tb | Google-Drive-storage-1TB |
-        2tb | drive2tb | googledrivestorage2tb | Google-Drive-storage-2TB |
-        4tb | drive4tb | googledrivestorage4tb | Google-Drive-storage-4TB |
-        8tb | drive8tb | googledrivestorage8tb | Google-Drive-storage-8TB |
-        16tb | drive16tb | googledrivestorage16tb | Google-Drive-storage-16TB |
-        appsheetcore | 1010380001 |
-        appsheetstandard | appsheetenterprisestandard | 1010380002 |
-        appsheetplus | appsheetenterpriseplus | 1010380003 |
-        assuredcontrols | 1010390001 |
-        bce | beyondcorp | beyondcorpenterprise | 1010400001 |
-        cdm | chrome | googlechromedevicemanagement | Google-Chrome-Device-Management |
-        cloudidentity | identity | 1010010001 |
-        cloudidentitypremium | identitypremium | 1010050001 |
-        cloudsearch | 1010350001 |
-        geminibiz | 1010470003 |
-        geminient| duetai | 1010470001 |
-        gsuitebasic | gafb | gafw | basic | Google-Apps-For-Business |
-        gsuitebusiness | gau | gsb | unlimited | Google-Apps-Unlimited |
-        gsuitebusinessarchived | gsbau | businessarchived | 1010340002 |
-        gsuiteenterprisearchived | gseau | enterprisearchived | 1010340001 |
-        gsuiteenterpriseeducation | gsefe | e4e | 1010310002 |
-        gsuiteenterpriseeducationstudent | gsefes | e4es | 1010310003 |
-        gsuitegov | gafg | gsuitegovernment | Google-Apps-For-Government |
-        gsuitelite | gal | gsl | lite | Google-Apps-Lite |
-        gwep | workspaceeducationplus | 1010310008 |
-        gwepstaff | workspaceeducationplusstaff | 1010310009 |
-        gwepstudent | workspaceeducationplusstudent | 1010310010 |
-        gwes | workspaceeducationstandard | 1010310005 |
-        gwesstaff | workspaceeducationstandardstaff | 1010310006 |
-        gwesstudent | workspaceeducationstandardstudent | 1010310007 |
-        gwetlu | workspaceeducationupgrade | 1010370001 |
-        gwlabs | workspacelabs | 1010470002
-        meetdialing | googlemeetglobaldialing | 1010360001 |
-        postini | gams | gsuitegams | gsuitepostini | gsuitemessagesecurity | Google-Apps-For-Postini |
-        standard | free | Google-Apps |
-        vault | googlevault | Google-Vault |
-        vfe | googlevaultformeremployee | Google-Vault-Former-Employee |
-        voicepremier | gvpremier | googlevoicepremier | 1010330002 |
-        voicestandard | gvstandard | googlevoicestandard | 1010330004 |
-        voicestarter | gvstarter | googlevoicestarter | 1010330003 |
-        wsas | plusstorage | 1010430001 |
-        wsbizplus | workspacebusinessplus | 1010020025 |
-        wsbizplusarchived | workspacebusinessplusarchived | 1010340003 |
-        wsbizstan | workspacebusinessstandard | 1010020028 |
-        wsbizstanarchived | workspacebusinessstandardarchived | 1010340006 |
-        wsbizstarter | workspacebusinessstarter | wsbizstart | 1010020027 |
-        wsbizstarterarchived | workspacebusinessstarterarchived | 1010340005 |
-        wsentess | workspaceenterpriseessentials | 1010060003 |
-        wsentplus | workspaceenterpriseplus | gae | gse | enterprise | gsuiteenterprise | 1010020020 |
-        wsentstan | workspaceenterprisestandard | 1010020026 |
-        wsentstanarchived | workspaceenterprisestandardarchived | 1010340004 |
-        wsentstarter | workspaceenterprisestarter | 1010020029 | wes |
-        wsess | workspaceesentials | gsuiteessentials | essentials | d4e | driveenterprise | drive4enterprise | 1010060001 |
-        wsessplus | workspaceessentialsplus | 1010060005 |
-        wsflw | workspacefrontline | workspacefrontlineworker | 1010020030 |
-        wsflwstan | workspacefrontlinestan | workspacefrontlineworkerstan | 1010020031
 ```
 ## Items built from primitives
 ```
@@ -472,6 +391,8 @@
 <Marker> ::= <String>
 <MatterItem> ::= <UniqueID>|<String>
 <MatterState> ::= open|closed|deleted
+<MeetConferenceName> ::= conferenceRecords/<String>
+<MeetSpaceName> ::= spaces/<String> | <String>
 <MessageContent> ::=
         (message|textmessage|htmlmessage <String>)|
         (file|textfile|htmlfile <FileName> [charset <Charset>])|
@@ -538,6 +459,7 @@
 <ResellerID> ::= <String>
 <ResourceID> ::= <String>
 <SchemaName> ::= <String>
+<SchemaNameField> ::= <SchemaName>.<FieldName>
 <Section> ::= <String>
 <SendAsContent> ::=
         (sig|signature|htmlsig <String>)|
@@ -594,6 +516,7 @@
 <Title> ::= <String>
 <ToDriveAttribute> ::=
         (tdaddsheet [<Boolean>])|
+        (tdalert <EmailAddress>)*|
         (tdbackupsheet (id:<Number>)|<String>)|
         (tdcellnumberformat text|number)|
         (tdcellwrap clip|overflow|wrap)|
@@ -601,17 +524,20 @@
         (tdcopysheet (id:<Number>)|<String>)|
         (tddescription <String>)|
         (tdfileid <DriveFileID>)|
+        (tdfrom <EmailAddress>)|
         (tdlocalcopy [<Boolean>])|
         (tdlocale <Locale>)|
         (tdnobrowser [<Boolean>])|
         (tdnoemail [<Boolean>])|
         (tdnoescapechar [<Boolean>])|
+        (tdnotify [<Boolean>])|
         (tdparent (id:<DriveFolderID>)|<DriveFolderName>)|
         (tdretaintitle [<Boolean>])|
         (tdshare <EmailAddress> commenter|reader|writer)*|
         (tdsheet (id:<Number>)|<String>)|
         (tdsheettimestamp [<Boolean>] [tdsheettimeformat <String>])
         (tdsheettitle <String>)|
+        (tdsubject <String>)|
         ([tdsheetdaysoffset <Number>] [tdsheethoursoffset <Number>])|
         (tdtimestamp [<Boolean>] [tdtimeformat <String>]
             [tddaysoffset <Number>] [tdhoursoffset <Number>])|

docs/Bulk-Processing.md

@@ -8,6 +8,7 @@
 - [CSV files](#csv-files)
 - [CSV files with redirection and select](#csv-files-with-redirection-and-select)
 - [Automatic batch processing](#automatic-batch-processing)
+- [Process Google Sheet commands and save results](#process-google-sheet-commands-and-save-results)
 
 ## Introduction
 Batch and CSV file processing can improve performance by executing Gam commands in parallel.
@@ -42,6 +43,7 @@ Batch files can contain the following types of lines:
   * GAM prints \<String\> and waits for the user to press any key
   * GAM continues
 * sleep \<Integer\> - Batch processing will suspend for \<Integer\> seconds before the next command line is processed
+  * To be effective, this should immediately follow commit-batch
 * print \<String\> - Print \<String\> on stderr
 * set \<KeywordString\> \<ValueString\>
   * Subsequent lines will have %\<KeywordString\>% replaced with \<ValueString\>
@@ -56,7 +58,7 @@ Tbatch files can also contain the following line:
 * You have a CSV file NewStudents.csv with columns: Email,First,Last,GradYear,Password
 * You have a batch file NewStudents.bat containing these commands:
 ```
-gam csv NewStudents.csv gam create user ~Email firstname ~First lastname ~Last org "/Students/~~GradYear~~" password ~Password
+gam csv NewStudents.csv gam create user "~Email" firstname "~First" lastname "~Last" org "/Students/~~GradYear~~" password "~Password"
 commit-batch
 gam update group seniors sync members ou /Students/2020
 gam update group juniors sync members ou /Students/2021
@@ -119,7 +121,7 @@ Put a space in front of the `~`: `targetfolder " ~/Documents/GamWork"` to avoid
 * You want a note field that shows their email address as name AT domain.com
 * You have a CSV file Users.csv with columns: primaryEmail,Street,City,State,ZIP
 ```
-gam csv Users.csv gam update user ~primaryEmail address type work unstructured "~~Street~~, ~~City~~, ~~State~~ ~~ZIP~~" primary note text_plain "~~primaryEmail~!~^(.+)@(.+)$~!~\1 AT \2~~"
+gam csv Users.csv gam update user "~primaryEmail" address type work unstructured "~~Street~~, ~~City~~, ~~State~~ ~~ZIP~~" primary note text_plain "~~primaryEmail~!~^(.+)@(.+)$~!~\1 AT \2~~"
 ```
 * You want to do the above using a Google Sheet
 ```
@@ -129,25 +131,44 @@ gam csv gsheet <user> <fileID> "<sheetName>" gam update user "~primaryEmail" add
 ## CSV files with redirection and select
 You should use the `multiprocess` option on any redirected files: `csv`, `stdout`, `stderr`.
 ```
-gam redirect csv ./filelistperms.csv multiprocess csv Users.csv gam user ~primaryEmail print filelist fields id,title,permissions,owners.emailaddress
+gam redirect csv ./filelistperms.csv multiprocess csv Users.csv gam user "~primaryEmail" print filelist fields id,name,mimetype,basicpermissions
+gam redirect csv - multiprocess todrive csv Users.csv gam user "~primaryEmail" print filelist fields id,name,mimetype,basicpermissions
 ```
 
 If you want to select a `gam.cfg` section for the command, you can select the section at the outer `gam` and save it
 or select the section at the inner `gam`.
 ```
-gam select <Section> save redirect csv ./filelistperms.csv multiprocess csv Users.csv gam user ~primaryEmail print filelist fields id,title,permissions,owners.emailaddress
-gam redirect csv ./filelistperms.csv multiprocess csv Users.csv gam select <Section> user ~primaryEmail print filelist fields id,title,permissions,owners.emailaddress
+gam select <Section> save redirect csv ./filelistperms.csv multiprocess csv Users.csv gam user "~primaryEmail" print filelist fields id,name,mimetype,basicpermissions
+gam redirect csv ./filelistperms.csv multiprocess csv Users.csv gam select <Section> user "~primaryEmail" print filelist fields id,name,mimetype,basicpermissions
+gam select <Section> save redirect csv - multiprocess todrive csv Users.csv gam user "~primaryEmail" print filelist fields id,name,mimetype,basicpermissions
+gam redirect csv - multiprocess todrive csv Users.csv gam select <Section> user "~primaryEmail" print filelist fields id,name,mimetype,basicpermissions
 ```
 
 ## Automatic batch processing
 You can enable automatic batch (parallel) processing when issuing commands of the form `gam <UserTypeEntity> ...`.
 In the following example, if the number of users in group sales@domain.com exceeds 1, then the `print filelist` command will be processed in parallel.
 ```
-gam config auto_batch_min 1 redirect csv ./filelistperms.csv multiprocess group sales@domain.com print filelist fields id,title,permissions,owners.emailaddress
+gam config auto_batch_min 1 redirect csv ./filelistperms.csv multiprocess group sales@domain.com print filelist fields id,name,mimetype,basicpermissions
+gam config auto_batch_min 1 redirect csv - multiprocess todrive group sales@domain.com print filelist fields id,name,mimetype,basicpermissions
 ```
 With automatic batch processing, you should use the `multiprocess` option on any redirected files: `csv`, `stdout`, `stderr`.
 
 If you want to select a `gam.cfg` section for the command, you must select and save it for it to be processed correctly.
 ```
-gam select <Section> save config auto_batch_min 1 redirect csv ./filelistperms.csv multiprocess group sales@domain.com print filelist fields id,title,permissions,owners.emailaddress
+gam select <Section> save config auto_batch_min 1 redirect csv ./filelistperms.csv multiprocess group sales@domain.com print filelist fields id,name,mimetype,basicpermissions
+```
+
+## Process Google Sheet commands and save results
+You want to process data from a Google Sheet tab and save the results to another tab in the same sheet.
+Make a Google sheet with two tabs: Commands, Results; get the File ID and the two tab IDs.
+Put your command data in the Commands tab.
+
+Run your command, write the results to Results.txt
+```
+gam redirect stdout ./Results.txt multiprocess redirect stderr stdout csv gsheet user@domain.com <FileID> id:<CommandsTabID> gam ... Command
+```
+
+Upload Results.txt to the Results tab of the sheet.
+```
+gam user user@domain.com update drivefile <FileID> localfile Results.txt retainname gsheet id:<ResultsTabID>
 ```

docs/CSV-Input-Filtering.md

@@ -3,6 +3,10 @@
 - [Definitions](#definitions)
 - [Quoting rules](#quoting-rules)
 - [Column row filtering](#column-row-filtering)
+  - [Field names](#field-names)
+  - [Inclusive filters](#inclusive-filters)
+  - [Exclusive filters](#exclusive-filters)
+  - [Matches](#matches)
 - [Column row limiting](#column-row-limiting)
 - [Saving filters in gam.cfg](#saving-filters-in-gamcfg)
 - [Validate filters](#validate-filters)
@@ -39,28 +43,30 @@ These filters can be used alone or in conjunction with the `matchfield|skipfield
 
 <FieldNameFilter> :: = <RegularExpression>
 <RowValueFilter> ::=
-        [(any|all):]count<Operator><Number>|
-        [(any|all):]countrange=<Number>/<Number>|
-        [(any|all):]countrange!=<Number>/<Number>|
-        [(any|all):]date<Operator><Date>|
-        [(any|all):]daterange=<Date>/<Date>|
-        [(any|all):]daterange!=<Date>/<Date>|
-        [(any|all):]length<Operator><Number>|
-        [(any|all):]lengthrange=<Number>/<Number>|
-        [(any|all):]lengthrange!=<Number>/<Number>|
-        [(any|all):]text<Operator><String>|
-        [(any|all):]textrange=<String>/<String>|
-        [(any|all):]textrange!=<String>/<String>|
-        [(any|all):]time<Operator><Time>|
-        [(any|all):]timerange=<Time>/<Time>|
-        [(any|all):]timerange!=<Time>/<Time>|
         [(any|all):]boolean:<Boolean>|
-        [(any|all):]regex:<RegularExpression>|
-        [(any|all):]regexcs:<RegularExpression>|
+        [(any|all):]count<Operator><Number>|
+        [(any|all):]countrange!=<Number>/<Number>|
+        [(any|all):]countrange=<Number>/<Number>|
+        [(any|all):]data:<DataSelector>|
+        [(any|all):]date<Operator><Date>|
+        [(any|all):]daterange!=<Date>/<Date>|
+        [(any|all):]daterange=<Date>/<Date>|
+        [(any|all):]length<Operator><Number>|
+        [(any|all):]lengthrange!=<Number>/<Number>|
+        [(any|all):]lengthrange=<Number>/<Number>|
+        [(any|all):]notdata:<DataSelector>|
         [(any|all):]notregex:<RegularExpression>|
         [(any|all):]notregexcs:<RegularExpression>|
-        [(any|all):]data:<DataSelector>|
-        [(any|all):]notdata:<DataSelector>|
+        [(any|all):]regex:<RegularExpression>|
+        [(any|all):]regexcs:<RegularExpression>|
+        [(any|all):]text<Operator><String>|
+        [(any|all):]textrange!=<String>/<String>|
+        [(any|all):]textrange=<String>/<String>|
+        [(any|all):]time<Operator><Time>|
+        [(any|all):]timeofdayrange!=<Hour>:<Minute>/<Hour>:<Minute>|
+        [(any|all):]timeofdayrange=<Hour>:<Minute>/<Hour>:<Minute>|
+        [(any|all):]timerange!=<Time>/<Time>|
+        [(any|all):]timerange=<Time>/<Time>|
 <RowValueFilterList> ::=
         "'<FieldNameFilter>:<RowValueFilter>'(,'<FieldNameFilter>:<RowValueFilter>')*"
 <RowValueFilterJSONList> ::=
@@ -77,11 +83,17 @@ Name:value form.
 * Each `<FieldNameFilter>:<RowValueFilter>` pair should be enclosed in `'`.
 * If `<FieldNameFilter>` contains a `:` or a space, it should be enclosed in `\"`.
 * If `<RegularExpression>` or `<DataSelector>` in `<RowValueFilter>` contain a space, it should be enclosed in `\"`.
+* If `<FieldNameFilter>` or `<RegularExpression>` in `<RowValueFilter>` contain a `\` to escape a special character
+or enter a special sequence, enter `\\\` on Linux and Mac OS, `\\` on Windows,
 
-Example:
+Examples:
 ```
 csv_input_row_filter "'\"accounts:used_quota_in_mb\":count>15000'"
 csv_input_row_filter "'email:data:\"csvfile gsheet:email user@domain.com FileID Sheet1\"'"
+Linux and Mac OS
+csv_input_row_filter "'phones.\\\d+.value:regex:(?:^\\\(510\\\) )|(?:^510[- ])\\\d{3}-\\\d{4}'"
+Windows
+csv_input_row_filter "'phones.\\d+.value:regex:(?:^\\(510\\) )|(?:^510[- ])\\d{3}-\\d{4}'"
 ```
 JSON form.
 ```
@@ -156,11 +168,13 @@ In the case of `notregex|notregexcs|notdata`, the filter matches if some (not al
 If neither `any` or `all` is explicitly specified, `any` is the default.
 
 These are the row value filter types:
+* `boolean:<Boolean>` - Used on fields with Boolean values; a blank field is considered False
 * `count<Operator><Number>` - Used on fields with numbers; a blank field will not match
 * `countrange=<Number>/<Number>` - Used on fields with numbers; a blank field will not match
   * The field value must be `>=` the left `<Number>` and `<=` the right `<Number>`
 * `countrange!=<Number>/<Number>` - Used on fields with numbers; a blank field will not match
   * The field value must be `<` the left `<Number>` or `>` the right `<Number>`
+* `data:<DataSelector>` - Used on fields with text; field value must match some value in `<DataSelector>`; case sensitive
 * `date<Operator><Date>` - Used on fields with dates or times; only the date portion of a time field is compared; a blank field will not match
 * `daterange=<Date>/<Date>` - Used on fields with dates or times; only the date portion of a time field is compared; a blank field will not match
   * The field value must be `>=` the left `<Date>` and `<=` the right `<Date>`
@@ -171,23 +185,25 @@ These are the row value filter types:
   * The field length must be `>=` the left `<Number>` and `<=` the right `<Number>`
 * `lengthrange!=<Number>/<Number>` - Used on fields with strings; non string fields will not match
   * The field length must be `<` the left `<Number>` or `>` the right `<Number>`
+* `notdata:<DataSelector>` - Used on fields with text; field value must not match any value in `<DataSelector>`; case sensitive
+* `notregex:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case insensitive
+* `notregexcs:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case sensitive
+* `regex:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case insensitive
+* `regexcs:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case sensitive
 * `text<Operator><String>` - Used on fields with text
 * `textrange=<String>/<String>` - Used on fields with strings
   * The field value must be `>=` the left `<String>` and `<=` the right `<String>`
 * `textrange!=<String>/<String>` - Used on fields with strings
   * The field value must be `<` the left `<String>` or `>` the right `<String>`
 * `time<Operator><Time>` - Used on fields with times; a blank field will not match
+* `timeofdayrange=<Hour>:<Minute>/<Hour>:<Minute>` - Used on fields with times; a blank field will not match
+  * The field value must be `>=` the left `<Hour>:<Minute>` and `<=` the right `<Hour>:<Minute>`
+* `timeofdayrange!=<Hour>:<Minute>/<Hour>:<Minute>` - Used on fields with times; a blank field will not match
+  * The field value must be `<` the left `<Hour>:<Minute>` or `>` the right `<Hour>:<Minute>`
 * `timerange=<Time>/<Time>` - Used on fields with times; a blank field will not match
   * The field value must be `>=` the left `<Time>` and `<=` the right `<Time>`
 * `timerange!=<Time>/<Time>` - Used on fields with times; a blank field will not match
   * The field value must be `<` the left `<Time>` or `>` the right `<Time>`
-* `boolean:<Boolean>` - Used on fields with Boolean values; a blank field is considered False
-* `regex:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case insensitive
-* `regexcs:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case sensitive
-* `notregex:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case insensitive
-* `notregexcs:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case sensitive
-* `data:<DataSelector>` - Used on fields with text; field value must match some value in `<DataSelector>`; case sensitive
-* `notdata:<DataSelector>` - Used on fields with text; field value must not match any value in `<DataSelector>`; case sensitive
 
 ### **Change in behavior.**
 In versions prior to `5.12.00`, `regex:<RegularExpression>` and `notregex:<RegularExpression>` were processed in a case sensitive manner;

docs/CSV-Output-Filtering.md

@@ -4,6 +4,10 @@
 - [Quoting rules](#quoting-rules)
 - [Column header filtering](#column-header-filtering)
 - [Column row filtering](#column-row-filtering)
+  - [Field names](#field-names)
+  - [Inclusive filters](#inclusive-filters)
+  - [Exclusive filters](#exclusive-filters)
+  - [Matches](#matches)
 - [Column row limiting](#column-row-limiting)
 - [Saving filters in gam.cfg](#saving-filters-in-gamcfg)
 
@@ -44,28 +48,30 @@ on all platforms.
 <FieldNameFilter> :: = <RegularExpression>
 <ColumnFieldNameFilterList> ::= "<FieldNameFilter>(,<FieldNameFilter>)*"
 <RowValueFilter> ::=
-        [(any|all):]count<Operator><Number>|
-        [(any|all):]countrange=<Number>/<Number>|
-        [(any|all):]countrange!=<Number>/<Number>|
-        [(any|all):]date<Operator><Date>|
-        [(any|all):]textrange=<String>/<String>|
-        [(any|all):]textrange!=<String>/<String>|
-        [(any|all):]daterange=<Date>/<Date>|
-        [(any|all):]daterange!=<Date>/<Date>|
-        [(any|all):]length<Operator><Number>|
-        [(any|all):]lengthrange=<Number>/<Number>|
-        [(any|all):]lengthrange!=<Number>/<Number>|
-        [(any|all):]text<Operator><String>|
-        [(any|all):]time<Operator><Time>|
-        [(any|all):]timerange=<Time>/<Time>|
-        [(any|all):]timerange!=<Time>/<Time>|
         [(any|all):]boolean:<Boolean>|
-        [(any|all):]regex:<RegularExpression>|
-        [(any|all):]regexcs:<RegularExpression>|
+        [(any|all):]count<Operator><Number>|
+        [(any|all):]countrange!=<Number>/<Number>|
+        [(any|all):]countrange=<Number>/<Number>|
+        [(any|all):]data:<DataSelector>|
+        [(any|all):]date<Operator><Date>|
+        [(any|all):]daterange!=<Date>/<Date>|
+        [(any|all):]daterange=<Date>/<Date>|
+        [(any|all):]length<Operator><Number>|
+        [(any|all):]lengthrange!=<Number>/<Number>|
+        [(any|all):]lengthrange=<Number>/<Number>|
+        [(any|all):]notdata:<DataSelector>
         [(any|all):]notregex:<RegularExpression>|
         [(any|all):]notregexcs:<RegularExpression>|
-        [(any|all):]data:<DataSelector>|
-        [(any|all):]notdata:<DataSelector>
+        [(any|all):]regex:<RegularExpression>|
+        [(any|all):]regexcs:<RegularExpression>|
+        [(any|all):]text<Operator><String>|
+        [(any|all):]textrange!=<String>/<String>|
+        [(any|all):]textrange=<String>/<String>|
+        [(any|all):]time<Operator><Time>|
+        [(any|all):]timeofdayrange!=<Hour>:<Minute>/<Hour>:<Minute>|
+        [(any|all):]timeofdayrange=<Hour>:<Minute>/<Hour>:<Minute>|
+        [(any|all):]timerange!=<Time>/<Time>|
+        [(any|all):]timerange=<Time>/<Time>|
 <RowValueFilterList> ::=
         "'<FieldNameFilter>:<RowValueFilter>'(,'<FieldNameFilter>:<RowValueFilter>')*"
 <RowValueFilterJSONList> ::=
@@ -83,13 +89,16 @@ Name:value form.
 * If `<FieldNameFilter>` contains a `:` or a space, it should be enclosed in `\"`.
 * If `<RegularExpression>` or `<DataSelector>` in `<RowValueFilter>` contain a space, it should be enclosed in `\"`.
 * If `<FieldNameFilter>` or `<RegularExpression>` in `<RowValueFilter>` contain a `\` to escape a special character
-or enter a special sequence, enter `\\\`.
+or enter a special sequence, enter `\\\` on Linux and Mac OS, `\\` on Windows,
 
-Example:
+Examples:
 ```
 csv_output_row_filter "'\"accounts:used_quota_in_mb\":count>15000'"
 csv_output_row_filter "'email:data:\"csvfile gsheet:email user@domain.com FileID Sheet1\"'"
+Linux and Mac OS
 csv_output_row_filter "'phones.\\\d+.value:regex:(?:^\\\(510\\\) )|(?:^510[- ])\\\d{3}-\\\d{4}'"
+Windows
+csv_output_row_filter "'phones.\\d+.value:regex:(?:^\\(510\\) )|(?:^510[- ])\\d{3}-\\d{4}'"
 ```
 JSON form.
 ```
@@ -113,7 +122,7 @@ where you get more columns than is desirable.
 * `csv_output_header_filter` - Used to select the column headers to include in the output
 * `csv_output_header_drop_filter` - Used to select the column headers to exclude from the output
 
-Typically, you would use the option that involes typing the fewest column names but both options can be used.
+Typically, you would use the option that involves typing the fewest column names but both options can be used.
 When both options are used, `csv_output_header_drop_filter` is processed first, then `csv_output_header_filter`.
 
 Field names are specified by regular expressions; at its simplest, you specify a complete field name.
@@ -214,11 +223,13 @@ In the case of `notregex|notregexcs|notdata`, the filter matches if some (not al
 If neither `any` or `all` is explicitly specified, `any` is the default.
 
 These are the row value filter types:
+* `boolean:<Boolean>` - Used on fields with Boolean values; a blank field is considered False
 * `count<Operator><Number>` - Used on fields with numbers; a blank field will not match
 * `countrange=<Number>/<Number>` - Used on fields with numbers; a blank field will not match
   * The field value must be `>=` the left `<Number>` and `<=` the right `<Number>`
 * `countrange!=<Number>/<Number>` - Used on fields with numbers; a blank field will not match
   * The field value must be `<` the left `<Number>` or `>` the right `<Number>`
+* `data:<DataSelector>` - Used on fields with text; field value must match some value in `<DataSelector>`; case sensitive
 * `date<Operator><Date>` - Used on fields with dates or times; only the date portion of a time field is compared; a blank field will not match
 * `daterange=<Date>/<Date>` - Used on fields with dates or times; only the date portion of a time field is compared; a blank field will not match
   * The field value must be `>=` the left `<Date>` and `<=` the right `<Date>`
@@ -229,23 +240,25 @@ These are the row value filter types:
   * The field length must be `>=` the left `<Number>` and `<=` the right `<Number>`
 * `lengthrange!=<Number>/<Number>` - Used on fields with strings; non string fields will not match
   * The field length must be `<` the left `<Number>` or `>` the right `<Number>`
+* `notdata:<DataSelector>` - Used on fields with text; field value must not match any value in `<DataSelector>`; case sensitive
+* `notregex:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case insensitive
+* `notregexcs:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case sensitive
+* `regex:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case insensitive
+* `regexcs:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case sensitive
 * `text<Operator><String>` - Used on fields with text
 * `textrange=<String>/<String>` - Used on fields with strings
   * The field value must be `>=` the left `<String>` and `<=` the right `<String>`
 * `textrange!=<String>/<String>` - Used on fields with strings
   * The field value must be `<` the left `<String>` or `>` the right `<String>`
 * `time<Operator><Time>` - Used on fields with times; a blank field will not match
+* `timeofdayrange=<Hour>:<Minute>/<Hour>:<Minute>` - Used on fields with times; a blank field will not match
+  * The field value must be `>=` the left `<Hour>:<Minute>` and `<=` the right `<Hour>:<Minute>`
+* `timeofdayrange!=<Hour>:<Minute>/<Hour>:<Minute>` - Used on fields with times; a blank field will not match
+  * The field value must be `<` the left `<Hour>:<Minute>` or `>` the right `<Hour>:<Minute>`
 * `timerange=<Time>/<Time>` - Used on fields with times; a blank field will not match
   * The field value must be `>=` the left `<Time>` and `<=` the right `<Time>`
 * `timerange!=<Time>/<Time>` - Used on fields with times; a blank field will not match
   * The field value must be `<` the left `<Time>` or `>` the right `<Time>`
-* `boolean:<Boolean>` - Used on fields with Boolean values; a blank field is considered False
-* `regex:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case insensitive
-* `regexcs:<RegularExpression>` - Used on fields with text; field value must match `<RegularExpression>`; case sensitive
-* `notregex:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case insensitive
-* `notregexcs:<RegularExpression>` - Used on fields with text; field value must not match `<RegularExpression>`; case sensitive
-* `data:<DataSelector>` - Used on fields with text; field value must match some value in `<DataSelector>`; case sensitive
-* `notdata:<DataSelector>` - Used on fields with text; field value must not match any value in `<DataSelector>`; case sensitive
 
 ### **Change in behavior.**
 In versions prior to `5.12.00`, `regex:<RegularExpression>` and `notregex:<RegularExpression>` were processed in a case sensitive manner;

docs/Calendars-Events.md

@@ -176,8 +176,10 @@ Client access works when accessing Resource calendars.
 <AttendeeStatus> ::= accepted|declined|needsaction|tentative
 
 <EventType> ::=
+        birthday|
         default|
         focustime|
+        fromgmail|
         outofoffice|
         workinglocation
 <EventTypeList> ::= "<EventType>(,<EventType>)*"
@@ -196,6 +198,9 @@ Client access works when accessing Resource calendars.
 
 <EventMatchProperty> ::=
         (matchfield attendees <EmailAddressEntity>)|
+        (matchfield attendeesonlydomainlist <DomainNameList>)|
+        (matchfield attendeesdomainlist <DomainNameList>)|
+        (matchfield attendeesnotdomainlist <DomainNameList>)|
         (matchfield attendeespattern <RegularExpression>)|
         (matchfield attendeesstatus [<AttendeeAttendance>] [<AttendeeStatus>] <EmailAddressEntity>)|
         (matchfield creatoremail <RegularExpression>)|
@@ -216,7 +221,6 @@ Client access works when accessing Resource calendars.
         (event|events <EventIdList> |
         <FileSelector> | <CSVFileSelector> | <CSVkmdSelector> | <CSVSubkeySelector> | <CSVDataSelector>)
         See: https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Items
-
 <EventSelectEntity> ::=
         (<EventSelectProperty>+ <EventMatchProperty>*)
 
@@ -229,6 +233,7 @@ Client access works when accessing Resource calendars.
         lavender|peacock|sage|tangerine|tomato
 <PropertyKey> ::= <String>
 <PropertyValue> ::= <String>
+<TimeZone> ::= <String>
 
 <EventAttribute> ::=
         (allday <Date>)|
@@ -237,6 +242,7 @@ Client access works when accessing Resource calendars.
         (attendee <EmailAddress>)|
         (attendeestatus [<AttendeeAttendance>] [<AttendeeStatus>] <EmailAddress>)|
         available|
+        (birthday <Date>)|
         (color <EventColorName>)|
         (colorindex|colorid <EventColorIndex>)|
         (description <String>)|
@@ -257,7 +263,7 @@ Client access works when accessing Resource calendars.
         (privateproperty <PropertyKey> <PropertyValue>)|
         (range <Date> <Date>)|
         (recurrence <RRULE, EXRULE, RDATE and EXDATE line>)|
-        (reminder <Number> email|popup))|
+        (reminder <Number> email|popup)|
         (selectattendees [<AttendeeAttendance>] [<AttendeeStatus>] <UserTypeEntity>)|
         (sequence <Integer>)|
         (sharedproperty <PropertyKey> <PropertyValue>)|
@@ -343,7 +349,7 @@ If none of the following options are selected, all events are selected.
 * `<EventSelectProperty>* <EventMatchProperty>*` - Properties used to select events
 
 The Google Calendar API processes `<EventSelectProperty>*`; you may specify none or multiple properties.
-* `after|starttime|timemin <Time>` - Lower bound (inclusive) for an event's end time to filter by. If timeMax is set, timeMin must be smaller than timeMax.
+* `after|starttime|timemin <Time>` - Lower bound (exclusive) for an event's end time to filter by. If timeMax is set, timeMin must be smaller than timeMax.
 * `before|endtime|timemax <Time>` - Upper bound (exclusive) for an event's start time to filter by. If timeMin is set, timeMax must be greater than timeMin.
 * `eventtypes <EventTypeList>` - Select events based on their type.
 * `query <QueryCalendar>` - Free text search terms to find events that match these terms in any field, except for extended properties
@@ -356,7 +362,15 @@ The Google Calendar API processes `<EventSelectProperty>*`; you may specify none
 
 GAM processes `<EventMatchProperty>*`; you may specify none or multiple properties.
 * `matchfield attendees <EmailAddressEntity>` - All of the attendees in `<EmailAddressEntity>` must be present
-* `matchfield attendeespattern <RegularExpression>` - Some attendee must match `<RegularExpression>`
+* `matchfield attendeesonlydomainlist <DomainNameList>` - All attendee's email addresses must be in a domain in `<DomainNameList>`
+  * For example, this lets you look for events with all attendees in your internal domains. You should include `resource.calendar.google.com`
+    in `<DomainNameList>` if the events use resources.
+* `matchfield attendeesdomainlist <DomainNameList>` - Some attendee's email address must be in a domain in `<DomainNameList>`
+  * For example, this lets you look for events with attendees in specific external domains
+* `matchfield attendeesnotdomainlist <DomainNameList>` - Some attendee's email address must be in a domain not in `<DomainNameList>`
+  * For example, this lets you look for events with attendees not in your internal domains. You should include `resource.calendar.google.com`
+    in `<DomainNameList>` if the events use resources.
+* `matchfield attendeespattern <RegularExpression>` - Some attendee's email address must match `<RegularExpression>`
 * `matchfield attendeesstatus [<AttendeeAttendance>] [<AttendeeStatus>] <EmailAddressEntity>` - All of the attendees in `<EmailAddressEntity>` must be present
 and must have the specified values.
     * `<AttendeeAttendance>` - Default is `required`

docs/Chat-Bot.md

@@ -47,6 +47,64 @@ This Wiki page was built directly from Jay Lee's Wiki page; my sincere thanks fo
 <ChatMessageID> ::= client-<String>
         <String> must contain only lowercase letters, numbers, and hyphens up to 56 characters in length.
 ```
+```
+<ChatSpaceFieldName> ::=
+        accesssettings|
+        admininstalled|
+        createtime|
+        displayname|
+        externaluserallowed|
+        importmode|
+        lastactivetime|
+        membershipcount|
+        name|
+        singleuserbotdm|
+        spacedetails|
+        spacehistorystate|
+        spacethreadingstate|threaded|
+        spacetype|type|
+        spaceuri
+<ChatSpaceFieldNameList> ::= "<ChatSpaceFieldName>(,<ChatSpaceFieldName>)*"
+
+<ChatMemberFieldName> ::=
+        createtime|
+        deletetime|
+        groupmember|
+        member|
+        name|
+        role|
+        state|
+<ChatMemberFieldNameList> ::= "<ChatMemberFieldName>(,<ChatMemberFieldName>)*"
+
+<ChatMessageFieldName> ::=
+        accessorywidgets|
+        actionresponse|
+        annotations|
+        argumenttext|
+        attachedgifs|
+        attachment|
+        cards|
+        cardsv2|
+        clientassignedmessageid|
+        createtime|
+        deletetime|
+        deletionmetadata|
+        emojireactionsummaries|
+        fallbacktext|
+        formattedtext|
+        lastupdatetime|
+        matchedurl|
+        name|
+        privatemessageviewer|
+        quotedmessagemetadata|
+        sender|
+        slashcommand|
+        space|
+        text|
+        thread|
+        threadreply
+<ChatMessageFieldNameList> ::= "<ChatMessageFieldName>(,<ChatMessageFieldName>)*"
+```
 
 ## Set up a Chat Bot
 Since GAM 6.04.00, GAM is capable of acting as a Chat Bot and sending messages to Chat Rooms or direct messages to users. You first need to configure your Chat Bot.
@@ -69,6 +127,7 @@ At first you'll have no spaces listed. Try [finding your bot and chatting it](ht
 ### Display information about a specific chat space
 ```
 gam info chatspace space <ChatSpace>
+        [fields <ChatSpaceFieldNameList>]
         [formatjson]
 ```
 By default, Gam displays the information as an indented list of keys and values.
@@ -77,6 +136,7 @@ By default, Gam displays the information as an indented list of keys and values.
 ### Display information about all chat spaces
 ```
 gam show chatspaces
+        [fields <ChatSpaceFieldNameList>]
         [formatjson]
 ```
 By default, Gam displays the information as an indented list of keys and values.
@@ -84,11 +144,12 @@ By default, Gam displays the information as an indented list of keys and values.
 
 ```
 gam print chatspaces [todrive <ToDriveAttribute>*]
+        [fields <ChatSpaceFieldNameList>]
         [formatjson [quotechar <Character>]]
 ```
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.
-
+`
 By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
 the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
 When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
@@ -101,6 +162,7 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 ### Display information about a specific chat member
 ```
 gam info chatmember member <ChatMember>
+        [fields <ChatMemberFieldNameList>]
         [formatjson]
 ```
 By default, Gam displays the information as an indented list of keys and values.
@@ -110,6 +172,7 @@ By default, Gam displays the information as an indented list of keys and values.
 ```
 gam show chatmembers space <ChatSpace>
         [showinvited [<Boolean>]] [showgroups [<Boolean>]] [filter <String>]
+        [fields <ChatMemberFieldNameList>]
         [formatjson]
 ```
 By default, Gam displays the information as an indented list of keys and values.
@@ -118,6 +181,7 @@ By default, Gam displays the information as an indented list of keys and values.
 ```
 gam print chatmembers [todrive <ToDriveAttribute>*] space <ChatSpace>
         [showinvited [<Boolean>]] [showgroups [<Boolean>]] [filter <String>]
+        [fields <ChatMemberFieldNameList>]
         [formatjson [quotechar <Character>]]
 ```
 
@@ -238,6 +302,7 @@ Display the given Chat message.
 
 ```
 gam info chatmessage name <ChatMessage>
+        [fields <ChatMessageFieldNameList>]
         [formatjson]
 ```
 By default, Gam displays the information as an indented list of keys and values.

docs/Chrome-Browser-Cloud-Management.md

@@ -130,7 +130,7 @@ If you have a CSV file, UpdateBrowsers.csv with two columns: deviceId,notes
 this command will add a new line of notes to the front of the existing notes:
 
 ```
-gam csv UpdateBrowsers.csv gam update browser ~deviceId updatenotes "~~notes~~\n#notes#"
+gam csv UpdateBrowsers.csv gam update browser "~deviceId" updatenotes "~~notes~~\n#notes#"
 ```
 
 ## Move Chrome browsers from one OU to another
@@ -193,7 +193,8 @@ Select the fields to be displayed:
 * `annotated` - Display these fields: deviceId,annotatedAssetId,annotatedLocation,annotatedNotes,annotatedUser
 * `basic` - Display all fields except: browsers, lastDeviceUsers, lastStatusReportTime, machinePloicies; this is the default
 * `allfields/full` - Display all fields
-* `<BrowserFieldName>* [fields <BrowserFieldNameList>]` - Displaya selected list of fields
+* `<BrowserFieldName>* [fields <BrowserFieldNameList>]` - Display a selected list of fields
+  * Note that `ou, org and orgunit` are both command line options and field names; use `fields` to include them in the selected list of fields
 
 By default, Gam displays the information as an indented list of keys and values:
 - `formatjson` - Display the fields in JSON format.
@@ -232,7 +233,8 @@ Select the fields to be displayed:
 * `annotated` - Display these fields: deviceId,annotatedAssetId,annotatedLocation,annotatedNotes,annotatedUser
 * `basic` - Display all fields except: browsers, lastDeviceUsers, lastStatusReportTime, machinePloicies; this is the default
 * `allfields/full` - Display all fields
-* `<BrowserFieldName>* [fields <BrowserFieldNameList>]` - Displaya selected list of fields
+* `<BrowserFieldName>* [fields <BrowserFieldNameList>]` - Display a selected list of fields
+  * Note that `ou, org and orgunit` are both command line options and field names; use `fields` to include them in the selected list of fields
 
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format:
 * `formatjson` - Display the fields in JSON format.

docs/Chrome-Installed-Apps.md

@@ -1,12 +1,11 @@
 # Chrome Installed Apps Counts
 
-- [Chrome Policies](#chrome-policies)
-  - [API documentation](#api-documentation)
-  - [Definitions](#definitions)
-  - [Quoting rules](#quoting-rules)
-  - [Display Chrome installed app details](#display-chrome-installed-app-details)
-  - [Display Chrome installed apps counts](#display-chrome-installed-apps-counts)
-  - [Display Chrome devices with a specific installed application](#display-chrome-devices-with-a-specific-installed-application)
+- [API documentation](#api-documentation)
+- [Definitions](#definitions)
+- [Quoting rules](#quoting-rules)
+- [Display Chrome installed app details](#display-chrome-installed-app-details)
+- [Display Chrome installed apps counts](#display-chrome-installed-apps-counts)
+- [Display Chrome devices with a specific installed application](#display-chrome-devices-with-a-specific-installed-application)
 
 ## API documentation
 

docs/ChromeOS-Devices.md

@@ -71,7 +71,7 @@ gam <Command> cros <CrOSEntity> ...
 ```
 The first form allows more powerful selection of devices with `<CrOSTypeEntity>`.
 
-The second form is backwards compatible with Standard GAM and selection with `<CrOSEntity>` is limited.
+The second form is backwards compatible with Legacy GAM and selection with `<CrOSEntity>` is limited.
 
 ## Definitions
 * [`<CrOSTypeEntity>`](Collections-of-ChromeOS-Devices)
@@ -105,7 +105,10 @@ The second form is backwards compatible with Standard GAM and selection with `<C
         annotatedlocation|location|
         annotateduser|user|
         autoupdateexpiration|
+        autoupdatethrough|
+        backlightinfo|
         bootmode|
+        cpuinfo|
         cpustatusreports|
         deprovisionreason|
         devicefiles|
@@ -115,6 +118,9 @@ The second form is backwards compatible with Standard GAM and selection with `<C
         dockmacaddress|
         ethernetmacaddress|
         ethernetmacaddress0|
+        extendedsupporteligible|
+        extendedsupportstart|
+        extendedsupportenabled|
         firmwareversion|
         firstenrollmenttime|
         lastdeprovisiontimestamp|
@@ -247,6 +253,9 @@ Enter `id:` as the operator. For example, if you are searching for the serial nu
 
 Partial serial number searches are supported, as long as you enter at least three characters in the serial number.
 
+All serial number searches are partial, be careful that you don't enter a partial serial number by mistake
+when actioning/modifying devices as you will affect multiple devices rather than the single desired device.
+
 ### Status
 To view all provisioned or deprovisioned devices, select the status from the left drop-down, and all of the devices that fit this criterion will appear in the view. Alternatively, you can do the following searches from the All devices view:
 
@@ -358,7 +367,7 @@ If you have a CSV file, UpdateCrOS.csv with two columns: deviceId,notes
 this command will add a new line of notes to the front of the existing notes:
 
 ```
-gam csv UpdateCrOS.csv gam update cros ~deviceId updatenotes "~~notes~~\n#notes#"
+gam csv UpdateCrOS.csv gam update cros "~deviceId" updatenotes "~~notes~~\n#notes#"
 ```
 
 ## Add ChromeOS devices to an organizational unit
@@ -385,7 +394,7 @@ given if invalid CrOS deviceIds are specified.
 ### Example: Add ChromeOS devices to a single OU
 Suppose you have a CSV file cros.csv with a single column: deviceId
 ```
-gam update ou /Students/2022 add cros_csvfile cros.csv:deviceId quickcrosmove
+gam update ou /Students/2022 add croscsvfile cros.csv:deviceId quickcrosmove
 ```
 
 ### Example: Add ChromeOS devices to multiple OUs
@@ -459,7 +468,7 @@ gam getcommand cros <CrOSEntity> commandid <CommandID> [times_to_check_status <I
 ### Action Examples
 Remove user profile data from the device; the device will remain enrolled and connected.
 User data not synced to the Cloud including Downloads, Android app data and Crostini Linux VMs will be permanently lost.
-Commands with issuecommand directly after gam will work with standard GAM & GAMADV-XTD3, whereas commands where the issuecommand is after the cros <CrOSTypeEntity> will work only with GAMADV-XTD3. 
+Commands with issuecommand directly after gam will work with Legacy GAM & GAM7, whereas commands where the issuecommand is after the cros <CrOSTypeEntity> will work only with GAM7. 
 ```
 gam issuecommand cros dd1d659a-0ea4-4e94-905e-4726c7a5f1e9 command wipe_users doit
 ```
@@ -551,6 +560,7 @@ gam print cros [todrive <ToDriveAttribute>*]
         [start <Date>] [end <Date>] [listlimit <Number>]
         [reverselists <CrOSListFieldNameList>]
         [timerangeorder ascending|descending] [showdvrsfp]
+        (addcsvdata <FieldName> <String>)*
         [sortheaders]
         [formatjson [quotechar <Character>]]
 ```
@@ -593,6 +603,9 @@ otherwise, the remaining field names will appear in the order specified.
 - `timerangeorder descending` - Change the `activetimeranges` order from ascending (oldest to newest) to descending (newest to oldest); this makes it easy to get the `N` most recent values with `timeranges listlimit N timerangeorder descending`.
 - `showdvrsfp` - Display a field `diskVolumeReports.volumeInfo.storageFreePercentage` which is calculated as: `(diskVolumeReports.volumeInfo.storageFree/diskVolumeReports.volumeInfo.storageTotal)*100`
 
+Add additional columns of data from the command line to the output
+* `addcsvdata <FieldName> <String>`
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format:
 
 - `formatjson` - Display the fields in JSON format.
@@ -615,6 +628,7 @@ gam <CrOSTypeEntity> print cros [todrive <ToDriveAttribute>*]
         [start <Date>] [end <Date>] [listlimit <Number>]
         [reverselists <CrOSListFieldNameList>]
         [timerangeorder ascending|descending] [showdvrsfp]
+        (addcsvdata <FieldName> <String>)*
         [sortheaders]
         [formatjson [quotechar <Character>]]
 
@@ -643,6 +657,9 @@ otherwise, the remaining field names will appear in the order specified.
 - `timerangeorder descending` - Change the `activetimeranges` order from ascending (oldest to newest) to descending (newest to oldest); this makes it easy to get the `N` most recent values with `timeranges listlimit N timerangeorder descending`.
 - `showdvrsfp` - Display a field `diskVolumeReports.volumeInfo.storageFreePercentage` which is calculated as: `(diskVolumeReports.volumeInfo.storageFree/diskVolumeReports.volumeInfo.storageTotal)*100`
 
+Add additional columns of data from the command line to the output
+* `addcsvdata <FieldName> <String>`
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format:
 
 - `formatjson` - Display the fields in JSON format.
@@ -842,7 +859,7 @@ gam redirect stdout ./CrOSDeviceFiles.out redirect stderr stdout csvkmd cros ./C
 Download the device files in parallel.
 
 ```
-gam redirect stdout ./CrOSDeviceFiles.out multiprocess redirect stderr stdout csv ./CrOSDeviceFiles.csv matchfield deviceFiles.type LOG_FILE gam cros ~deviceId get devicefile select ~deviceFiles.createTime
+gam redirect stdout ./CrOSDeviceFiles.out multiprocess redirect stderr stdout csv ./CrOSDeviceFiles.csv matchfield deviceFiles.type LOG_FILE gam cros "~deviceId" get devicefile select "~deviceFiles".createTime
 ```
 
 Suppose you want only the last device file for each Chromebook.

docs/Classroom-Courses.md

@@ -134,6 +134,7 @@ gam user user@domain.com check|update serviceaccount
         creationtime|
         creator|creatoruserid|
         id|
+        individualstudentsoptions|
         materials|
         scheduledtime|
         state|
@@ -154,6 +155,7 @@ gam user user@domain.com check|update serviceaccount
         creator|creatoruserid|
         description|
         id|
+        individualstudentsoptions|
         materials|
         scheduledtime|
         state|
@@ -179,6 +181,7 @@ gam user user@domain.com check|update serviceaccount
         duedate|
         duetime|
         id|
+        individualstudentsoptions|
         materials|
         maxpoints|
         scheduledtime|
@@ -187,6 +190,7 @@ gam user user@domain.com check|update serviceaccount
         title|
         topicid|
         updatetime|
+        workid|
         worktype
 <CourseWorkFieldNameList> ::= "<CourseWorkFieldName>(,<CourseWorkFieldName>)*"
 
@@ -270,10 +274,14 @@ The options `name <String>` and `teacher <UserItem>` are required when creating
 gam create|add course [id|alias <CourseAlias>] <CourseAttribute>*
         [copyfrom <CourseID>
             [announcementstates <CourseAnnouncementStateList>]
+                [individualstudentannouncements copy|delete|maptoall]
             [materialstates <CourseMaterialStateList>]
+                [individualstudentmaterials copy|delete|maptoall]
             [workstates <CourseWorkStateList>]
+                [individualstudentcoursework copy|delete|maptoall]
                 [removeduedate [<Boolean>]]
                 [mapsharemodestudentcopy edit|none|view]
+            [individualstudentassignments copy|delete|maptoall]
             [copymaterialsfiles [<Boolean>]]
             [copytopics [<Boolean>]]
             [markdraftaspublished [<Boolean>]]
@@ -284,10 +292,14 @@ gam create|add course [id|alias <CourseAlias>] <CourseAttribute>*
 gam update course <CourseID> <CourseAttribute>+
         [copyfrom <CourseID>
             [announcementstates <CourseAnnouncementStateList>]
+                [individualstudentannouncements copy|delete|maptoall]
             [materialstates <CourseMaterialStateList>]
+                [individualstudentmaterials copy|delete|maptoall]
             [workstates <CourseWorkStateList>]
+                [individualstudentcoursework copy|delete|maptoall]
                 [removeduedate [<Boolean>]]
                 [mapsharemodestudentcopy edit|none|view]
+            [individualstudentassignments copy|delete|maptoall]
             [copymaterialsfiles [<Boolean>]]
             [copytopics [<Boolean>]]
             [markdraftaspublished [<Boolean>]]
@@ -297,10 +309,14 @@ gam update course <CourseID> <CourseAttribute>+
 gam update courses <CourseEntity> <CourseAttribute>+
         [copyfrom <CourseID>
             [announcementstates <CourseAnnouncementStateList>]
+                [individualstudentannouncements copy|delete|maptoall]
             [materialstates <CourseMaterialStateList>]
+                [individualstudentmaterials copy|delete|maptoall]
             [workstates <CourseWorkStateList>]
+                [individualstudentcoursework copy|delete|maptoall]
                 [removeduedate [<Boolean>]]
                 [mapsharemodestudentcopy edit|none|view]
+            [individualstudentassignments copy|delete|maptoall]
             [copymaterialsfiles [<Boolean>]]
             [copytopics [<Boolean>]]
             [markdraftaspublished [<Boolean>]]
@@ -311,12 +327,25 @@ gam update courses <CourseEntity> <CourseAttribute>+
 `copyfrom <CourseID>` allows copying of course announcements, work, topics and members from one course to another.
 * Accouncements - By default, no course announcements are copied
     * `announcementstates <CourseAnnouncementStateList>` - Copy class announcements with the specified states
+        * `individualstudentannouncements copy` - Copy individual student announcements; this is the default. You will get an error if a student is not a member of the course
+        * `individualstudentannouncements delete` - Delete individual student announcements
+        * `individualstudentannouncements maptoall` - Map individual student announcements to all student announcements
 * Materials - By default, no course materials are copied
     * `materialstates <CourseMaterialsStateList>` - Copy class materials with the specified states
+        * `individualstudentmaterials copy` - Copy individual student materials; this is the default. You will get an error if a student is not a member of the course
+        * `individualstudentmaterials delete` - Delete individual student materials
+        * `individualstudentmaterials maptoall` - Map individual student materials to all student materials
 * Work - By default, no course work is copied
     * `workstates <CourseWorkStateList>` - Copy class work with the specified states
+        * `individualstudentcoursework copy` - Copy individual student coursework; this is the default. You will get an error if the student is not a member of the course
+        * `individualstudentcoursework delete` - Delete individual student coursework
+        * `individualstudentcoursework maptoall` - Map individual student coursework to all student coursework
         * `removeduedate false` - Remove due dates before the current time; this is the default
         * `removeduedate|removeduedate true` - Remove all due dates
+* For convenience, setting `individualstudentassignments` sets all the following to the same value:
+    * `individualstudentannouncements`
+    * `individualstudentmaterials`
+    * `individualstudentcoursework`
 * Announcements, Materials and Work Materials files
     * `copymaterialsfiles false` - Copy links to files referenced by materials in the `copyfrom` course; this is the default
     * `copymaterialsfiles|copymaterialsfiles true` - Copy files referenced by materials in the `copyfrom` course
@@ -348,7 +377,7 @@ Drive files with `shareMode` `Each student will get a copy` don't seem to be abl
 
 ## Delete courses
 Classes can only be deleted when they are in the ARCHIVED state; to delete a class, you can update its state to ARCHIVED
-and then delete it or you can specify that it be archived as part of the delete command.
+and then delete it or you can specify that it be archived as parot of the delete command.
 ```
 gam delete course <CourseID> [archived]
 gam delete courses <CourseEntity> [archived]
@@ -466,8 +495,9 @@ gam print course-announcements [todrive <ToDriveAttribute>*]
         (course|class <CourseEntity>)*|([teacher <UserItem>] [student <UserItem>] states <CourseStateList>])
         (courseannouncementids <CourseAnnouncementIDEntity>)|(announcementstates <CourseAnnouncementStateList>)*
         (orderby <CourseAnnouncementOrderByFieldName> [ascending|descending])*)
-        [creatoremail] [fields <CourseAnnouncementFieldNameList>] [formatjson [quotechar <Character>]]
+        [creatoremail] [fields <CourseAnnouncementFieldNameList>]
         [timefilter creationtime|updatetime|scheduledtime] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
+        [countsonly] [formatjson [quotechar <Character>]]
 ```
 By default, the `print course-announcements` command displays course announcement information for all courses.
 
@@ -496,6 +526,8 @@ By default, all course announcement fields are displayed; use the following opti
 * `creatoremail` - Display course announcement creator email; requires an additional API call per course announcement.
 * `fields <CourseAnnouncementFieldNameList>` - Select specific fields to display.
 
+Use the `countsonly` option to display the number of announcements in a course but not their details.
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.
 
@@ -511,8 +543,9 @@ gam print course-materials [todrive <ToDriveAttribute>*]
         (course|class <CourseEntity>)*|([teacher <UserItem>] [student <UserItem>] states <CourseStateList>])
         (materialids <CourseMaterialIDEntity>)|(materialstates <CourseMaterialStateList>)*
         (orderby <CourseMaterialOrderByFieldName> [ascending|descending])*)
-        [showcreatoremails|creatoremail] [showtopicnames] [fields <CourseMaterialFieldNameList>] [formatjson [quotechar <Character>]]
+        [showcreatoremails|creatoremail] [showtopicnames] [fields <CourseMaterialFieldNameList>]
         [timefilter creationtime|updatetime|scheduledtime] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
+        [countsonly] [formatjson [quotechar <Character>]]
 ```
 By default, the `print course-materials` command displays course materials information for all courses.
 
@@ -542,6 +575,8 @@ By default, all course materials fields are displayed; use the following options
 * `showtopicnames` - Display topic names; requires and additional API call per course.
 * `fields <CourseMaterialsFieldNameList>` - Select specific fields to display.
 
+Use the `countsonly` option to display the number of course materials in a course but not their details.
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.
 
@@ -556,8 +591,8 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 gam print course-topics [todrive <ToDriveAttribute>*]
         (course|class <CourseEntity>)*|([teacher <UserItem>] [student <UserItem>] states <CourseStateList>])
         (coursetopicids <CourseTopicIDEntity>)
-        [formatjson [quotechar <Character>]]
         [timefilter updatetime] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
+        [countsonly] [formatjson [quotechar <Character>]]
 ```
 By default, the `print course-topics` command displays course topic information for all courses.
 
@@ -582,6 +617,8 @@ To get information about course topics updated within a particular time frame, u
 * `end|endtime <Date>|<Time>` - specify the end of the time frame; if not specified, the time frame will be open ended at the end
 For the filter to apply, `timefilter` and at least one of `start|starttime` and `end|endtime` must be specified.
 
+Use the `countsonly` option to display the number of topics in a course but not their details.
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.
 
@@ -597,8 +634,10 @@ gam print course-work [todrive <ToDriveAttribute>*]
         (course|class <CourseEntity>)*|([teacher <UserItem>] [student <UserItem>] states <CourseStateList>])
         (workids <CourseWorkIDEntity>)|(workstates <CourseWorkStateList>)*
         (orderby <CourseWorkOrderByFieldName> [ascending|descending])*)
-        [showcreatoremails] [showtopicnames] [fields <CourseWorkFieldNameList>] [formatjson [quotechar <Character>]]
+        [showcreatoremails] [showtopicnames] [fields <CourseWorkFieldNameList>]
+        [showstudentsaslist [<Boolean>]] [delimiter <Character>]
         [timefilter creationtime|updatetime|scheduledtime] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
+        [countsonly] [formatjson [quotechar <Character>]]
 ```
 By default, the `print course-work` command displays course work information for all courses.
 
@@ -619,7 +658,7 @@ To get information about course work created/updated/scheduled within a particul
 * `end|endtime <Date>|<Time>` - specify the end of the time frame; if not specified, the time frame will be open ended at the end
 For the filter to apply, `timefilter` and at least one of `start|starttime` and `end|endtime` must be specified.
 
-By default, all pub`lished course work for a course is displayed; use the following options to select specific course work.
+By default, all published course work for a course is displayed; use the following options to select specific course work.
 * `workids <CourseWorkIDEntity>` - Display course work with the IDs specified in `<CourseWorkIDEntity>`.
 * `workstates <CourseWorkStateList>` - Display course work with any of the specified states.
 
@@ -628,6 +667,11 @@ By default, all course work fields are displayed; use the following options to m
 * `showtopicnames` - Display topic names; requires and additional API call per course.
 * `fields <CourseWorkFieldNameList>` - Select specific fields to display.
 
+By default, when course work is assigned to individual students, the student IDs are displayed in multiple indexed columns.
+Use options `showstudentsaslist [<Boolean>]` and `delimiter <Character>` to display the student IDs is a single column as a delimited list.
+
+Use the `countsonly` option to display the number of course works in a course but not their details.
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.
 
@@ -644,8 +688,9 @@ gam print course-submissions [todrive <ToDriveAttribute>*]
         (workids <CourseWorkIDEntity>)|(workstates <CourseWorkStateList>)*
         (orderby <CourseWorkOrderByFieldName> [ascending|descending])*)
         (submissionids <CourseSubmissionIDEntity>)|(submissionstates <CourseSubmissionStateList>)*) [late|notlate]
-        [fields <CourseSubmissionFieldNameList>] [showuserprofile] [formatjson [quotechar <Character>]]
+        [fields <CourseSubmissionFieldNameList>] [showuserprofile]
         [timefilter creationtime|updatetime] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
+        [countsonly] [formatjson [quotechar <Character>]]
 ```
 By default, the `print course-submissions` command displays course submission information for all course work for all courses.
 
@@ -670,7 +715,7 @@ By default, all course submissions for a course work is displayed; use the follo
 * `late` - Display course submissions marked late.
 * `notlate` - Display course submissions not marked late.
 
-To get information about course submissionss created/updated within a particular time frame, use the following options.
+To get information about course submissions created/updated within a particular time frame, use the following options.
 * `timefilter creationtime|updatetime` - select which event to filter
 * `start|starttime <Date>|<Time>` - specify the start of the time frame; if not specified, the time frame will be open ended at the start
 * `end|endtime <Date>|<Time>` - specify the end of the time frame; if not specified, the time frame will be open ended at the end
@@ -683,6 +728,8 @@ By default, only the numeric userId is displayed; use the `showuserprofile` opti
 You can only get profile information if the scope `https://www.googleapis.com/auth/classroom.profile.emails` is enabled
 for service account access; verify with `gam <UserTypeEntity> update serviceaccount`.
 
+Use the `countsonly` option to display the number of submissions in a course but not their details.
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.
 

docs/Classroom-Invitations.md

@@ -69,7 +69,7 @@ gam redirect stdout ./Invites.out redirect stderr stdout csvkmd users CourseStud
 ```
 This command will invite all students to their courses in parallel
 ```
-gam redirect stdout ./Invites.out multiprocess redirect stderr stdout multiprocess csv CourseStudent.csv gam user ~Student create classroominvitation role student course ~Course
+gam redirect stdout ./Invites.out multiprocess redirect stderr stdout multiprocess csv CourseStudent.csv gam user "~Student" create classroominvitation role student course "~Course"
 ```
 ## Accept classroom invitations by user
 Accept classroom invitations for users.

docs/Cloud-Identity-Groups-Membership.md

@@ -237,10 +237,10 @@ seniors@domain.org,/Students/ClassOf2018
 juniors@domain.org,/Students/ClassOf2019
 ...
 ```
-This allows you to do: `gam csv GradeOU.csv gam update cigroup ~Grade sync members ou ~OU`
+This allows you to do: `gam csv GradeOU.csv gam update cigroup "~Grade" sync members ou "~OU"`
 But suppose that at each grade level there are additional group members that are groups of faculty/staff; e.g., senioradvisors@domain.org.
 In this scenario, you can't do the `update cigroup sync` command as the members that are groups will be deleted; the `usersonly` option allows
-the `update cigroup sync` command to work: `gam csv GradeOU.csv gam update cigroup ~Grade sync members usersonly ou ~OU`
+the `update cigroup sync` command to work: `gam csv GradeOU.csv gam update cigroup "~Grade" sync members usersonly ou "~OU"`
 The users from the OU are matched against the user members of the group and adds/deletes are done as necessary to synchronize them;
 the group members of the group are unaffected.
 

docs/Collections-of-ChromeOS-Devices.md

@@ -50,6 +50,8 @@
 
 <UserGoogleDoc> ::=
         <EmailAddress> <DriveFileIDEntity>|<DriveFileNameEntity>|(<SharedDriveEntity> <SharedDriveFileNameEntity>)
+
+<SheetEntity> ::= <String>|id:<Number>
 <UserGoogleSheet> ::=
         <EmailAddress> <DriveFileIDEntity>|<DriveFileNameEntity>|(<SharedDriveEntity> <SharedDriveFileNameEntity>) <SheetEntity>
 

docs/Collections-of-Items.md

@@ -200,12 +200,17 @@ Data fields identified in a `csvkmd` argument.
         all_shortcuts |
         all_3p_shortcuts |
         all_items |
+        my_docs |
         my_files |
         my_folders |
         my_forms |
         my_google_files |
         my_non_google_files |
+        my_presentations |
+        my_publishable_items |
+        my_sheets |
         my_shortcuts |
+        my_slides |
         my_3p_shortcuts |
         my_items |
         my_top_files |

docs/Collections-of-Users.md

@@ -55,6 +55,8 @@
 
 <UserGoogleDoc> ::=
         <EmailAddress> <DriveFileIDEntity>|<DriveFileNameEntity>|(<SharedDriveEntity> <SharedDriveFileNameEntity>)
+
+<SheetEntity> ::= <String>|id:<Number>
 <UserGoogleSheet> ::=
         <EmailAddress> <DriveFileIDEntity>|<DriveFileNameEntity>|(<SharedDriveEntity> <SharedDriveFileNameEntity>) <SheetEntity>
 ```
@@ -88,8 +90,6 @@
         <SharedDriveIDEntity> |
         <SharedDriveNameEntity>
 
-<SheetEntity> ::= <String>|id:<Number>
-
 <UserTypeEntity> ::=
         (all users|users_ns|users_susp|users_ns_susp)|
         (user <UserItem>)|

docs/Command-Logging-Progress.md

@@ -35,7 +35,7 @@ The log file being written to is always `gam.log`. When this log file is filled,
 
 Commands are logged at completion with a timestamp, return code and the command line
 ```
-2021-08-01T19:350:30.777-07:00,0,/Users/admin/bin/gamadv-xtd3/gam info domain
+2021-08-01T19:350:30.777-07:00,0,/Users/admin/bin/gam7/gam info domain
 ```
 
 Commands that generate sub-commands, `gam batch|tbatch|csv|loop`, log the initial command with a return code of `*`,
@@ -44,14 +44,14 @@ the sub-command lines and the initial command with a numeric return code.
 $ gam redirect stdout usernames.csv multiprocess redirect stderr stdout csv users.csv gam info user "~primaryEmail" quick name
 2021-08-01T19:50:38.151-07:00,0/6,Using 6 processes...
 $ more ~/.gam/gam.log
-2021-08-01T19:50:38.120-07:00,*,/Users/admin/bin/gamadv-xtd3/gam redirect stdout usernames.csv multiprocess redirect stderr stdout csv users.csv showcmds false gam info user ~primaryEmail quick name
+2021-08-01T19:50:38.120-07:00,*,/Users/admin/bin/gam7/gam redirect stdout usernames.csv multiprocess redirect stderr stdout csv users.csv showcmds false gam info user "~primaryEmail" quick name
 2021-08-01T19:50:39.144-07:00,0,gam info user testuser2 quick name
 2021-08-01T19:50:39.358-07:00,0,gam info user testuser3 quick name
 2021-08-01T19:50:39.358-07:00,0,gam info user testuser1 quick name
 2021-08-01T19:50:39.401-07:00,0,gam info user testuser5 quick name
 2021-08-01T19:50:39.459-07:00,56,gam info user testuserx quick name
 2021-08-01T19:50:39.470-07:00,0,gam info user testuser4 quick name
-2021-08-01T19:50:39.483-07:00,0,/Users/admin/bin/gamadv-xtd3/gam redirect stdout usernames.csv multiprocess redirect stderr stdout csv users.csv showcmds false gam info user ~primaryEmail quick name
+2021-08-01T19:50:39.483-07:00,0,/Users/admin/bin/gam7/gam redirect stdout usernames.csv multiprocess redirect stderr stdout csv users.csv showcmds false gam info user "~primaryEmail" quick name
 ```
 
 ## Command Progress

docs/Context-Aware-Access-Levels.md

@@ -23,7 +23,7 @@ gam update project
 ```
 
 ## API documentation
-* https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies/list
+* https://cloud.google.com/access-context-manager/docs/reference/rest/v1/accessPolicies
 
 ## Grant Service Account Rights to Manage CAA
 In order for GAM to manage CAA access levels, you need to grant your service account a special role for your GCP organization.

docs/Domains.md

@@ -5,8 +5,10 @@
 - [Promote a domain to be primary](#promote-a-domain-to-be-primary)
 - [Delete a domain](#delete-a-domain)
 - [Display domains](#display-domains)
+- [Display domains count](#display-domains-count)
 - [Create and delete domain aliases](#create-and-delete-domain-aliases)
 - [Display domain aliases](#display-domain-aliases)
+- [Display domain aliases count](#display-domain-aliases-count)
 
 ## API documentation
 * https://developers.google.com/admin-sdk/directory/reference/rest/v1/domains
@@ -30,15 +32,18 @@ gam delete domain <DomainName>
 ```
 ## Display domains
 ```
-gam info domain [<DomainName>] [formatjson]
-gam show domains [formatjson]
+gam info domain [<DomainName>]
+        [formatjson]
+gam show domains
+        [formatjson]
 ```
 For `info`, if `<DomainName>` is omitted, information about the primary domain will be displayed.
 
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 ```
-gam print domains [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]]
+gam print domains [todrive <ToDriveAttribute>*]
+        [formatjson [quotechar <Character>]]
 ```
 By default, Gam displays the information as columns of fields.
 * `formatjson` - Display the fields in JSON format.
@@ -49,6 +54,13 @@ When using the `formatjson` option, double quotes are used extensively in the da
 The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
 `quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
 
+## Display domains count
+Display the number of domains.
+```
+gam print|show domains
+        showitemcountonly
+```
+
 ## Create and delete domain aliases
 ```
 gam create domainalias|aliasdomain <DomainAlias> <DomainName>
@@ -56,13 +68,16 @@ gam delete domainalias|aliasdomain <DomainAlias>
 ```
 ## Display domain aliases
 ```
-gam info domainalias|aliasdomain <DomainAlias> [formatjson]
-gam show domainaliases|aliasdomains [formatjson] [formatjson [quotechar <Character>]]
+gam info domainalias|aliasdomain <DomainAlias>
+        [formatjson]
+gam show domainaliases|aliasdomains
+        [formatjson]
 ```
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 ```
-gam print domainaliases|aliasdomains [todrive <ToDriveAttribute>*] [formatjson [quotechar <Character>]]
+gam print domainaliases|aliasdomains [todrive <ToDriveAttribute>*]
+        [formatjson [quotechar <Character>]]
 ```
 By default, Gam displays the information as columns of fields.
 * `formatjson` - Display the fields in JSON format.
@@ -73,3 +88,9 @@ When using the `formatjson` option, double quotes are used extensively in the da
 The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
 `quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
 
+## Display domain aliases count
+Display the number of domain aliases.
+```
+gam print|show domainaliases|aliasdomains
+        showitemcountonly
+```

docs/Downloads-Installs-GAM7.md

@@ -0,0 +1,56 @@
+# Downloads-Installs-GAM7
+You can download and install the current GAM7 release from the [GitHub Releases](https://github.com/GAM-team/GAM/releases/latest) page.
+Choose one of the following:
+
+* Executable Archive, Automatic, Linux/Mac OS/Google Cloud Shell/Raspberry Pi/ChromeOS
+  - Start a terminal session and execute one of the following commands:
+  - New install, default path `$HOME/bin`
+    - `bash <(curl -s -S -L https://git.io/gam-install)`
+  - New install, specify a path
+    - `bash <(curl -s -S -L https://git.io/gam-install) -d <Path>`
+  - Update to latest version, do not create project or authorizations, default path `$HOME/bin`
+    - `bash <(curl -s -S -L https://git.io/gam-install) -l`
+  - Update to latest version, do not create project or authorizations, specify a path
+    - `bash <(curl -s -S -L https://git.io/gam-install) -l -d <Path>`
+
+By default, a folder, `gam7`, is created in the default or specified path and the files are downloaded into that folder.
+Add the `-s` option to the end of the above commands to suppress creating the `gam7` folder; the files are downloaded directly into the default or specified path.
+
+* Executable Archive, Manual, Linux/Google Cloud Shell
+  - `gam-7.wx.yz-linux-x86_64-glibc2.35.tar.xz`
+  - `gam-7.wx.yz-linux-x86_64-glibc2.31.tar.xz`
+  - `gam-7.wx.yz-linux-x86_64-legacy.tar.xz`
+  - Download the archive, extract the contents into some directory.
+  - Start a terminal session.
+
+* Executable Archive, Manual, Raspberry Pi/ChromeOS ARM devices
+  - `gam-7.wx.yz-linux-aarch-glibc2.31.tar.xz`
+  - `gam-7.wx.yz-linux-aarch-legacy.tar.xz`
+  - Download the archive, extract the contents into some directory.
+  - Start a terminal session.
+
+* Executable Archive, Manual, Mac OS versions Big Sur, Monterey, Ventura - M1/M2
+  - `gam-7.wx.yz-macos-aarch.tar.xz`
+  - Download the archive, extract the contents into some directory.
+  - Start a terminal session.
+
+* Executable Archive, Manual, Mac OS, versions Big Sur, Monterey, Ventura - Intel
+  - `gam-7.wx.yz-macos-x86_64.tar.xz`
+  - Download the archive, extract the contents into some directory.
+  - Start a terminal session.
+
+* Executable Archive, Manual, Windows 64 bit
+  - `gam-7.wx.yz-windows-x86_64.zip`
+  - Download the archive, extract the contents into some directory.
+  - Start a Command Prompt/PowerShell session.
+
+* Executable Installer, Manual, Windows 64 bit
+  - `gam-7.wx.yz-windows-x86_64.msi`
+  - Download the installer and run it.
+  - Start a Command Prompt/PowerShell session.
+
+* Source, all platforms
+  - `Source code(zip)`
+  - `Source code(tar.gz)`
+  - Download the archive, extract the contents into some directory.
+  - Start a terminal/Command Prompt/PowerShell session.

docs/Downloads-Installs.md

@@ -1,5 +1,5 @@
-# Downloads
-You can download the current GAMADV-XTD3 release from the [GitHub Releases](https://github.com/taers232c/GAMADV-XTD3/releases) page. Choose one of the following:
+# Downloads-Installs
+You can download and install the current GAM7 release from the [GitHub Releases](https://github.com/taers232c/GAMADV-XTD3/releases) page. Choose one of the following:
 
 * Executable Archive, Automatic, Linux/Mac OS/Google Cloud Shell/Raspberry Pi/ChromeOS
   - Start a terminal session and execute one of the following commands:
@@ -23,52 +23,42 @@ Add the `-s` option to the end of the above commands to suppress creating the `g
   - `gamadv-xtd3-6.wx.yz-linux-x86_64-glibc2.19.tar.xz`
   - `gamadv-xtd3-6.wx.yz-linux-x86_64-legacy.tar.xz`
   - Download the archive, extract the contents into some directory.
-  - Start a terminal session and cd to the install directory.
+  - Start a terminal session.
 
 * Executable Archive, Manual, Raspberry Pi/ChromeOS ARM devices
   - `gamadv-xtd3-6.wx.yz-linux-arm64-glibc2.31.tar.xz`
   - `gamadv-xtd3-6.wx.yz-linux-arm64-glibc2.27.tar.xz`
   - `gamadv-xtd3-6.wx.yz-linux-arm64-glibc2.23.tar.xz`
   - Download the archive, extract the contents into some directory.
-  - Start a terminal session and cd to the install directory.
+  - Start a terminal session.
 
 * Executable Archive, Manual, Mac OS versions Big Sur, Monterey, Ventura - M1/M2
   - `gamadv-xtd3-6.wx.yz-macos-arm64.tar.xz`
   - Download the archive, extract the contents into some directory.
-  - Start a terminal session and cd to the install directory.
+  - Start a terminal session.
 
 * Executable Archive, Manual, Mac OS, versions Big Sur, Monterey, Ventura - Intel
   - `gamadv-xtd3-6.wx.yz-macos-x86_64.tar.xz`
   - Download the archive, extract the contents into some directory.
-  - Start a terminal session and cd to the install directory.
-
-* Executable Archive, Manual, Mac OS, versions prior to Big Sur
-  - `gamadv-xtd3-6.wx.yz-macos-x86_64-legacy.tar`
-  - Download the archive, extract the contents into some directory.
-  - Start a terminal session and cd to the install directory.
+  - Start a terminal session.
 
 * Executable Archive, Manual, Windows 64 bit
   - `gamadv-xtd3-6.wx.yz-windows-x86_64.zip`
   - Download the archive, extract the contents into some directory.
-  - Start a terminal session and cd to the install directory.
+  - Start a Command Prompt/PowerShell session.
 
 * Executable Installer, Manual, Windows 64 bit
   - `gamadv-xtd3-6.wx.yz-windows-x86_64.msi`
   - Download the installer and run it.
-  - Start a Command Prompt/PowerShell session and cd to the install directory.
-
-* Executable Archive, Manual, Windows 32 bit
-  - `gamadv-xtd3-6.wx.yz-windows-x86.zip`
-  - Download the archive, extract the contents into some directory.
-  - Start a terminal session and cd to the install directory.
-
-* Executable Installer, Manual, Windows 32 bit
-  - `gamadv-xtd3-6.wx.yz-windows-x86.msi`
-  - Download the installer and run it.
-  - Start a Command Prompt/PowerShell session and cd to the install directory.
+  - Start a Command Prompt/PowerShell session.
 
+* Winget
+  - `winget install taers232c.GAMADV-XTD3 --location C:\GAMADV-XTD3`
+  - Specify an alternate location if desired
+  - Start a Command Prompt/PowerShell session.
+  
 * Source, all platforms
   - `Source code(zip)`
   - `Source code(tar.gz)`
   - Download the archive, extract the contents into some directory.
-  - Start a terminal/Command Prompt/PowerShell session and cd to the install directory.
+  - Start a terminal/Command Prompt/PowerShell session.

docs/Drive-File-Selection.md

@@ -55,12 +55,17 @@
         all_shortcuts |
         all_3p_shortcuts |
         all_items |
+        my_docs |
         my_files |
         my_folders |
         my_forms |
         my_google_files |
         my_non_google_files |
+        my_presentations |
+        my_publishable_items |
+        my_sheets |
         my_shortcuts |
+        my_slides |
         my_3p_shortcuts |
         my_items |
         my_top_files |
@@ -78,7 +83,7 @@
 
 <SharedDriveID> ::= <String>
 <SharedDriveName> ::= <String>
-<SharedDriveIDEntity> ::= (teamdriveid <DriveFileItem>) | (teamdriveid:<DriveFileItem>)
+<SharedDriveIDEntity> ::= (teamdriveid <SharedDriveID>) | (teamdriveid:<SharedDriveID>)
 <SharedDriveNameEntity> ::= (teamdrive <SharedDriveName>) | (teamdrive:<SharedDriveName>)
 <SharedDriveFileNameEntity> ::= (teamdrivefilename <DriveFileName>) | (teamdrivefilename:<DriveFileName>)
 
@@ -182,7 +187,7 @@ gam user testuser show fileinfo anydrivefilename "Test File"
 gam user testuser show fileinfo anydrivefilename:"Test File"
 ```
 ## Select file ownership
-By default, files the user owns are sisplayed; you can select the ownership characteristic.
+By default, files the user owns are displayed; you can select the ownership characteristic.
 ```
 anyowner|(showownedby any|me|others)
 ```
@@ -214,7 +219,7 @@ By default, all types of files and folders are displayed; you can specify a list
 <MimeTypeList> ::= "<MimeType>(,<MimeType>)*"
 ```
 This is the mapping from `<MimeTypeShortcut>` to MIME type.
-* `gdoc|gdocument` - 'application/vnd.google-apps.document
+* `gdoc|gdocument` - application/vnd.google-apps.document
 * `gdrawing` - application/vnd.google-apps.drawing
 * `gfile` - application/vnd.google-apps.file
 * `gfolder|gdirectory` - application/vnd.google-apps.folder
@@ -246,30 +251,37 @@ The options combine ownership and broad MIME type selections.
 ```
 <DriveFileQueryShortcut> ::=
         all_files | all_folders | all_google_files | all_non_google_files | all_items |
-        my_files | my_folders | my_google_files | my_non_google_files | my_items |
+        my_docs | my_files | my_folders | my_forms | my_google_files | my_non_google_files | my_items |
+        my_presentations | my_publishable_items | my_sheets | my_slides |
         my_top_files | my_top_folders | my_top_items |
         others_files | others_folders | others_google_files | others_non_google_files | others_items |
         writable_files
 ```
-* all_files - "mimeType != application/vnd.google-apps.folder"
-* all_folders - "mimeType = application/vnd.google-apps.folder"
-* all_google_files - "mimeType != application/vnd.google-apps.folder and mimeType contains 'vnd.google'"
+* all_files - "mimeType != 'application/vnd.google-apps.folder'"
+* all_folders - "mimeType = 'application/vnd.google-apps.folder'"
+* all_google_files - "mimeType != 'application/vnd.google-apps.folder' and mimeType contains 'vnd.google'"
 * all_non_google_files - "not mimeType contains 'vnd.google'"
 * all_items - "" (An empty query specifies all files and folders)
-* my_files - "'me' in owners and mimeType != application/vnd.google-apps.folder"
-* my_folders - "'me' in owners and mimeType = application/vnd.google-apps.folder"
-* my_google_files - "'me' in owners and mimeType != application/vnd.google-apps.folder and mimeType contains 'vnd.google'"
+* my_docs - "'me' in owners and mimeType = 'application/vnd.google-apps.document'"
+* my_files - "'me' in owners and mimeType != 'application/vnd.google-apps.folder'"
+* my_folders - "'me' in owners and mimeType = 'application/vnd.google-apps.folder'"
+* my_forms - "'me' in owners and mimeType = 'application/vnd.google-apps.form'"
+* my_google_files - "'me' in owners and mimeType != 'application/vnd.google-apps.folder' and mimeType contains 'vnd.google'"
 * my_non_google_files - "'me' in owners and not mimeType contains 'vnd.google'"
+* my_presentations - "'me' in owners and mimeType = 'application/vnd.google-apps.presentation'"
+* my_publishable_items - "'me' in owners and (mimeType = 'application/vnd.google-apps.document' or mimeType = 'application/vnd.google-apps.form' or mimeType = 'application/vnd.google-apps.presentation' or mimeType = 'application/vnd.google-apps.spreadsheet')"
+* my_sheets - "'me' in owners and mimeType = 'application/vnd.google-apps.spreadsheet'"
+* my_slides - "'me' in owners and mimeType = 'application/vnd.google-apps.presentation'"
 * my_items - "'me' in owners"
-* my_top_files - "'me' in owners and mimeType != application/vnd.google-apps.folder and 'root' in parents"
-* my_top_folders - "'me' in owners and mimeType = application/vnd.google-apps.folder and 'root' in parents"
+* my_top_files - "'me' in owners and mimeType != 'application/vnd.google-apps.folder' and 'root' in parents"
+* my_top_folders - "'me' in owners and mimeType = 'application/vnd.google-apps.folder' and 'root' in parents"
 * my_top_items - "'me' in owners and 'root' in parents"
-* others_files - "not 'me' in owners and mimeType != application/vnd.google-apps.folder"
-* others_folders - "not 'me' in owners and mimeType = application/vnd.google-apps.folder"
-* others_google_files - "not 'me' in owners and mimeType != application/vnd.google-apps.folder and mimeType contains 'vnd.google'"
+* others_files - "not 'me' in owners and mimeType != 'application/vnd.google-apps.folder'"
+* others_folders - "not 'me' in owners and mimeType = 'application/vnd.google-apps.folder'"
+* others_google_files - "not 'me' in owners and mimeType != 'application/vnd.google-apps.folder' and mimeType contains 'vnd.google'"
 * others_non_google_files - "not 'me' in owners and not mimeType contains 'vnd.google'"
 * others_items - "not 'me' in owners"
-* writable_files - "'me' in writers and mimeType != application/vnd.google-apps.folder"
+* writable_files - "'me' in writers and mimeType != 'application/vnd.google-apps.folder'"
 
 ## Select based on file size
 For these filters, GAM processes then after the list of files is downloaded. You can combine these
@@ -291,7 +303,7 @@ Use [Permission matches](#permission-matches) to limit the display to files with
 ### Examples
 ```
 gam user testuser show fileinfo query "name='Test File'"
-gam user testuser show fileinfo query:"name='Test Folder' and mimeType=application/vnd.google-apps.folder"
+gam user testuser show fileinfo query:"name='Test Folder' and mimeType='application/vnd.google-apps.folder'"
 gam user testuser print filelist my_non_google_files
 ```
 ## Select root folder
@@ -353,9 +365,9 @@ See: [Drive Query](https://developers.google.com/drive/api/v3/search-files)
         all_files | all_folders | all_google_files | all_non_google_files | all_items
 ```
 Keyword to query mappings for `<DriveFileQueryShortcut>`:
-* all_files - "mimeType != application/vnd.google-apps.folder"
-* all_folders - "mimeType = application/vnd.google-apps.folder"
-* all_google_files - "mimeType != application/vnd.google-apps.folder and mimeType contains 'vnd.google'"
+* all_files - "mimeType != 'application/vnd.google-apps.folder'"
+* all_folders - "mimeType = 'application/vnd.google-apps.folder'"
+* all_google_files - "mimeType != 'application/vnd.google-apps.folder' and mimeType contains 'vnd.google'"
 * all_non_google_files - "not mimeType contains 'vnd.google'"
 * all_items - "" (An empty query specifies all files and folders)
 

docs/Drive-REST-API-v3.md

@@ -4,7 +4,7 @@ Many of the changes are internal to Gam and have no visible effect. Google has m
 A variable, `drive_v3_native_names` (default value is True), has been added to `gam.cfg` to control the field names on output: when True, the v3 native field names are used; when False, the v3 native field names are mapped to the v2 field names.
 
 If you have scripts that process the output from these print commands, you may have to make modifications to your scripts.
-Run your print/show commands with a version of Standard Gam and save the output.
+Run your print/show commands with a version of Legacy Gam and save the output.
 With drive_v3_native_names = False, run your print/show commands with this version of Gam and compare the output to that saved in the previous run;
 modify your scripts that process the output as appropriate.
 

docs/Find-File-Owner.md

@@ -47,7 +47,7 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 
 ## Display File Ownership for Old files
 If the above commands fail, you can try to loop through all accounts, however this might take a long time if you are on a large Google Workspace Account.
-
+If any lines are displayed, the file owner is in the `owners.0.emailAddress` column.
 ```
 gam config auto_batch_min 1 multiprocessexit rc=0 redirect csv - multiprocess redirect stderr null multiprocess all users print filelist select id <DriveFileID> fields id,name,owners.emailaddress norecursion showownedby any
 gam config auto_batch_min 1 multiprocessexit rc=0 redirect csv - multiprocess redirect stderr null multiprocess all users print filelist select name <DriveFileName> fields id,name,owners.emailaddress norecursion showownedby any

docs/GAM-Return-Codes.md

@@ -1,6 +1,6 @@
 # GAM Return Codes
 
-These are the return codes used by GAMADV-XTD3.
+These are the return codes used by GAM7.
 
 ```
 SUCCESS_RC = 0
@@ -32,6 +32,7 @@ ENTITY_IS_A_USER_ALIAS_RC = 21
 ENTITY_IS_A_GROUP_RC = 22
 ENTITY_IS_A_GROUP_ALIAS_RC = 23
 ENTITY_IS_AN_UNMANAGED_ACCOUNT_RC = 24
+ORGUNIT_NOT_EMPTY_RC = 25
 CHECK_USER_GROUPS_ERROR_RC = 29
 ORPHANS_COLLECTED_RC = 30
 # Warnings/Errors
@@ -61,4 +62,14 @@ TARGET_DRIVE_SPACE_ERROR_RC = 74
 USER_REQUIRED_TO_CHANGE_PASSWORD_ERROR_RC = 75
 USER_SUSPENDED_ERROR_RC = 76
 NO_CSV_DATA_TO_UPLOAD_RC = 77
+NO_SA_ACCESS_CONTEXT_MANAGER_EDITOR_ROLE_RC = 78
+ACCESS_POLICY_ERROR_RC = 79
+YUBIKEY_CONNECTION_ERROR_RC = 80
+YUBIKEY_INVALID_KEY_TYPE_RC = 81
+YUBIKEY_INVALID_SLOT_RC = 82
+YUBIKEY_INVALID_PIN_RC = 83
+YUBIKEY_APDU_ERROR_RC = 84
+YUBIKEY_VALUE_ERROR_RC = 85
+YUBIKEY_MULTIPLE_CONNECTED_RC = 86
+YUBIKEY_NOT_FOUND_RC = 87
 ```

docs/GAM7-on-Android-Devices.md

@@ -0,0 +1,16 @@
+# GAM7 on Android Devices
+GAM7 now runs on 64-bit Android devices such as Google's Pixel phones. The installation requires an app that adds the Linux environment to Android such as [UserLAnd](https://play.google.com/store/apps/details?id=tech.ula&hl=en_US).
+
+_Note: Chromebooks / Chrome OS devices should install GAM7 using [these instructions](GAM7-on-Chrome-OS-Devices)._
+
+1. Install the [UserLAnd](https://play.google.com/store/apps/details?id=tech.ula&hl=en_US) app.
+2. Click Debian to install a Debian environment.
+3. Set a username and password.
+4. Choose SSH for connection type.
+5. Once setup, login with the password to get to a Linux shell.
+6. Run the following commands to install prerequisites:
+```
+    sudo apt update
+    sudo apt install curl python3
+```
+7. [How to Install Advanced GAM](How-to-Install-Advanced-GAM)

docs/GAM7-on-Chrome-OS-Devices.md

@@ -0,0 +1,14 @@
+# GAM7 on Chrome OS Devices
+Chrome OS devices that [support Linux apps](https://support.google.com/chromebook/answer/9145439?hl=en) can run GAM7. This includes Intel/AMD x86_64 Chromebooks as well as ARM-based Chromebooks with Mediatek or Rockchip 64-bit CPUs.
+
+1. [Set up Linux on your Chromebook](https://support.google.com/chromebook/answer/9145439?hl=en).
+1. From the Terminal app, run the following commands:
+```
+    sudo apt update
+    sudo apt install xz-utils
+```
+3. [How to Install Advanced GAM](How-to-Install-Advanced-GAM)
+
+# Google cloud shell
+
+Note that from a Chrome OS device, it might be just as easy to use [Google Cloud Shell](https://cloud.google.com/shell). Especially if you are concerned about network connectivity and/or bandwidth, using a shell instance within Google's server infrastructure is always going to be less resource intensive than sending data back and forth between a Google API and your local machine on your local network.

docs/GamUpdates.md

@@ -1,14 +1,921 @@
-# Update GAMADV-XTD3 to latest version
+# Update GAM7 to latest version
 Automatic update to the latest version on Linux/Mac OS/Google Cloud Shell/Raspberry Pi/ChromeOS:
 - Do not create project or authorizations, default path `$HOME/bin`
-  - `bash <(curl -s -S -L https://raw.githubusercontent.com/taers232c/GAMADV-XTD3/master/src/gam-install.sh) -l`
+  - `bash <(curl -s -S -L https://git.io/gam-install) -l`
 - Do not create project or authorizations, specify a path
-  - `bash <(curl -s -S -L https://raw.githubusercontent.com/taers232c/GAMADV-XTD3/master/src/gam-install.sh) -l -d <Path>`
+  - `bash <(curl -s -S -L https://git.io/gam-install) -l -d <Path>`
 
-By default, a folder, `gamadv-xtd3`, is created in the default or specified path and the files are downloaded into that folder.
-Add the `-s` option to the end of the above commands to suppress creating the `gamadv-xtd3` folder; the files are downloaded directly into the default or specified path.
+By default, a folder, `gam7`, is created in the default or specified path and the files are downloaded into that folder.
+Add the `-s` option to the end of the above commands to suppress creating the `gam7` folder; the files are downloaded directly into the default or specified path.
 
-See [Downloads](https://github.com/taers232c/GAMADV-XTD3/wiki/Downloads) for Windows or other options, including manual installation
+See [Downloads-Installs-GAM7](https://github.com/taers232c/GAMADV-XTD3/wiki/Downloads-Installs) for Windows or other options, including manual installation
+
+### 7.00.13
+
+Version bump in order to confirm MSI installs are operating properly
+
+### 7.00.12
+
+Updated option `showlastmodification` to `gam <UserTypeEntity> print|show filecounts` to handle
+the case where all users owning files are suspended. In this case the `lastModifyingUser` column
+will show the user's display name as the API doesn't return the user's email address.
+
+Updated support for `Folders with limited access`; this is a work in progress.
+
+Windows builds now use PyInstaller's onedir config for improved performance. You may notice a lib
+folder now exists underneath the GAM install path. GAM commands should start significantly faster.
+
+### 7.00.11
+
+Updated to Python 3.12.7 where possible.
+
+### 7.00.10
+
+Handled the following error that occurs when `gam create user` is immediateley followed by `gam update user`.
+```
+ERROR: 412: conditionNotMet - User creation is not complete.
+```
+
+Updated support for `Folders with limited access`; this is a work in progress.
+
+### 7.00.09
+
+Added initial support for `Folders with limited access`; you must be enrolled in the Beta preview.
+
+Updated `api_call_tries_limit` variable to `gam.cfg` that limits the number of tries
+for Google API calls that return an error that indicates a retry should be performed.
+The default value is 10 and the range of allowable values is 3-30.
+
+### 7.00.08
+
+Fixed bug in `gam <UserTypeEntity> delete groups` that caused the command to fail when `enable_dasa = true` in `gam.cfg`.
+
+### 7.00.07
+
+Updated `<PeopleContactAttribute>` fields `address,email,phone,url` to allow an empty type field.
+```
+address "" formatted "My Address" primary
+email "" user@gmail.com primary
+phone "" "510-555-1212" primary
+url "" "https://www.domain.com" primary
+```
+
+### 7.00.06
+
+Updated `gam <UserTypeEntity> create|update chatspace` to support the new permissions settings
+for Chat spaces that are in Developer Preview.
+
+* See: https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces#Space.FIELDS.predefined_permission_settings
+
+### 7.00.05
+
+Fixed bug that caused an error when creating a calendar birthday event.
+
+### 7.00.04
+
+Improved performance of `gam report users orgunit <OrgUnitPath>` when `showorgunit` is not specified.
+
+Added option `birthday <Date>` to `gam <UserTypeEntity> create event <UserCalendarEntity>` that adds
+an annual recurring event to the calendar.
+
+Added `birthday` to `<EventType>` for use in various calendar event commands.
+
+### 7.00.03
+
+Updated `gam delete ou` and `gam print admins` to handle the following error:
+```
+ERROR: 503: serviceNotAvailable - The service is currently unavailable.
+```
+
+### 7.00.02
+
+Added option `showlastmodification` to `gam <UserTypeEntity> print|show filecounts` that adds
+the following fields to the output: `lastModifiedFileId,lastModifiedFileName,lastModifyingUser,lastModifiedTime`;
+these are for the most recently modified file.
+
+Added option `keepforever [<Boolean>]` to `gam <UserTypeEntity> update filerevisions` that allows setting
+`Keep forever` in revisions.
+
+Upgraded to Python 3.12.6 where possible.
+
+### 7.00.01
+
+Added option `shownames` to `gam <UserTypeEntity> print|show sheet` that causes GAM
+to make an additional API call to get and display the sheet file name that is not supplied by the Sheets API.
+
+### 7.00.00
+
+Merged GAM-Team version
+
+### 6.81.02
+
+Updated `gam update group postmaster@domain.com` to handle the error that is generated.
+
+### 6.81.01
+
+Fixed bug in `gam <UserTypeEntity> create meetspace` that caused errors
+due to Developer Preview options being included.
+
+### 6.81.00
+
+Added support for groups when defining Chrome policies.
+
+Added support for the Meet API.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Users-Meet
+
+Added option `countsonly` to the following course commands that displays
+the number of items in a course but not the details of the items.
+```
+gam print course-announcements
+gam print course-materials
+gam print course-submissions
+gam print course-topics
+gam print course-work
+```
+
+### 6.80.21
+
+Updated `gam <UserTypeEntity> archive messages` to handle the following error:
+```
+googleapiclient.errors.MediaUploadSizeError: Media larger than: 26214400
+```
+
+### 6.80.20
+
+Updated `gam report usage user` and `gam report users`  to handle the following error:
+```
+ERROR: 503: serviceNotAvailable - The service is currently unavailable.
+```
+
+### 6.80.19
+
+Fixed bug in `gam create inboundssoprofile` that caused a trap due to
+an unexpected API result.
+
+Updated `gam create inboundssoprofile ... returnnameonly` to return `inProgress` if the API
+does not return a complete result.
+
+Upgraded to OpenSSL 3.3.2 where possible.
+
+### 6.80.18
+
+Updated `gam print|show admins` to handle the following error:
+```
+ERROR: 503: serviceNotAvailable - The service is currently unavailable.
+
+### 6.80.17
+
+Updated `gam <UserTypeEntity> modify messages` to improve error handling.
+
+### 6.80.16
+
+Fixed bug in `gam print vaultcounts` that caused a trap.
+
+### 6.80.15
+
+Fixed bug in `gam <UserTypeEntity> print filelist ... countsrowfilter` that caused a trap.
+
+Added option `continueoninvalidquery [<Boolean>]` to `gam <UserTypeEntity> print filelist|filecounts` that can be used
+in special cases where a query  of the form `query "'labels/mRoha85IbwCRl490E00xGLvBsSbkwIiuZ6PRNNEbwxyz' in labels"
+causes Google to issue an error saying that the query is invalid when, in fact, it is but the user does not have a
+license that suppprts drive file labels. When `continueoninvalidquery` is true, GAM prints an error message and
+proceeds to the next user rather that terminating as it does now. Of course, if the query really is invalid, you will
+get the message for every user.
+
+### 6.80.14
+
+Updated `gam <UserTypeEntity> print messages|threads` to display all default headers
+even if no messages are to be displayed. This eliminates error messages of the following form
+that occurred because only the headers `User,threadId,id` were displayed.
+```
+WARNING: csv_output_row_filter column "^Date$" does not match any output columns
+```
+
+### 6.80.13
+
+Added `my_publishable_items` to `<DriveFileQueryShortcut>` that can be used in
+`gam <UserTypeEntity> print filerevisions` to select only those items that can be
+published to the web: documents, forms, presentations(slides), spreadsheets. With row filtering,
+this allows identification of files that have been published outside your domain.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Users-Drive-Files-Display#display-files-published-to-the-web
+
+### 6.80.12
+
+Updated `gam print vaultcounts` to correctly display accounts with errors.
+
+### 6.80.11
+
+Updated `gam <UserTypeEntity> delete|purge|trash|untrash <DriveFileEntity> shortcutandtarget`
+that when `<DriveFileEntity` is a shortcut, to have GAM validate that the shortcut and target can be
+successfully processed before proceeding.
+
+### 6.80.10
+
+Added option `followshortcuts [<Boolean>]` to `gam <UserTypeEntity> print|show fileinfo|filepath <DriveFileEntity>`
+that when true and `<DriveFileEntity` is a shortcut, causes GAM to display information about the target of the shortcut rather than the shortcut itself.
+
+Added option `shortcutandtarget [<Boolean>]` to `gam <UserTypeEntity> delete|purge|trash|untrash <DriveFileEntity>`
+that when true and `<DriveFileEntity` is a shortcut, causes GAM to process the shortcut and the target of the shortcut.
+
+### 6.80.09
+
+Added options `allschemas|(schemas|custom|customschemas <SchemaNameList>)` to `gam print group-members`
+that display any custom schema values for the group members.
+
+### 6.80.08
+
+Updated `gam print|show oushareddrives` to display the Shared Drive ID, name and orgUnitPath as
+individual, separate entities in the output.
+
+### 6.80.07
+
+Updated `dateheaderformat iso` in `gam <UserTypeEntity> info|print|show messages` to include a colon
+between the hours and minutes in the timezone portion of the string as in all other time strings.
+
+### 6.80.06
+
+Added option `tdreturnidonly [<Boolean>]` to `<ToDriveAttribute>` that when true (the default), causes GAM to display
+only the uploaded file ID to stdout. This can be captured and used in subsequent commands, `tdfileid <DriveFileID>` that will update the same file.
+
+### 6.80.05
+
+Added  option `individualstudentcoursework copy|delete|maptoall` to `gam create|update course ... copyfrom`
+that controls how individual student coursework in the `copyfrom` course is processed.
+* `individualstudentcoursework copy` - Copy individual student coursework; this is the default. You will get an error if a student is not a member of the course
+* `individualstudentcoursework delete` - Delete individual student coursework
+* `individualstudentcoursework maptoall` - Map individual student coursework to all student coursework
+
+For convenience, setting `individualstudentassignments` sets all of the following to the same value:
+* `individualstudentannouncements`
+* `individualstudentmaterials`
+* `individualstudentcoursework`
+
+### 6.80.04
+
+Cleaned up progress messages in `gam create|update course ... copyfrom`.
+
+### 6.80.03
+
+Added option `stripcrsfromname` to `gam <UserTypeEntity> print driveactivity` that causes carriage returns,
+linefeeds and nulls to be stripped from file names.
+
+### 6.80.02
+
+Added option `addcsvdata <FieldName> <String>` to `gam <UserTypeEntity> print filecounts` that adds
+additional columns of data to the CSV file output.
+
+Added  options `individualstudentannouncements copy|delete|maptoall` and `individualstudentmaterials copy|delete|maptoall`
+to `gam create|update course ... copyfrom` that controls how individual student announcements and materials in the `copyfrom` course are processed.
+* `individualstudentannouncements copy` - Copy individual student announcements; this is the default. You will get an error if a student is not a member of the course
+* `individualstudentannouncements delete` - Delete individual student announcements
+* `individualstudentannouncements maptoall` - Map individual student announcements to all student announcements
+* `individualstudentmaterials copy` - Copy individual student materials; this is the default. You will get an error if a student is not a member of the course
+* `individualstudentmaterials delete` - Delete individual student materials
+* `individualstudentmaterials maptoall` - Map individual student materials to all student materials
+
+### 6.80.01
+
+Added options `showstudentsaslist [<Boolean>]` and `delimiter <Character>` to `gam print course-work`.
+By default, when course work is assigned to individual students, the student IDs are displayed in multiple indexed columns.
+Use these options to display the student IDs in a single column as a delimited list.
+
+Updated `gam <UserTypeEntity> vacation [<Boolean>]` to make `<Boolean>` optional; this allows changes
+to other fields without affecting the current responder state.
+
+Updated `gam <UserTypeEntity> print|show vacation` to avoid a trap when invalid start or end dates
+have been entered in the Gmail user interface. Invalid dates are represented as `1970-01-01`.
+
+### 6.80.00
+
+Fixed bug in `gam <UserTypeEntity> print users ... license ... formatjson` that caused a trap.
+
+Upgraded to Python 3.12.5 where possible.
+
+### 6.79.12
+
+Fixed bug in `gam user admin@domain.com print chatspaces asadmin` that caused the following error:
+```
+Chat Admin: admin@domain.com(asadmin), Print Failed: This method doesn't support non-admin user authentication. Authenticate with an admin account.
+```
+
+### 6.79.11
+
+Fixed bug in `gam <UserItem> print|show chatmembers` where the `filter <String>` was not applied.
+
+### 6.79.10
+
+Updated commands to handle a trap that occurs when oauth2service.json specifies a YubiKey but the YubiKey is not inserted.
+
+### 6.79.09
+
+Added option `addcsvdata <FieldName> <String>` to `gam <UserTypeEntity> print teamdriveacls` that adds
+additional columns of data to the CSV file output. This can be used when ACLs for selected users are to be
+replaced with a different user email address.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Users-Shared-Drives#bulk-change-user1-shared-drive-access-to-user2
+
+### 6.79.08
+
+Clarified action to perform messages when creating/deleting/updating licenses.
+
+### 6.79.07
+
+Added option `totalonly` to `gam <UserTypeEntity> print|show groups` that displays
+the user email address and the total number of groups to which it belongs. This is in
+contrast to `countsonly` that has to make an additional API call per group per user to get the user's role.
+When `countsonly` is specified, an additional column `Total` is displayed that is the sum
+of the role counts.
+
+### 6.79.06
+
+Fixed bug in `gam calendars <CalendarEntity> update event ... removeattendee <EmailAddress>` that caused a trap
+if the event had no attendees.
+
+### 6.79.05
+
+Updated `gam <UserTypeEntity> empty drivetrash <SharedDriveEntity>` to handle this error that
+occurs when the user is not a Manager of the Shared Drive.
+```
+ERROR: 403: insufficientFilePermissions - The user does not have sufficient permissions for this file.
+```
+
+### 6.79.04
+
+Added options `filename <FileName>` and `movetoou <OrgUnitItem>` to `gam check ou <OrgUnitItem>`
+that causes GAM to create a batch file of GAM commands that will move any remaining items
+in `ou <OrgUnitItem>` to `movetoou <OrgUnitItem>`; executing the batch file will then allow
+`ou <OrgUnitItem>` to be deleted if desired.
+
+### 6.79.03
+
+Added column|field `assignedToUnknown` to `gam print|show admins` that will be True when
+the API `assignedTo` value can not be converted to an email address; it will be False when
+the email address is determinable.
+
+### 6.79.02
+
+Updated `gam print admins` to handle the following error that occurs when a service account admin no longer exists.
+```
+ERROR: 404: notFound - Requested entity was not found.
+```
+
+### 6.79.01
+
+Updated commands that take `<RoleItem>` as an argument to take the value in any case,
+e.g., _SEED_ADMIN_ROLE or _seed_admin_role.
+
+### 6.79.00
+
+Updated code to work around a Cryptography library change that caused service account private key creation to fail.
+
+### 6.78.00
+
+Added command to check if an OU contains items; this is useful when tryng to delete an OU
+as it must not contain any items in order to be deleted.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Organizational-Units#check-organizational-unit-for-contained-items
+
+### 6.77.18
+
+Added option `showitemcountonly` to `gam print domainaliases` that causes GAM to display the
+number of domain aliasess on stdout; no CSV file is written.
+
+### 6.77.17
+
+Added option `showitemcountonly` to `gam print domains` that causes GAM to display the
+number of domains on stdout; no CSV file is written.
+	 
+### 6.77.16
+
+Fixed bug in `gam <UserTypeEntity> print filelist` that caused a trap.
+
+### 6.77.15
+
+Updated `gam calendars <CalendarEntity> import event icaluid <iCalUID> json <JSONdata>` to handle API
+constraints on recurring events.
+
+### 6.77.14
+
+Fixed bug in `gam calendars <CalendarEntity> import event icaluid <iCalUID> json <JSONdata>` that caused an error.
+
+### 6.77.13
+
+Updated `gam <UserTypeEntity> print|show filecounts` to reflect that Shared Drives now
+have a capacity of 500000 files/folders/shortcuts.
+
+
+### 6.77.12
+
+Fixed bug in `gam <UserTypeEntity> print chatspaces todrive` that caused an error.
+
+### 6.77.11
+
+Added option `convertmbtogb` to `gam report usage customer|user` and
+`gam report customer|user` that causes GAM to convert parameters expressed in megabytes
+(name ends with _in_mb) to gigabytes (name converted to _in_gb) with two decimal places.
+
+### 6.77.10
+
+Fixed bug in `gam <UserTypeEntity> get profilephoto` where data written to stdout, e.g. `> filename`,
+was not properly base64 encoded.
+
+### 6.77.09
+
+Added option `usertokencounts` to `gam <UserTypeEntity> print|show tokens` that causes GAM to display
+each user and their number of access tokens; there are no details.
+
+### 6.77.08
+
+Fixed bugs in `gam <UserTypeEntity> delete chatmember <ChatSpace> ... group <GroupItem>`
+and `gam <UserTypeEntity> sync chatmember <ChatSpace> ... groups <GroupEntity>` that caused an error.
+
+### 6.77.07
+
+Fixed bug in `gam <UserTypeEntity> create chatmember <ChatSpace> ... group <GroupItem>` that caused an error.
+
+### 6.77.06
+
+Updated `gam update ou <OrgUnitItem> ... parent <OrgUnitItem>` to handle the following error
+that occurs when `parent <OrgUnitItem>` is the same as or a sub-OU of `ou <OrgUnitItem>`.
+```
+ERROR: 412: conditionNotMet - OrgUnit hierarchy has cycle
+```
+
+### 6.77.05
+
+Added option `onlyusers <UserTypeEntity>` to `gam <UserTypeEntity> claim ownership <DriveFileEntity>`
+that causes GAM to only claim ownership of files/folders owned by `onlyusers <UserTypeEntity>`.
+This option is multually exclusive with `skipusers <UserTypeEntity>`.
+
+### 6.77.04
+
+Fixed bug in `gam report users ... range <Date> <Date>` where an extraneous API call
+was made if a date was reached where no API data was available.
+
+### 6.77.03
+
+Thanks to jay, added the following Colab License SKUs:
+```
+1010500001 - Colab Pro
+1010500002 - Colab Pro+
+```
+
+Thanks to Jay, updated `gam print|show admins` to properly display addresses
+of service accounts with admin role assignments.
+
+Added option `limitdatechanges <Integer>` to `gam report users|customers`.
+
+If no report is available for the specified date, can an earlier date be used?
+* `limitdatechanges -1' - Back up to earlier dates to find report data; this is the default.
+* `limitdatechanges 0 | nodatechange' - Do not report on an earlier date if no report data is available for the specified date.
+* `limitdatechanges N' - Back up to earlier dates to find report data; do not back up more than N times.
+
+By default, when `gam report user user <UserItem>` is specified and no report data is available, there is no output.
+If `csv_output_users_audit = true` in `gam.cfg`, then a row with columns `email,date` will be displayed
+where `date` is the earliest date for which report data was requested.
+
+### 6.77.02
+
+Cleaned up problems with some of the new Chat API asadmin commands.
+Some remaining problems may require a Google fix.
+
+### 6.77.01
+
+Thanks to Jay, added column `verificationCodesCount` to `gam <UserTypeEntity> print backupcodes`
+that displays the number of available backup codes in addtion to the codes.
+
+Added option `countsonly` that displays only the number of available backup codes but not the codes themselves.
+
+Thanks to Jay, added option `nokey` to `gam create project` that creates a project with no service account key, `oauth2service.json`.
+
+### 6.77.00
+
+Added option `individualstudentassignments copy|delete|maptoall` to `gam create|update course ... copyfrom`
+that controls how individual student assignments in the `copyfrom` course are processed.
+* `individualstudentassignments copy` - Copy individual student assignments; this is the default. You will get an error if the student is not a member of the course.
+* `individualstudentassignments delete` - Delete individual student assignments
+* `individualstudentassignments maptoall` - Map individual student assignments to all student assignments
+
+Upgraded to Python 3.12.4 where possible.
+
+Added option `asadmin` to the following Chat commands that allows admin access.
+These commands are in Developer Preview, your project must have Developer Preview enabled for the Chat API
+in order to use these commands.
+```
+gam <UserItem> delete chatspace asadmin
+gam <UserItem> update chatspace asadmin
+gam <UserItem> info chatspace asadmin
+gam <UserItem> print|show chatspaces asadmin
+gam <UserItem> create chatmember asadmin
+gam <UserItem> delete|remove chatmember asadmin
+gam <UserItem> update|modify chatmember asadmin
+gam <UserItem> sync chatmembers asadmin
+gam <UserItem> info chatmember asadmin
+gam <UserItem> print|show chatmembers|asadmin
+```
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Users-Chat#developer-preview-admin-access
+
+Added `use_chat_admin_access` Boolean variable to `gam.cfg`. 
+```
+* When False, GAM uses user access when making all Chat API calls. For calls that support admin access,
+    this can be overridden with the asadmin command line option.
+* When True, GAM uses admin access for Chat API calls that support admin access; other calls will use user access.
+* Default: False
+```
+
+### 6.76.15
+
+Fixed bug in `gam <UserTypeEntity> print|show filesharecounts summary only summaryuser <String>`
+that printed an erroneous row if `<UserTypeEntity>` specified a single user and `<String>` matched
+the user's email address.
+
+### 6.76.14
+
+Added the following Gemini License SKUs:
+```
+1010470004 - Gemini Education
+1010470005 - Gemini Education Premium
+```
+
+### 6.76.13
+
+Updated `gam <UserTypeEntity> show fileinfo ... showlabels` and `gam <UserTypeEntity> print filelist ... showlabels`
+to retry these errors that occur when trying to get the drive labels for a file/folder.
+```
+ERROR: 500: unknownError - Unknown Error.
+ERROR: 503: serviceNotAvailable - The service is currently unavailable.
+```
+
+Upgraded to OpenSSL 3.3.1 where possible.
+
+### 6.76.12
+
+Fixed bug in `gam <UserTypeEntity> print|show chatspaces` that caused the following error:
+```
+ERROR: Got an unexpected keyword argument orderBy
+```
+
+### 6.76.11
+
+Thanks to Jay, added `gam report vault`.
+
+Thanks to Jay, added the following Gemini SKUs:
+```
+1010470006 - AI Security
+1010470007 - AI Meetings and Messaging
+```
+
+Updated `gam <UserTypeEntity> print filelist ... showshareddrivepermissions` to display
+progress messages to stderr as a separate API call must be made for every file/folder on the Shared Drive
+to get its permissions. As this can take a long time, the progress messages indicate that progress is being made.
+
+### 6.76.10
+
+Added `fromgmail` to `<EventType>` that can be used in `gam calendars <CalendarEntity> print|show events ... eventtype fromgmail`.
+
+* See: https://workspaceupdates.googleblog.com/2024/05/google-calendar-api-event-type-fromgmail.html
+
+### 6.76.09
+
+Updated `gam update|delete|info adminrole` to handle the following error:
+```
+ERROR: 400: failedPrecondition - Precondition check failed.
+```
+
+### 6.76.08
+
+Updated `<SchemaNameList>` to `"<SchemaName>|<SchemaFieldName>(,<SchemaName>|<SchemaFieldName>)*"`
+that allows `schemas <SchemaNameList>` in `gam info user` and `gam print users` to display all fields or selected fields
+of the specified custom schemas.
+
+### 6.76.07
+
+Fixed bug where control-C was not recognized when GAM had processed all rows in a CSV file
+and was `Waiting for N running processes to finish before terminating`.
+
+### 6.76.06
+
+Fixed bug in `gam <UserTypeEntity> print messages ... positivecountsonly` where message counts with value 0 were deiplayed.
+
+Added option `addcsvdata <FieldName> <String>` to `gam <UserTypeEntity> print|messages` that adds
+additional columns of data to the CSV file output.
+
+Added option `showusagebytes` to `gam <UserTypeEntity> print|show drivesettings` that displays
+the following fields in bytes ```usageBytes,usageInDriveBytes,usageInDriveTrashBytes```
+in addition to the fields in their formatted form with units: ```usage,usageInDrive,usageInDriveTrash```.
+This will be most useful with `print` as the rows can be sorted based on the `usagexxxBytes` columns.
+
+### 6.76.05
+
+Added options `deletefromoldowner`, `addtonewowner <CalendarAttribute>*` and `nolistmessages`
+to `gam <UserTypeEntity> transfer calendars <UserItem>` that allow manipulation of the
+source and target user's calendar lists.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Users-Calendars-Access#transfer-calendar-ownership
+
+### 6.76.04
+
+Added the following fields to `<CrOSFieldName>`:
+```
+autoupdatethrough
+extendedsupporteligible
+extendedsupportstart
+extendedsupportenabled
+```
+
+### 6.76.03
+
+Added option `folderpathonly [<Boolean>]` to the following commands that causes GAM
+to display only the folder names when displaying the path to a file. This folder only path
+an be used in  `gam <UserTypeEntity> create drivefolderpath` to recreate the folder hierarchy.
+```
+gam <UserTypeEntity> info drivefile ... filepath|fullpath
+gam <UserTypeEntity> show fileinfo ... filepath|fullpath
+gam <UserTypeEntity> print|show filepath
+gam <UserTypeEntity> print filelist ... filepath|fullpath
+```
+
+### 6.76.02
+
+Updated `gam update group` to handle the following error:
+```
+ERROR: 400: invalidArgument - Failed request validation in update settings: WHO_CAN_VIEW_MEMBERSHIP_CANNOT_BE_BROADER_THAN_WHO_CAN_SEE_GROUP
+```
+
+### 6.76.01
+
+Fixed bug in `gam create vaulthold matter <MatterItem> ... corpus calendar` that caused a trap.
+
+### 6.76.00
+
+Updated versions of `gam create|use project` that use keyword options to also accept the following options
+to define non-default Service Account key characteristics.
+```
+(algorithm KEY_ALG_RSA_1024|KEY_ALG_RSA_2048)|
+(localkeysize 1024|2048|4096 [validityhours <Number>])|
+(yubikey yubikey_pin yubikey_slot AUTHENTICATION yubikey_serialnumber <String>)
+```
+
+### 6.75.05
+
+Added option `csv [todrive <ToDriveAttribute>*]` to `gam <UserTypeEntity> archive|delete|modify|spam|trash|untrash messages|threads`
+that causes GAM to display the command results in CSV form.
+
+### 6.75.04
+
+Added a command to print user counts by OrgUnit. By default, all users in the workspace are counted;
+you can specify a domain to only count users in that domain.
+```
+gam print usercountsbyorgunit [todrive <ToDriveAttribute>*]
+        [domain <String>]
+```
+
+Added option `uploadattachments [<DriveFileParentAttribute>]` to `gam <UserTypeEntity> show messages|threads` that
+causes GAM to upload all message attachments to the user's `My Drive`, the default, or to a specific folder.
+The existing option `attachmentnamepattern <RegularExpression>` can be used to select attachments to upload.
+
+### 6.75.03
+
+Fixed bug in `gam batch|tbatch` where the line `sleep <Integer>` in the batch file caused the error:
+```
+ERROR: Invalid argument: Expected <gam|commit-batch|print>
+```
+
+### 6.75.02
+
+Updated `gam report  <ActivityApplictionName>` to retry/handle the following error:
+```
+ERROR: 503: serviceNotAvailable - The service is currently unavailable.
+```
+
+### 6.75.01
+
+Added option `admin <EmailAddress>` to  `gam upload sakey`.
+
+### 6.75.00
+
+Updated `gam create project` to simplify handling the situation where your workspace is configured to disable service account private key uploads.
+
+Added command `gam upload sakey` to aid in this process.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Authorization#upload-a-service-account-key-to-a-service-account-with-no-keys
+
+### 6.74.02
+
+Fixed bug in `gam <UserTypeEntity> print shareddrives ... formatjson` that caused a trap.
+
+### 6.74.01
+
+Updated `gam create|update drivefileacl <DriveFileEntity> ... expiration <Time>` to handle
+the following error caused by tryig to add an expiration time to a member of a Shared Drive.
+```
+ERROR: 403: expirationDateNotAllowedForSharedDriveMembers - Expiration dates are not allowed for shared drive members.
+```
+
+### 6.74.00
+
+Added `truncate_client_id` Boolean variable to `gam.cfg`. Prior to version 6.74.00, GAM stripped
+'.apps.googleusercontent.com' from `client_id` in `oauth2.txt` and passed the truncated value in API calls.
+At Jay's suggestion this is no longer performed by default; setting `truncate_client_id = true` restores the previous behavior.
+
+Do `gam oauth delete` and `gam oauth create` to set the untruncated value of `client_id` in `oauth2.txt`.
+
+### 6.73.00
+
+The Google Chat API has been updated so that chat members can now have their role set to manager.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Users-Chat#manage-chat-members
+
+### 6.72.16
+
+Updated `emailaddressList <EmailAddressList>` and `domainlist|notdomainlist <DomainNameList>`
+in `<PermissionMatch>` to perform case-insensitive matches as the API is returning mixed case
+ACL email addresses in some cases.
+
+### 6.75.15
+
+Updated all commands that display tasks to display the due date in GMT as the time portion
+is not supported by the API and converting the due date to local time may display the wrong date.
+
+Renamed license SKU `1010400001` from `Beyond Corp Enterprise` to `Chrome Enterprise Premium`.
+
+### 6.72.14
+
+Upgraded to Python 3.12.3 where possible.
+
+### 6.72.13
+
+Added the following option to `<EventMatchProperty>` that can be used to select
+events based on the domains of the attendees.
+```
+matchfield attendeesonlydomainlist <DomainNameList>
+```
+This returns true if all attendee's email addresses are in a domain in `<DomainNameList>`;
+for example this lets you look for events with attendees only in your internal domains.
+
+### 6.72.12
+
+Added the following options to `<EventMatchProperty>` that can be used to select
+events based on the domains of the attendees.
+```
+matchfield attendeesdomainlist <DomainNameList>
+matchfield attendeesnotdomainlist <DomainNameList>
+```
+The first returns true if any attendee's email address is in a domain in `<DomainNameList>`;
+for example this lets you look for events with attendees in specific external domains.
+
+The second returns true if any attendee's email address is in a domain other than those in `<DomainNameList>`;
+for example this lets you look for events with attendees not in your internal domains.
+
+### 6.72.11
+
+Added option `oneitemperrow` to 'gam print vaultholds` to have each of a
+hold's accounts displayed on a separate row with all of the other hold fields.
+
+### 6.72.10
+
+Added `timeofdayrange=<HH:MM>/<HH:MM>` and `timeofdayrange!=<HH:MM>/<HH:MM>` to `<RowValueFilter>` that allows
+CSV row filtering based on time-of-day.
+
+### 6.72.09
+
+Updated `countsonly` option of `gam <UserTypeEntity> print|show notes` to additionally display the total number of notes.
+
+### 6.72.08
+
+Added option `countsonly` to `gam <UserTypeEntity> print|show notes` that displays
+the number of notes a user owns and the number of notes a user can edit.
+
+### 6.72.07
+
+Updated commands that send emails to not downshift `'First Last<firstlast@domain.com>'` to `'first last<firstlast@domain.com>'`.
+
+### 6.72.06
+
+Updated the following commands to properly handle emailaddress lists containing addresses of the form: `'First Last<firstlast@domain.com>'`.
+```
+gam <UserTypeEntity> sendemail recipient|to <RecipientEntity> [cc <RecipientEntity>] [bcc <RecipientEntity>] [singlemessage]
+gam create|update user ... notify <EmailAddressList>
+```
+
+### 6.72.05
+
+Cleaned up code for all commands that display Chat objects.
+
+### 6.72.04
+
+Added commands to display Chat events.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Users-Chat#display-chat-events
+
+### 6.72.03
+
+Fixed bug in `gam <UserTypeEntity> create chatspace` that caused a trap.
+
+### 6.72.02
+
+Updated `gam delete admin <RoleAssignmentId>` to handle the following error that
+occurs when `<RoleAssignmentId>` references a user that has been deleted.
+```
+ERROR: 404: resourceNotFound - Does not exist
+```
+
+### 6.72.01
+
+Improved commands to display drive file comments.
+
+### 6.72.00
+
+Added commands to display drive file comments.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Users-Drive-Comments
+
+### 6.71.18
+
+Updated `<CrOSFieldName>` to include `cpuinfo` and `backlightinfo`.
+
+### 6.71.17
+
+Added `depth` column to output of `gam <UserTypeEntity> print diskusage <DriveFileEntity>` that can
+be used to filter the depth of the folders displayed. Depth `-1` is the top level folder, depth `0`
+are its immediate children, depth `2` are the children of depth `1` and so forth.
+```
+gam config csv_output_row_filter "depth:count<1" user organizer@domain.com  print diskusage teamdriveid <TeamDriveID>
+```
+
+### 6.71.16
+
+Updated `gam <UserTypeEntity> create|update sendas <EmailAddress> ... replyto <EmailAddress>`
+to allow uppercase letters in `sendas <EmailAddress>` and `replyto <EmailAddress>`.
+
+### 6.71.15
+
+Updated `gam create project` to handle the following error:
+```
+ERROR: 403: permissionDenied - Authentication error: 7; Error Details: User not allowed to access GCP services.
+```
+This error occurs when the Google Workspace admin or GCP project manager email address used in the command
+is in an OU where Google Cloud Platform is not enabled in Apps/Additional Google services.
+
+### 6.71.14
+
+Added a command to update a Gmail label's settings by specifying it's ID rather than it's name.
+```
+gam <UserTypeEntity> update labelid <LabelID> [name <String>]
+        [messagelistvisibility hide|show] [labellistvisibility hide|show|showifunread]
+        [backgroundcolor <LabelColorHex>] [textcolor <LabelColorHex>]
+```
+
+### 6.71.13
+
+Updated `<UserMultiAttribute>.location.buildingid <String>` to allow non-validated building IDs
+by specifying `nv:` at the beginning of `<String>`; e.g., `nv:Building X' sets the building ID to `Building X`.
+
+### 6.71.12
+
+Added option `showmimetype category <MimeTypeNameList>` to `gam <UserTypeEntity> print|show filecounts|filelist|filetree`
+```
+<MimeTypeName> ::= application|audio|font|image|message|model|multipart|text|video
+<MimeTypeNameList> ::= "<MimeTypeName>(,<MimeTypeName>)*"
+
+gam user user@domain.com print filelist fields id,name,mimetype showmimetype prefixes audio,video
+```
+
+### 6.71.11
+
+Added option `addcsvdata <FieldName> <String>` to `gam print cros` that adds
+additional columns of data to the CSV file output. Typically, you would read CSV file of device IDs/serial numbers
+to generate a CSV file of results and copy data from the input CSV to the outout CSV.
+
+### 6.71.10
+
+Reverted change made in 6.71.09 to `gam <UserTypeEntity> print filelist` when `showmimetype` and `filepath|fullpath`
+were both specified. The change improved the performance when `showmimetype` selected a small number of files;
+the information for just those files was downloaded and then additional API calls were made to construct the file paths.
+However, if a large number of files were selected, the additional APIs calls decreased performance.
+
+Added option `mimetypeinquery` can be used when you expect the query to return a small number of files
+relative to the total number of files.
+
+### 6.71.09
+
+Improved the performance of `gam <UserTypeEntity> print filelist` when `showmimetype` and `filepath|fullpath`
+are both specified.
+
+### 6.71.08
+
+Added option `oneitemperrow` to 'gam print admins|adminroles` to have each of a
+roles privileges displayed on a separate row with all of the other admin/role fields.
+This produces a CSV file that can be used in subsequent commands without further script processing.
+
+### 6.71.07
+
+Added command to upload changes to Google Docs.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Users-Drive-Files-Manage#upload-changes-to-google-documents
 
 ### 6.71.06
 
@@ -4377,7 +5284,7 @@ converting `<SMTPDateHeader>` values to the `gam.cfg timezone`.
 
 Updated option `dateheaderformat iso|rfc2822|<String>` to `gam <UserTypeEntity> print|show messages|threads` that allows
 reformatting of the message `Date` header value from RFC2822 format to the the following:
-* `iso` - Format is `%Y-%m-%dT%H:%M:%S%z`
+* `iso` - Format is `%Y-%m-%dT%H:%M:%S%:z`
 * `rfc2822` - Format is `%a, %d %b %Y %H:%M:%S %z`
 * `<String>` - Format according to: https://docs.python.org/3/library/datetime.html#strftime-and-strptime-format-codes
 

docs/Groups-Membership.md

@@ -1,5 +1,6 @@
  Groups - Membership
 - [API documentation](#api-documentation)
+- [Query documentation](#query-documentation)
 - [Python Regular Expressions](Python-Regular-Expressions) Match function
 - [Definitions](#definitions)
 - [Collections of Users](#collections-of-users)
@@ -18,8 +19,30 @@
 ## API documentation
 * https://developers.google.com/admin-sdk/directory/v1/reference/members
 
+## Query documentation
+* https://developers.google.com/admin-sdk/directory/v1/guides/search-groups
+* https://cloud.google.com/identity/docs/reference/rest/v1/groups#dynamicgroupquery
+
 ## Definitions
 See [Collections of Items](Collections-of-Items)
+
+* [Command data from Google Docs/Sheets/Storage](Command-Data-From-Google-Docs-Sheets-Storage)
+```
+<StorageBucketName> ::= <String>
+<StorageObjectName> ::= <String>
+<StorageBucketObjectName> ::=
+        https://storage.cloud.google.com/<StorageBucketName>/<StorageObjectName>|
+        https://storage.googleapis.com/<StorageBucketName>/<StorageObjectName>|
+        gs://<StorageBucketName>/<StorageObjectName>|
+        <StorageBucketName>/<StorageObjectName>
+
+<UserGoogleDoc> ::=
+        <EmailAddress> <DriveFileIDEntity>|<DriveFileNameEntity>|(<SharedDriveEntity> <SharedDriveFileNameEntity>)
+
+<SheetEntity> ::= <String>|id:<Number>
+<UserGoogleSheet> ::=
+        <EmailAddress> <DriveFileIDEntity>|<DriveFileNameEntity>|(<SharedDriveEntity> <SharedDriveFileNameEntity>) <SheetEntity>
+```
 ```
 <DeliverySetting> ::=
         allmail|
@@ -131,6 +154,11 @@ gam update group|groups <GroupEntity> create|add [<GroupRole>]
         [preview] [actioncsv]
         <UserItem>|<UserTypeEntity>
 ```
+To add a group as a memmber of another group, just specify its email address.
+```
+gam update group group1@domain.com add member group2@domain.com
+```
+
 When `<UserTypeEntity>` specifies a group or groups:
 * `usersonly` - Only the user members from the specified groups are added
 * `groupsonly` - Only the group members from the specified groups are added
@@ -182,6 +210,11 @@ gam update group|groups <GroupEntity> delete|remove [<GroupRole>]
 ```
 `<GroupRole>` is ignored, deletions take place regardless of role.
 
+To remove a group as a memmber of another group, just specify its email address.
+```
+gam update group group1@domain.com remove group2@domain.com
+```
+
 When `<UserTypeEntity>` specifies a group or groups:
 * `usersonly` - Only the user members from the specified groups are deleted
 * `groupsonly` - Only the group members from the specified groups are deleted
@@ -274,6 +307,7 @@ If `actioncsv` is specified, a CSV file with columns `group,email,role,action,me
 that shows the actions performed when updating the group.
 
 The option `additionalmembers [<GroupRole>] <EmailAddressEntity>` can be used to specify members in addition to those specified with `<UserTypeEntity>`.
+If a <GroupRole> is specified, it must match the same role as the one used for the group sync.
 
 For example,
 ```
@@ -299,10 +333,10 @@ seniors@domain.org,/Students/ClassOf2023
 juniors@domain.org,/Students/ClassOf2024
 ...
 ```
-This allows you to do: `gam csv GradeOU.csv gam update group ~Grade sync members ou ~OU`
+This allows you to do: `gam csv GradeOU.csv gam update group "~Grade" sync members ou "~OU"`
 But suppose that at each grade level there are additional group members that are groups of faculty/staff; e.g., senioradvisors@domain.org.
 In this scenario, you can't do the `update group sync` command as the members that are groups will be deleted; the `usersonly` option allows
-the `update group sync` command to work: `gam csv GradeOU.csv gam update group ~Grade sync members usersonly ou ~OU`
+the `update group sync` command to work: `gam csv GradeOU.csv gam update group "~Grade" sync members usersonly ou "~OU"`
 The users from the OU are matched against the user members of the group and adds/deletes are done as necessary to synchronize them;
 the group members of the group are unaffected.
 
@@ -581,6 +615,7 @@ gam print group-members [todrive <ToDriveAttribute>*]
         [types <GroupTypeList>]
         [memberemaildisplaypattern|memberemailskippattern <RegularExpression>]
         [userfields <UserFieldNameList>]
+        [allschemas|(schemas|custom|customschemas <SchemaNameList>)]
         [(recursive [noduplicates])|includederivedmembership] [nogroupemail]
         [peoplelookup|(peoplelookupuser <EmailAddress>)]
         [unknownname <String>] [cachememberinfo [Boolean]]
@@ -645,7 +680,10 @@ these options specify which fields to display:
 * `<MembersFieldName>*` - Individual field names
 * `fields <MembersFieldNameList>` - A comma separated list of field names
     * `delivery|deliverysettings` - Specify this field to get delivery information; an additional API call per member is required
-* `userfields <UserFieldNameList>` - For members that are users, display these user fields; an additional API call per member is required
+
+For members that are users, you can specify additional information to display; an additional API call per member is required
+* `userfields <UserFieldNameList>` - Display specific user fields
+* `allschemas|(schemas|custom|customschemas <SchemaNameList>)` - Display all or specific custom schema values
 
 The additional API calls can be reduced with the `cachememberinfo` option; a single API call is made for each user/group
 and the data is cached to eliminate to need to repeat the API call; this consumes more memory but dramatically reduces the number of API calls.

docs/Groups.md

@@ -10,6 +10,7 @@
 - [Definitions](#definitions)
 - [GUI API Group settings mapping](#gui-api-group-settings-mapping)
 - [GUI API Group access type settings mapping](#gui-api-group-access-type-settings-mapping)
+- [whoCanViewMembership and whoCanDiscoverGroup interactions](#whocanviewmembership-and-whocandiscovergroup-interactions)
 - [Manage groups](#manage-groups)
 - [Update a group's settings with JSON data](#update-a-groups-settings-with-json-data)
 - [Display information about specific groups](#display-information-about-specific-groups)
@@ -25,7 +26,7 @@
 * https://cloud.google.com/identity/docs/reference/rest/v1/groups
 
 ## Name guidelines
-* https://support.google.com/a/answer/9193374?hl=en
+* https://support.google.com/a/answer/9193374
 
 ## Query documentation
 * https://developers.google.com/admin-sdk/directory/v1/guides/search-groups
@@ -303,6 +304,46 @@ Restricted
   whoCanViewMembership ALL_MEMBERS_CAN_VIEW
 ```
 
+## whoCanViewMembership and whoCanDiscoverGroup interactions
+Some combinations of these two settings are not allowed:
+```
+gam update group group@domain.com whoCanViewMembership ALL_IN_DOMAIN_CAN_VIEW whoCanDiscoverGroup ANYONE_CAN_DISCOVER
+Group: group@domain.com, Updated
+
+gam update group group@domain.com whoCanViewMembership ALL_OWNERS_CAN_VIEW whoCanDiscoverGroup ANYONE_CAN_DISCOVER
+Group: group@domain.com, Update Failed: Failed request validation in update settings: DONT_USE_OR_ELSE_WHO_CAN_MANAGE_MEMBERS_CANNOT_BE_BROADER_THAN_WHO_CAN_VIEW_MEMBERSHIP
+
+gam update group group@domain.com whoCanViewMembership ALL_MANAGERS_CAN_VIEW whoCanDiscoverGroup ANYONE_CAN_DISCOVER
+Group: group@domain.com, Updated
+
+gam update group group@domain.com whoCanViewMembership ALL_MEMBERS_CAN_VIEW whoCanDiscoverGroup ANYONE_CAN_DISCOVER
+Group: group@domain.com, Updated
+
+gam update group group@domain.com whoCanViewMembership ALL_IN_DOMAIN_CAN_VIEW whoCanDiscoverGroup ALL_IN_DOMAIN_CAN_DISCOVER
+Group: group@domain.com, Updated
+
+gam update group group@domain.com whoCanViewMembership ALL_OWNERS_CAN_VIEW whoCanDiscoverGroup ALL_IN_DOMAIN_CAN_DISCOVER
+Group: group@domain.com, Update Failed: Failed request validation in update settings: DONT_USE_OR_ELSE_WHO_CAN_MANAGE_MEMBERS_CANNOT_BE_BROADER_THAN_WHO_CAN_VIEW_MEMBERSHIP
+
+gam update group group@domain.com whoCanViewMembership ALL_MANAGERS_CAN_VIEW whoCanDiscoverGroup ALL_IN_DOMAIN_CAN_DISCOVER
+Group: group@domain.com, Updated
+
+gam update group group@domain.com whoCanViewMembership ALL_MEMBERS_CAN_VIEW whoCanDiscoverGroup ALL_IN_DOMAIN_CAN_DISCOVER
+Group: group@domain.com, Updated
+
+gam update group group@domain.com whoCanViewMembership ALL_IN_DOMAIN_CAN_VIEW whoCanDiscoverGroup ALL_MEMBERS_CAN_DISCOVER
+Group: group@domain.com, Update Failed: Failed request validation in update settings: WHO_CAN_VIEW_MEMBERSHIP_CANNOT_BE_BROADER_THAN_WHO_CAN_SEE_GROUP
+
+gam update group group@domain.com whoCanViewMembership ALL_OWNERS_CAN_VIEW whoCanDiscoverGroup ALL_MEMBERS_CAN_DISCOVER
+Group: group@domain.com, Update Failed: Failed request validation in update settings: DONT_USE_OR_ELSE_WHO_CAN_MANAGE_MEMBERS_CANNOT_BE_BROADER_THAN_WHO_CAN_VIEW_MEMBERSHIP
+
+gam update group group@domain.com whoCanViewMembership ALL_MANAGERS_CAN_VIEW whoCanDiscoverGroup ALL_MEMBERS_CAN_DISCOVER
+Group: group@domain.com, Updated
+
+gam update group group@domain.com whoCanViewMembership ALL_MEMBERS_CAN_VIEW whoCanDiscoverGroup ALL_MEMBERS_CAN_DISCOVER
+Group: group@domain.com, Updated
+```
+
 ## Manage groups
 
 These commands allow you to create, update and delete groups.
@@ -343,7 +384,7 @@ Getting Group Settings for testgroup4@domain.com (4/4)
 ```
 Perform your experiments and then restore the original settings.
 ```
-$ gam csv ./groups.csv quotechar "'" gam update group ~email json ~JSON-settings
+$ gam csv ./groups.csv quotechar "'" gam update group "~email" json "~JSON-settings"
 Using 4 processes...
 Group: testgroup1@domain.com, Updated
 Group: testgroup2@domain.com, Updated
@@ -543,7 +584,7 @@ gam print grouptree <GroupEntity> [todrive <ToDriveAttribute>*]
 ```
 By default, the group parent emails and names are displayed in multiple indexed columns.
 Use options `showparentsaslist [<Boolean>]` and `delimiter <Character>` to display
-the group parent emails and names in two columns as delimited lists .
+the group parent emails and names in two columns as delimited lists.
 
 #### Examples
 ```

docs/Home.md

@@ -1,70 +1,61 @@
 - [Introduction](#introduction)
 - [Requirements](#requirements)
-- [Installation - First time GAM installation](#installation---first-time-gam-installation)
-- [Installation - Upgrading from a GAM version other than a prior version of GAMADV-X or GAMADV-XTD or GAMADV-XTD3](#installation---upgrading-from-a-gam-version-other-than-a-prior-version-of-gamadv-x-or-gamadv-xtd-or-gamadv-xtd3)
-- [Installation - Upgrading from a prior version of GAMADV-X or GAMADV-XTD or GAMADV-XTD3](#installation---upgrading-from-a-prior-version-of-gamadv-x-or-gamadv-xtd-or-gamadv-xtd3)
+- [Installation - First time GAM7 installation](#installation---first-time-gam7-installation)
+- [Installation - Upgrading from Legacy GAM](#installation---upgrading-from-legacy-gam)
 
 # Introduction
-GAMADV-XTD3 is a free, open source command line tool for Google Workspace Administrators to manage domain and user settings quickly and easily.
+GAM7 is a free, open source command line tool for Google Workspace Administrators to manage domain and user settings quickly and easily.
 
-GAMADV-XTD3 is built with Python 3; as Python 2 support ends on 2020-01-01, this is the version of Advanced GAM that new/existing users should install.
+This page provides simple instructions for downloading, installing and starting to use GAM7.
 
-This page provides simple instructions for downloading, installing and starting to use GAMADV-XTD3.
+GAM7 requires paid, or Education/Non-profit, editions of Google Workspace. G Suite Legacy Free Edition has limited API support and not all GAM commands work.
 
-GAMADV-XTD3 requires paid, or Education/Non-profit, editions of Google Workspace. G Suite Legacy Free Edition has limited API support and not all GAM commands work.
+GAM7 is a rewrite/extension of Jay Lee's [Legacy GAM], without his efforts, this version wouldn't exist.
 
-GAMADV-XTD3 is a rewrite/extension of Jay Lee's [GAM], without his efforts, this version wouldn't exist.
-
-GAMADV-XTD3 is backwards compatible with [GAM], meaning that if your command works with regular GAM, it will also work with GAMADV-XTD3. There may be differences in output, but the syntax is compatible.
+GAM7 is backwards compatible with [Legacy GAM], meaning that if your command works with Legacy GAM, it will also work with GAM7. There may be differences in output, but the syntax is compatible.
 
 # Documentation
-Basic GAM documentation is hosted in the [GitHub Wiki]. Documentation specifically for GAMADV-XTD3 is hosted in the [GitHub GAMADV-XTD3 Wiki] and in Gam*.txt files.
+Documentation for GAM7 is hosted in the [GitHub GAM7 Wiki] and in Gam*.txt files.
+Legacy GAM documentation is hosted in the [GitHub Legacy Wiki].
 
 # Mailing List / Discussion group
 The GAM mailing list / discussion group is hosted on [Google Groups].  You can join the list and interact via email, or just post from the web itself.
 
 # Source Repository
-The official GAMADV-XTD3 source repository is on [GitHub] in the master branch.
+The official GAM7 source repository is on [GitHub] in the master branch.
 
 # Author
-GAMADV-XTD3 is maintained by <a href="mailto:ross.scroggs@gmail.com">Ross Scroggs</a>.
+GAM7 is maintained by <a href="mailto:ross.scroggs@gmail.com">Ross Scroggs</a>.
 
 # Requirements
-To run all commands properly, GAMADV-XTD3 requires three things:
-* An API project which identifies your install of GAMADV-XTD3 to Google and keeps track of API quotas.
+To run all commands properly, GAM7 requires three things:
+* An API project which identifies your install of GAM7 to Google and keeps track of API quotas.
 * Authorization to act as your Google Workspace Administrator in order to perform management functions like add users, modify group settings and membership and pull domain reports.
 * A special service account that is authorized to act on behalf of your users in order to modify user-specific settings and data such as Drive files, Calendars and Gmail messages and settings like signatures.
 
-# Installation - First time GAM installation
+# Installation - First time GAM7 installation
 Use these steps if you have never used any version of GAM in your domain. They will create a GAM project
 and all necessary authentications.
 
-* Download: [Downloads](Downloads)
-* Configuration: [GAM Configuration](gam.cfg)
+* Download: [Downloads-Installs](Downloads-Installs)
+* Configuration: [GAM7 Configuration](gam.cfg)
 * Install: [How to Install Advanced GAM](How-to-Install-Advanced-GAM)
 
-# Installation - Upgrading from a GAM version other than a prior version of GAMADV-X or GAMADV-XTD or GAMADV-XTD3
-Use these steps if you have used any version of GAM in your domain. They will update your GAM project
+# Installation - Upgrading from Legacy GAM
+Use these steps if you have used any version of Legacy GAM in your domain. They will update your GAM project
 and all necessary authentications.
 
-* Download: [Downloads](Downloads)
-* Configuration: [GAM Configuration](gam.cfg)
-* Upgrade: [How to Upgrade from Standard GAM](How-to-Upgrade-from-Standard-GAM)
+* Download: [Downloads-Installs](Downloads-Installs)
+* Configuration: [GAM7 Configuration](gam.cfg)
+* Upgrade: [How to Upgrade from Legacy GAM](How-to-Upgrade-from-Legacy-GAM)
 
-# Installation - Upgrading from a prior version of GAMADV-X or GAMADV-XTD or GAMADV-XTD3
-Use these steps if you already use GAMADV-X or GAMADV-XTD or GAMADV-XTD3. The updates may tell you to update your GAM project
-or authentications because new features have been included.
+You can install multiple versions of GAM and GAM7 in different parallel directories.
 
-* Updates: [GAM Updates]
-* Download: [Downloads](Downloads)
-
-You can install multiple versions of GAM and GAMADV-XTD3 in different parallel directories.
-
-[GAM]: https://github.com/GAM-team/GAM
-[GitHub Releases]: https://github.com/taers232c/GAMADV-XTD3/releases
-[GitHub]: https://github.com/taers232c/GAMADV-XTD3/tree/master
-[GitHub Wiki]: https://github.com/GAM-team/GAM/wiki/
-[GitHub GAMADV-XTD3 Wiki]: https://github.com/taers232c/GAMADV-XTD3/wiki/
+[Legacy GAM]: https://github.com/GAM-team/GAM/releases?q=6.58&expanded=true
+[GAM7]: https://github.com/GAM-team/GAM
+[GitHub Releases]: https://github.com/GAM-team/GAM/releases
+[GitHub]: https://github.com/GAM-team/GAM/tree/master
+[GitHub Legacy Wiki]: https://github.com/GAM-team/GAM/wiki/
+[GitHub GAM7 Wiki]: https://github.com/taers232c/GAMADV-XTD3/wiki/
 [Google Groups]: https://groups.google.com/group/google-apps-manager
 [GAM Updates]: https://github.com/taers232c/GAMADV-XTD3/wiki/GamUpdates
-

docs/How-to-Install-Advanced-Gam.md

@@ -2,10 +2,10 @@
 Use these steps if you have never used any version of GAM in your domain. They will create your GAM project
 and all necessary authentications.
 
-- [Downloads](Downloads)
-- [GAM Configuration](gam.cfg)
+- [Downloads-Installs](Downloads-Installs)
 - [Linux and MacOS and Google Cloud Shell](#linux-and-mac-os-and-google-cloud-shell)
 - [Windows](#windows)
+- [GAM Configuration](gam.cfg)
 
 ## Linux and MacOS and Google Cloud Shell
 
@@ -25,6 +25,11 @@ probably want to select a non-hidden location. This example assumes that the GAM
 configuration directory will be /Users/admin/GAMConfig; If you've chosen another directory,
 substitute that value in the directions.
 
+Make the directory:
+```
+mkdir -p /Users/admin/GAMConfig
+```
+
 Add the following line:
 ```
 export GAMCFGDIR="/Users/admin/GAMConfig"
@@ -37,14 +42,7 @@ to one of these files based on your shell:
 ~/.profile
 ```
 
-You need to enable this setting in the environment. The easiest way is probably to close your terminal and open a new session. This will load the environment variables, including the one you just added. Test this by issuing this command:
-```
-echo $GAMCFGDIR
-```
-
-This should print the name of the directory you used above.
-
-Alternatively, without starting a new session, load the new variable in this session directly: issue the following command replacing `<Filename>` with the name of the file you edited:
+Issue the following command replacing `<Filename>` with the name of the file you edited:
 ```
 source <Filename>
 ```
@@ -54,11 +52,6 @@ You need to make sure the GAM configuration directory actually exists. Test that
 ls -l $GAMCFGDIR
 ```
 
-If this gives you an error, make the directory:
-```
-mkdir -p $GAMCFGDIR
-```
-
 ### Set a working directory
 
 You should establish a GAM working directory; you will store your GAM related
@@ -66,7 +59,11 @@ data in this folder and execute GAM commands from this folder. You should not us
 /Users/admin/bin/gamadv-xtd3 or /Users/admin/GAMConfig for this purpose.
 This example assumes that the GAM working directory will be /Users/admin/GAMWork; If you've chosen
 another directory, substitute that value in the directions.
-* Make the /Users/admin/GAMWork directory before proceeding.
+
+Make the directory:
+```
+mkdir -p /Users/admin/GAMWork
+```
 
 ### Set an alias
 You should set an alias to point to /Users/admin/bin/gamadv-xtd3/gam so you can operate from the /Users/admin/GAMWork directory.
@@ -98,31 +95,33 @@ ln -s "/Users/admin/bin/gamadv-xtd3/gam" /usr/local/bin/gam
 
 ### Initialize GAMADV-XTD3; this should be the first GAMADV-XTD3 command executed.
 ```
-admin@server:~$ cd /Users/admin/bin/gamadv-xtd3
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam config drive_dir /Users/admin/GAMWork verify
+admin@server:/Users/admin$ gam config drive_dir /Users/admin/GAMWork verify
 Created: /Users/admin/GAMConfig
 Created: /Users/admin/GAMConfig/gamcache
 Config File: /Users/admin/GAMConfig/gam.cfg, Initialized
 Section: DEFAULT
-  activity_max_results = 100
   ...
-  [long list of all config settings that should match the directories you specified]
+  cache_dir = /Users/admin/GAMConfig/gamcache
+  ...
+  config_dir = /Users/admin/GAMConfig
+  ...
+  drive_dir = /Users/admin/GAMWork
   ...
 
-admin@server:/Users/admin/bin/gamadv-xtd3$
+admin@server:/Users/admin$
 ```
 ### Verify initialization, this was a successful installation.
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ls -l $GAMCFGDIR
+admin@server:/Users/admin$ ls -l $GAMCFGDIR
 total 48
 -rw-r-----+ 1 admin  staff  1069 Mar  3 09:23 gam.cfg
 drwxr-x---+ 2 admin  staff    68 Mar  3 09:23 gamcache
 -rw-rw-rw-+ 1 admin  staff     0 Mar  3 09:23 oauth2.txt.lock
-admin@server:/Users/admin/bin/gamadv-xtd3$ 
+admin@server:/Users/admin$ 
 ```
 ### Create your project with local browser
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ gam create project
+admin@server:/Users/admin$ gam create project
 WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Item: client_secrets_json, Value: /Users/admin/GAMConfig/client_secrets.json, Not Found
 WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Item: oauth2service_json, Value: /Users/admin/GAMConfig/oauth2service.json, Not Found
 
@@ -186,12 +185,12 @@ Enter your Client Secret: CLIENTSECRET
 6. Go back to your browser and click OK to close the "OAuth client" popup if it's still open.
 That's it! Your GAM Project is created and ready to use.
 
-admin@server:/Users/admin/bin/gamadv-xtd3$ 
+admin@server:/Users/admin$ 
 ```
 ### Create your project without local browser (Google Cloud Shell for instance)
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ gam config no_browser true save
-admin@server:/Users/admin/bin/gamadv-xtd3$ gam create project
+admin@server:/Users/admin$ gam config no_browser true save
+admin@server:/Users/admin$ gam create project
 WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Item: client_secrets_json, Value: /Users/admin/GAMConfig/client_secrets.json, Not Found
 WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Item: oauth2service_json, Value: /Users/admin/GAMConfig/oauth2service.json, Not Found
 
@@ -254,7 +253,7 @@ Enter your Client Secret: CLIENTSECRET
 6. Go back to your browser and click OK to close the "OAuth client" popup if it's still open.
 That's it! Your GAM Project is created and ready to use.
 
-admin@server:/Users/admin/bin/gamadv-xtd3$ 
+admin@server:/Users/admin$ 
 ```
 ### Enable GAMADV-XTD3 client access
 
@@ -262,7 +261,7 @@ You select a list of scopes, GAM uses a browser to get final authorization from
 writes the credentials into the file oauth2.txt.
 
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam oauth create
+admin@server:/Users/admin$ gam oauth create
 
 [*]  0)  Calendar API (supports readonly)
 [*]  1)  Chrome Browser Cloud Management API (supports readonly)
@@ -343,14 +342,14 @@ Enter verification code or paste "Unable to connect" URL from other computer (on
 The authentication flow has completed.
 Client OAuth2 File: /Users/admin/GAMConfig/oauth2.txt, Created
 
-admin@server:/Users/admin/bin/gamadv-xtd3$ 
+admin@server:/Users/admin$ 
 ```
 
 If clicking on the link in the instructions does not work (i.e. you get a 404 or 400 error message, instead of something about 'unable to connect') the URL in the link is too long. Most likely, you have selected all scopes. Try again with fewer scopes until it works. (there is no harm in repeatedly trying)
 
 ### Enable GAMADV-XTD3 service account access.
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam user admin@domain.com check serviceaccount
+admin@server:/Users/admin$ gam user admin@domain.com check serviceaccount
 $ gam user admin@domain.com check serviceaccount
 System time status
   Your system time differs from www.googleapis.com by less than 1 second    PASS
@@ -405,7 +404,7 @@ Click AUTHORIZE
 When the box closes you're done
 After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.
 
-admin@server:/Users/admin/bin/gamadv-xtd3$
+admin@server:/Users/admin$
 ```
 The link shown in the error message should take you directly to the authorization screen.
 If not, make sure that you are logged in as a domain admin, then re-enter the link.
@@ -415,7 +414,7 @@ If not, make sure that you are logged in as a domain admin, then re-enter the li
 Wait a moment and then perform the following command; it it still fails, wait a bit longer, it can sometimes take serveral minutes
 for the authorization to complete.
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam user admin@domain.com check serviceaccount
+admin@server:/Users/admin$ gam user admin@domain.com check serviceaccount
 System time status:
   Your system time differs from www.googleapis.com by less than 1 second    PASS
 Service Account Private Key Authentication:
@@ -459,14 +458,14 @@ All scopes PASSED!
 
 Service Account Client name: SVCACCTID is fully authorized.
 
-admin@server:/Users/admin/bin/gamadv-xtd3$ 
+admin@server:/Users/admin$ 
 ```
 ### Update gam.cfg with some basic values
 * `customer_id` - Having this data keeps Gam from having to make extra API calls
 * `domain` - This allows you to omit the domain portion of email addresses
 * `timezone local` - Gam will convert all UTC times to your local timezone
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam info domain
+admin@server:/Users/admin$ gam info domain
 Customer ID: C01234567
 Primary Domain: domain.com
 Customer Creation Time: 2007-06-06T15:47:55.444Z
@@ -474,15 +473,18 @@ Primary Domain Verified: True
 Default Language: en
 ...
 
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam config customer_id C01234567 domain domain.com timezone local save verify
+admin@server:/Users/admin$ gam config customer_id C01234567 domain domain.com timezone local save verify
 Config File: /Users/admin/GAMConfig/gam.cfg, Saved
 Section: DEFAULT
-  activity_max_results = 100
   ...
-  [long list of all config settings that should match the data you specified]
+  customer_id = C01234567
+  ...
+  domain = domain.com
+  ...
+  timezone = local
   ...
 
-admin@server:/Users/admin/bin/gamadv-xtd3$
+admin@server:/Users/admin$
 ```
 
 ## Windows
@@ -538,22 +540,24 @@ At this point, you should restart Command Prompt so that it has the updated path
 
 ### Initialize GAMADV-XTD3; this should be the first GAMADV-XTD3 command executed.
 ```
-C:>cd C:\GAMADV-XTD3
-C:\GAMADV-XTD3>gam config drive_dir C:\GAMWork verify
+C:\>gam config drive_dir C:\GAMWork verify
 Created: C:\GAMConfig
 Created: C:\GAMConfig\gamcache
 Config File: C:\GAMConfig\gam.cfg, Initialized
 Section: DEFAULT
-  activity_max_results = 100
   ...
-  [long list of all config settings that should match the directories you specified]
+  cache_dir = C:\GAMConfig\gamcache
+  ...
+  config_dir = C:\GAMConfig
+  ...
+  drive_dir = C:\GAMWork
   ...
 
-C:\GAMADV-XTD3>
+C:\>
 ```
 ### Verify initialization, this was a successful installation.
 ```
-C:\GAMADV-XTD3>dir %GAMCFGDIR%
+C:\>dir %GAMCFGDIR%
  Volume in drive C has no label.
  Volume Serial Number is 663F-DA8B
 
@@ -566,12 +570,12 @@ C:\GAMADV-XTD3>dir %GAMCFGDIR%
 03/03/2017  10:15 AM                 0 oauth2.txt.lock
                2 File(s)         15,769 bytes
                3 Dir(s)  110,532,562,944 bytes free
-C:\GAMADV-XTD3>
+C:\>
 ```
 
 ### Create your project with local browser
 ```
-C:\GAMADV-XTD3>gam create project
+C:\>gam create project
 WARNING: Config File: C:\GAMConfig\gam.cfg, Item: client_secrets_json, Value: C:\GAMConfig\client_secrets.json, Not Found
 WARNING: Config File: C:\GAMConfig\gam.cfg, Item: oauth2service_json, Value: C:\GAMConfig\oauth2service.json, Not Found
 
@@ -635,12 +639,12 @@ Enter your Client Secret: CLIENTSECRET
 6. Go back to your browser and click OK to close the "OAuth client" popup if it's still open.
 That's it! Your GAM Project is created and ready to use.
 
-C:\GAMADV-XTD3>
+C:\>
 ```
 ### Create your project without local browser (headless server for instance)
 ```
-C:\GAMADV-XTD3>gam config no_browser true save
-C:\GAMADV-XTD3>gam create project
+C:\>gam config no_browser true save
+C:\>gam create project
 WARNING: Config File: C:\GAMConfig\gam.cfg, Item: client_secrets_json, Value: C:\GAMConfig\client_secrets.json, Not Found
 WARNING: Config File: C:\GAMConfig\gam.cfg, Item: oauth2service_json, Value: C:\GAMConfig\oauth2service.json, Not Found
 
@@ -703,7 +707,7 @@ Enter your Client Secret: CLIENTSECRET
 6. Go back to your browser and click OK to close the "OAuth client" popup if it's still open.
 That's it! Your GAM Project is created and ready to use.
 
-C:\GAMADV-XTD3>
+C:\>
 ```
 ### Enable GAMADV-XTD3 client access
 
@@ -711,7 +715,7 @@ You select a list of scopes, GAM uses a browser to get final authorization from
 writes the credentials into the file oauth2.txt.
 
 ```
-C:\GAMADV-XTD3>gam oauth create
+C:\>gam oauth create
 
 [*]  0)  Calendar API (supports readonly)
 [*]  1)  Chrome Browser Cloud Management API (supports readonly)
@@ -792,11 +796,11 @@ Enter verification code or paste "Unable to connect" URL from other computer (on
 The authentication flow has completed.
 Client OAuth2 File: C:\GAMConfig\oauth2.txt, Created
 
-C:\GAMADV-XTD3>
+C:\>
 ```
 ### Enable GAMADV-XTD3 service account access.
 ```
-C:\GAMADV-XTD3>gam user admin@domain.com check serviceaccount
+C:\>gam user admin@domain.com check serviceaccount
 System time status
   Your system time differs from www.googleapis.com by less than 1 second    PASS
 Service Account Private Key Authentication
@@ -850,7 +854,7 @@ Click AUTHORIZE
 When the box closes you're done
 After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.
 
-C:\GAMADV-XTD3>
+C:\>
 ```
 The link shown in the error message should take you directly to the authorization screen.
 If not, make sure that you are logged in as a domain admin, then re-enter the link.
@@ -860,7 +864,7 @@ If not, make sure that you are logged in as a domain admin, then re-enter the li
 Wait a moment and then perform the following command; it it still fails, wait a bit longer, it can sometimes take serveral minutes
 for the authorization to complete.
 ```
-C:\GAMADV-XTD3>gam user admin@domain.com check serviceaccount
+C:\>gam user admin@domain.com check serviceaccount
 System time status:
   Your system time differs from www.googleapis.com by less than 1 second    PASS
 Service Account Private Key Authentication:
@@ -904,14 +908,14 @@ All scopes PASSED!
 
 Service Account Client name: SVCACCTID is fully authorized.
 
-C:\GAMADV-XTD3>
+C:\>
 ```
 ### Update gam.cfg with some basic values
 * `customer_id` - Having this data keeps Gam from having to make extra API calls
 * `domain` - This allows you to omit the domain portion of email addresses
 * `timezone local` - Gam will convert all UTC times to your local timezone
 ```
-C:\GAMADV-XTD3>gam info domain
+C:\>gam info domain
 Customer ID: C01234567
 Primary Domain: domain.com
 Customer Creation Time: 2007-06-06T15:47:55.444Z
@@ -919,13 +923,16 @@ Primary Domain Verified: True
 Default Language: en
 ...
 
-C:\GAMADV-XTD3>gam config customer_id C01234567 domain domain.com timezone local save verify
+C:\>gam config customer_id C01234567 domain domain.com timezone local save verify
 Config File: C:\GAMConfig\gam.cfg, Saved
 Section: DEFAULT
-  activity_max_results = 100
   ...
-  [long list of all config settings that should match the directories you specified]
+  customer_id = C01234567
+  ...
+  domain = domain.com
+  ...
+  timezone = local
   ...
 
-C:\GAMADV-XTD3>
+C:\>
 ```

docs/How-to-Install-GAM7.md

@@ -0,0 +1,938 @@
+# Installing GAM7
+Use these steps if you have never used any version of GAM in your domain. They will create your GAM project
+and all necessary authentications.
+
+- [Downloads-Installs](Downloads-Installs)
+- [Linux and MacOS and Google Cloud Shell](#linux-and-mac-os-and-google-cloud-shell)
+- [Windows](#windows)
+- [GAM Configuration](gam.cfg)
+
+## Linux and MacOS and Google Cloud Shell
+
+In these examples, your Google Super admin is shown as admin@domain.com; replace with the
+actual email adddress.
+
+In these examples, the user home folder is shown as /Users/admin; adjust according to your
+specific situation; e.g., /home/administrator.
+
+This example assumes that GAM7 has been installed in /Users/admin/bin/gam7.
+If you've installed GAM7 in another directory, substitute that value in the directions.
+
+### Set a configuration directory
+
+The default GAM configuration directory is /Users/admin/.gam; for more flexibility you
+probably want to select a non-hidden location. This example assumes that the GAM
+configuration directory will be /Users/admin/GAMConfig; If you've chosen another directory,
+substitute that value in the directions.
+
+Make the directory:
+```
+mkdir -p /Users/admin/GAMConfig
+```
+
+Add the following line:
+```
+export GAMCFGDIR="/Users/admin/GAMConfig"
+```
+to one of these files based on your shell:
+```
+~/.bash_profile
+~/.bashrc
+~/.zshrc
+~/.profile
+```
+
+Issue the following command replacing `<Filename>` with the name of the file you edited:
+```
+source <Filename>
+```
+
+You need to make sure the GAM configuration directory actually exists. Test that like this:
+```
+ls -l $GAMCFGDIR
+```
+
+### Set a working directory
+
+You should establish a GAM working directory; you will store your GAM related
+data in this folder and execute GAM commands from this folder. You should not use
+/Users/admin/bin/gam7 or /Users/admin/GAMConfig for this purpose.
+This example assumes that the GAM working directory will be /Users/admin/GAMWork; If you've chosen
+another directory, substitute that value in the directions.
+
+Make the directory:
+```
+mkdir -p /Users/admin/GAMWork
+```
+
+### Set an alias
+You should set an alias to point to /Users/admin/bin/gam7/gam so you can operate from the /Users/admin/GAMWork directory.
+Aliases aren't available in scripts, so you may want to set a symlink instead, see below.
+
+Add the following line:
+```
+alias gam="/Users/admin/bin/gam7/gam"
+```
+to one of these files based on your shell:
+```
+~/.bash_aliases
+~/.bash_profile
+~/.bashrc
+~/.zshrc
+~/.profile
+```
+
+Issue the following command replacing `<Filename>` with the name of the file you edited:
+```
+source <Filename>
+```
+
+### Set a symlink
+Set a symlink in `/usr/local/bin` (or some other location on $PATH) to point to GAM. 
+```
+ln -s "/Users/admin/bin/gam7/gam" /usr/local/bin/gam
+```
+
+### Initialize GAM7; this should be the first GAM7 command executed.
+```
+admin@server:/Users/admin$ gam config drive_dir /Users/admin/GAMWork verify
+Created: /Users/admin/GAMConfig
+Created: /Users/admin/GAMConfig/gamcache
+Config File: /Users/admin/GAMConfig/gam.cfg, Initialized
+Section: DEFAULT
+  ...
+  cache_dir = /Users/admin/GAMConfig/gamcache
+  ...
+  config_dir = /Users/admin/GAMConfig
+  ...
+  drive_dir = /Users/admin/GAMWork
+  ...
+
+admin@server:/Users/admin$
+```
+### Verify initialization, this was a successful installation.
+```
+admin@server:/Users/admin$ ls -l $GAMCFGDIR
+total 48
+-rw-r-----+ 1 admin  staff  1069 Mar  3 09:23 gam.cfg
+drwxr-x---+ 2 admin  staff    68 Mar  3 09:23 gamcache
+-rw-rw-rw-+ 1 admin  staff     0 Mar  3 09:23 oauth2.txt.lock
+admin@server:/Users/admin$ 
+```
+### Create your project with local browser
+```
+admin@server:/Users/admin$ gam create project
+WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Item: client_secrets_json, Value: /Users/admin/GAMConfig/client_secrets.json, Not Found
+WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Item: oauth2service_json, Value: /Users/admin/GAMConfig/oauth2service.json, Not Found
+
+Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) admin@domain.com
+
+Your browser has been opened to visit:
+
+    https://accounts.google.com/o/oauth2/v2/auth?client_id=CLI...response_type=code
+
+If your browser is on a different machine then press CTRL+C,
+set no_browser = true in gam.cfg and re-run this command.
+
+Authentication successful.
+Creating project "GAM Project"...
+Checking project status...
+Project: gam-project-abc-def-ghi, Enable 23 APIs
+  API: admin.googleapis.com, Enabled (1/23)
+  API: alertcenter.googleapis.com, Enabled (2/23)
+  API: appsactivity.googleapis.com, Enabled (3/23)
+  API: audit.googleapis.com, Enabled (4/23)
+  API: calendar-json.googleapis.com, Enabled (5/23)
+  API: chat.googleapis.com, Enabled (6/23)
+  API: classroom.googleapis.com, Enabled (7/23)
+  API: contacts.googleapis.com, Enabled (8/23)
+  API: drive.googleapis.com, Enabled (9/23)
+  API: driveactivity.googleapis.com, Enabled (10/23)
+  API: gmail.googleapis.com, Enabled (11/23)
+  API: groupsmigration.googleapis.com, Enabled (12/23)
+  API: groupssettings.googleapis.com, Enabled (13/23)
+  API: iam.googleapis.com, Enabled (14/23)
+  API: iap.googleapis.com, Enabled (15/23)
+  API: licensing.googleapis.com, Enabled (16/23)
+  API: people.googleapis.com, Enabled (17/23)
+  API: pubsub.googleapis.com, Enabled (18/23)
+  API: reseller.googleapis.com, Enabled (19/23)
+  API: sheets.googleapis.com, Enabled (20/23)
+  API: siteverification.googleapis.com, Enabled (21/23)
+  API: storage-api.googleapis.com, Enabled (22/23)
+  API: vault.googleapis.com, Enabled (23/23)
+Setting GAM project consent screen...
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Enabled
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Generating new private key
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Extracting public certificate
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Done generating private key and public certificate
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Service Account Key: SVCACCTKEY, Uploaded
+Service Account OAuth2 File: /Users/admin/GAMConfig/oauth2service.json, Service Account Key: SVCACCTKEY, Updated
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Has rights to rotate own private key
+Please go to:
+
+https://console.cloud.google.com/apis/credentials/oauthclient?project=gam-project-abc-def-ghi
+
+1. Choose "Desktop App" or "Other" for "Application type".
+2. Enter "GAM" or another desired value for "Name".
+3. Click the blue "Create" button.
+4. Copy your "client ID" value that shows on the next page.
+
+Enter your Client ID: CLIENTID
+
+5. Go back to your browser and copy your "client secret" value.
+Enter your Client Secret: CLIENTSECRET
+6. Go back to your browser and click OK to close the "OAuth client" popup if it's still open.
+That's it! Your GAM Project is created and ready to use.
+
+admin@server:/Users/admin$ 
+```
+### Create your project without local browser (Google Cloud Shell for instance)
+```
+admin@server:/Users/admin$ gam config no_browser true save
+admin@server:/Users/admin$ gam create project
+WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Item: client_secrets_json, Value: /Users/admin/GAMConfig/client_secrets.json, Not Found
+WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Item: oauth2service_json, Value: /Users/admin/GAMConfig/oauth2service.json, Not Found
+
+Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) admin@domain.com
+
+Go to the following link in a browser on other computer:
+
+    https://accounts.google.com/o/oauth2/v2/auth?re... m&prompt=consent
+
+Enter verification code: abc...xyz
+
+Authentication successful.
+Creating project "GAM Project"...
+Checking project status...
+Project: gam-project-abc-def-ghi, Enable 23 APIs
+  API: admin.googleapis.com, Enabled (1/23)
+  API: alertcenter.googleapis.com, Enabled (2/23)
+  API: appsactivity.googleapis.com, Enabled (3/23)
+  API: audit.googleapis.com, Enabled (4/23)
+  API: calendar-json.googleapis.com, Enabled (5/23)
+  API: chat.googleapis.com, Enabled (6/23)
+  API: classroom.googleapis.com, Enabled (7/23)
+  API: contacts.googleapis.com, Enabled (8/23)
+  API: drive.googleapis.com, Enabled (9/23)
+  API: driveactivity.googleapis.com, Enabled (10/23)
+  API: gmail.googleapis.com, Enabled (11/23)
+  API: groupsmigration.googleapis.com, Enabled (12/23)
+  API: groupssettings.googleapis.com, Enabled (13/23)
+  API: iam.googleapis.com, Enabled (14/23)
+  API: iap.googleapis.com, Enabled (15/23)
+  API: licensing.googleapis.com, Enabled (16/23)
+  API: people.googleapis.com, Enabled (17/23)
+  API: pubsub.googleapis.com, Enabled (18/23)
+  API: reseller.googleapis.com, Enabled (19/23)
+  API: sheets.googleapis.com, Enabled (20/23)
+  API: siteverification.googleapis.com, Enabled (21/23)
+  API: storage-api.googleapis.com, Enabled (22/23)
+  API: vault.googleapis.com, Enabled (23/23)
+Setting GAM project consent screen...
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Enabled
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Generating new private key
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Extracting public certificate
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Done generating private key and public certificate
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Service Account Key: SVCACCTKEY, Uploaded
+Service Account OAuth2 File: /Users/admin/GAMConfig/oauth2service.json, Service Account Key: SVCACCTKEY, Updated
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Has rights to rotate own private key
+Please go to:
+
+https://console.cloud.google.com/apis/credentials/oauthclient?project=gam-project-abc-def-ghi
+
+1. Choose "Desktop App" or "Other" for "Application type".
+2. Enter "GAM" or another desired value for "Name".
+3. Click the blue "Create" button.
+4. Copy your "client ID" value that shows on the next page.
+
+Enter your Client ID: CLIENTID
+
+5. Go back to your browser and copy your "client secret" value.
+Enter your Client Secret: CLIENTSECRET
+6. Go back to your browser and click OK to close the "OAuth client" popup if it's still open.
+That's it! Your GAM Project is created and ready to use.
+
+admin@server:/Users/admin$ 
+```
+### Enable GAM7 client access
+
+You select a list of scopes, GAM uses a browser to get final authorization from Google for these scopes and
+writes the credentials into the file oauth2.txt.
+
+```
+admin@server:/Users/admin$ gam oauth create
+
+[*]  0)  Calendar API (supports readonly)
+[*]  1)  Chrome Browser Cloud Management API (supports readonly)
+[*]  2)  Chrome Management API - AppDetails read only
+[*]  3)  Chrome Management API - Telemetry read only
+[*]  4)  Chrome Management API - read only
+[*]  5)  Chrome Policy API (supports readonly)
+[*]  6)  Chrome Printer Management API (supports readonly)
+[*]  7)  Chrome Version History API
+[*]  8)  Classroom API - Course Announcements (supports readonly)
+[*]  9)  Classroom API - Course Topics (supports readonly)
+[*] 10)  Classroom API - Course Work/Materials (supports readonly)
+[*] 11)  Classroom API - Course Work/Submissions (supports readonly)
+[*] 12)  Classroom API - Courses (supports readonly)
+[*] 13)  Classroom API - Profile Emails
+[*] 14)  Classroom API - Profile Photos
+[*] 15)  Classroom API - Rosters (supports readonly)
+[*] 16)  Classroom API - Student Guardians (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
+[*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
+[*] 19)  Cloud Identity Groups API (supports readonly)
+[*] 20)  Cloud Identity OrgUnits API (supports readonly)
+[*] 21)  Cloud Identity User Invitations API (supports readonly)
+[ ] 22)  Cloud Storage API (Read Only, Vault/Takeout Download, Cloud Storage)
+[ ] 23)  Cloud Storage API (Read/Write, Vault/Takeout Copy/Download, Cloud Storage)
+[*] 24)  Contact Delegation API (supports readonly)
+[*] 25)  Contacts API - Domain Shared Contacts and GAL
+[*] 26)  Data Transfer API (supports readonly)
+[*] 27)  Directory API - Chrome OS Devices (supports readonly)
+[*] 28)  Directory API - Customers (supports readonly)
+[*] 29)  Directory API - Domains (supports readonly)
+[*] 30)  Directory API - Groups (supports readonly)
+[*] 31)  Directory API - Mobile Devices Directory (supports readonly and action)
+[*] 32)  Directory API - Organizational Units (supports readonly)
+[*] 33)  Directory API - Resource Calendars (supports readonly)
+[*] 34)  Directory API - Roles (supports readonly)
+[*] 35)  Directory API - User Schemas (supports readonly)
+[*] 36)  Directory API - User Security
+[*] 37)  Directory API - Users (supports readonly)
+[ ] 38)  Email Audit API
+[*] 39)  Groups Migration API
+[*] 40)  Groups Settings API
+[*] 41)  License Manager API
+[*] 42)  People API (supports readonly)
+[*] 43)  People Directory API - read only
+[ ] 44)  Pub / Sub API
+[*] 45)  Reports API - Audit Reports
+[*] 46)  Reports API - Usage Reports
+[ ] 47)  Reseller API
+[*] 48)  Site Verification API
+[ ] 49)  Sites API
+[*] 50)  Vault API (supports readonly)
+
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
+Please enter 0-50[a|r] or s|u|e|c: c
+
+Enter your Google Workspace admin email address? admin@domain.com
+
+Go to the following link in a browser on this computer or on another computer:
+
+    https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=423565144751-10lsdt2lgnsch9jmdhl35uq4617u1ifp&redirect_uri=http%3A%2F%2F127.0.0.1%3A8080%2F&scope=...
+
+If you use a browser on another computer, you will get a browser error that the site can't be reached AFTER you
+click the Allow button, paste "Unable to connect" URL from other computer (only URL data up to &scope required):
+
+Enter verification code or paste "Unable to connect" URL from other computer (only URL data up to &scope required):
+
+The authentication flow has completed.
+Client OAuth2 File: /Users/admin/GAMConfig/oauth2.txt, Created
+
+admin@server:/Users/admin$ 
+```
+
+If clicking on the link in the instructions does not work (i.e. you get a 404 or 400 error message, instead of something about 'unable to connect') the URL in the link is too long. Most likely, you have selected all scopes. Try again with fewer scopes until it works. (there is no harm in repeatedly trying)
+
+### Enable GAM7 service account access.
+```
+admin@server:/Users/admin$ gam user admin@domain.com check serviceaccount
+$ gam user admin@domain.com check serviceaccount
+System time status
+  Your system time differs from www.googleapis.com by less than 1 second    PASS
+Service Account Private Key Authentication
+  Authentication                                                            PASS
+Service Account Private Key age; Google recommends rotating keys on a routine basis
+  Service Account Private Key age: 0 days                                   PASS
+Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
+  https://mail.google.com/                                                  PASS (1/34)
+  https://sites.google.com/feeds                                            PASS (2/34)
+  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
+  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
+  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
+  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
+  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
+  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
+  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
+  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
+  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
+  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
+  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
+  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
+  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
+  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
+  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
+  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
+  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
+  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
+  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
+  https://www.googleapis.com/auth/documents                                 PASS (22/34)
+  https://www.googleapis.com/auth/drive                                     PASS (23/34)
+  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
+  https://www.googleapis.com/auth/drive.admin.labels                        FAIL (25/34)
+  https://www.googleapis.com/auth/drive.labels                              FAIL (26/34)
+  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
+  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
+  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
+  https://www.googleapis.com/auth/keep                                      PASS (30/34)
+  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
+  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
+  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
+  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
+Some scopes FAILED!
+To authorize them, please go to:
+
+    https://admin.google.com/ac/owl/domainwidedelegation?clientScopeToAdd=https://mail.go...huser=admin@domain.com
+
+You will be directed to the Google Workspace admin console Security/API Controls/Domain-wide Delegation page
+The "Add a new Client ID" box will open
+Make sure that "Overwrite existing client ID" is checked
+Click AUTHORIZE
+When the box closes you're done
+After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.
+
+admin@server:/Users/admin$
+```
+The link shown in the error message should take you directly to the authorization screen.
+If not, make sure that you are logged in as a domain admin, then re-enter the link.
+
+### Verify GAM7 service account access.
+
+Wait a moment and then perform the following command; it it still fails, wait a bit longer, it can sometimes take serveral minutes
+for the authorization to complete.
+```
+admin@server:/Users/admin$ gam user admin@domain.com check serviceaccount
+System time status:
+  Your system time differs from www.googleapis.com by less than 1 second    PASS
+Service Account Private Key Authentication:
+  Authentication                                                            PASS
+Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
+  https://mail.google.com/                                                  PASS (1/34)
+  https://sites.google.com/feeds                                            PASS (2/34)
+  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
+  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
+  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
+  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
+  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
+  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
+  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
+  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
+  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
+  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
+  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
+  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
+  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
+  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
+  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
+  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
+  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
+  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
+  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
+  https://www.googleapis.com/auth/documents                                 PASS (22/34)
+  https://www.googleapis.com/auth/drive                                     PASS (23/34)
+  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
+  https://www.googleapis.com/auth/drive.admin.labels                        PASS (25/34)
+  https://www.googleapis.com/auth/drive.labels                              PASS (26/34)
+  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
+  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
+  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
+  https://www.googleapis.com/auth/keep                                      PASS (30/34)
+  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
+  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
+  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
+  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
+All scopes PASSED!
+
+Service Account Client name: SVCACCTID is fully authorized.
+
+admin@server:/Users/admin$ 
+```
+### Update gam.cfg with some basic values
+* `customer_id` - Having this data keeps Gam from having to make extra API calls
+* `domain` - This allows you to omit the domain portion of email addresses
+* `timezone local` - Gam will convert all UTC times to your local timezone
+```
+admin@server:/Users/admin$ gam info domain
+Customer ID: C01234567
+Primary Domain: domain.com
+Customer Creation Time: 2007-06-06T15:47:55.444Z
+Primary Domain Verified: True
+Default Language: en
+...
+
+admin@server:/Users/admin$ gam config customer_id C01234567 domain domain.com timezone local save verify
+Config File: /Users/admin/GAMConfig/gam.cfg, Saved
+Section: DEFAULT
+  ...
+  customer_id = C01234567
+  ...
+  domain = domain.com
+  ...
+  timezone = local
+  ...
+
+admin@server:/Users/admin$
+```
+
+## Windows
+
+In these examples, your Google Super admin is shown as admin@domain.com; replace with the
+actual email adddress.
+
+This example assumes that GAM7 has been installed in C:\GAM7; if you've installed
+GAM7 in another directory, substitute that value in the directions.
+
+These steps assume Command Prompt, adjust if you're using PowerShell.
+
+### Set a configuration directory
+
+The default GAM configuration directory is C:\Users\<UserName>\.gam; for more flexibility you
+probably want to select a non user-specific location. This example assumes that the GAM
+configuration directory will be C:\GAMConfig; If you've chosen another directory,
+substitute that value in the directions.
+* Make the C:\GAMConfig directory before proceeding.
+
+### Set a working directory
+
+You should extablish a GAM working directory; you will store your GAM related
+data in this folder and execute GAM commands from this folder. You should not use
+C:\GAM7 or C:\GAMConfig for this purpose.
+This example assumes that the GAM working directory will be C:\GAMWork; If you've chosen
+another directory, substitute that value in the directions.
+* Make the C:\GAMWork directory before proceeding.
+
+### Set system path and GAM configuration directory
+You should set the system path to point to C:\GAM7 so you can operate from the C:\GAMWork directory.
+```
+Start Control Panel
+Click System
+Click Advanced system settings
+Click Environment Variables...
+Click Path under System variables
+Click Edit...
+If C:\GAM7 is already on the Path, skip the next three steps
+  Click New
+  Enter C:\GAM7
+  Click OK
+Click New
+Set Variable name: GAMCFGDIR
+Set Variable value: C:\GAMConfig
+Click OK
+Click OK
+Click OK
+Exit Control Panel
+```
+
+At this point, you should restart Command Prompt so that it has the updated path and environment variables.
+
+### Initialize GAM7; this should be the first GAM7 command executed.
+```
+C:\>gam config drive_dir C:\GAMWork verify
+Created: C:\GAMConfig
+Created: C:\GAMConfig\gamcache
+Config File: C:\GAMConfig\gam.cfg, Initialized
+Section: DEFAULT
+  ...
+  cache_dir = C:\GAMConfig\gamcache
+  ...
+  config_dir = C:\GAMConfig
+  ...
+  drive_dir = C:\GAMWork
+  ...
+
+C:\>
+```
+### Verify initialization, this was a successful installation.
+```
+C:\>dir %GAMCFGDIR%
+ Volume in drive C has no label.
+ Volume Serial Number is 663F-DA8B
+
+ Directory of C:\GAMConfig
+
+03/03/2017  10:16 AM    <DIR>          .
+03/03/2017  10:16 AM    <DIR>          ..
+03/03/2017  10:15 AM             1,125 gam.cfg
+03/03/2017  10:15 AM    <DIR>          gamcache
+03/03/2017  10:15 AM                 0 oauth2.txt.lock
+               2 File(s)         15,769 bytes
+               3 Dir(s)  110,532,562,944 bytes free
+C:\>
+```
+
+### Create your project with local browser
+```
+C:\>gam create project
+WARNING: Config File: C:\GAMConfig\gam.cfg, Item: client_secrets_json, Value: C:\GAMConfig\client_secrets.json, Not Found
+WARNING: Config File: C:\GAMConfig\gam.cfg, Item: oauth2service_json, Value: C:\GAMConfig\oauth2service.json, Not Found
+
+Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) admin@domain.com
+
+Your browser has been opened to visit:
+
+    https://accounts.google.com/o/oaut...pe=code
+
+If your browser is on a different machine then press CTRL+C,
+set no_browser = true in gam.cfg and re-run this command.
+
+Authentication successful.
+Creating project "GAM Project"...
+Checking project status...
+Project: gam-project-abc-def-ghi, Enable 23 APIs
+  API: admin.googleapis.com, Enabled (1/23)
+  API: alertcenter.googleapis.com, Enabled (2/23)
+  API: appsactivity.googleapis.com, Enabled (3/23)
+  API: audit.googleapis.com, Enabled (4/23)
+  API: calendar-json.googleapis.com, Enabled (5/23)
+  API: chat.googleapis.com, Enabled (6/23)
+  API: classroom.googleapis.com, Enabled (7/23)
+  API: contacts.googleapis.com, Enabled (8/23)
+  API: drive.googleapis.com, Enabled (9/23)
+  API: driveactivity.googleapis.com, Enabled (10/23)
+  API: gmail.googleapis.com, Enabled (11/23)
+  API: groupsmigration.googleapis.com, Enabled (12/23)
+  API: groupssettings.googleapis.com, Enabled (13/23)
+  API: iam.googleapis.com, Enabled (14/23)
+  API: iap.googleapis.com, Enabled (15/23)
+  API: licensing.googleapis.com, Enabled (16/23)
+  API: people.googleapis.com, Enabled (17/23)
+  API: pubsub.googleapis.com, Enabled (18/23)
+  API: reseller.googleapis.com, Enabled (19/23)
+  API: sheets.googleapis.com, Enabled (20/23)
+  API: siteverification.googleapis.com, Enabled (21/23)
+  API: storage-api.googleapis.com, Enabled (22/23)
+  API: vault.googleapis.com, Enabled (23/23)
+Setting GAM project consent screen...
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Enabled
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Generating new private key
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Extracting public certificate
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Done generating private key and public certificate
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Service Account Key: SVCACCTKEY, Uploaded
+Service Account OAuth2 File: C:\GAMConfig\oauth2service.json, Service Account Key: SVCACCTKEY, Updated
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Has rights to rotate own private key
+Please go to:
+
+https://console.cloud.google.com/apis/credentials/oauthclient?project=gam-project-abc-def-ghi
+
+1. Choose "Desktop App" or "Other" for "Application type".
+2. Enter "GAM" or another desired value for "Name".
+3. Click the blue "Create" button.
+4. Copy your "client ID" value that shows on the next page.
+
+Enter your Client ID: CLIENTID
+
+5. Go back to your browser and copy your "client secret" value.
+Enter your Client Secret: CLIENTSECRET
+6. Go back to your browser and click OK to close the "OAuth client" popup if it's still open.
+That's it! Your GAM Project is created and ready to use.
+
+C:\>
+```
+### Create your project without local browser (headless server for instance)
+```
+C:\>gam config no_browser true save
+C:\>gam create project
+WARNING: Config File: C:\GAMConfig\gam.cfg, Item: client_secrets_json, Value: C:\GAMConfig\client_secrets.json, Not Found
+WARNING: Config File: C:\GAMConfig\gam.cfg, Item: oauth2service_json, Value: C:\GAMConfig\oauth2service.json, Not Found
+
+Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) admin@domain.com
+
+Go to the following link in a browser on other computer:
+
+    https://accounts.google.com/o/oauth2/v2/auth?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&response_type=code&client_id=...
+
+Enter verification code: abc...xyz
+
+Authentication successful.
+Creating project "GAM Project"...
+Checking project status...
+Project: gam-project-abc-def-ghi, Enable 23 APIs
+  API: admin.googleapis.com, Enabled (1/23)
+  API: alertcenter.googleapis.com, Enabled (2/23)
+  API: appsactivity.googleapis.com, Enabled (3/23)
+  API: audit.googleapis.com, Enabled (4/23)
+  API: calendar-json.googleapis.com, Enabled (5/23)
+  API: chat.googleapis.com, Enabled (6/23)
+  API: classroom.googleapis.com, Enabled (7/23)
+  API: contacts.googleapis.com, Enabled (8/23)
+  API: drive.googleapis.com, Enabled (9/23)
+  API: driveactivity.googleapis.com, Enabled (10/23)
+  API: gmail.googleapis.com, Enabled (11/23)
+  API: groupsmigration.googleapis.com, Enabled (12/23)
+  API: groupssettings.googleapis.com, Enabled (13/23)
+  API: iam.googleapis.com, Enabled (14/23)
+  API: iap.googleapis.com, Enabled (15/23)
+  API: licensing.googleapis.com, Enabled (16/23)
+  API: people.googleapis.com, Enabled (17/23)
+  API: pubsub.googleapis.com, Enabled (18/23)
+  API: reseller.googleapis.com, Enabled (19/23)
+  API: sheets.googleapis.com, Enabled (20/23)
+  API: siteverification.googleapis.com, Enabled (21/23)
+  API: storage-api.googleapis.com, Enabled (22/23)
+  API: vault.googleapis.com, Enabled (23/23)
+Setting GAM project consent screen...
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Enabled
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Generating new private key
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Extracting public certificate
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Done generating private key and public certificate
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Service Account Key: SVCACCTKEY, Uploaded
+Service Account OAuth2 File: C:\GAMConfig\oauth2service.json, Service Account Key: SVCACCTKEY, Updated
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Has rights to rotate own private key
+Please go to:
+
+https://console.cloud.google.com/apis/credentials/oauthclient?project=gam-project-abc-def-ghi
+
+1. Choose "Desktop App" or "Other" for "Application type".
+2. Enter "GAM" or another desired value for "Name".
+3. Click the blue "Create" button.
+4. Copy your "client ID" value that shows on the next page.
+
+Enter your Client ID: CLIENTID
+
+5. Go back to your browser and copy your "client secret" value.
+Enter your Client Secret: CLIENTSECRET
+6. Go back to your browser and click OK to close the "OAuth client" popup if it's still open.
+That's it! Your GAM Project is created and ready to use.
+
+C:\>
+```
+### Enable GAM7 client access
+
+You select a list of scopes, GAM uses a browser to get final authorization from Google for these scopes and
+writes the credentials into the file oauth2.txt.
+
+```
+C:\>gam oauth create
+
+[*]  0)  Calendar API (supports readonly)
+[*]  1)  Chrome Browser Cloud Management API (supports readonly)
+[*]  2)  Chrome Management API - AppDetails read only
+[*]  3)  Chrome Management API - Telemetry read only
+[*]  4)  Chrome Management API - read only
+[*]  5)  Chrome Policy API (supports readonly)
+[*]  6)  Chrome Printer Management API (supports readonly)
+[*]  7)  Chrome Version History API
+[*]  8)  Classroom API - Course Announcements (supports readonly)
+[*]  9)  Classroom API - Course Topics (supports readonly)
+[*] 10)  Classroom API - Course Work/Materials (supports readonly)
+[*] 11)  Classroom API - Course Work/Submissions (supports readonly)
+[*] 12)  Classroom API - Courses (supports readonly)
+[*] 13)  Classroom API - Profile Emails
+[*] 14)  Classroom API - Profile Photos
+[*] 15)  Classroom API - Rosters (supports readonly)
+[*] 16)  Classroom API - Student Guardians (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
+[*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
+[*] 19)  Cloud Identity Groups API (supports readonly)
+[*] 20)  Cloud Identity OrgUnits API (supports readonly)
+[*] 21)  Cloud Identity User Invitations API (supports readonly)
+[ ] 22)  Cloud Storage API (Read Only, Vault/Takeout Download, Cloud Storage)
+[ ] 23)  Cloud Storage API (Read/Write, Vault/Takeout Copy/Download, Cloud Storage)
+[*] 24)  Contact Delegation API (supports readonly)
+[*] 25)  Contacts API - Domain Shared Contacts and GAL
+[*] 26)  Data Transfer API (supports readonly)
+[*] 27)  Directory API - Chrome OS Devices (supports readonly)
+[*] 28)  Directory API - Customers (supports readonly)
+[*] 29)  Directory API - Domains (supports readonly)
+[*] 30)  Directory API - Groups (supports readonly)
+[*] 31)  Directory API - Mobile Devices Directory (supports readonly and action)
+[*] 32)  Directory API - Organizational Units (supports readonly)
+[*] 33)  Directory API - Resource Calendars (supports readonly)
+[*] 34)  Directory API - Roles (supports readonly)
+[*] 35)  Directory API - User Schemas (supports readonly)
+[*] 36)  Directory API - User Security
+[*] 37)  Directory API - Users (supports readonly)
+[ ] 38)  Email Audit API
+[*] 39)  Groups Migration API
+[*] 40)  Groups Settings API
+[*] 41)  License Manager API
+[*] 42)  People API (supports readonly)
+[*] 43)  People Directory API - read only
+[ ] 44)  Pub / Sub API
+[*] 45)  Reports API - Audit Reports
+[*] 46)  Reports API - Usage Reports
+[ ] 47)  Reseller API
+[*] 48)  Site Verification API
+[ ] 49)  Sites API
+[*] 50)  Vault API (supports readonly)
+
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
+Please enter 0-50[a|r] or s|u|e|c: c
+
+Enter your Google Workspace admin email address? admin@domain.com
+
+Go to the following link in a browser on this computer or on another computer:
+
+    https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=423565144751-10lsdt2lgnsch9jmdhl35uq4617u1ifp&redirect_uri=http%3A%2F%2F127.0.0.1%3A8080%2F&scope=...
+
+If you use a browser on another computer, you will get a browser error that the site can't be reached AFTER you
+click the Allow button, paste "Unable to connect" URL from other computer (only URL data up to &scope required):
+
+Enter verification code or paste "Unable to connect" URL from other computer (only URL data up to &scope required):
+
+The authentication flow has completed.
+Client OAuth2 File: C:\GAMConfig\oauth2.txt, Created
+
+C:\>
+```
+### Enable GAM7 service account access.
+```
+C:\>gam user admin@domain.com check serviceaccount
+System time status
+  Your system time differs from www.googleapis.com by less than 1 second    PASS
+Service Account Private Key Authentication
+  Authentication                                                            PASS
+Service Account Private Key age; Google recommends rotating keys on a routine basis
+  Service Account Private Key age: 0 days                                   PASS
+Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
+  https://mail.google.com/                                                  PASS (1/34)
+  https://sites.google.com/feeds                                            PASS (2/34)
+  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
+  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
+  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
+  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
+  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
+  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
+  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
+  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
+  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
+  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
+  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
+  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
+  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
+  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
+  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
+  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
+  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
+  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
+  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
+  https://www.googleapis.com/auth/documents                                 PASS (22/34)
+  https://www.googleapis.com/auth/drive                                     PASS (23/34)
+  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
+  https://www.googleapis.com/auth/drive.admin.labels                        FAIL (25/34)
+  https://www.googleapis.com/auth/drive.labels                              FAIL (26/34)
+  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
+  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
+  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
+  https://www.googleapis.com/auth/keep                                      PASS (30/34)
+  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
+  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
+  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
+  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
+Some scopes FAILED!
+To authorize them, please go to:
+
+    https://admin.google.com/ac/owl/domainwide...thuser=admin@domain.com
+
+You will be directed to the Google Workspace admin console Security/API Controls/Domain-wide Delegation page
+The "Add a new Client ID" box will open
+Make sure that "Overwrite existing client ID" is checked
+Click AUTHORIZE
+When the box closes you're done
+After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.
+
+C:\>
+```
+The link shown in the error message should take you directly to the authorization screen.
+If not, make sure that you are logged in as a domain admin, then re-enter the link.
+
+### Verify GAM7 service account access.
+
+Wait a moment and then perform the following command; it it still fails, wait a bit longer, it can sometimes take serveral minutes
+for the authorization to complete.
+```
+C:\>gam user admin@domain.com check serviceaccount
+System time status:
+  Your system time differs from www.googleapis.com by less than 1 second    PASS
+Service Account Private Key Authentication:
+  Authentication                                                            PASS
+Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
+  https://mail.google.com/                                                  PASS (1/34)
+  https://sites.google.com/feeds                                            PASS (2/34)
+  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
+  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
+  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
+  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
+  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
+  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
+  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
+  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
+  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
+  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
+  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
+  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
+  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
+  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
+  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
+  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
+  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
+  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
+  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
+  https://www.googleapis.com/auth/documents                                 PASS (22/34)
+  https://www.googleapis.com/auth/drive                                     PASS (23/34)
+  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
+  https://www.googleapis.com/auth/drive.admin.labels                        PASS (25/34)
+  https://www.googleapis.com/auth/drive.labels                              PASS (26/34)
+  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
+  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
+  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
+  https://www.googleapis.com/auth/keep                                      PASS (30/34)
+  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
+  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
+  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
+  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
+All scopes PASSED!
+
+Service Account Client name: SVCACCTID is fully authorized.
+
+C:\>
+```
+### Update gam.cfg with some basic values
+* `customer_id` - Having this data keeps Gam from having to make extra API calls
+* `domain` - This allows you to omit the domain portion of email addresses
+* `timezone local` - Gam will convert all UTC times to your local timezone
+```
+C:\>gam info domain
+Customer ID: C01234567
+Primary Domain: domain.com
+Customer Creation Time: 2007-06-06T15:47:55.444Z
+Primary Domain Verified: True
+Default Language: en
+...
+
+C:\>gam config customer_id C01234567 domain domain.com timezone local save verify
+Config File: C:\GAMConfig\gam.cfg, Saved
+Section: DEFAULT
+  ...
+  customer_id = C01234567
+  ...
+  domain = domain.com
+  ...
+  timezone = local
+  ...
+
+C:\>
+```

docs/How-to-Uninstall-GAM7.md

@@ -0,0 +1,127 @@
+# Uninstalling GAM7
+
+- [Get Project Info](#get-project-info)
+- [Remove Client API access](#remove-client-api-access)
+- [Remove Service Account API access](#remove-service-account-api-access)
+- [Delete GAM Project](#delete-gam-project)
+- [Linux and MacOS and Google Cloud Shell](#linux-and-mac-os-and-google-cloud-shell)
+- [Windows](#windows)
+
+## Get Project Info
+```
+gam version
+```
+
+Note the `Config File:` path to `gam.cfg`. In that folder will be a file `oauth2service.json`; look at its contents.
+You want these two lines:
+```
+"client_id": "123691089974044844789"
+"project_id": "gam-project-123-456-789"
+```
+
+## Remove Client API access
+```
+gam oauth delete
+```
+
+## Remove Service Account API access
+In a browser, go to `https://admin.google.com`, login and go to the Security/API Controls/Domain-wide Delegation page.
+Find the `Client ID` that matches the `client_id` value from `oauth2service.json`, hover over it and click `Delete`.	
+
+## Delete GAM Project
+In a browser, go to `https://console.cloud.google.com/cloud-resource-manager`, login. Find the `ID` that matches
+the `project_id` value from `oauth2service.json`; click the three dots at the right end of the line and click `Delete`.
+In the box that pops up, put the `project_id` value in ther `Project ID*` field and click `SHUT DOWN`
+
+## Linux and MacOS and Google Cloud Shell
+
+In these examples, the user home folder is shown as /Users/admin; adjust according to your
+specific situation; e.g., /home/administrator.
+
+This example assumes that GAM7 has been installed in /Users/admin/bin/gam7.
+If you've installed GAM7 in another directory, substitute that value in the directions.
+
+### Delete executable directory
+
+```
+rm -fr /Users/admin/bin/gam7
+```
+
+### Delete configuration directory
+
+The default GAM configuration directory is /Users/admin/.gam; for more flexibility you
+probably want to select a non-hidden location. This example assumes that the GAM
+configuration directory will be /Users/admin/GAMConfig; If you've chosen another directory,
+substitute that value in the directions.
+```
+rm -fr /Users/admin/GAMConfig
+```
+
+### Delete  working directory
+
+This example assumes that the GAM working directory is be /Users/admin/GAMWork; If you've chosen
+another directory, substitute that value in the directions.
+```
+rm -fr /Users/admin/GAMConfig
+```
+
+### Remove executable alias and GAM configuration export
+
+Remove the following line:
+```
+alias gam="/Users/admin/bin/gam7/gam"
+export GAMCFGDIR="/Users/admin/GAMConfig"
+```
+from these files based on your shell:
+```
+~/.bash_profile
+~/.bashrc
+~/.zshrc
+~/.profile
+```
+
+## Windows
+
+This example assumes that GAM7 has been installed in C:\GAM7; if you've installed
+GAM7 in another directory, substitute that value in the directions.
+
+### Delete executable directory
+
+In File Explorer, delete the `C:\GAM7` folder.
+
+### Delete configuration directory
+
+The default GAM configuration directory is C:\Users\<UserName>\.gam; for more flexibility you
+probably want to select a non user-specific location. This example assumes that the GAM
+configuration directory will be C:\GAMConfig; If you've chosen another directory,
+substitute that value in the directions.
+
+In File Explorer, delete the `C:\GAMConfig` folder.
+
+### Delete working directory
+
+This example assumes that the GAM working directory will be C:\GAMWork; If you've chosen
+another directory, substitute that value in the directions.
+
+In File Explorer, delete the `C:\GAMWork` folder.
+
+### Reset system path and GAM configuration directory
+```
+Start Control Panel
+Click System
+Click Advanced system settings
+Click Environment Variables...
+Click Path under System variables
+Click Edit...
+If C:\GAM7 is not on the Path, click Cancel and skip the next three steps
+  Click C:\GAM7
+  Click Delete
+  Click OK
+If GAMCFGDIR is not in System variables, skip the next two steps
+  Click GAMCFGDIR
+  Click Delete
+Click OK
+Click OK
+Exit Control Panel
+```
+

docs/How-to-Update-Advanced-GAM-to-GAM7.md

@@ -0,0 +1,120 @@
+# Installation - Update Advanced GAM to GAM7
+
+- [Downloads-Installs-GAM7](Downloads-Installs-GAM7)
+- [Linux and MacOS and Google Cloud Shell](#linux-and-mac-os-and-google-cloud-shell)
+- [Windows](#windows)
+
+## Linux and MacOS and Google Cloud Shell
+
+This example assumes that GAMADV-XTD3 was installed in /Users/admin/bin/gamadv-xtd3.
+If GAMADV-XTD3 was installed in another directory, substitute that value in the directions.
+
+Rename install directory.
+```
+mv /Users/admin/bin/gamadv-xtd3 /Users/admin/bin/gam7
+```
+
+See: [Downloads-Installs-GAM7](Downloads-Installs-GAM7)
+
+You can download and install the current GAM7 release from the [GitHub Releases](https://github.com/GAM-team/GAM/releases/latest) page. Choose one of the following:
+
+* Executable Archive, Automatic, Linux/Mac OS/Google Cloud Shell/Raspberry Pi/ChromeOS
+  - Start a terminal session and execute one of the following commands:
+  - Update to latest version, do not create project or authorizations, default path `$HOME/bin`
+    - `bash <(curl -s -S -L https://git.io/gam-install) -l`
+  - Update to latest version, do not create project or authorizations, specify a path
+    - `bash <(curl -s -S -L https://git.io/gam-install) -l -d <Path>`
+
+In these examples, the user home folder is shown as /Users/admin; adjust according to your
+specific situation; e.g., /home/administrator.
+
+### Update gam  alias
+You should set an alias to point to /Users/admin/bin/gam/gam so you can operate from the /Users/admin/GAMWork directory.
+Aliases aren't available in scripts, so you may want to set a symlink instead, see below.
+
+Change the following line:
+```
+alias gam="/Users/admin/bin/gamadv-xtd3/gam"
+```
+to
+```
+alias gam="/Users/admin/bin/gam7/gam"
+```
+in one of these files based on your shell:
+```
+~/.bash_aliases
+~/.bash_profile
+~/.bashrc
+~/.zshrc
+~/.profile
+```
+
+Issue the following command replacing `<Filename>` with the name of the file you edited:
+```
+source <Filename>
+```
+
+### Set a symlink if desired
+Set a symlink in `/usr/local/bin` (or some other location on $PATH) to point to GAM. 
+```
+ln -s "/Users/admin/bin/gam7/gam" /usr/local/bin/gam
+```
+
+### Test
+```
+gam version
+```
+
+## Windows
+
+You can download and install the current GAM7 release from the [GitHub Releases](https://github.com/GAM-team/GAM/releases/latest) page.
+
+This example assumes that GAMADV-XTD3 was installed in C:\GAMADV-XTD3.
+If GAMADV-XTD3 was installed in another directory, substitute that value in the directions.
+
+These steps assume Command Prompt, adjust if you're using PowerShell.
+
+Rename install directory.
+```
+ren C:\GAMADV-STD3 C:\GAM7
+```
+
+See: [Downloads-Installs-GAM7](Downloads-Installs-GAM7)
+
+* Executable Archive, Manual, Windows 64 bit
+  - `gam-7.wx.yz-windows-x86_64.zip`
+  - Download the archive, extract the contents into C:\GAM7.
+  - Start a Command Prompt/PowerShell session.
+
+* Executable Installer, Manual, Windows 64 bit
+  - `gam-7.wx.yz-windows-x86_64.msi`
+  - Download the installer and run it.
+  - Start a Command Prompt/PowerShell session.
+
+### Update system path
+You should set the system path to point to C:\GAM7 so you can operate from the C:\GAMWork directory.
+```
+Start Control Panel
+Click System
+Click Advanced system settings
+Click Environment Variables...
+Click Path under System variables
+Click Edit...
+If you have an existing entry referencing GAMADV-XTD3:
+  Click that entry
+  Click Delete
+If C:\GAM7 is already on the Path, skip the next three steps
+  Click New
+  Enter C:\GAM7
+  Click OK
+Click OK
+Click OK
+Exit Control Panel
+```
+
+At this point, you should restart Command Prompt so that it has the updated path and environment variables.
+
+### Test
+```
+gam version
+```

docs/How-to-Update-Advanced-Gam.md

@@ -1,10 +1,10 @@
 # Updating GAMADV-XTD3
 Use these steps to update your version of GAMADV-XTD3.
 
-- [Downloads](Downloads)
-- [GAM Configuration](gam.cfg)
+- [Downloads-Installs](Downloads-Installs)
 - [Linux and MacOS and Google Cloud Shell](#linux-and-mac-os-and-google-cloud-shell)
 - [Windows](#windows)
+- [GAM Configuration](gam.cfg)
 
 ## Linux and MacOS and Google Cloud Shell
 
@@ -13,7 +13,7 @@ Use these steps to update your version of GAMADV-XTD3.
 This example assumes that GAMADV-XTD3 has been installed in /Users/admin/bin/gamadv-xtd3.
 If you've installed GAMADV-XTD3 in another directory, substitute that value in the directions when downloading.
 
-See: [Downloads](Downloads)
+See: [Downloads-Installs](Downloads-Installs)
 
 In these examples, your Google Super admin is shown as admin@domain.com; replace with the
 actual email adddress.
@@ -301,7 +301,7 @@ admin@server:/Users/admin/bin/gamadv-xtd3$
 This example assumes that GAMADV-XTD3 has been installed in C:\GAMADV-XTD3.
 If you've installed GAMADV-XTD3 in another directory, substitute that value in the directions when downloading.
 
-See: [Downloads](Downloads)
+See: [Downloads-Installs](Downloads-Installs)
 
 In these examples, your Google Super admin is shown as admin@domain.com; replace with the
 actual email adddress.

docs/How-to-Update-GAM7.md

@@ -0,0 +1,581 @@
+# Updating GAM7
+Use these steps to update your version of GAM7.
+
+- [Downloads-Installs](Downloads-Installs)
+- [Linux and MacOS and Google Cloud Shell](#linux-and-mac-os-and-google-cloud-shell)
+- [Windows](#windows)
+- [GAM Configuration](gam.cfg)
+
+## Linux and MacOS and Google Cloud Shell
+
+### Download the latest version
+
+This example assumes that GAM7 has been installed in /Users/admin/bin/gam7.
+If you've installed GAM7 in another directory, substitute that value in the directions when downloading.
+
+See: [Downloads-Installs](Downloads-Installs)
+
+In these examples, your Google Super admin is shown as admin@domain.com; replace with the
+actual email adddress.
+
+In these examples, the user home folder is shown as /Users/admin; adjust according to your
+specific situation; e.g., /home/administrator.
+
+### Update your project with local browser to include the additional APIs that GAM7 uses.
+This step may be omitted if you are updating from a recent version.
+```
+admin@server:/Users/admin/bin/gam7 gam update project
+
+Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s): gam-project-abc-123-xyz? admin@domain.com
+
+Your browser has been opened to visit:
+
+    https://accounts.google.com/o/oauth2/v2/auth?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&response_type=code&client_id=...
+
+If your browser is on a different machine then press CTRL+C,
+set no_browser = true in gam.cfg and re-run this command.
+
+Authentication successful.
+API: admin.googleapis.com, already enabled...
+API: appsactivity.googleapis.com, already enabled...
+API: calendar-json.googleapis.com, already enabled...
+API: classroom.googleapis.com, already enabled...
+API: contacts.googleapis.com, already enabled...
+API: drive.googleapis.com, already enabled...
+API: gmail.googleapis.com, already enabled...
+API: groupssettings.googleapis.com, already enabled...
+API: licensing.googleapis.com, already enabled...
+API: plus.googleapis.com, already enabled...
+API: reseller.googleapis.com, already enabled...
+API: siteverification.googleapis.com, already enabled...
+API: vault.googleapis.com, already enabled...
+Enable 3 APIs
+  API: audit.googleapis.com, Enabled (1/3)
+  API: groupsmigration.googleapis.com, Enabled (2/3)
+  API: sheets.googleapis.com, Enabled (3/3)
+
+admin@server:/Users/admin/bin/gam7
+```
+### Update your project without local browser (Google Cloud Shell for instance) to include the additional APIs that GAM7 uses
+This step may be omitted if you are updating from a recent version.
+```
+admin@server:/Users/admin/bin/gam7 gam config no_browser true save
+admin@server:/Users/admin/bin/gam7 gam update project
+
+Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s): gam-project-abc-123-xyz? admin@domain.com
+
+Go to the following link in a browser on other computer:
+
+    https://accounts.google.com/o/oauth2/v2/auth?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&response_type=code&client_id=...
+
+Enter verification code: abc...xyz
+
+Authentication successful.
+API: admin.googleapis.com, already enabled...
+API: appsactivity.googleapis.com, already enabled...
+API: calendar-json.googleapis.com, already enabled...
+API: classroom.googleapis.com, already enabled...
+API: contacts.googleapis.com, already enabled...
+API: drive.googleapis.com, already enabled...
+API: gmail.googleapis.com, already enabled...
+API: groupssettings.googleapis.com, already enabled...
+API: licensing.googleapis.com, already enabled...
+API: plus.googleapis.com, already enabled...
+API: reseller.googleapis.com, already enabled...
+API: siteverification.googleapis.com, already enabled...
+API: vault.googleapis.com, already enabled...
+Enable 3 APIs
+  API: audit.googleapis.com, Enabled (1/3)
+  API: groupsmigration.googleapis.com, Enabled (2/3)
+  API: sheets.googleapis.com, Enabled (3/3)
+
+admin@server:/Users/admin/bin/ga7
+```
+### Update GAM7 client access
+
+You select a list of scopes, GAM7 uses a browser to get final authorization from Google for these scopes and
+writes the credentials into the file oauth2.txt.
+
+```
+admin@server:/Users/admin/bin/gam7 ./gam oauth create
+
+[*]  0)  Calendar API (supports readonly)
+[*]  1)  Chrome Browser Cloud Management API (supports readonly)
+[*]  2)  Chrome Management API - AppDetails read only
+[*]  3)  Chrome Management API - Telemetry read only
+[*]  4)  Chrome Management API - read only
+[*]  5)  Chrome Policy API (supports readonly)
+[*]  6)  Chrome Printer Management API (supports readonly)
+[*]  7)  Chrome Version History API
+[*]  8)  Classroom API - Course Announcements (supports readonly)
+[*]  9)  Classroom API - Course Topics (supports readonly)
+[*] 10)  Classroom API - Course Work/Materials (supports readonly)
+[*] 11)  Classroom API - Course Work/Submissions (supports readonly)
+[*] 12)  Classroom API - Courses (supports readonly)
+[*] 13)  Classroom API - Profile Emails
+[*] 14)  Classroom API - Profile Photos
+[*] 15)  Classroom API - Rosters (supports readonly)
+[*] 16)  Classroom API - Student Guardians (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
+[*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
+[*] 19)  Cloud Identity Groups API (supports readonly)
+[*] 20)  Cloud Identity OrgUnits API (supports readonly)
+[*] 21)  Cloud Identity User Invitations API (supports readonly)
+[ ] 22)  Cloud Storage API (Read Only, Vault/Takeout Download, Cloud Storage)
+[ ] 23)  Cloud Storage API (Read/Write, Vault/Takeout Copy/Download, Cloud Storage)
+[*] 24)  Contact Delegation API (supports readonly)
+[*] 25)  Contacts API - Domain Shared Contacts and GAL
+[*] 26)  Data Transfer API (supports readonly)
+[*] 27)  Directory API - Chrome OS Devices (supports readonly)
+[*] 28)  Directory API - Customers (supports readonly)
+[*] 29)  Directory API - Domains (supports readonly)
+[*] 30)  Directory API - Groups (supports readonly)
+[*] 31)  Directory API - Mobile Devices Directory (supports readonly and action)
+[*] 32)  Directory API - Organizational Units (supports readonly)
+[*] 33)  Directory API - Resource Calendars (supports readonly)
+[*] 34)  Directory API - Roles (supports readonly)
+[*] 35)  Directory API - User Schemas (supports readonly)
+[*] 36)  Directory API - User Security
+[*] 37)  Directory API - Users (supports readonly)
+[ ] 38)  Email Audit API
+[*] 39)  Groups Migration API
+[*] 40)  Groups Settings API
+[*] 41)  License Manager API
+[*] 42)  People API (supports readonly)
+[*] 43)  People Directory API - read only
+[ ] 44)  Pub / Sub API
+[*] 45)  Reports API - Audit Reports
+[*] 46)  Reports API - Usage Reports
+[ ] 47)  Reseller API
+[*] 48)  Site Verification API
+[ ] 49)  Sites API
+[*] 50)  Vault API (supports readonly)
+
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
+Please enter 0-50[a|r] or s|u|e|c: c
+
+Enter your Google Workspace admin email address? admin@domain.com
+
+Go to the following link in a browser on this computer or on another computer:
+
+    https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=423565144751-10lsdt2lgnsch9jmdhl35uq4617u1ifp&redirect_uri=http%3A%2F%2F127.0.0.1%3A8080%2F&scope=...
+
+If you use a browser on another computer, you will get a browser error that the site can't be reached AFTER you
+click the Allow button, paste "Unable to connect" URL from other computer (only URL data up to &scope required):
+
+Enter verification code or paste "Unable to connect" URL from other computer (only URL data up to &scope required):
+
+The authentication flow has completed.
+Client OAuth2 File: /Users/admin/GAMConfig/oauth2.txt, Created
+
+admin@server:/Users/admin/bin/gam7 
+```
+### Update GAM7 service account access.
+```
+admin@server:/Users/admin/bin/gam7 ./gam user admin@domain.com check serviceaccount
+$ gam user admin@domain.com check serviceaccount
+System time status
+  Your system time differs from www.googleapis.com by less than 1 second    PASS
+Service Account Private Key Authentication
+  Authentication                                                            PASS
+Service Account Private Key age; Google recommends rotating keys on a routine basis
+  Service Account Private Key age: 0 days                                   PASS
+Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
+  https://mail.google.com/                                                  PASS (1/34)
+  https://sites.google.com/feeds                                            PASS (2/34)
+  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
+  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
+  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
+  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
+  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
+  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
+  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
+  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
+  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
+  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
+  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
+  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
+  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
+  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
+  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
+  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
+  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
+  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
+  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
+  https://www.googleapis.com/auth/documents                                 PASS (22/34)
+  https://www.googleapis.com/auth/drive                                     PASS (23/34)
+  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
+  https://www.googleapis.com/auth/drive.admin.labels                        FAIL (25/34)
+  https://www.googleapis.com/auth/drive.labels                              FAIL (26/34)
+  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
+  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
+  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
+  https://www.googleapis.com/auth/keep                                      PASS (30/34)
+  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
+  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
+  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
+  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
+Some scopes FAILED!
+To authorize them, please go to:
+
+    https://admin.google.com/ac/owl/domainwidedelegation?clientScopeToAdd=https://mail.google.com/,https://sites.google.com/feeds,https://www.googleapis.com/auth/apps.alerts,https://www.googleapis.com/auth/calendar,https://www.googleapis.com/auth/classroom.announcements,https://www.googleapis.com/auth/classroom.coursework.students,https://www.googleapis.com/auth/classroom.courseworkmaterials,https://www.googleapis.com/auth/classroom.profile.emails,https://www.googleapis.com/auth/classroom.rosters,https://www.googleapis.com/auth/classroom.topics,https://www.googleapis.com/auth/cloud-identity,https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/contacts,https://www.googleapis.com/auth/contacts.other.readonly,https://www.googleapis.com/auth/datastudio,https://www.googleapis.com/auth/directory.readonly,https://www.googleapis.com/auth/documents,https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/drive.activity,https://www.googleapis.com/auth/gmail.modify,https://www.googleapis.com/auth/gmail.settings.basic,https://www.googleapis.com/auth/gmail.settings.sharing,https://www.googleapis.com/auth/keep,https://www.googleapis.com/auth/spreadsheets,https://www.googleapis.com/auth/tasks,https://www.googleapis.com/auth/userinfo.profile,https://www.googleapis.com/auth/userinfo.email&clientIdToAdd=SVCACCTID&overwriteClientId=true&dn=domain.com&authuser=admin@domain.com
+
+You will be directed to the Google Workspace admin console Security/API Controls/Domain-wide Delegation page
+The "Add a new Client ID" box will open
+Make sure that "Overwrite existing client ID" is checked
+Click AUTHORIZE
+When the box closes you're done
+After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.
+
+admin@server:/Users/admin/bin/gam7
+```
+The link shown in the error message should take you directly to the authorization screen.
+If not, make sure that you are logged in as a domain admin, then re-enter the link.
+
+### Verify GAM7 service account access.
+
+Wait a moment and then perform the following command; it it still fails, wait a bit longer, it can sometimes take serveral minutes
+for the authorization to complete.
+```
+admin@server:/Users/admin/bin/gam7 ./gam user admin@domain.com check serviceaccount
+System time status:
+  Your system time differs from www.googleapis.com by less than 1 second    PASS
+Service Account Private Key Authentication:
+  Authentication                                                            PASS
+Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
+  https://mail.google.com/                                                  PASS (1/34)
+  https://sites.google.com/feeds                                            PASS (2/34)
+  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
+  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
+  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
+  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
+  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
+  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
+  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
+  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
+  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
+  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
+  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
+  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
+  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
+  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
+  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
+  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
+  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
+  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
+  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
+  https://www.googleapis.com/auth/documents                                 PASS (22/34)
+  https://www.googleapis.com/auth/drive                                     PASS (23/34)
+  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
+  https://www.googleapis.com/auth/drive.admin.labels                        PASS (25/34)
+  https://www.googleapis.com/auth/drive.labels                              PASS (26/34)
+  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
+  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
+  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
+  https://www.googleapis.com/auth/keep                                      PASS (30/34)
+  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
+  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
+  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
+  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
+All scopes PASSED!
+
+Service Account Client name: SVCACCTID is fully authorized.
+
+admin@server:/Users/admin/bin/gam7 
+```
+
+## Windows
+
+### Download the latest version
+
+This example assumes that GAM7 has been installed in C:\GAM7.
+If you've installed GAM7 in another directory, substitute that value in the directions when downloading.
+
+See: [Downloads-Installs](Downloads-Installs)
+
+In these examples, your Google Super admin is shown as admin@domain.com; replace with the
+actual email adddress.
+
+This example assumes that GAM7 has been installed in C:\GAM7; if you've installed
+GAM7 in another directory, substitute that value in the directions.
+
+These steps assume Command Prompt, adjust if you're using PowerShell.
+
+### Update your project with local browser to include the additional APIs that GAM7 uses.
+This step may be omitted if you are updating from a recent version.
+```
+C:\GAM7>gam update project
+
+Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) gam-project-abc-123-xyz? admin@domain.com
+
+Your browser has been opened to visit:
+
+    https://accounts.google.com/o/oauth2/v2/auth?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&response_type=code&client_id=...
+
+Authentication successful.
+API: admin.googleapis.com, already enabled...
+API: appsactivity.googleapis.com, already enabled...
+API: calendar-json.googleapis.com, already enabled...
+API: classroom.googleapis.com, already enabled...
+API: contacts.googleapis.com, already enabled...
+API: drive.googleapis.com, already enabled...
+API: gmail.googleapis.com, already enabled...
+API: groupssettings.googleapis.com, already enabled...
+API: licensing.googleapis.com, already enabled...
+API: plus.googleapis.com, already enabled...
+API: reseller.googleapis.com, already enabled...
+API: siteverification.googleapis.com, already enabled...
+API: vault.googleapis.com, already enabled...
+Enable 3 APIs
+  API: audit.googleapis.com, Enabled (1/3)
+  API: groupsmigration.googleapis.com, Enabled (2/3)
+  API: sheets.googleapis.com, Enabled (3/3)
+
+C:\GAM7>
+```
+### Update your project without local browser (headless server for instance) to include the additional APIs that GAM7 uses
+This step may be omitted if you are updating from a recent version.
+```
+C:\GAM7>gam config no_browser true save
+C:\GAM7>gam update project
+
+Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) gam-project-abc-123-xyz? admin@domain.com
+
+Go to the following link in a browser on other computer:
+
+    https://accounts.google.com/o/oauth2/v2/auth?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&response_type=code&client_id=...
+
+Enter verification code: abc...xyz
+
+Authentication successful.
+API: admin.googleapis.com, already enabled...
+API: appsactivity.googleapis.com, already enabled...
+API: calendar-json.googleapis.com, already enabled...
+API: classroom.googleapis.com, already enabled...
+API: contacts.googleapis.com, already enabled...
+API: drive.googleapis.com, already enabled...
+API: gmail.googleapis.com, already enabled...
+API: groupssettings.googleapis.com, already enabled...
+API: licensing.googleapis.com, already enabled...
+API: plus.googleapis.com, already enabled...
+API: reseller.googleapis.com, already enabled...
+API: siteverification.googleapis.com, already enabled...
+API: vault.googleapis.com, already enabled...
+Enable 3 APIs
+  API: audit.googleapis.com, Enabled (1/3)
+  API: groupsmigration.googleapis.com, Enabled (2/3)
+  API: sheets.googleapis.com, Enabled (3/3)
+
+C:\GAM7>
+```
+### Update GAM7 client access
+
+You select a list of scopes, GAM uses a browser to get final authorization from Google for these scopes and
+writes the credentials into the file oauth2.txt.
+
+```
+C:\GAM7>gam oauth create
+
+[*]  0)  Calendar API (supports readonly)
+[*]  1)  Chrome Browser Cloud Management API (supports readonly)
+[*]  2)  Chrome Management API - AppDetails read only
+[*]  3)  Chrome Management API - Telemetry read only
+[*]  4)  Chrome Management API - read only
+[*]  5)  Chrome Policy API (supports readonly)
+[*]  6)  Chrome Printer Management API (supports readonly)
+[*]  7)  Chrome Version History API
+[*]  8)  Classroom API - Course Announcements (supports readonly)
+[*]  9)  Classroom API - Course Topics (supports readonly)
+[*] 10)  Classroom API - Course Work/Materials (supports readonly)
+[*] 11)  Classroom API - Course Work/Submissions (supports readonly)
+[*] 12)  Classroom API - Courses (supports readonly)
+[*] 13)  Classroom API - Profile Emails
+[*] 14)  Classroom API - Profile Photos
+[*] 15)  Classroom API - Rosters (supports readonly)
+[*] 16)  Classroom API - Student Guardians (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
+[*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
+[*] 19)  Cloud Identity Groups API (supports readonly)
+[*] 20)  Cloud Identity OrgUnits API (supports readonly)
+[*] 21)  Cloud Identity User Invitations API (supports readonly)
+[ ] 22)  Cloud Storage API (Read Only, Vault/Takeout Download, Cloud Storage)
+[ ] 23)  Cloud Storage API (Read/Write, Vault/Takeout Copy/Download, Cloud Storage)
+[*] 24)  Contact Delegation API (supports readonly)
+[*] 25)  Contacts API - Domain Shared Contacts and GAL
+[*] 26)  Data Transfer API (supports readonly)
+[*] 27)  Directory API - Chrome OS Devices (supports readonly)
+[*] 28)  Directory API - Customers (supports readonly)
+[*] 29)  Directory API - Domains (supports readonly)
+[*] 30)  Directory API - Groups (supports readonly)
+[*] 31)  Directory API - Mobile Devices Directory (supports readonly and action)
+[*] 32)  Directory API - Organizational Units (supports readonly)
+[*] 33)  Directory API - Resource Calendars (supports readonly)
+[*] 34)  Directory API - Roles (supports readonly)
+[*] 35)  Directory API - User Schemas (supports readonly)
+[*] 36)  Directory API - User Security
+[*] 37)  Directory API - Users (supports readonly)
+[ ] 38)  Email Audit API
+[*] 39)  Groups Migration API
+[*] 40)  Groups Settings API
+[*] 41)  License Manager API
+[*] 42)  People API (supports readonly)
+[*] 43)  People Directory API - read only
+[ ] 44)  Pub / Sub API
+[*] 45)  Reports API - Audit Reports
+[*] 46)  Reports API - Usage Reports
+[ ] 47)  Reseller API
+[*] 48)  Site Verification API
+[ ] 49)  Sites API
+[*] 50)  Vault API (supports readonly)
+
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
+Please enter 0-50[a|r] or s|u|e|c: c
+
+Enter your Google Workspace admin email address? admin@domain.com
+
+Go to the following link in a browser on this computer or on another computer:
+
+    https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=423565144751-10lsdt2lgnsch9jmdhl35uq4617u1ifp&redirect_uri=http%3A%2F%2F127.0.0.1%3A8080%2F&scope=...
+
+If you use a browser on another computer, you will get a browser error that the site can't be reached AFTER you
+click the Allow button, paste "Unable to connect" URL from other computer (only URL data up to &scope required):
+
+Enter verification code or paste "Unable to connect" URL from other computer (only URL data up to &scope required):
+
+The authentication flow has completed.
+Client OAuth2 File: C:\GAMConfig\oauth2.txt, Created
+
+C:\GAM7>
+```
+### Update GAM7 service account access.
+```
+C:\GAM7>gam user admin@domain.com check serviceaccount
+System time status
+  Your system time differs from www.googleapis.com by less than 1 second    PASS
+Service Account Private Key Authentication
+  Authentication                                                            PASS
+Service Account Private Key age; Google recommends rotating keys on a routine basis
+  Service Account Private Key age: 0 days                                   PASS
+Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
+  https://mail.google.com/                                                  PASS (1/34)
+  https://sites.google.com/feeds                                            PASS (2/34)
+  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
+  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
+  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
+  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
+  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
+  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
+  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
+  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
+  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
+  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
+  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
+  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
+  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
+  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
+  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
+  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
+  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
+  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
+  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
+  https://www.googleapis.com/auth/documents                                 PASS (22/34)
+  https://www.googleapis.com/auth/drive                                     PASS (23/34)
+  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
+  https://www.googleapis.com/auth/drive.admin.labels                        FAIL (25/34)
+  https://www.googleapis.com/auth/drive.labels                              FAIL (26/34)
+  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
+  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
+  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
+  https://www.googleapis.com/auth/keep                                      PASS (30/34)
+  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
+  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
+  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
+  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
+Some scopes FAILED!
+To authorize them, please go to:
+
+    https://admin.google.com/ac/owl/domainwidedelegation?clientScopeToAdd=https://mail.google.com/,https://sites.google.com/feeds,https://www.googleapis.com/auth/apps.alerts,https://www.googleapis.com/auth/calendar,https://www.googleapis.com/auth/classroom.announcements,https://www.googleapis.com/auth/classroom.coursework.students,https://www.googleapis.com/auth/classroom.courseworkmaterials,https://www.googleapis.com/auth/classroom.profile.emails,https://www.googleapis.com/auth/classroom.rosters,https://www.googleapis.com/auth/classroom.topics,https://www.googleapis.com/auth/cloud-identity,https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/contacts,https://www.googleapis.com/auth/contacts.other.readonly,https://www.googleapis.com/auth/datastudio,https://www.googleapis.com/auth/directory.readonly,https://www.googleapis.com/auth/documents,https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/drive.activity,https://www.googleapis.com/auth/gmail.modify,https://www.googleapis.com/auth/gmail.settings.basic,https://www.googleapis.com/auth/gmail.settings.sharing,https://www.googleapis.com/auth/keep,https://www.googleapis.com/auth/spreadsheets,https://www.googleapis.com/auth/tasks,https://www.googleapis.com/auth/userinfo.profile,https://www.googleapis.com/auth/userinfo.email&clientIdToAdd=SVCACCTID&overwriteClientId=true&dn=domain.com&authuser=admin@domain.com
+
+You will be directed to the Google Workspace admin console Security/API Controls/Domain-wide Delegation page
+The "Add a new Client ID" box will open
+Make sure that "Overwrite existing client ID" is checked
+Click AUTHORIZE
+When the box closes you're done
+After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.
+
+C:\GAM7>
+```
+The link shown in the error message should take you directly to the authorization screen.
+If not, make sure that you are logged in as a domain admin, then re-enter the link.
+
+### Verify GAM7 service account access.
+
+Wait a moment and then perform the following command; it it still fails, wait a bit longer, it can sometimes take serveral minutes
+for the authorization to complete.
+```
+C:\GAM7>gam user admin@domain.com check serviceaccount
+System time status:
+  Your system time differs from www.googleapis.com by less than 1 second    PASS
+Service Account Private Key Authentication:
+  Authentication                                                            PASS
+Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
+  https://mail.google.com/                                                  PASS (1/34)
+  https://sites.google.com/feeds                                            PASS (2/34)
+  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
+  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
+  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
+  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
+  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
+  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
+  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
+  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
+  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
+  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
+  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
+  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
+  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
+  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
+  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
+  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
+  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
+  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
+  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
+  https://www.googleapis.com/auth/documents                                 PASS (22/34)
+  https://www.googleapis.com/auth/drive                                     PASS (23/34)
+  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
+  https://www.googleapis.com/auth/drive.admin.labels                        PASS (25/34)
+  https://www.googleapis.com/auth/drive.labels                              PASS (26/34)
+  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
+  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
+  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
+  https://www.googleapis.com/auth/keep                                      PASS (30/34)
+  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
+  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
+  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
+  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
+All scopes PASSED!
+
+Service Account Client name: SVCACCTID is fully authorized.
+
+C:\GAM7>
+```

docs/How-to-Upgrade-from-GAMADV-X-or-GAMADV-XTD.md

@@ -2,10 +2,10 @@
 Use these steps if you have used any version of GAMADV-X or GAMADV-XTD in your domain.
 They will update your GAM project and all necessary authentications.
 
-- [Downloads](Downloads)
-- [GAM Configuration](gam.cfg)
+- [Downloads-Installs](Downloads-Installs)
 - [Linux and MacOS and Google Cloud Shell](#linux-and-mac-os-and-google-cloud-shell)
 - [Windows](#windows)
+- [GAM Configuration](gam.cfg)
 
 ## Linux and MacOS and Google Cloud Shell
 
@@ -23,29 +23,32 @@ GAMADV-XTD3 uses the same configuration directory and gam.cfg file as GAMADV-X a
 ### Update your alias
 You should update your alias to point to /Users/admin/bin/gamadv-xtd3/gam.
 
-Add the following line:
+Add/edit the following line:
 ```
 alias gam="/Users/admin/bin/gamadv-xtd3/gam"
 ```
-to one of these files if you're running bash or an equivalent file if you're running some other shell:
+to one of these files based on your shell:
 ```
 ~/.bash_aliases
 ~/.bash_profile
 ~/.bashrc
+~/.zshrc
+~/.profile
 ```
 
-If you already have a gam alias for standard GAM and want to run it and GAMADV-XTD3, give your new alias a different name:
+Issue the following command replacing `<Filename>` with the name of the file you edited:
 ```
-alias gam3="/Users/admin/bin/gamadv-xtd3/gam"
+source <Filename>
 ```
+
 ### Do you have a browser?
 If your computer doesn't support a browser, Google Cloud Shell for instance, execute this command:
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ gam config no_browser true save
+admin@server:/Users/admin$ gam config no_browser true save
 ```
 ### Update your project to include the additional APIs that GAMADV-XTD3 uses.
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ gam update project
+admin@server:/Users/admin$ gam update project
 
 Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) gam-project-abc-123-xyz? admin@domain.com
 
@@ -75,7 +78,7 @@ Enable 3 APIs
   API: groupsmigration.googleapis.com, Enabled (2/3)
   API: sheets.googleapis.com, Enabled (3/3)
 
-admin@server:/Users/admin/bin/gamadv-xtd3$
+admin@server:/Users/admin$
 ```
 ### Update GAMADV-XTD3 client access.
 
@@ -90,7 +93,7 @@ gam config no_browser true oauth update
 ```
 You will be given instructions on how to get the authorization on another computer and apply it locally.
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam oauth update
+admin@server:/Users/admin$ gam oauth update
 
 Select the authorized scopes by entering a number.
 Append an 'r' to grant read-only access or an 'a' to grant action-only access.
@@ -165,11 +168,11 @@ set no_browser = true in gam.cfg and re-run this command.
 Authentication successful.
 Client OAuth2 File: /Users/admin/GAMConfig/oauth2.txt, Updated
 
-admin@server:/Users/admin/bin/gamadv-xtd3$
+admin@server:/Users/admin$
 ```
 ### Update GAMADV-XTD3 service account access.
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam user user@domain.com check serviceaccount
+admin@server:/Users/admin$ gam user user@domain.com check serviceaccount
 System time status:
   Your system time differs by less than 1 second from Google                PASS
 Service Account Private Key Authentication:
@@ -218,7 +221,7 @@ Scopes fields will be pre-populated. Please click Authorize to allow these
 scopes access. After authorizing it may take some time for this test to pass so
 wait a few moments and then try this command again.
 
-admin@server:/Users/admin/bin/gamadv-xtd3$
+admin@server:/Users/admin$
 ```
 The link shown in the error message should take you directly to the authorization screen.
 If not, make sure that you are logged in as a domain admin, then re-enter the link.
@@ -228,7 +231,7 @@ If not, make sure that you are logged in as a domain admin, then re-enter the li
 Wait a moment and then perform the following command; it it still fails, wait a bit longer, it can sometimes take serveral minutes
 for the authorization to complete.
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam user user@domain.com check serviceaccount
+admin@server:/Users/admin$ gam user user@domain.com check serviceaccount
 System time status:
   Your system time differs by less than 1 second from Google                PASS
 Service Account Private Key Authentication:
@@ -271,7 +274,7 @@ Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
 All scopes PASSED!
 Service Account Client name: SVCACCTID is fully authorized.
 
-admin@server:/Users/admin/bin/gamadv-xtd3$
+admin@server:/Users/admin$
 ```
 
 ## Windows
@@ -305,15 +308,17 @@ Click OK
 Exit Control Panel
 ```
 
+At this point, you should restart Command Prompt so that it has the updated path and environment variables.
+
 ### Do you have a compatible browser?
 If the computer on which you are running GAM does not have access to a browser or
 your default browser is Internet Explorer or Edge, issue this command:
 ```
-C:\GAMADV-X>gam config no_browser true save
+C:\>gam config no_browser true save
 ```
 ### Update your project to include the additional APIs that GAMADV-XTD3 uses.
 ```
-C:\GAMADV-XTD3>gam update project
+C:\>gam update project
 
 Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) gam-project-abc-123-xyz? admin@domain.com
 
@@ -343,7 +348,7 @@ Enable 3 APIs
   API: groupsmigration.googleapis.com, Enabled (2/3)
   API: sheets.googleapis.com, Enabled (3/3)
 
-C:\GAMADV-XTD3>
+C:\>
 ```
 ### Update GAMADV-XTD3 client access.
 
@@ -361,7 +366,7 @@ You can open the file with Notepad/Wordpad, do a control-A to select the text, c
 start a browser and paste the URL (control-V) into the address bar. Authenticate and copy the Verification code
 back to your Command Prompt/PowerShell window.
 ```
-C:\GAMADV-XTD3>gam oauth update
+C:\>gam oauth update
 
 Select the authorized scopes by entering a number.
 Append an 'r' to grant read-only access or an 'a' to grant action-only access.
@@ -436,11 +441,11 @@ set no_browser = true in gam.cfg and re-run this command.
 Authentication successful.
 Client OAuth2 File: C:\GAMConfig\oauth2.txt, Updated
 
-C:\GAMADV-XTD3>
+C:\>
 ```
 ### Enable GAMADV-XTD3 service account access.
 ```
-C:\GAMADV-XTD3>gam user user@domain.com check serviceaccount
+C:\>gam user user@domain.com check serviceaccount
 System time status:
   Your system time differs by less than 1 second from Google                PASS
 Service Account Private Key Authentication:
@@ -489,7 +494,7 @@ Scopes fields will be pre-populated. Please click Authorize to allow these
 scopes access. After authorizing it may take some time for this test to pass so
 wait a few moments and then try this command again.
 
-C:\GAMADV-XTD3>
+C:\>
 ```
 The link shown in the error message should take you directly to the authorization screen.
 If not, make sure that you are logged in as a domain admin, then re-enter the link.
@@ -499,7 +504,7 @@ If not, make sure that you are logged in as a domain admin, then re-enter the li
 Wait a moment and then perform the following command; it it still fails, wait a bit longer, it can sometimes take serveral minutes
 for the authorization to complete.
 ```
-C:\GAMADV-XTD3>gam user user@domain.com check serviceaccount
+C:\>gam user user@domain.com check serviceaccount
 System time status:
   Your system time differs by less than 1 second from Google                PASS
 Service Account Private Key Authentication:
@@ -542,5 +547,5 @@ Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
 All scopes PASSED!
 Service Account Client name: SVCACCTID is fully authorized.
 
-C:\GAMADV-XTD3>
+C:\>
 ```

docs/How-to-Upgrade-from-Standard-GAM.md

@@ -2,10 +2,10 @@
 Use these steps if you have used any version of GAM in your domain. They will update your GAM project
 and all necessary authentications.
 
-- [Downloads](Downloads)
-- [GAM Configuration](gam.cfg)
+- [Downloads-Installs](Downloads-Installs)
 - [Linux and MacOS and Google Cloud Shell](#linux-and-mac-os-and-google-cloud-shell)
 - [Windows](#windows)
+- [GAM Configuration](gam.cfg)
 
 ## Linux and MacOS and Google Cloud Shell
 
@@ -25,6 +25,11 @@ probably want to select a non-hidden location. This example assumes that the GAM
 configuration directory will be /Users/admin/GAMConfig; If you've chosen another directory,
 substitute that value in the directions.
 
+Make the directory:
+```
+mkdir -p /Users/admin/GAMConfig
+```
+
 Add the following line:
 ```
 export GAMCFGDIR="/Users/admin/GAMConfig"
@@ -42,7 +47,10 @@ Issue the following command replacing `<Filename>` with the name of the file you
 source <Filename>
 ```
 
-* Make the /Users/admin/GAMConfig directory before proceeding.
+You need to make sure the GAM configuration directory actually exists. Test that like this:
+```
+ls -l $GAMCFGDIR
+```
 
 ### Set a working directory
 
@@ -51,10 +59,15 @@ data in this folder and execute GAM commands from this folder. You should not us
 /Users/admin/bin/gamadv-xtd3 or /Users/admin/GAMConfig for this purpose.
 This example assumes that the GAM working directory will be /Users/admin/GAMWork; If you've chosen
 another directory, substitute that value in the directions.
-* Make the /Users/admin/GAMWork directory before proceeding.
+
+Make the directory:
+```
+mkdir -p /Users/admin/GAMWork
+```
 
 ### Set an alias
 You should set an alias to point to /Users/admin/bin/gamadv-xtd3/gam so you can operate from the /Users/admin/GAMWork directory.
+Aliases aren't available in scripts, so you may want to set a symlink instead, see below.
 
 Add the following line:
 ```
@@ -69,32 +82,44 @@ to one of these files based on your shell:
 ~/.profile
 ```
 
+If you already have an alias for standard GAM but are no longer going to run it, delete these lines:
+```
+function gam() { "/Users/admin/bin/gam/gam" "$@" ; }"
+alias gam="/Users/admin/bin/gam/gam"
+```
+
+If you already have an alias for standard GAM and want to run it and GAMADV-XTD3, give your old alias a different name:
+```
+function gamstd() { "/Users/admin/bin/gam/gam" "$@" ; }"
+alias gamstd="/Users/admin/bin/gam/gam"
+```
+
 Issue the following command replacing `<Filename>` with the name of the file you edited:
 ```
 source <Filename>
 ```
 
-If you already have a gam alias for standard GAM and want to run it and GAMADV-XTD3, give your new alias a different name:
+### Set a symlink
+Set a symlink in `/usr/local/bin` (or some other location on $PATH) to point to GAM. 
 ```
-alias gam3="/Users/admin/bin/gamadv-xtd3/gam"
+ln -s "/Users/admin/bin/gamadv-xtd3/gam" /usr/local/bin/gam
 ```
 
 Set environment variable OLDGAMPATH to point to the existing Gam directory; /Users/admin/bin/gam will be used in this example.
 If your existing Gam is in another directory, substitute that value in the directions.
 ```
-admin@server:~$ cd /Users/admin/bin/gamadv-xtd3
-admin@server:/Users/admin/bin/gamadv-xtd3$ export OLDGAMPATH=/Users/admin/bin/gam
+admin@server:/Users/admin$ export OLDGAMPATH=/Users/admin/bin/gam
 ```
 Verify that OLDGAMPATH points to the correct location.
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ls -l $OLDGAMPATH/*.json
+admin@server:/Users/admin$ ls -l $OLDGAMPATH/*.json
 -rw-r-----@ 1 admin  staff   553 Feb 26 10:39 /Users/admin/bin/gam/client_secrets.json
 -rw-r-----@ 1 admin  staff  2377 Feb 26 10:39 /Users/admin/bin/gam/oauth2service.json
-admin@server:/Users/admin/bin/gamadv-xtd3$ 
+admin@server:/Users/admin$ 
 ```
 ### Initialize GAMADV-XTD3; this should be the first GAMADV-XTD3 command executed.
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam config drive_dir /Users/admin/GAMWork verify
+admin@server:/Users/admin$ gam config drive_dir /Users/admin/GAMWork verify
 Created: /Users/admin/GAMConfig
 Created: /Users/admin/GAMConfig/gamcache
 Copied: /Users/admin/bin/gam/oauth2service.json, To: /Users/admin/GAMConfig/oauth2service.json
@@ -102,127 +127,19 @@ Copied: /Users/admin/bin/gam/oauth2.txt, To: /Users/admin/GAMConfig/oauth2.txt
 Copied: /Users/admin/bin/gam/client_secrets.json, To: /Users/admin/GAMConfig/client_secrets.json
 Config File: /Users/admin/GAMConfig/gam.cfg, Initialized
 Section: DEFAULT
-  activity_max_results = 100
-  admin_email = ''
-  api_calls_rate_check = false
-  api_calls_rate_limit = 100
-  api_calls_tries_limit = 10
-  auto_batch_min = 0
-  bail_on_internal_error_tries = 2
-  batch_size = 50
-  cacerts_pem = ''
+  ...
   cache_dir = /Users/admin/GAMConfig/gamcache
-  cache_discovery_only = true
-  channel_customer_id = ''
-  charset = utf-8
-  classroom_max_results = 0
-  client_secrets_json = client_secrets.json ; /Users/admin/GAMConfig/client_secrets.json
-  clock_skew_in_seconds = 10
-  cmdlog = ''
-  cmdlog_max_backups = 5
-  cmdlog_max_kilo_bytes = 1000
+  ...
   config_dir = /Users/admin/GAMConfig
-  contact_max_results = 100
-  csv_input_column_delimiter = ,
-  csv_input_quote_char = '"'
-  csv_input_row_drop_filter = ''
-  csv_input_row_drop_filter_mode = anymatch
-  csv_input_row_filter = ''
-  csv_input_row_filter_mode = allmatch
-  csv_input_row_limit = 0
-  csv_output_column_delimiter = ,
-  csv_output_convert_cr_nl = false
-  csv_output_field_delimiter = ' '
-  csv_output_header_drop_filter = ''
-  csv_output_header_filter = ''
-  csv_output_header_force = ''
-  csv_output_line_terminator = lf
-  csv_output_quote_char = '"'
-  csv_output_row_drop_filter = ''
-  csv_output_row_drop_filter_mode = anymatch
-  csv_output_row_filter = ''
-  csv_output_row_filter_mode = allmatch
-  csv_output_row_limit = 0
-  csv_output_subfield_delimiter = '.'
-  csv_output_timestamp_column = ''
-  csv_output_users_audit = false
-  customer_id = my_customer
-  debug_level = 0
-  device_max_results = 200
-  domain = ''
+  ...
   drive_dir = /Users/admin/GAMWork
-  drive_max_results = 1000
-  drive_v3_native_names = true
-  email_batch_size = 50
-  enable_dasa = false
-  event_max_results = 250
-  extra_args = ''
-  inter_batch_wait = 0
-  license_max_results = 100
-  license_skus = ''
-  member_max_results = 200
-  message_batch_size = 50
-  message_max_results = 500
-  mobile_max_results = 100
-  multiprocess_pool_limit = 0
-  never_time = Never
-  no_browser = false
-  no_cache = false
-  no_update_check = true
-  no_verify_ssl = false
-  num_tbatch_threads = 2
-  num_threads = 5
-  oauth2_txt = oauth2.txt ; /Users/admin/GAMConfig/oauth2.txt
-  oauth2service_json = oauth2service.json ; /Users/admin/GAMConfig/oauth2service.json
-  people_max_results = 100
-  print_agu_domains = ''
-  print_cros_ous = ''
-  print_cros_ous_and_children = ''
-  process_wait_limit = 0
-  quick_cros_move = false
-  quick_info_user = false
-  reseller_id = ''
-  retry_api_service_not_available = false
-  section = ''
-  show_api_calls_retry_data = false
-  show_commands = false
-  show_convert_cr_nl = false
-  show_counts_min = 1
-  show_gettings = true
-  show_gettings_got_nl = false
-  show_multiprocess_info = false
-  smtp_fqdn = ''
-  smtp_host = ''
-  smtp_password = ''
-  smtp_username = ''
-  timezone = utc
-  tls_max_version = ''
-  tls_min_version = 'TLSv1_2'
-  todrive_clearfilter = false
-  todrive_clientaccess = false
-  todrive_conversion = true
-  todrive_localcopy = false
-  todrive_locale = ''
-  todrive_nobrowser = false
-  todrive_noemail = true
-  todrive_parent = root
-  todrive_sheet_timeformat = ''
-  todrive_sheet_timestamp = false
-  todrive_timeformat = ''
-  todrive_timestamp = false
-  todrive_timezone = ''
-  todrive_upload_nodata = true
-  todrive_user = ''
-  update_cros_ou_with_id = false
-  use_projectid_as_name = false
-  user_max_results = 500
-  user_service_account_access_only = false
+  ...
 
-admin@server:/Users/admin/bin/gamadv-xtd3$
+admin@server:/Users/admin$
 ```
 ### Verify initialization, this was a successful installation.
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ls -l $GAMCFGDIR
+admin@server:/Users/admin$ ls -l $GAMCFGDIR
 total 48
 -rw-r-----+ 1 admin  staff   553 Mar  3 09:23 client_secrets.json
 -rw-r-----+ 1 admin  staff  1069 Mar  3 09:23 gam.cfg
@@ -231,21 +148,21 @@ drwxr-x---+ 2 admin  staff    68 Mar  3 09:23 gamcache
 -rw-r-----+ 1 admin  staff  5104 Mar  3 09:23 oauth2.txt
 -rw-rw-rw-+ 1 admin  staff     0 Mar  3 09:23 oauth2.txt.lock
 -rw-r-----+ 1 admin  staff  2377 Mar  3 09:23 oauth2service.json
-admin@server:/Users/admin/bin/gamadv-xtd3$ 
+admin@server:/Users/admin$ 
 ```
 If the verification looks like this, then you'll have to copy client_secrets.json and oauth2service.json manually.
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ls -l $GAMCFGDIR
+admin@server:/Users/admin$ ls -l $GAMCFGDIR
 total 40
 -rw-r-----+  1 admin  admin  1427 Nov  1 11:38 gam.cfg
 drwxr-x---+ 16 admin  admin   544 Nov  2 07:25 gamcache
 -rw-r--r--+  1 admin  admin    10 Nov  2 15:31 lastupdatecheck.txt
 -rw-rw-rw-+  1 admin  admin     0 Sep 19 17:28 oauth2.txt.lock
 
-admin@server:/Users/admin/bin/gamadv-xtd3$ cp -p $OLDGAMPATH/client_secrets.json $GAMCFGDIR/
-admin@server:/Users/admin/bin/gamadv-xtd3$ cp -p $OLDGAMPATH/oauth2service.json $GAMCFGDIR/
-admin@server:/Users/admin/bin/gamadv-xtd3$ cp -p $OLDGAMPATH/oauth2.txt $GAMCFGDIR/
-admin@server:/Users/admin/bin/gamadv-xtd3$ ls -l $GAMCFGDIR
+admin@server:/Users/admin$ cp -p $OLDGAMPATH/client_secrets.json $GAMCFGDIR/
+admin@server:/Users/admin$ cp -p $OLDGAMPATH/oauth2service.json $GAMCFGDIR/
+admin@server:/Users/admin$ cp -p $OLDGAMPATH/oauth2.txt $GAMCFGDIR/
+admin@server:/Users/admin$ ls -l $GAMCFGDIR
 total 40
 -rw-r-----+ 1 admin  staff   553 Mar  3 09:23 client_secrets.json
 -rw-r-----+ 1 admin  staff  1069 Mar  3 09:23 gam.cfg
@@ -257,7 +174,7 @@ drwxr-x---+ 2 admin  staff    68 Mar  3 09:23 gamcache
 ```
 ### Update your project with local browser to include the additional APIs that GAMADV-XTD3 uses.
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ gam update project
+admin@server:/Users/admin$ gam update project
 
 Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) gam-project-abc-123-xyz? admin@domain.com
 
@@ -287,12 +204,12 @@ Enable 3 APIs
   API: groupsmigration.googleapis.com, Enabled (2/3)
   API: sheets.googleapis.com, Enabled (3/3)
 
-admin@server:/Users/admin/bin/gamadv-xtd3$
+admin@server:/Users/admin$
 ```
 ### Update your project without local browser (Google Cloud Shell for instance) to include the additional APIs that GAMADV-XTD3 uses
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ gam config no_browser true save
-admin@server:/Users/admin/bin/gamadv-xtd3$ gam update project
+admin@server:/Users/admin$ gam config no_browser true save
+admin@server:/Users/admin$ gam update project
 
 Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) gam-project-abc-123-xyz? admin@domain.com
 
@@ -321,7 +238,7 @@ Enable 3 APIs
   API: groupsmigration.googleapis.com, Enabled (2/3)
   API: sheets.googleapis.com, Enabled (3/3)
 
-admin@server:/Users/admin/bin/gamadv-xtd3$
+admin@server:/Users/admin$
 ```
 ### Enable GAMADV-XTD3 client access
 
@@ -331,17 +248,17 @@ You select a list of scopes, GAM uses a browser to get final authorization from
 writes the credentials into the file oauth2.txt.
 
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ rm -f /Users/admin/GAMConfig/oauth2.txt
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam version
+admin@server:/Users/admin$ rm -f /Users/admin/GAMConfig/oauth2.txt
+admin@server:/Users/admin$ gam version
 WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: /Users/admin/GAMConfig/oauth2.txt, Not Found
-GAMADV-XTD3 6.71.06 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
+GAMADV-XTD3 7.00.02 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
 Ross Scroggs <ross.scroggs@gmail.com>
-Python 3.12.2 64-bit final
-MacOS Sonoma 14.2.1 x86_64
+Python 3.12.5 64-bit final
+MacOS Sonoma 14.5 x86_64
 Path: /Users/admin/bin/gamadv-xtd3
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam oauth create
+admin@server:/Users/admin$ gam oauth create
 
 [*]  0)  Calendar API (supports readonly)
 [*]  1)  Chrome Browser Cloud Management API (supports readonly)
@@ -422,11 +339,11 @@ Enter verification code or paste "Unable to connect" URL from other computer (on
 The authentication flow has completed.
 Client OAuth2 File: /Users/admin/GAMConfig/oauth2.txt, Created
 
-admin@server:/Users/admin/bin/gamadv-xtd3$
+admin@server:/Users/admin$
 ```
 ### Enable GAMADV-XTD3 service account access.
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam user admin@domain.com check serviceaccount
+admin@server:/Users/admin$ gam user admin@domain.com check serviceaccount
 $ gam user admin@domain.com check serviceaccount
 System time status
   Your system time differs from www.googleapis.com by less than 1 second    PASS
@@ -481,7 +398,7 @@ Click AUTHORIZE
 When the box closes you're done
 After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.
 
-admin@server:/Users/admin/bin/gamadv-xtd3$
+admin@server:/Users/admin$
 ```
 The link shown in the error message should take you directly to the authorization screen.
 If not, make sure that you are logged in as a domain admin, then re-enter the link.
@@ -491,7 +408,7 @@ If not, make sure that you are logged in as a domain admin, then re-enter the li
 Wait a moment and then perform the following command; it it still fails, wait a bit longer, it can sometimes take serveral minutes
 for the authorization to complete.
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam user admin@domain.com check serviceaccount
+admin@server:/Users/admin$ gam user admin@domain.com check serviceaccount
 System time status:
   Your system time differs from www.googleapis.com by less than 1 second    PASS
 Service Account Private Key Authentication:
@@ -535,14 +452,14 @@ All scopes PASSED!
 
 Service Account Client name: SVCACCTID is fully authorized.
 
-admin@server:/Users/admin/bin/gamadv-xtd3$
+admin@server:/Users/admin$
 ```
 ### Update gam.cfg with some basic values
 * `customer_id` - Having this data keeps Gam from having to make extra API calls
 * `domain` - This allows you to omit the domain portion of email addresses
 * `timezone local` - Gam will convert all UTC times to your local timezone
 ```
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam info domain
+admin@server:/Users/admin$ gam info domain
 Customer ID: C01234567
 Primary Domain: domain.com
 Customer Creation Time: 2007-06-06T15:47:55.444Z
@@ -550,7 +467,7 @@ Primary Domain Verified: True
 Default Language: en
 ...
 
-admin@server:/Users/admin/bin/gamadv-xtd3$ ./gam config customer_id C01234567 domain domain.com timezone local save verify
+admin@server:/Users/admin$ gam config customer_id C01234567 domain domain.com timezone local save verify
 Config File: /Users/admin/GAMConfig/gam.cfg, Saved
 Section: DEFAULT
   activity_max_results = 100
@@ -661,12 +578,13 @@ Section: DEFAULT
   todrive_timezone = ''
   todrive_upload_nodata = true
   todrive_user = ''
+  truncate_client_id = false
   update_cros_ou_with_id = false
   use_projectid_as_name = false
   user_max_results = 500
   user_service_account_access_only = false
 
-admin@server:/Users/admin/bin/gamadv-xtd3$
+admin@server:/Users/admin$
 ```
 
 ## Windows
@@ -726,12 +644,11 @@ At this point, you should restart Command Prompt so that it has the updated path
 Set environment variable OLDGAMPATH to point to the existing Gam directory; C:\GAM will be used in this example.
 If your existing Gam is in another directory, substitute that value in the directions.
 ```
-C:>cd C:\GAMADV-XTD3
-C:\GAMADV-XTD3>set OLDGAMPATH=C:\GAM
+C:\>set OLDGAMPATH=C:\GAM
 ```
 ### Verify that OLDGAMPATH points to the correct location.
 ```
-C:\GAMADV-XTD3>dir %OLDGAMPATH%\*.json
+C:\>dir %OLDGAMPATH%\*.json
  Volume in drive C has no label.
  Volume Serial Number is 663F-DA8B
 
@@ -746,8 +663,7 @@ C:\GAMADV-XTD3>dir %OLDGAMPATH%\*.json
 ```
 ### Initialize GAMADV-XTD3; this should be the first GAMADV-XTD3 command executed.
 ```
-C:>cd C:\GAMADV-XTD3
-C:\GAMADV-XTD3>gam config drive_dir C:\GAMWork verify
+C:\>gam config drive_dir C:\GAMWork verify
 Created: C:\GAMConfig
 Created: C:\GAMConfig\gamcache
 Copied: C:\GAM\oauth2service.json, To: C:\GAMConfig\oauth2service.json
@@ -863,16 +779,17 @@ Section: DEFAULT
   todrive_timezone = ''
   todrive_upload_nodata = true
   todrive_user = ''
+  truncate_client_id = false
   update_cros_ou_with_id = false
   use_projectid_as_name = false
   user_max_results = 500
   user_service_account_access_only = false
 
-C:\GAMADV-XTD3>
+C:\>
 ```
 ### Verify initialization, this was a successful installation.
 ```
-C:\GAMADV-XTD3>dir %GAMCFGDIR%
+C:\>dir %GAMCFGDIR%
  Volume in drive C has no label.
  Volume Serial Number is 663F-DA8B
 
@@ -889,11 +806,11 @@ C:\GAMADV-XTD3>dir %GAMCFGDIR%
 03/03/2017  10:15 AM             2,377 oauth2service.json
                6 File(s)         15,769 bytes
                3 Dir(s)  110,532,562,944 bytes free
-C:\GAMADV-XTD3>
+C:\>
 ```
 If the verification looks like this, then you'll have to copy client_secrets.json and oauth2service.json manually.
 ```
-C:\GAMADV-XTD3>dir %GAMCFGDIR%
+C:\>dir %GAMCFGDIR%
  Volume in drive C has no label.
  Volume Serial Number is 663F-DA8B
 
@@ -908,13 +825,13 @@ C:\GAMADV-XTD3>dir %GAMCFGDIR%
                3 File(s)          1,135 bytes
                3 Dir(s)  110,532,562,944 bytes free
 
-C:\GAMADV-XTD3>copy %OLDGAMPATH%\client_secrets.json %HOMEPATH%\.gam\
+C:\>copy %OLDGAMPATH%\client_secrets.json %GAMCFGDIR%
         1 file(s) copied.
 
-C:\GAMADV-XTD3>copy %OLDGAMPATH%\oauth2service.json %HOMEPATH%\.gam\
+C:\>copy %OLDGAMPATH%\oauth2service.json %GAMCFGDIR%
         1 file(s) copied.
 
-C:\GAMADV-XTD3>dir %GAMCFGDIR%
+C:\>dir %GAMCFGDIR%
  Volume in drive C has no label.
  Volume Serial Number is 663F-DA8B
 
@@ -933,7 +850,7 @@ C:\GAMADV-XTD3>dir %GAMCFGDIR%
 ```
 ### Update your project with local browser to include the additional APIs that GAMADV-XTD3 uses.
 ```
-C:\GAMADV-XTD3>gam update project
+C:\>gam update project
 
 Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) gam-project-abc-123-xyz? admin@domain.com
 
@@ -960,12 +877,12 @@ Enable 3 APIs
   API: groupsmigration.googleapis.com, Enabled (2/3)
   API: sheets.googleapis.com, Enabled (3/3)
 
-C:\GAMADV-XTD3>
+C:\>
 ```
 ### Update your project without local browser (headless server for instance) to include the additional APIs that GAMADV-XTD3 uses
 ```
-C:\GAMADV-XTD3>gam config no_browser true save
-C:\GAMADV-XTD3>gam update project
+C:\>gam config no_browser true save
+C:\>gam update project
 
 Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) gam-project-abc-123-xyz? admin@domain.com
 
@@ -994,7 +911,7 @@ Enable 3 APIs
   API: groupsmigration.googleapis.com, Enabled (2/3)
   API: sheets.googleapis.com, Enabled (3/3)
 
-C:\GAMADV-XTD3>
+C:\>
 ```
 ### Enable GAMADV-XTD3 client access
 
@@ -1003,17 +920,17 @@ Create oauth2.txt; it must be deleted and recreated because it is in a different
 You select a list of scopes, GAM uses a browser to get final authorization from Google for these scopes and
 writes the credentials into the file oauth2.txt.
 ```
-C:\GAMADV-XTD3>del C:\GAMConfig\oauth2.txt
-C:\GAMADV-XTD3>gam version
+C:\>del C:\GAMConfig\oauth2.txt
+C:\>gam version
 WARNING: Config File: C:\GAMConfig\gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: C:\GAMConfig\oauth2.txt, Not Found
-GAMADV-XTD3 6.71.06 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
+GAMADV-XTD3 7.00.02 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
 Ross Scroggs <ross.scroggs@gmail.com>
-Python 3.12.2 64-bit final
+Python 3.12.5 64-bit final
 Windows-10-10.0.17134 AMD64
 Path: C:\GAMADV-XTD3
 Config File: C:\GAMConfig\gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 
-C:\GAMADV-XTD3>gam oauth create
+C:\>gam oauth create
 
 [*]  0)  Calendar API (supports readonly)
 [*]  1)  Chrome Browser Cloud Management API (supports readonly)
@@ -1094,12 +1011,12 @@ Enter verification code or paste "Unable to connect" URL from other computer (on
 The authentication flow has completed.
 Client OAuth2 File: C:\GAMConfig\oauth2.txt, Created
 
-C:\GAMADV-XTD3>
+C:\>
 ```
 
 ### Enable GAMADV-XTD3 service account access.
 ```
-C:\GAMADV-XTD3>gam user admin@domain.com check serviceaccount
+C:\>gam user admin@domain.com check serviceaccount
 System time status
   Your system time differs from www.googleapis.com by less than 1 second    PASS
 Service Account Private Key Authentication
@@ -1153,7 +1070,7 @@ Click AUTHORIZE
 When the box closes you're done
 After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.
 
-C:\GAMADV-XTD3>
+C:\>
 ```
 The link shown in the error message should take you directly to the authorization screen.
 If not, make sure that you are logged in as a domain admin, then re-enter the link.
@@ -1163,7 +1080,7 @@ If not, make sure that you are logged in as a domain admin, then re-enter the li
 Wait a moment and then perform the following command; it it still fails, wait a bit longer, it can sometimes take serveral minutes
 for the authorization to complete.
 ```
-C:\GAMADV-XTD3>gam user admin@domain.com check serviceaccount
+C:\>gam user admin@domain.com check serviceaccount
 System time status:
   Your system time differs from www.googleapis.com by less than 1 second    PASS
 Service Account Private Key Authentication:
@@ -1207,14 +1124,14 @@ All scopes PASSED!
 
 Service Account Client name: SVCACCTID is fully authorized.
 
-C:\GAMADV-XTD3>
+C:\>
 ```
 ### Update gam.cfg with some basic values
 * `customer_id` - Having this data keeps Gam from having to make extra API calls
 * `domain` - This allows you to omit the domain portion of email addresses
 * `timezone local` - Gam will convert all UTC times to your local timezone
 ```
-C:\GAMADV-XTD3>gam info domain
+C:\>gam info domain
 Customer ID: C01234567
 Primary Domain: domain.com
 Customer Creation Time: 2007-06-06T15:47:55.444Z
@@ -1222,7 +1139,7 @@ Primary Domain Verified: True
 Default Language: en
 ...
 
-C:\GAMADV-XTD3>gam config customer_id C01234567 domain domain.com timezone local save verify
+C:\>gam config customer_id C01234567 domain domain.com timezone local save verify
 Config File: C:\GAMConfig\gam.cfg, Saved
 Section: DEFAULT
   activity_max_results = 100
@@ -1335,10 +1252,11 @@ Section: DEFAULT
   todrive_timezone = ''
   todrive_upload_nodata = true
   todrive_user = ''
+  truncate_client_id = false
   update_cros_ou_with_id = false
   use_projectid_as_name = false
   user_max_results = 500
   user_service_account_access_only = false
 
-C:\GAMADV-XTD3>
+C:\>
 ```

docs/Inbound-SSO.md

@@ -53,6 +53,8 @@ use the `returnnameonly` option to have GAM display just the profile name of the
 This will be useful in scripts that create|update a profile and then want to perform subsequent GAM commands that
 reference the profile.
 
+If `returnnameonly is specified, `inProgress` is returned if the API does not return a complete result.
+
 ```
 gam delete inboundssoprofile <SSOProfileItem>
 ```

docs/Install-GAM-as-Python-Library.md

@@ -9,7 +9,7 @@ Scroll down to Install Git
 
 You can install GAM as a Python library with pip.
 ```
-pip install git+https://github.com/taers232c/GAMADV-XTD3.git#subdirectory=src --use-pep517
+pip install git+https://github.com/taers232c/GAMADV-XTD3.git#subdirectory=src
 ```
 
 Or as a PEP 508 Requirement Specifier, e.g. in requirements.txt file:
@@ -29,7 +29,7 @@ dependencies = [
 
 Target a specific revision or tag:
 ```
-advanced-gam-for-google-workspace @ git+https://github.com/taers232c/GAMADV-XTD3.git@v6.58.00#subdirectory=src
+advanced-gam-for-google-workspace @ git+https://github.com/taers232c/GAMADV-XTD3.git@v6.76.01#subdirectory=src
 ```
 
 ## Using the library

docs/Licenses.md

@@ -20,10 +20,11 @@
 |--------------|------------|
 | AppSheet | 101038 |
 | Assured Controls | 101039 |
-| Beyond Corp Enterprise | 101040 |
+| Chrome Enterprise | 101040 |
 | Cloud Identity Free | 101001 |
 | Cloud Identity Premium | 101005 |
 | Cloud Search | 101035 |
+| Colab | 101050 |
 | Education Endpoint Management | 101049 |
 | Gemini | 101047 |
 | Google Chrome Device Management | Google-Chrome-Device-Management |
@@ -39,20 +40,26 @@
 
 | License Name | License SKU | Abbreviation  |
 |--------------|-------------|---------------|
+| AI Meetings and Messaging | 1010470007 | aimeetingsandmessaging | 
+| AI Security | 1010470006 |  aisecurity |
 | AppSheet Core | 1010380001 | appsheetcore |
 | AppSheet Enterprise Standard | 1010380002 | appsheetstandard |
 | AppSheet Enterprise Plus | 1010380003 | appsheetplus |
 | Assured Controls | 1010390001 | assuredcontrols |
-| Beyond Corp Enterprise | 1010400001 | bce |
+| Chrome Enterprise Premium | 1010400001 | cep | chromeenterprisepremium |
 | Cloud Identity Free | 1010010001 | cloudidentity |
 | Cloud Identity Premium | 1010050001 | cloudidentitypremium |
 | Cloud Search | 1010350001 | cloudsearch |
+| Colab Pro | 1010500001 | colabpro |
+| Colab Pro+ | 1010500002 | colabpro+ | colabproplus |
 | Endpoint Education Upgrade | 1010490001 | eeu |
 | G Suite Basic | Google-Apps-For-Business | gsuitebasic |
 | G Suite Business | Google-Apps-Unlimited | gsuitebusiness |
 | G Suite Legacy | Google-Apps | standard |
 | G Suite Lite | Google-Apps-Lite | gsuitelite |
 | Gemini Business | 1010470003 | geminibiz
+| Gemini Education | 1010470004 | geminiedu |
+| Gemini Education Premium | 1010470005 | geminiedupremium |
 | Gemini Enterprise | 1010470001 | geminient | duetai |
 | Google Apps Message Security | Google-Apps-For-Postini | postini |
 | Google Chrome Device Management | Google-Chrome-Device-Management | cdm |
@@ -118,6 +125,8 @@
         101040 |
         101043 |
         101047 |
+        101049 |
+        101050 |
         Google-Apps |
         Google-Chrome-Device-Management |
         Google-Drive-storage |
@@ -135,52 +144,64 @@
         4tb | drive4tb | googledrivestorage4tb | Google-Drive-storage-4TB |
         8tb | drive8tb | googledrivestorage8tb | Google-Drive-storage-8TB |
         16tb | drive16tb | googledrivestorage16tb | Google-Drive-storage-16TB |
-        appsheetcore | 1010380001 |
-        appsheetstandard | appsheetenterprisestandard | 1010380002 |
-        appsheetplus | appsheetenterpriseplus | 1010380003 |
-        assuredcontrols | 1010390001 |
-        bce | beyondcorp | beyondcorpenterprise | 1010400001 |
+        aimeetingsandmessaging | 1010470007 | AI Meetings and Messaging |
+        aisecurity | 1010470006 | AI Security |
+        appsheetcore | 1010380001 | AppSheet Core |
+        appsheetstandard | appsheetenterprisestandard | 1010380002 | AppSheet Enterprise Standard |
+        appsheetplus | appsheetenterpriseplus | 1010380003 | AppSheet Enterprise Plus |
+        assuredcontrols | 1010390001 | Assured Controls |
+        bce | beyondcorp | beyondcorpenterprise | cep | chromeenterprisepremium | 1010400001 | Chrome Enterprise Premium |
         cdm | chrome | googlechromedevicemanagement | Google-Chrome-Device-Management |
-        cloudidentity | identity | 1010010001 |
-        cloudidentitypremium | identitypremium | 1010050001 |
-        cloudsearch | 1010350001 |
-        duetai | 1010470001 |
+        cloudidentity | identity | 1010010001 | Cloud Identity |
+        cloudidentitypremium | identitypremium | 1010050001 | Cloud Identity Premium |
+        cloudsearch | 1010350001 | Cloud Search |
+        colabpro | 1010500001 | Colab Pro |
+        colabpro+ | colabproplus | 1010500002 | Colab Pro+ |
+        eeu | 1010490001 | SKU Endpoint Education Upgrade |
+        geminibiz | 1010470003 | Gemini Business |
+        geminiedu | 1010470004 | Gemini Education |
+        geminiedupremium| 1010470005 | Gemini Education Premium |
+        geminient| duetai | 1010470001 | Gemini Enterprise |
         gsuitebasic | gafb | gafw | basic | Google-Apps-For-Business |
         gsuitebusiness | gau | gsb | unlimited | Google-Apps-Unlimited |
-        gsuitebusinessarchived | gsbau | businessarchived | 1010340002 |
-        gsuiteenterprisearchived | gseau | enterprisearchived | 1010340001 |
-        gsuiteenterpriseeducation | gsefe | e4e | 1010310002 |
-        gsuiteenterpriseeducationstudent | gsefes | e4es | 1010310003 |
+        gsuitebusinessarchived | gsbau | businessarchived | 1010340002 | Google Workspace Business - Archived User |
+        gsuiteenterprisearchived | gseau | enterprisearchived | 1010340001 | Google Workspace Enterprise Plus - Archived User |
+        gsuiteenterpriseeducation | gsefe | e4e | 1010310002 | Google Workspace for Education Plus - Legacy |
+        gsuiteenterpriseeducationstudent | gsefes | e4es | 1010310003 | Google Workspace for Education Plus - Legacy (Student) |
         gsuitegov | gafg | gsuitegovernment | Google-Apps-For-Government |
         gsuitelite | gal | gsl | lite | Google-Apps-Lite |
-        gwep | workspaceeducationplus | 1010310008 |
-        gwepstaff | workspaceeducationplusstaff | 1010310009 |
-        gwepstudent | workspaceeducationplusstudent | 1010310010 |
-        gwes | workspaceeducationstandard | 1010310005 |
-        gwesstaff | workspaceeducationstandardstaff | 1010310006 |
-        gwesstudent | workspaceeducationstandardstudent | 1010310007 |
-        gwetlu | workspaceeducationupgrade | 1010370001 |
-        gwlabs | workspacelabs | 1010470002
-        meetdialing | googlemeetglobaldialing | 1010360001 |
+        gwep | workspaceeducationplus | 1010310008 | Google Workspace for Education Plus |
+        gwepstaff | workspaceeducationplusstaff | 1010310009 | Google Workspace for Education Plus (Staff) |
+        gwepstudent | workspaceeducationplusstudent | 1010310010 | Google Workspace for Education Plus (Extra Student)|
+        gwes | workspaceeducationstandard | 1010310005 | Google Workspace for Education Standard |
+        gwesstaff | workspaceeducationstandardstaff | 1010310006 | Google Workspace for Education Standard (Staff) |
+        gwesstudent | workspaceeducationstandardstudent | 1010310007 | Google Workspace for Education Standard (Extra Student)
+        gwetlu | workspaceeducationupgrade | 1010370001 | Google Workspace for Education: Teaching and Learning Upgrade |
+        gwlabs | workspacelabs | 1010470002 | Google Workspace Labs |
+        meetdialing | googlemeetglobaldialing | 1010360001 |  Google Meet Global Dialing |
         postini | gams | gsuitegams | gsuitepostini | gsuitemessagesecurity | Google-Apps-For-Postini |
         standard | free | Google-Apps |
         vault | googlevault | Google-Vault |
         vfe | googlevaultformeremployee | Google-Vault-Former-Employee |
-        voicepremier | gvpremier | googlevoicepremier | 1010330002 |
-        voicestandard | gvstandard | googlevoicestandard | 1010330004 |
-        voicestarter | gvstarter | googlevoicestarter | 1010330003 |
-        wsas | plusstorage | 1010430001 |
-        wsbizplus | workspacebusinessplus | 1010020025 |
-        wsbizplusarchived | workspacebusinessplusarchived | 1010340003 |
-        wsbizstan | workspacebusinessstandard | 1010020028 |
-        wsbizstarter | workspacebusinessstarter | wsbizstart | 1010020027 |
-        wsentess | workspaceenterpriseessentials | 1010060003 |
-        wsentplus | workspaceenterpriseplus | gae | gse | enterprise | gsuiteenterprise | 1010020020 |
-        wsentstan | workspaceenterprisestandard | 1010020026 |
-        wsentstanarchived | workspaceenterprisestandardarchived | 1010340004 |
-        wsentstarter | workspaceenterprisestarter | 1010020029 | wes |
-        wsess | workspaceesentials | gsuiteessentials | essentials | d4e | driveenterprise | drive4enterprise | 1010060001 |
-        wsflw | workspacefrontline | workspacefrontlineworker | 1010020030
+        voicepremier | gvpremier | googlevoicepremier | 1010330002 | Google Voice Premier 
+        voicestandard | gvstandard | googlevoicestandard | 1010330004 | Google Voice Standard |
+        voicestarter | gvstarter | googlevoicestarter | 1010330003 | Google Voice Starter |
+        wsas | plusstorage | 1010430001 | Google Workspace Additional Storage |
+        wsbizplus | workspacebusinessplus | 1010020025 | Google Workspace Business Plus |
+        wsbizplusarchived | workspacebusinessplusarchived | 1010340003 | Google Workspace Business Plus - Archived User |
+        wsbizstan | workspacebusinessstandard | 1010020028 | Google Workspace Business Standard }
+        wsbizstanarchived | workspacebusinessstandardarchived | 1010340006 | Google Workspace Business Standard - Archived User |
+        wsbizstarter | workspacebusinessstarter | wsbizstart | 1010020027 | Google Workspace Business Starter |
+        wsbizstarterarchived | workspacebusinessstarterarchived | 1010340005 | Google Workspace Business Starter - Archived User |
+        wsentess | workspaceenterpriseessentials | 1010060003 | Google Workspace Enterprise Essentials |
+        wsentplus | workspaceenterpriseplus | gae | gse | enterprise | gsuiteenterprise | 1010020020 | Google Workspace Enterprise Plus |
+        wsentstan | workspaceenterprisestandard | 1010020026 | Google Workspace Enterprise Standard |
+        wsentstanarchived | workspaceenterprisestandardarchived | 1010340004 | Google Workspace Enterprise Standard - Archived User |
+        wsentstarter | workspaceenterprisestarter | wes | 1010020029 | Workspace Enterprise Starter |
+        wsess | workspaceesentials | gsuiteessentials | essentials | d4e | driveenterprise | drive4enterprise | 1010060001 | Google Workspace Essentials |
+        wsessplus | workspaceessentialsplus | 1010060005 | Google Workspace Essentials Plus |
+        wsflw | workspacefrontline | workspacefrontlineworker | 1010020030 | Google Workspace Frontline Starter |
+        wsflwstan | workspacefrontlinestan | workspacefrontlineworkerstan | 1010020031 | Google Workspace Frontline Standard
 <SKUIDList> ::= "<SKUID>(,<SKUID>)*"
 ```
 ## Notes

docs/List-Items.md

@@ -69,6 +69,7 @@
 <MatterStateList> ::= "<MatterState>(,<MatterState>)*"
 <MessageIDList> ::= "<MessageID>(,<MessageID>)*"
 <MimeTypeList> ::= "<MimeType>(,<MimeType>)*"
+<MimeTypeNameList> ::= "<MimeTypeName>(,<MimeTypeName>)*"
 <NamespaceList> ::= "<Namespace>(,<Namespace>)*"
 <NotesNameList> ::= "<NotesName>(,<NotesName>)*"
 <OrgUnitList> ::= "<OrgUnitItem>(,<OrgUnitItem>)*"
@@ -84,7 +85,7 @@
 <QueryMobileList> ::= "<QueryMobile>(,<QueryMobile>)*"
 <QueryUserList> ::= "<QueryUser>(,<QueryUser>)*"
 <ResourceIDList> ::= "<ResourceID>(,<ResourceID>)*"
-<SchemaNameList> ::= "<SchemaName>(,<SchemaName>)*"
+<SchemaNameList> ::= "<SchemaName>|<SchemaFieldName>(,<SchemaName>|<SchemaFieldName>)*"
 <SerialNumberList> ::= "<SerialNumber>(,<SerialNumber>)*"
 <ServiceAccountKeyList> ::= "<ServiceAccountKey>(,<ServiceAccountKey>)*"
 <SiteACLScopeList> ::= "<SiteACLScope>(,<SiteACLScope>)*"

docs/List.md

@@ -1,6 +1,6 @@
 # List
 
-The list command is used to verify collections of objects. See GamDataSelection.txt/
+The list command is used to verify collections of objects.
 
 ## Commands
 ```
@@ -8,3 +8,42 @@ gam list [todrive <ToDriveAttribute>*] <EntityList> [data <CrOSTypeEntity>|<User
 gam <CrOSTypeEntity>|<UserTypeEntity> list [todrive <ToDriveAttribute>*] [data <EntityList> [delimiter <Character>]]
 ```
 
+Allow mapping of keyfield value in csvkmd selectors.
+    <CSVkmdSelector> ::= csvkmd <FileName> [charset <Charset>]
+        keyfield <FieldName> [keypattern <RegularExpression>] [keyvalue <String>] [delimiter <String>]
+        (matchfield <FieldName> <RegularExpression>)*
+        [datafield <FieldName>(:<FieldName)* [delimiter <String>]]
+
+You want to update the membership of a collection of parent groups at your school, the data is coming from a database in a fixed format.
+Example 1, CSV File GroupP1P2.csv, exactly the data you want, keypattern and keyvalue are not required
+Group,P1Email,P2Email
+2017-parents@domain.com,g1member11@domain.com,g1member12@domain.com
+2017-parents@domain.com,g1member21@domain.com,g1member22@domain.com
+2018-parents@domain.com,g2member11@domain.com,g2member11@domain.com
+2018-parents@domain.com,g2member21@domain.com,g2member22@domain.com
+...
+For each row, the value from the Group column is used as the group name.
+Verify data selection: gam list csvkmd GroupP1P2.csv keyfield Group datafield P1Email:P2Email data csvdata P1Email:P2Email
+Execute: gam update groups csvkmd GroupP1P2.csv keyfield Group datafield P1Email:P2Email sync member csvdata P1Email:P2Email
+
+Example 2, CSV File GradYearP1P2.csv, you have to convert GradYear to group name GradYear-parents@domain.com, keyvalue is required
+GradYear,P1Email,P2Email
+2017,g1member11@domain.com,g1member12@domain.com
+2017,g1member21@domain.com,g1member22@domain.com
+2018,g2member11@domain.com,g2member11@domain.com
+2018,g2member21@domain.com,g2member22@domain.com
+...
+For each row, the value from the GradYear column replaces the keyField name in the keyvalue argument and that value is used as the group name.
+Verify data selection: gam list csvkmd GradYearP1P2.csv keyfield GradYear keyvalue GradYear-parents@domain.com datafield P1Email:P2Email data csvdata P1Email:P2Email
+Execute: gam update groups csvkmd GradYearP1P2.csv keyfield GradYear keyvalue GradYear-parents@domain.com datafield P1Email:P2Email sync member csvdata P1Email:P2Email
+
+Example 3, CSV File GradYearP1P2.csv, you have to convert GradYear to group name 'LastTwoDigitsOfGradYear-parents@domain.com', keypattern and keyvalue are required.
+GradYear,P1Email,P2Email
+2017,g1member11@domain.com,g1member12@domain.com
+2017,g1member21@domain.com,g1member22@domain.com
+2018,g2member11@domain.com,g2member11@domain.com
+2018,g2member21@domain.com,g2member22@domain.com
+...
+For each row, the value from the GradYear column is matched against the keypattern, the matched segments are substituted into the keyvalue argument and that value is used as the group name.
+Verify data selection: gam list csvkmd GradYearP1P2.csv keyfield GradYear keypattern '20(..)' keyvalue '\1-parents@domain.com' datafield P1Email:P2Email data csvdata P1Email:P2Email
+Execute: gam update groups csvkmd GradYearP1P2.csv keyfield GradYear keypattern '20(..)' keyvalue '\1-parents@domain.com' datafield P1Email:P2Email sync member csvdata P1Email:P2Email

docs/Meta-Commands-and-File-Redirection.md

@@ -171,9 +171,9 @@ If the pattern `{{Section}}` appears in `<FileName>`, it will be replaced with t
 ### Examples - redirect CSV
 Suppose that you have a CSV file CourseList.csv with a column labeled CourseId that contains course Ids. You want a single CSV file with participant information for these courses.
 ```
-gam redirect csv ./CourseInfo.csv multiprocess csv CourseList.csv gam print course-participants course ~CourseId
+gam redirect csv ./CourseInfo.csv multiprocess csv CourseList.csv gam print course-participants course "~CourseId"
 ```
-`redirect csv ./CourseInfo.csv multiprocess` causes gam to collect output from all of the processes started by `csv CourseList.csv gam print course-participants course ~CourseId` and produces a single CSV file CourseInfo.csv.
+`redirect csv ./CourseInfo.csv multiprocess` causes gam to collect output from all of the processes started by `csv CourseList.csv gam print course-participants course "~CourseId"` and produces a single CSV file CourseInfo.csv.
 
 Generate a list of CrOS devices and update an existing sheet in a Google spreadsheet. The file ID and sheet IDs are preserved so other appplications can access the data using the file ID and sheet ID.
 By setting 'tdtimestamp true`, the file name will the updated to reflect the time of execution, but the file ID will not change.
@@ -183,23 +183,23 @@ gam redirect csv - todrive tdtitle "CrOS" tdtimestamp true tdfileid 12345-mizZ6Q
 
 For a collection of users, generate a list of files shared with anyone; combine the output for all users into a single file.
 ```
-gam redirect csv - multiprocess todrive tdtitle AnyoneShares-All csv Users.csv gam user ~primaryEmail print filelist fields id,name,permissions pm type anyone em
+gam redirect csv - multiprocess todrive tdtitle AnyoneShares-All csv Users.csv gam user "~primaryEmail" print filelist fields id,name,permissions pm type anyone em
 ```
 
 For a collection of users, generate a list of files shared with anyone; generate a separate file for each user.
 The two forms of the command are equivalent.
 ```
-gam csv Users.csv gam redirect csv - todrive tdtitle "AnyoneShares-~~primaryEmail~~" user ~primaryEmail print filelist fields id,name,permissions pm type anyone em
+gam csv Users.csv gam redirect csv - todrive tdtitle "AnyoneShares-~~primaryEmail~~" user "~primaryEmail" print filelist fields id,name,permissions pm type anyone em
 
-gam csv Users.csv gam user ~primaryEmail print filelist fields id,name,permissions pm type anyone em todrive tdtitle "AnyoneShares-~~primaryEmail~~" 
+gam csv Users.csv gam user "~primaryEmail" print filelist fields id,name,permissions pm type anyone em todrive tdtitle "AnyoneShares-~~primaryEmail~~" 
 ```
 
 ### Examples - Redirect stdout
-The output from each of the `gam info user ~primaryEmail` commands will be combined into the single file Users.txt.
+The output from each of the `gam info user "~primaryEmail"` commands will be combined into the single file Users.txt.
 The value of `show_multiprocess_info` from `gam.cfg` controls whether information identifying the processes is also shown.
 
 ```
-$ gam config show_multiprocess_info false redirect stdout ./Users.txt multiprocess csv Users.csv gam info user ~primaryEmail
+$ gam config show_multiprocess_info false redirect stdout ./Users.txt multiprocess csv Users.csv gam info user "~primaryEmail"
 $ more Users.txt
 User: testuser1@domain.com (1/1)
   Settings:
@@ -214,9 +214,9 @@ User: testuser2@domain.com@ (1/1)
     Full Name: Test User2
 ...
 
-$ gam config show_multiprocess_info true redirect stdout ./Users.txt multiprocess csv Users.csv gam info user ~primaryEmail
+$ gam config show_multiprocess_info true redirect stdout ./Users.txt multiprocess csv Users.csv gam info user "~primaryEmail"
 $ more Users.txt
-stdout:      0, Start: 2017-01-26T11:35:00.897773-08:00, RC:   0, Cmd: /Users/admin/gam config show_multiprocess_info true redirect stdout ./Users.txt multiprocess csv Users.csv gam info user ~primaryEmail
+stdout:      0, Start: 2017-01-26T11:35:00.897773-08:00, RC:   0, Cmd: /Users/admin/gam config show_multiprocess_info true redirect stdout ./Users.txt multiprocess csv Users.csv gam info user "~primaryEmail"
 stdout:      1, Start: 2017-01-26T11:35:00.902709-08:00, RC:   0, Cmd: gam info user testuser1@domain.com
 User: testuser1@domain.com (1/1)
   Settings:
@@ -233,5 +233,5 @@ User: testuser2@domain.com@ (1/1)
     Full Name: Test User2
 ...
 stdout:      2,   End: 2017-01-26T11:35:02.849646-08:00, RC:   0, Cmd: gam info user testuser2@domain.com
-stdout:      0,   End: 2017-01-26T11:35:02.907141-08:00, RC:   0, Cmd: /Users/admin/gam config show_multiprocess_info true redirect stdout ./Users.txt multiprocess csv Users.csv gam info user ~primaryEmail
+stdout:      0,   End: 2017-01-26T11:35:02.907141-08:00, RC:   0, Cmd: /Users/admin/gam config show_multiprocess_info true redirect stdout ./Users.txt multiprocess csv Users.csv gam info user "~primaryEmail"
 ```

docs/Organizational-Units.md

@@ -15,6 +15,8 @@
 - [Print organizational units](#print-organizational-units)
 - [Display organizational unit counts](#display-organizational-unit-counts)
 - [Display indented organizational unit tree](#display-indented-organizational-unit-tree)
+- [Check organizational unit for contained items](#check-organizational-unit-for-contained-items)
+- [Delete Empty OUs](#delete-empty-ous)
 - [Special case handling for large number of organizational units](#special-case-handling-for-large-number-of-organizational-units)
 
 ## API documentation
@@ -192,6 +194,7 @@ By default, all users of the org units are displayed:
 * `nousers` - Don't display users of the org units
 * `notsuspended` - Display non-suspended users of the org units
 * `suspended` - Display suspended users of the org units
+* `children|child` - Display users in any child org unit
 
 ## Print organizational units
 This command displays information in CSV format.
@@ -269,6 +272,67 @@ gam show orgtree [fromparent <OrgUnitItem>] [batchsuborgs [<Boolean>]]
 By default, Gam displays the organizational unit tree starting at /.
 * `fromparent <OrgUnitItem>` - Display the organizational unit tree starting at `<OrgUnitItem>`.
 
+## Check organizational unit for contained items
+An organizational unit can be deleted only when it contains no items:
+  * Chrome Browsers
+  * ChromeOS Devices
+  * Shared Drives
+  * Sub Org Units
+  * Users
+
+This command counts those items and displays a CSV file with the item counts.
+  * All counts are zero - A return code of 0 is returned and the `empty` column is `True`
+  * Some count is greater than 0 - A return code of 25 is returned and the `empty` column is `False`
+
+Only items directly within the OU are counted, items in sub-OUs are not counted.
+```
+<OrgUnitCheckName> ::=
+        browsers|
+        devices|
+        shareddrives|
+        subous|
+        users
+<OrgUnitCheckNameList> ::= "<OrgUnitCheckName>(,<OrgUnitCheckName>)*"
+
+gam check org|ou <OrgUnitItem> [todrive <ToDriveAttribute>*]
+        [<OrgUnitCheckName>*|(fields <OrgUnitCheckNameList>)]
+        [filename <FileName>] [movetoou <OrgUnitItem>]
+        [formatjson [quotechar <Character>]]
+```
+By default, GAM checks each of the five items; you can select specfic fields
+with `<OrgUnitCheckName>*` or `fields <OrgUnitCheckNameList>`.
+
+By default, GAM displays the information as columns of fields; the following option causes the output to be in JSON format:
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
+If `movetoou <OrgUnitItem>` is specified, GAM will create a batch file of GAM commands that will move any remaining items
+in `ou <OrgUnitItem>` to `movetoou <OrgUnitItem>`.
+
+By default, the batch file will be named `CleanOuBatch.txt` and will be created in `gam.cfg/drive_dir`.
+This can be overridden with `filename <FileName>`.
+
+You can inspect the file and execute it if desired; substitute actual filenames as desired.
+```
+gam redirect stdout CleanOuLog.txt multiproces redirect stderr stdout batch CleanOuBatch.txt
+```
+
+### Delete Empty OUs
+```
+# Get list of OUs
+gam redirect csv ./OUs.csv print ous 
+# Check status of each OU
+gam redirect csv ./CheckOUs.csv multiprocess redirect stderr - multiprocess csv OUs.csv gam check ou "~orgUnitId"
+# Delete empty OUs
+gam config csv_input_row_filter "empty:boolean:true" redirect stdout ./DeleteEmptyOUs.txt multiprocess redirect stderr stdout csv CheckOUs.csv gam delete ou "~orgUnitId"
+```
+Repeat the steps until no empty OUs remain.
+
 ## Special case handling for large number of organizational units
 
 By default, the `print orgs` and `show orgtree`  commands issue a single API call to get the

docs/Other-Resources.md

@@ -1,16 +1,19 @@
 # Other Resources
 
-The following are links to contributions of others in support of GAMADV-XTD3.
+The following are links to contributions of others in support of GAM7.
 
 Thank you.
 
-* Gabriel Clifton - https://docs.google.com/document/d/1p32QOBTr89GaG7RfCafSbFuhlUQ9r3qBM_666E0xvQM/edit
-* Steve Larsen - https://docs.google.com/spreadsheets/d/1MzzA-u-cmoQcJnQOovCnZcEKMjvOyFhfkdFdf10X_GI/edit
-* Kevin Melillo -  https://github.com/KevinMelilloIEEE/gam-script
-* James Seymour - https://sites.google.com/jis.edu.bn/gam-commands/home
 * Amado Tejada - https://github.com/amadotejada/GAMpass
-* Workspace Admins YouTube Channel - https://youtube.com/@googleworkspaceadmins
+* Brecht Sannen - https://gcloud.devoteam.com/blog/what-is-google-apps-manager-gam/
+* Gabriel Clifton - https://docs.google.com/document/d/1p32QOBTr89GaG7RfCafSbFuhlUQ9r3qBM_666E0xvQM/edit
 * Goldy Arora - https://www.goldyarora.com/license-notifier/
-* Paul Ogier (Taming.Tech) - GAMADV-XTD3 Tutorials https://www.youtube.com/watch?v=g9LDeyXQNLI&list=PL_dLiK09pJVhKJxZHNk9CHK0q5hkZ856w
-* Paul Ogier (Taming.Tech) - GAMADV-XTD3 Course on Udemy https://taming.tech/GAMCourse
-* Paul Ogier (Taming.Tech) - https://taming.tech/taming-gam-a-practical-guide-to-gam-and-gamadv-xtd3/
+* Iain Macleod - https://docs.google.com/document/d/1QxWAPdhROcx70OXLpSD9Trh3vs-nJKSMiaMZCTwOOTg/edit?pli=1#heading=h.2a2azzpy36k0
+* James Seymour - https://sites.google.com/view/gam--commands/
+* Kevin Melillo - https://github.com/KevinMelilloIEEE/gam-script
+* Korey Rideout - https://chatgpt.com/g/g-PTxxnVPMG-gam-assist - A helpful tool to assist with, GAM (+Advance) and GYB commands to assist with syntax for Google Workspace Administrators.
+* Paul Ogier (Taming.Tech) - GAM7 Course on Udemy https://taming.tech/GAMCourse
+* Paul Ogier (Taming.Tech) - GAM7 Tutorials https://www.youtube.com/watch?v=g9LDeyXQNLI&list=PL_dLiK09pJVhKJxZHNk9CHK0q5hkZ856w
+* Paul Ogier (Taming.Tech) - https://taming.tech/taming-gam-a-practical-guide-to-gam-and-gamadv-xtd3/
+* Steve Larsen - https://docs.google.com/spreadsheets/d/1MzzA-u-cmoQcJnQOovCnZcEKMjvOyFhfkdFdf10X_GI/edit
+* Workspace Admins YouTube Channel - https://youtube.com/@googleworkspaceadmins

docs/Permission-Matches.md

@@ -97,7 +97,7 @@ In the `print/show drivefileacls` and `create/delete permissions` commands you c
 * `expirationend <Time>` - For types user and group, will the permission expire before or on <Time>.
 * `deleted <Boolean>` - For types user and groups, has the user or group been deleted.
 * `inherited <Boolean>` - For Shared Drive files/folders, is the permission inherited
-* `pmtype member|file` - For Shared Drive files/folders, is the permission derived from  membership or explicitly granted.
+* `pmtype member|file` - For Shared Drive files/folders, is the permission derived from membership or explicitly granted.
 * `em|endmatch` - End of permission match definition
 
 ## File Selection Examples

docs/Rclone.md

@@ -1,10 +1,10 @@
 # Rclone
 
-GAMADV-XTD3 has the capability to upload and download single files between your local computer and Google Drive;
+GAM7 has the capability to upload and download single files between your local computer and Google Drive;
 it has no capability for uploading and dowloading folders. For this you can use Rclone: https://rclone.org/
 
 ## Authorization
-Rclone uses client and service account access to perform its operations; you can use your existing GAMADV-XTD3
+Rclone uses client and service account access to perform its operations; you can use your existing GAM7
 authorization for Rclone, you don't need to create a new project or service account within your project.
 
 You can use your Client ID and Client Secret from `client_secrets.json` and you can use your `oauth2service.json` file with rclone.

docs/Reports.md

@@ -2,6 +2,7 @@
 - [API documentation](#api-documentation)
 - [Collections of Users](Collections-of-Users)
 - [Definitions](#definitions)
+- [Special quoting](#special-quoting)
 - [Activity reports](#activity-reports)
   - [Find Shared Drives with no activity](#find-shared-drives-with-no-activity)
 - [Customer and user reports parameters](#customer-and-user-reports-parameters)
@@ -24,6 +25,17 @@
         never|
         now|today
 ```
+## Special quoting
+If you are going to use `config csv_output_row_filter` when printing reports,
+you'll need special quoting in the filter because of the `:` characters in the parameter names.
+
+See: https://github.com/taers232c/GAMADV-XTD3/wiki/CSV-Output-Filtering#quoting-rules
+
+For example:
+```
+config csv_output_row_filter "'\"accounts:used_quota_in_mb\":count>15000'"
+```
+
 ## Activity reports
 ```
 <ActivityApplicationName> ::=
@@ -49,7 +61,8 @@
         rules|
         saml|
         token|tokens|oauthtoken|
-        useraccounts
+        useraccounts|
+        vault
 
 gam report <ActivityApplicationName> [todrive <ToDriveAttributes>*]
         [(user all|<UserItem>)|(orgunit|org|ou <OrgUnitPath> [showorgunit])|(select <UserTypeEntity>)]
@@ -143,7 +156,8 @@ Get Shared Drives ID and Name
 ```
 gam redirect csv ./SharedDrives.csv print shareddrives fields id,name
 ```
-Options:
+
+Options for the `gam report drive` commands below:
 * `maxactivities 1` - Limits the number of activities displayed for Shared Drives with activity.
 * `shownoactivities` - Displays a row for Shared Drives with no activity.
 * `addcsvdata shared_drive_id "~id"` adds the Shared Drive ID to the output.
@@ -186,6 +200,7 @@ gam report usage customer [todrive <ToDriveAttribute>*]
          thismonth|(previousmonths <Integer>)]
         [skipdates <Date>[:<Date>](,<Date>[:<Date>])*] [skipdaysofweek <DayOfWeek>(,<DayOfWeek>)*]
         [fields|parameters <String>]
+        [convertmbtogb]
 ```
 Limit the time period.
 * `start <Date>` - Default value is 30 days prior to `end <Date>`
@@ -194,6 +209,9 @@ Limit the time period.
 * `thismonth` - The current calendar month up to the current time
 * `previousmonths <Integer>` - A number in the range 1 to 6 indicating calendar months previous to the current month
 
+Option `convertmbtogb` causes GAM to convert parameters expressed in megabytes
+(name ends with _in_mb) to gigabytes (name converted to _in_gb) with two decimal places.
+
 ### Example
 Jay provided this example.
 ```
@@ -232,9 +250,10 @@ Customer reports are generally available up to two days before the current date.
 gam report customers|customer|domain [todrive <ToDriveAttributes>*]
         [(date <Date>)|(range <Date> <Date>)|
          yesterday|today|thismonth|(previousmonths <Integer>)]
-        [nodatechange|(fulldatarequired all|<CustomerServiceNameList>)]
+        [(nodatechange | limitdatechanges <Integer>) | (fulldatarequired all|<CustomerServiceNameList>)]
         [(fields|parameters <String>)|(services <CustomerServiceNameList>)]
         [noauthorizedapps]
+        [convertmbtogb]
 ```
 Specify the report date; the default is today's date.
 * `date <Date>` - A single date; there is one API call
@@ -244,8 +263,13 @@ Specify the report date; the default is today's date.
 * `thismonth` - The current calendar month up to the current time; there is an API call per date
 * `previousmonths <Integer>` - A number in the range 1 to 6 indicating calendar months previous to the current month; there is an API call per date
 
+Option `convertmbtogb` causes GAM to convert parameters expressed in megabytes
+(name ends with _in_mb) to gigabytes (name converted to _in_gb) with two decimal places.
+
 If no report is available for the specified date, can an earlier date be used?
-* `nodatechange` - Do not report on an earlier date if no report is available for the specified date.
+* `limitdatechanges -1' - Back up to earlier dates to find report data; this is the default.
+* `limitdatechanges 0 | nodatechange' - Do not report on an earlier date if no report data is available for the specified date.
+* `limitdatechanges N' - Back up to earlier dates to find report data; do not back up more than N times.
 
 If only partial report data is available for the specified date and applications, can an earlier date be used?
 * `fulldatarequired all` - Back up to an earlier date to get complete data until all applications have full report data
@@ -294,6 +318,7 @@ gam report usage user [todrive]
          thismonth|(previousmonths <Integer>)]
         [skipdates <Date>[:<Date>](,<Date>[:<Date>])*] [skipdaysofweek <DayOfWeek>(,<DayOfWeek>)*]
         [fields|parameters <String>]
+        [convertmbtogb]
 ```
 Select the users for whom information is desired.
 * `user all` - All users, the default; there is one API call
@@ -309,6 +334,9 @@ Limit the time period.
 * `thismonth` - The current calendar month up to the current time
 * `previousmonths <Integer>` - A number in the range 1 to 6 indicating calendar months previous to the current month
 
+Option `convertmbtogb` causes GAM to convert parameters expressed in megabytes
+(name ends with _in_mb) to gigabytes (name converted to _in_gb) with two decimal places.
+
 ## User reports
 User reports are generally available up to four days before the current date.
 ```
@@ -326,11 +354,12 @@ gam report users|user [todrive <ToDriveAttributes>*]
         [allverifyuser <UserItem>]
         [(date <Date>)|(range <Date> <Date>)|
          yesterday|today|thismonth|(previousmonths <Integer>)]
-        [nodatechange|(fulldatarequired all|<UserServiceNameList>)]
+        [(nodatechange | limitdatechanges <Integer>) | (fulldatarequired all|<UserServiceNameList>)]
         [filtertime.* <Time>] [filter|filters <String>]
         [(fields|parameters <String>)|(services <UserServiceNameList>)]
         [aggregatebydate|aggregatebyuser [Boolean]]
         [maxresults <Number>]
+        [convertmbtogb]
 ```
 Select the users for whom information is desired.
 * `user all` - All users, the default; there is one API call
@@ -350,13 +379,22 @@ Specify the report date; the default is today's date.
 * `thismonth` - The current calendar month up to the current time; there is an API call per date
 * `previousmonths <Integer>` - A number in the range 1 to 6 indicating calendar months previous to the current month; there is an API call per date
 
+Option `convertmbtogb` causes GAM to convert parameters expressed in megabytes
+(name ends with _in_mb) to gigabytes (name converted to _in_gb) with two decimal places.
+
 If no report is available for the specified date, can an earlier date be used?
-* `nodatechange` - Do not report on an earlier date if no report is available for the specified date.
+* `limitdatechanges -1' - Back up to earlier dates to find report data; this is the default.
+* `limitdatechanges 0 | nodatechange' - Do not report on an earlier date if no report data is available for the specified date.
+* `limitdatechanges N' - Back up to earlier dates to find report data; do not back up more than N times.
 
 If only partial report data is available for the specified date and applications, can an earlier date be used?
 * `fulldatarequired all` - Back up to an earlier date to get complete data until all applications have full report data
 * `fulldatarequired <UserServiceNameList>` - Back up to an earlier date to get complete data until all applications in `<UserServiceNameList>` have full report data
 
+By default, when `user <UserItem>` is specified and no report data is available, there is no output.
+If `csv_output_users_audit = true` in `gam.cfg`, then a row with columns `email,date` will be displayed
+where `date` is the earliest date for which report data was requested.
+
 Apply filters.
 * `filter|filters <String>` - `<String>` is a comma separated list of filter expressions.
 
@@ -389,6 +427,10 @@ Report on users Google Drive usage.
 ```
 gam report users parameters accounts:drive_used_quota_in_mb,accounts:total_quota_in_mb,accounts:used_quota_in_mb,accounts:used_quota_in_percentage
 ```
+Report on users total storage usage.
+```
+gam report users parameters accounts:drive_used_quota_in_mb,accounts:gmail_used_quota_in_mb,accounts:gplus_photos_used_quota_in_mb,accounts:total_quota_in_mb,accounts:used_quota_in_mb,accounts:used_quota_in_percentage
+```
 Report on email activity for individual users.
 ```
 $ gam report users select users testuser1,testuser2,testuser3 fields gmail:num_emails_received,gmail:num_emails_sent range 2023-07-01 2023-07-07 

docs/Reseller.md

@@ -59,46 +59,64 @@ Thanks to Duncan Isaksen-Loxton for a script to help manage multiple domains.
         4tb | drive4tb | googledrivestorage4tb | Google-Drive-storage-4TB |
         8tb | drive8tb | googledrivestorage8tb | Google-Drive-storage-8TB |
         16tb | drive16tb | googledrivestorage16tb | Google-Drive-storage-16TB |
-        assuredcontrols | 1010390001 |
-        bce | beyondcorp | beyondcorpenterprise | 1010400001 |
+        aimeetingsandmessaging | 1010470007 | AI Meetings and Messaging |
+        aisecurity | 1010470006 | AI Security |
+        appsheetcore | 1010380001 | AppSheet Core |
+        appsheetstandard | appsheetenterprisestandard | 1010380002 | AppSheet Enterprise Standard |
+        appsheetplus | appsheetenterpriseplus | 1010380003 | AppSheet Enterprise Plus |
+        assuredcontrols | 1010390001 | Assured Controls |
+        bce | beyondcorp | beyondcorpenterprise | cep | chromeenterprisepremium | 1010400001 | Chrome Enterprise Premium |
         cdm | chrome | googlechromedevicemanagement | Google-Chrome-Device-Management |
-        cloudidentity | identity | 1010010001 |
-        cloudidentitypremium | identitypremium | 1010050001 |
-        cloudsearch | 1010350001 |
+        cloudidentity | identity | 1010010001 | Cloud Identity |
+        cloudidentitypremium | identitypremium | 1010050001 | Cloud Identity Premium |
+        cloudsearch | 1010350001 | Cloud Search |
+        colabpro | 1010500001 | Colab Pro |
+        colabpro+ | colabproplus | 1010500002 | Colab Pro+ |
+        eeu | 1010490001 | SKU Endpoint Education Upgrade |
+        geminibiz | 1010470003 | Gemini Business |
+        geminiedu | 1010470004 | Gemini Education |
+        geminiedupremium| 1010470005 | Gemini Education Premium |
+        geminient| duetai | 1010470001 | Gemini Enterprise |
         gsuitebasic | gafb | gafw | basic | Google-Apps-For-Business |
         gsuitebusiness | gau | gsb | unlimited | Google-Apps-Unlimited |
-        gsuitebusinessarchived | gsbau | businessarchived | 1010340002 |
-        gsuiteenterprisearchived | gseau | enterprisearchived | 1010340001 |
-        gsuiteenterpriseeducation | gsefe | e4e | 1010310002 |
-        gsuiteenterpriseeducationstudent | gsefes | e4es | 1010310003 |
+        gsuitebusinessarchived | gsbau | businessarchived | 1010340002 | Google Workspace Business - Archived User |
+        gsuiteenterprisearchived | gseau | enterprisearchived | 1010340001 | Google Workspace Enterprise Plus - Archived User |
+        gsuiteenterpriseeducation | gsefe | e4e | 1010310002 | Google Workspace for Education Plus - Legacy |
+        gsuiteenterpriseeducationstudent | gsefes | e4es | 1010310003 | Google Workspace for Education Plus - Legacy (Student) |
         gsuitegov | gafg | gsuitegovernment | Google-Apps-For-Government |
         gsuitelite | gal | gsl | lite | Google-Apps-Lite |
-        gwep | workspaceeducationplus | 1010310008 |
-        gwepstaff | workspaceeducationplusstaff | 1010310009 |
-        gwepstudent | workspaceeducationplusstudent | 1010310010 |
-        gwes | workspaceeducationstandard | 1010310005 |
-        gwesstaff | workspaceeducationstandardstaff | 1010310006 |
-        gwesstudent | workspaceeducationstandardstudent | 1010310007 |
-        gwetlu | workspaceeducationupgrade | 1010370001 |
-        meetdialing | googlemeetglobaldialing | 1010360001 |
+        gwep | workspaceeducationplus | 1010310008 | Google Workspace for Education Plus |
+        gwepstaff | workspaceeducationplusstaff | 1010310009 | Google Workspace for Education Plus (Staff) |
+        gwepstudent | workspaceeducationplusstudent | 1010310010 | Google Workspace for Education Plus (Extra Student)|
+        gwes | workspaceeducationstandard | 1010310005 | Google Workspace for Education Standard |
+        gwesstaff | workspaceeducationstandardstaff | 1010310006 | Google Workspace for Education Standard (Staff) |
+        gwesstudent | workspaceeducationstandardstudent | 1010310007 | Google Workspace for Education Standard (Extra Student)
+        gwetlu | workspaceeducationupgrade | 1010370001 | Google Workspace for Education: Teaching and Learning Upgrade |
+        gwlabs | workspacelabs | 1010470002 | Google Workspace Labs |
+        meetdialing | googlemeetglobaldialing | 1010360001 |  Google Meet Global Dialing |
         postini | gams | gsuitegams | gsuitepostini | gsuitemessagesecurity | Google-Apps-For-Postini |
         standard | free | Google-Apps |
         vault | googlevault | Google-Vault |
         vfe | googlevaultformeremployee | Google-Vault-Former-Employee |
-        voicepremier | gvpremier | googlevoicepremier | 1010330002 |
-        voicestandard | gvstandard | googlevoicestandard | 1010330004 |
-        voicestarter | gvstarter | googlevoicestarter | 1010330003 |
-        wsbizplus | workspacebusinessplus | 1010020025 |
-        wsbizplusarchived | workspacebusinessplusarchived | 1010340003 |
-        wsbizstan | workspacebusinessstandard | 1010020028 |
-        wsbizstarter | workspacebusinessstarter | wsbizstart | 1010020027 |
-        wsentess | workspaceenterpriseessentials | 1010060003 |
-        wsentplus | workspaceenterpriseplus | gae | gse | enterprise | gsuiteenterprise | 1010020020 |
-        wsentstan | workspaceenterprisestandard | 1010020026 |
-        wsentstanarchived | workspaceenterprisestandardarchived | 1010340004 |
-        wsentstarter | workspaceenterprisestarter | 1010020029 | wes |
-        wsess | workspaceesentials | gsuiteessentials | essentials | d4e | driveenterprise | drive4enterprise | 1010060001 |
-        wsflw | workspacefrontline | workspacefrontlineworker | 1010020030
+        voicepremier | gvpremier | googlevoicepremier | 1010330002 | Google Voice Premier 
+        voicestandard | gvstandard | googlevoicestandard | 1010330004 | Google Voice Standard |
+        voicestarter | gvstarter | googlevoicestarter | 1010330003 | Google Voice Starter |
+        wsas | plusstorage | 1010430001 | Google Workspace Additional Storage |
+        wsbizplus | workspacebusinessplus | 1010020025 | Google Workspace Business Plus |
+        wsbizplusarchived | workspacebusinessplusarchived | 1010340003 | Google Workspace Business Plus - Archived User |
+        wsbizstan | workspacebusinessstandard | 1010020028 | Google Workspace Business Standard }
+        wsbizstanarchived | workspacebusinessstandardarchived | 1010340006 | Google Workspace Business Standard - Archived User |
+        wsbizstarter | workspacebusinessstarter | wsbizstart | 1010020027 | Google Workspace Business Starter |
+        wsbizstarterarchived | workspacebusinessstarterarchived | 1010340005 | Google Workspace Business Starter - Archived User |
+        wsentess | workspaceenterpriseessentials | 1010060003 | Google Workspace Enterprise Essentials |
+        wsentplus | workspaceenterpriseplus | gae | gse | enterprise | gsuiteenterprise | 1010020020 | Google Workspace Enterprise Plus |
+        wsentstan | workspaceenterprisestandard | 1010020026 | Google Workspace Enterprise Standard |
+        wsentstanarchived | workspaceenterprisestandardarchived | 1010340004 | Google Workspace Enterprise Standard - Archived User |
+        wsentstarter | workspaceenterprisestarter | wes | 1010020029 | Workspace Enterprise Starter |
+        wsess | workspaceesentials | gsuiteessentials | essentials | d4e | driveenterprise | drive4enterprise | 1010060001 | Google Workspace Essentials |
+        wsessplus | workspaceessentialsplus | 1010060005 | Google Workspace Essentials Plus |
+        wsflw | workspacefrontline | workspacefrontlineworker | 1010020030 | Google Workspace Frontline Starter |
+        wsflwstan | workspacefrontlinestan | workspacefrontlineworkerstan | 1010020031 | Google Workspace Frontline Standard
 ```
 ## Manage Resold Customers
 ```

docs/Resources.md

@@ -1,6 +1,7 @@
 # Resources
 - [API documentation](#api-documentation)
 - [Definitions](#definitions)
+- [Region Codes](#region-codes)
 - [Special quoting](#special-quoting)
 - [Manage buildings](#manage-buildings)
 - [Display buildings](#display-buildings)
@@ -121,6 +122,252 @@ See [Collections of Items](Collections-of-Items)
         uservisibledescription
 <ResourceFieldNameList> ::= "<ResourceFieldName>(,<ResourceFieldName>)*"
 ```
+
+## Region Codes
+
+| Region | Code |
+|--------|------|
+| Afghanistan | AF |
+| Aland Islands | AX |
+| Albania | AL |
+| Algeria | DZ |
+| American Samoa | AS |
+| Andorra | AD |
+| Angola | AO |
+| Anguilla | AI |
+| Antarctica | AQ |
+| Antigua & Barbuda | AG |
+| Argentina | AR |
+| Armenia | AM |
+| Aruba | AW |
+| Ascension Island | AC |
+| Australia | AU |
+| Austria | AT |
+| Azerbaijan | AZ |
+| Bahamas | BS |
+| Bahrain | BH |
+| Bangladesh | BD |
+| Barbados | BB |
+| Belarus | BY |
+| Belgium | BE |
+| Belize | BZ |
+| Benin | BJ |
+| Bermuda | BM |
+| Bhutan | BT |
+| Bolivia | BO |
+| Bosnia & Herzegovina | BA |
+| Botswana | BW |
+| Bouvet Island | BV |
+| Brazil | BR |
+| British Indian Ocean Territory | IO |
+| British Virgin Islands | VG |
+| Brunei | BN |
+| Bulgaria | BG |
+| Burkina Faso | BF |
+| Burundi | BI |
+| Cambodia | KH |
+| Cameroon | CM |
+| Canada | CA |
+| Canary Islands | IC |
+| Cape Verde | CV |
+| Caribbean Netherlands | BQ |
+| Cayman Islands | KY |
+| Central African Republic | CF |
+| Ceuta & Melilla | EA |
+| Chad | TD |
+| Chile | CL |
+| China | CN |
+| Christmas Island | CX |
+| Clipperton Island | CP |
+| Cocos (Keeling) Islands | CC |
+| Columbia | CO |
+| Comoros | KM |
+| Congo - Brazzaville | CG |
+| Congo - Kinshasa | CD |
+| Cook Islands | CK |
+| Costa Rica | CR |
+| Cote d’Ivoire | CI |
+| Croatia | HR |
+| Cuba | CU |
+| Curacao | CW |
+| Cyprus | CY |
+| Czech Republic | CZ |
+| Falkland Islands | FK |
+| Faroe Islands | FO |
+| Fiji | FJ |
+| Finland | FI |
+| France | FR |
+| Gabon | GA |
+| Gambia | GM |
+| Georgia | GE |
+| Germany | DE |
+| Ghana | GH |
+| Gibraltar | GI |
+| Greece | GR |
+| Greenland | GL |
+| Grenada | GD |
+| Guadeloupe | GP |
+| Guam | GU |
+| Guatemala | GT |
+| Guernsey | GG |
+| Guinea | GN |
+| Guinea-Bissau | GW |
+| Guyana | GY |
+| Haiti | HT |
+| Heard & McDonald Islands | HM |
+| Honduras | HN |
+| Hong Kong SAR China | HK |
+| Hungary | HU |
+| Iceland | IS |
+| India | IN |
+| Indonesia | ID |
+| Iran | IR |
+| Iraq | IQ |
+| Ireland | IE |
+| Isle of Man | IM |
+| Israel | IL |
+| Italy | IT |
+| Jamaica | JM |
+| Japan | JP |
+| Jersey | JE |
+| Jordan | JO |
+| Kazakhstan | KZ |
+| Kenya | KE |
+| Kiribati | KI |
+| Kosovo | XK |
+| Kuwait | KW |
+| Kyrgyzstan | KG |
+| Laos | LA |
+| Latvia | LV |
+| Lebanon | LB |
+| Lesotho | LS |
+| Liberia | LR |
+| Libya | LY |
+| Liechtenstein | LI |
+| Lithuania | LT |
+| Luxembourg | LU |
+| Macau SAR China | MO |
+| Macedonia | MK |
+| Madagascar | MG |
+| Malawi | MW |
+| Malaysia | MY |
+| Maldives | MV |
+| Mali | ML |
+| Malta | MT |
+| Marshall Islands | MH |
+| Martinique | MQ |
+| Mauritania | MR |
+| Mauritius | MU |
+| Mayotte | YT |
+| Mexico | MX |
+| Micronesia | FM |
+| Moldova | MD |
+| Monaco | MC |
+| Mongolia | MN |
+| Montenegro | ME |
+| Montserrat | MS |
+| Morocco | MA |
+| Mozambique | MZ |
+| Myanmar | MM |
+| Namibia | NA |
+| Nauru | NR |
+| Nepal | NP |
+| Netherlands | NL |
+| New Caledonia | NC |
+| New Zealand | NZ |
+| Nicaragua | NI |
+| Niger | NE |
+| Nigeria | NG |
+| Niue | NU |
+| Norfolk Island | NF |
+| North Korea | KP |
+| Northern Mariana Islands | MP |
+| Norway | NO |
+| Oman | OM |
+| Pakistan | PK |
+| Palau | PW |
+| Palestinia Territories | PS |
+| Panama | PA |
+| Papua New Guinea | PG |
+| Paraguay | PY |
+| Peru | PE |
+| Philippines | PH |
+| Pitcairn Islands | PN |
+| Poland | PL |
+| Portugal | PT |
+| Puerto Rico | PR |
+| Qatar | QA |
+| Reunion | RE |
+| Romania | RO |
+| Russia | RU |
+| Rwanda | RW |
+| Samoa | WS |
+| San Marino | SM |
+| Sao Tomm & Principe | ST |
+| Saudi Arabia | SA |
+| Senegal | SN |
+| Serbia | RS |
+| Seychelles | SC |
+| Sierra Leone | SL |
+| Singapore | SG |
+| Sint Maarten | SX |
+| Slovakia | SK |
+| Slovenia | SI |
+| Solomon Islands | SB |
+| Somalia | SO |
+| South Africa | ZA |
+| South Georgia & South Sandwich Islands | GS |
+| South Korea | KR |
+| South Sudan | SS |
+| Spain | ES |
+| Sri Lanka | LK |
+| St. Barthelemy | BL |
+| St. Helena | SH |
+| St. Kitts & Nevis | KN |
+| St. Lucia | LC |
+| St. Martin | MF |
+| St. Pierre & Miquelon | PM |
+| St. Vincent & Grenadines | VC |
+| Sudan | SD |
+| Suriname | SR |
+| Svalbard & Jan Mayen | SJ |
+| Swaziland | SZ |
+| Sweden | SE |
+| Switzerland | CH |
+| Syria | SY |
+| Taiwan | TW |
+| Tajikistan | TJ |
+| Tanzania | TZ |
+| Thailand | TH |
+| Timor-Leste | TL |
+| Togo | TG |
+| Tokelau | TK |
+| Tonga | TO |
+| Trinidad & Tobago | TT |
+| Tristan da Cunha | TA |
+| Tunisia | TN |
+| Turkey | TR |
+| Turkmenistan | TM |
+| Turks & Caicos Islands | TC |
+| Tuvalu | TV |
+| U.S. Outlying Islands | UM |
+| U.S. Virgin Islands | VI |
+| Uganda | UG |
+| Ukraine | UA |
+| United Arab Emirates | AE |
+| United Kingdom | GB |
+| United States | US |
+| Unknown Region | ZZ |
+| Uraguay | UY |
+| Uzbekistan | UZ |
+| Vanuatu | VU |
+| Vatican City | VA |
+| Venezuela | VE |
+| Vietnam | VN |
+| Yemen | YE |
+| Zambia | ZM |
+| Zimbabwe | ZW |
+
 ## Special quoting
 When entering `<FeatureNameList>` with `<FeatureName>s`containing spaces, enclose the list in `"` and the names containing spaces in `'`.
 ```
@@ -133,10 +380,8 @@ When creating a building, at a minimum you must enter `address|addresslines` and
 
 * Enter a single-line address as `address "123 Main Street"`
 * Enter a multi-line address as `addresslines "123 Main Street\nAnytown, US"`
-
-For `country|regioncode` see: http://www.unicode.org/cldr/charts/30/supplemental/territory_information.html
 ```
-gam create|add building <BuildIngID> <Name> <BuildingAttribute>*
+gam create|add building <Name> <BuildingAttribute>*
 gam update building <BuildIngID> <BuildingAttribute>*
 gam delete building <BuildingID>
 ```
@@ -207,7 +452,7 @@ gam show resources
         [formatjson]
 ```
 Optional data may be displayed for the resource:
-* `acls` - Display the resource calendar ACLs
+* `acls` - Display the resource calendar ACLs. This adds Scope and Role values.
 * `calendar` - Display the resource calendar settings
 
 Option `noselfowner` suppresses the display of ACLs that reference the calendar itself as its owner.
@@ -222,7 +467,7 @@ gam print resources [todrive <ToDriveAttribute>*]
         [formatjson [quotechar <Character>]]
 ```
 Optional data may be displayed for the resource:
-* `acls` - Display the resource calendar ACLs
+* `acls` - Display the resource calendar ACLs. This adds columns: id, role, scope.type, scope.value
 * `calendar` - Display the resource calendar settings
 
 Option `noselfowner` suppresses the display of ACLs that reference the calendar itself as its owner.
@@ -274,13 +519,17 @@ count = & gam print resources showitemcountonly
 These commands operate on a single resource calendar.
 ```
 gam resource <ResourceID> add acls|calendaracls <CalendarACLRole> <CalendarACLScopeEntity>
+        [sendnotifications <Boolean>]
 gam resource <ResourceID> update acls|calendaracls <CalendarACLRole> <CalendarACLScopeEntity>
+        [sendnotifications <Boolean>]
 gam resource <ResourceID> delete acls|calendaracls [<CalendarACLRole>] <CalendarACLScopeEntity>
 ```
 These commands operate on multiple resource calendars.
 ```
 gam resources <ResourceEntity> add acls|calendaracls <CalendarACLRole> <CalendarACLScopeEntity>
+        [sendnotifications <Boolean>]
 gam resources <ResourceEntity> update acls|calendaracls <CalendarACLRole> <CalendarACLScopeEntity>
+        [sendnotifications <Boolean>]
 gam resources <ResourceEntity> delete acls|calendaracls [<CalendarACLRole>] <CalendarACLScopeEntity>
 ```
 ## Display resource calendar ACLs

docs/Running-GAM7-securely-on-a-Google-Compute-Engine.md

@@ -0,0 +1,76 @@
+# Running GAM7 securely on a Google Compute Engine
+- [thanks](#thanks)
+- [Introduction](#introduction)
+- [Setup Steps](#setup-steps)
+
+## Thanks
+
+Thanks to Jay Lee for the original version of this document.
+
+## Introduction
+GAM7 can run on a Linux or Windows Google Compute Engine (GCE) VM and use the attached service account to access Google Workspace APIs. The advantage of this configuration is that no service account private key is accessible to GAM7 directly and there is no risk of the key being stolen/lost.
+
+GAM7 version 6.50.00 or higher is required.
+
+## Setup Steps
+1. Create a [GCP project](https://cloud.google.com/resource-manager/docs/creating-managing-projects).
+
+2. Create [a service account](https://cloud.google.com/iam/docs/creating-managing-service-accounts) which will be used by GAM7.
+   * Enter a value in `Service account name`
+   * Enter text in `Service account description`
+   * Click `Create` and `Continue`
+   * Click `Continue` under `Grant this service account access to project`
+   * Click `Done` under `Grant users access to this service account`
+ 
+3. Grant the service account rights to generate authentication tokens.
+   * Go to [console.cloud.google.com](https://console.cloud.google.com).
+   * Go to `IAM & Admin` > `Service accounts`
+   * Click on the service account you created (not the default service account).
+   * Copy the email address of your service account to the clipboard.
+   * Click on the `Permissions` tab.
+   * Click `Grant Access`.
+   * In the `New principals` text box, paste the service account email you copied.
+   * Give your service account the `Service Account Token Creator` and `View Service Accounts` roles.
+   * Click `Save`
+
+4. [Create a Windows or Linux virtual machine](https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances).
+   * Scroll down and start at Create a VM and attach the service account
+   * Click `Go to VM instances`
+   * Click `Create Instance`
+   * Enter a value for `Name`
+   * Configure `Manage Tags and Labels`
+   * You can choose a region physically close to you though you may be limited in your choices if you want to use the free tier.
+   * GAM7 can run on the minimal `e2-micro` [free tier VM](https://cloud.google.com/free/docs/free-cloud-features#compute) though performance may suffer. If you are performing batch operations, raising the CPU count will help performance. If you have a very large and busy Workspace instance downloading reports or Drive file lists may require more RAM.
+   * Set `Service account` under `Identity and API access/API and identity management`; choose the service account you created above.
+   * Select `Set access for each API`
+   * Enable `Cloud Platform`
+   * GAM7 does not use a significant amount of storage, unless you have specific storage needs the default disk size should suffice.
+   * Leave other VM instance settings at their defaults unless you know what you are doing.
+   * Click `Create`
+
+5. Install GAM7 on the VM
+   * See: https://github.com/taers232c/GAMADV-XTD3/wiki/How-to-Install-GAM7
+
+6. Logout and log back in to the VM, you should now be able to run GAM7 commands like:
+```
+gam version
+```
+
+7. Create the special `oauth2service.json` file GAM7 will use:
+```
+gam create gcpserviceaccount
+```
+If you'd like, take a look at the generated ```oauth2service.json``` file;
+you'll notice that while the file has some fields similar to a normal service account file, there is no `private_key` attribute containing an RSA private key.
+
+8. Enable the Google APIs GAM7 will use:
+```
+gam enable apis
+```
+You are given the option to enable them automatically or manually. Automatic enablement will ask you to authenticate to GAM7. You should authenticate as a user with rights to manage project APIs, probably a project owner. If you are not the project owner you can choose manual enablement and GAM7 will provide two or more URLs which you can send to the project owner. When the owner opens these URLs, they'll be prompted to enable all the APIs GAM7 needs.
+
+9. Perform admin actions (manage users, groups, orgunits, Chrome devices, etc)
+   * [Configure delegated admin service account (DASA)](https://github.com/taers232c/GAMADV-XTD3/wiki/Using-GAMADV-XTD3-with-a-delegated-admin-service-account); start at step 4.
+
+10. Manage user data
+   * Run ```gam user user@domain.com check serviceaccount``` and follow the instructions to perform domain-wide delegation.

docs/Running-GAMADV-XTD3-securely-on-a-Google-Compute-Engine.md

@@ -15,24 +15,38 @@ GAMADV-XTD3 version 6.50.00 or higher is required.
 ## Setup Steps
 1. Create a [GCP project](https://cloud.google.com/resource-manager/docs/creating-managing-projects).
 
-2. Create [a service account](https://cloud.google.com/iam/docs/creating-managing-service-accounts) which will be used by GAMADV-XTD3. Continue steps 2 and 3 without granting the new service account any special access to the project and without granting users access to the service account.
+2. Create [a service account](https://cloud.google.com/iam/docs/creating-managing-service-accounts) which will be used by GAMADV-XTD3.
+   * Enter a value in `Service account name`
+   * Enter text in `Service account description`
+   * Click `Create` and `Continue`
+   * Click `Continue` under `Grant this service account access to project`
+   * Click `Done` under `Grant users access to this service account`
  
 3. Grant the service account rights to generate authentication tokens.
-   * go to [console.cloud.google.com](https://console.cloud.google.com).
-   * go to "IAM & Admin" > Service accounts
-   * click on the service account you created (not the default service account).
-   * copy the email address of your service account to the clipboard.
-   * click on the Permissions tab.
-   * click "Grant Access".
-   * In the "New principals text box, paste the service account email you copied.
-   * Give your service account the "Service Account Key Admin", "Service Account Token Creator" and "View Service Accounts" roles.
+   * Go to [console.cloud.google.com](https://console.cloud.google.com).
+   * Go to `IAM & Admin` > `Service accounts`
+   * Click on the service account you created (not the default service account).
+   * Copy the email address of your service account to the clipboard.
+   * Click on the `Permissions` tab.
+   * Click `Grant Access`.
+   * In the `New principals` text box, paste the service account email you copied.
+   * Give your service account the `Service Account Token Creator` and `View Service Accounts` roles.
+   * Click `Save`
 
-4. [Create a Windows or Linux virtual machine](https://cloud.google.com/compute/docs/instances/create-start-instance).
+4. [Create a Windows or Linux virtual machine](https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances).
+   * Scroll down and start at Create a VM and attach the service account
+   * Click `Go to VM instances`
+   * Click `Create Instance`
+   * Enter a value for `Name`
+   * Configure `Manage Tags and Labels`
    * You can choose a region physically close to you though you may be limited in your choices if you want to use the free tier.
    * GAMADV-XTD3 can run on the minimal `e2-micro` [free tier VM](https://cloud.google.com/free/docs/free-cloud-features#compute) though performance may suffer. If you are performing batch operations, raising the CPU count will help performance. If you have a very large and busy Workspace instance downloading reports or Drive file lists may require more RAM.
-   * [DO NOT use the default service account](https://cloud.google.com/iam/docs/best-practices-service-accounts#single-purpose). Choose the service account you created above instead.
+   * Set `Service account` under `Identity and API access/API and identity management`; choose the service account you created above.
+   * Select `Set access for each API`
+   * Enable `Cloud Platform`
    * GAMADV-XTD3 does not use a significant amount of storage, unless you have specific storage needs the default disk size should suffice.
-   * leave other VM instance settings at their defaults unless you know what you are doing.
+   * Leave other VM instance settings at their defaults unless you know what you are doing.
+   * Click `Create`
 
 5. Install GAMADV-XTD3 on the VM
    * See: https://github.com/taers232c/GAMADV-XTD3/wiki/How-to-Install-Advanced-GAM

docs/Scripts.md

@@ -1,7 +1,7 @@
 # Scripts
 
 These scripts can be used to enhance GAM's capabilities; all are supported with Advanced GAM,
-many are supported with Standard GAM. They require that Python 3 be installed on you computer.
+many are supported with Legacy GAM. They require that Python 3 be installed on you computer.
 
 * https://github.com/taers232c/GAM-Scripts3
 * https://www.python.org/

docs/Shared-Drives.md

@@ -12,7 +12,11 @@
   - [Delete a Shared Drive](#delete-a-shared-drive)
   - [Change Shared Drive visibility](#change-shared-drive-visibility)
 - [Display Shared Drives](#display-shared-drives)
+- [Display List of Shared Drives in an Organizational Unit other than /](#display-list-of-shared-drives-in-an-organizational-unit-other-than-)
 - [Display List of Shared Drives in an Organizational Unit](#display-list-of-shared-drives-in-an-organizational-unit)
+- [Display all Shared Drives with no organizers](#display-all-shared-drives-with-no-organizers)
+- [Display all Shared Drives with a specific organizer](#display-all-shared-drives-with-a-specific-organizer)
+- [Display all Shared Drives without a specific organizer](#display-all-shared-drives-without-a-specific-organizer)
 - [Manage Shared Drive access](#manage-shared-drive-access)
 - [Transfer Shared Drive access](#transfer-shared-drive-access)
 - [Display Shared Drive access](#display-shared-drive-access)
@@ -72,6 +76,22 @@
 <OrgUnitPath> ::= /|(/<String>)+
 <OrgUnitItem> ::= <OrgUnitID>|<OrgUnitPath>
 
+<DriveFileOrderByFieldName> ::=
+        createddate|createdtime|
+        folder|
+        lastviewedbyme|lastviewedbymedate|lastviewedbymetime|lastviewedbyuser|
+        modifiedbyme|modifiedbymedate|modifiedbymetime|modifiedbyuser|
+        modifieddate|modifiedtime|
+        name|
+        name_natural|
+        quotabytesused|quotaused|
+        recency|
+        sharedwithmedate|sharedwithmetime|
+        starred|
+        title|
+        title_natural|
+        viewedbymedate|viewedbymetime
+
 <DriveFileACLRole> ::=
         manager|organizer|owner|
         contentmanager|fileorganizer|
@@ -371,45 +391,42 @@ Print information about all Shared Drives in the organization.
 gam print teamdrives
 gam user admin@domain.com print teamdrives adminaccess
 ```
-Print information about all Shared Drives in the organization with no organizers.
-```
-gam print teamdrives query "organizerCount = 0"
-gam user admin@domain.com print teamdrives adminaccess teamdriveadminquery "organizerCount = 0"
-```
 Print information about Shared Drives that have admin@domain.com as a member.
 ```
 gam user admin@domain.com print teamdrives
 ```
+## Display all Shared Drives with no organizers
+```
+gam print teamdrives query "organizerCount = 0"
+```
+
+## Display all Shared Drives with a specific organizer
+Substitute actual email address for `organizer@domain.com`.
+```
+gam config csv_output_header_filter "id,name" print teamdriveacls pm emailaddress organizer@domain.com role organizer em pma process pmselect
+```
+
+## Display all Shared Drives without a specific organizer
+Substitute actual email address for `organizer@domain.com`.
+```
+gam config csv_output_header_filter "id,name" print teamdriveacls pm emailaddress organizer@domain.com role organizer em pma skip pmselect
+```
+
+## Display List of Shared Drives in an Organizational Unit other than /
+Get the orgUnitID of OU / and use it (without the id:) in the print|show command. Adjust fields as desired.
+```
+gam info ou / nousers
+gam show teamdrives query "orgUnitId!='00gjdgxs2p9cxyz'" fields id,name,orgunit,createdtime
+gam print teamdrives query "orgUnitId!='00gjdgxs2p9cxyz'" fields id,name,orgunit,createdtime
+```
+
 ## Display List of Shared Drives in an Organizational Unit
-To use this command you must add the `Cloud Identity API` to your project and authorize
-the appropriate scope: `Cloud Identity OrgUnits API`.
-
-You'll have to do `gam update project` and `gam oauth create` to enable this command.
-
+Get the orgUnitID of the desired OU and use it (without the id:) in the print|show command. Adjust fields as desired.
 ```
-gam show oushareddrives
-        [ou|org|orgunit <OrgUnitPath>]                                                                                                                                                                                                                                             
-        [formatjson]
+gam info ou <OrgUnitPath> nousers
+gam show teamdrives query "orgUnitId='03ph8a2z21rexy'" fields id,name,orgunit,createdtime
+gam print teamdrives query "orgUnitId='03ph8a2z21rexy'" fields id,name,orgunit,createdtime
 ```
-If `ou|org|orgunit <OrgUnitPath>` is not specified, `/` is used.
-
-By default, Gam displays the information as an indented list of keys and values.
-* `formatjson` - Display the fields in JSON format.
-```
-gam print oushareddrives [todrive <ToDriveAttribute>*]
-        [ou|org|orgunit <OrgUnitPath>]
-        [formatjson [quotechar <Character>]]
-```
-If `ou|org|orgunit <OrgUnitPath>` is not specified, `/` is used.
-
-By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
-* `formatjson` - Display the fields in JSON format.
-
-By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
-the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
-When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
-The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
-`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
 
 ## Manage Shared Drive access
 These commands are used to manage the ACLs on Shared Drives themselves, not the files/folders on the Shared Drives.
@@ -509,7 +526,7 @@ Find all the organizers and file organizers on the Golgafrincham shared drive in
 ```
 
 By default, all Shared Drives specified are displayed; use the following option to select a subset of those Shared Drives.
-* `<PermissionMatch>* [<PermissionMatchAction>] pmselect` - Use permission matching to select Shared Drives
+* `<PermissionMatch>* [<PermissionMatchAction>] pmselect` - Use permission matching to select Shared Drives; all ACLs are displayed for the selected Shared Drives
 
 By default, all ACLS are displayed; use the following option to select a subset of the ACLS to display.
 * `<PermissionMatch>* [<PermissionMatchAction>]` - Use permission matching to display a subset of the ACLs for each Shared Drive; this only applies when `pmselect` is not specified
@@ -548,7 +565,7 @@ By default, all Shared Drives are displayed; use the following options to select
 * `teamdriveadminquery|query <QueryTeamDrive>` - Use a query to select Shared Drives
 * `matchname <RegularExpression>` - Retrieve Shared Drives with names that match a pattern.
 * `orgunit|org|ou <OrgUnitPath>` - Only Shared Drives in the specified Org Unit are selected
-* `<PermissionMatch>* [<PermissionMatchAction>] pmselect` -  Use permission matching to select Shared Drives
+* `<PermissionMatch>* [<PermissionMatchAction>] pmselect` -  Use permission matching to select Shared Drives; all ACLs are displayed for the selected Shared Drives
 
 By default, Shared Drives with no permissions are not displayed; use the `shownopermissionsdrives` to control whether
 Shared Drives with no permissions are displayed.
@@ -580,10 +597,12 @@ Print ACLs for all Shared Drives in the organization created after November 1, 2
 ```
 gam print teamdriveacls teamdriveadminquery "createdTime > '2017-11-01T00:00:00'"
 ```
+
 Print ACLs for all Shared Drives in the organization with foo@bar.com as an organizer.
 ```
 gam print teamdriveacls user foo@bar.com role organizer
 ```
+
 Print ACLs for all Shared Drives in the organization with foo@bar.com or groups that contain foo@bar.com as a reader.
 ```
 gam print teamdriveacls user foo@bar.com role reader checkgroups

docs/Todrive.md

@@ -191,6 +191,7 @@ direct the uploaded file to a particular user and location and add a timestamp t
         (tdnotify [<Boolean>])|
         (tdparent (id:<DriveFolderID>)|<DriveFolderName>)|
         (tdretaintitle [<Boolean>])|
+        (tdreturnidonly [<Boolean>])|
         (tdshare <EmailAddress> commenter|reader|writer)*|
         (tdsheet (id:<Number>)|<String>)|
         (tdsheettimestamp [<Boolean>] [tdsheettimeformat <String>])
@@ -238,6 +239,11 @@ If `tdfileid <DriveFileID>` is not specified, a new file is created.
 * `tdcellwrap clip|overflow|wrap` - The Spreadsheet cell wrapping strategy.
 * `tdcellnumberformat text|number` - The Spreadsheet number format.
 
+## Report action, capture file ID
+* `tdreturnidonly` - If False, a message is written to stdout with the uploaded file URL; if True, only the uploaded file ID is written to stdout
+
+The ID can be captured and used in subsequent commands, `tdfileid <DriveFileID>` that will update the same file.
+
 ## Open browser and send email
 * `tdnobrowser` - If False, a browser is opened to view the file uploaded to Google Drive; if not specified, the `todrive_nobrowser` value from gam.cfg is used. If True, no browser is opened.
 * `tdnoemail` - If False, an email is sent to `tduser` informing them of name and URL of the uploaded file; if not specified, the `todrive_noemail` value from gam.cfg is used. If True, no email is sent to `tduser`.
@@ -304,15 +310,15 @@ gam redirect csv - todrive tdtitle "CrOS" tdtimestamp true tdfileid 12345-mizZ6Q
 
 For a collection of users, generate a list of files shared with anyone; combine the output for all users into a single file.
 ```
-gam redirect csv - multiprocess todrive tdtitle AnyoneShares-All csv Users.csv gam user ~primaryEmail print filelist fields id,name,permissions pm type anyone em
+gam redirect csv - multiprocess todrive tdtitle AnyoneShares-All csv Users.csv gam user "~primaryEmail" print filelist fields id,name,permissions pm type anyone em
 ```
 
 For a collection of users, generate a list of files shared with anyone; generate a separate file for each user.
 The two forms of the command are equivalent.
 ```
-gam csv Users.csv gam redirect csv - todrive tdtitle "AnyoneShares-~~primaryEmail~~" user ~primaryEmail print filelist fields id,name,permissions pm type anyone em
+gam csv Users.csv gam redirect csv - todrive tdtitle "AnyoneShares-~~primaryEmail~~" user "~primaryEmail" print filelist fields id,name,permissions pm type anyone em
 
-gam csv Users.csv gam user ~primaryEmail print filelist fields id,name,permissions pm type anyone em todrive tdtitle "AnyoneShares-~~primaryEmail~~" 
+gam csv Users.csv gam user "~primaryEmail" print filelist fields id,name,permissions pm type anyone em todrive tdtitle "AnyoneShares-~~primaryEmail~~" 
 ```
 
 Suppose you have a spreadsheet with sheets `Monday` ... `Friday`, `Backup Monday` ... `Backup Friday` and `Latest`.

docs/Upgrade-Benefits.md

@@ -29,7 +29,7 @@
 
 ## Configuration
 
-GAMADV-XTD3 uses a configuration file, gam.cfg, to store the values of the various environment variables
+GAM7 uses a configuration file, gam.cfg, to store the values of the various environment variables
 and signal files used by earlier versions of GAM. Configuration files client_secrets.json, oauth2.txt, oauth2service.json and extra_args.txt
 are moved to a version independent location. This should simplify upgrading GAM versions in the future.
 Additionally, if you support multiple clients/domains or have multiple users running GAM,
@@ -39,7 +39,7 @@ See: [gam.cfg](gam.cfg)
 
 ## Syntax Checking
 
-GAMADV-XTD3 produces better error messages when syntax errors are found on the command line.
+GAM7 produces better error messages when syntax errors are found on the command line.
 
 ## API error checking
 
@@ -48,14 +48,14 @@ was an operation on multiple items, the items after the failing item are not pro
 you produce a CSV file containing the items you want to process; as each item is an independent excution, API failures for some items
 do not affect other items. Capturing meaningful output from the CSV execution is hard and you have to create the CSV file as a separate step.
 
-In GAMADV-XTD3, every API call is made with error handling; if an API call fails, a message is output and execution continues with additional items if possible.
+In GAM7, every API call is made with error handling; if an API call fails, a message is output and execution continues with additional items if possible.
 
 ## Batch files
 
 GAM uses multiprocessing for processing batch files and CSV files; this offers better performance than using threads. Unfortunately, one
 multiprocess subprocess can not create another subprocess; this prevents using gam csv commands inside GAM batch files.
 
-GAMADV-XTD3 supports two commands for processing batch files, batch and tbatch. gam batch uses multiprocessing and gam tbatch uses threads.
+GAM7 supports two commands for processing batch files, batch and tbatch. gam batch uses multiprocessing and gam tbatch uses threads.
 If you have a batch file that contains gam csv commands, gam tbatch can successfuly process the batch file.
 
 See: [Bulk Processing](Bulk-Processing)
@@ -69,13 +69,13 @@ gam csv File.csv gam <Command> > File.out 2>&1
 ```
 Multiple processes are writing to File.out(.err) simultaneously resulting in interleaved output that can be hard to read.
 
-With GAMADV-XTD3, you can capture the output from the multiple processes such that all of the output from each process is contiguous.
+With GAM7, you can capture the output from the multiple processes such that all of the output from each process is contiguous.
 ```
 gam redirect stdout ./File.out multiprocess redirect stderr ./File.err multiprocess csv File.csv gam <Command>
 gam redirect stdout ./File.out multiprocess redirect stderr stderr csv File.csv gam <Command>
 ```
 
-You can choose to have GAMADV-XTD3 bracket the output from each process with lines that show the command being executed.
+You can choose to have GAM7 bracket the output from each process with lines that show the command being executed.
 ```
 gam config show_multiprocess_info true redirect stdout ./File.out multiprocess redirect stderr ./File.err multiprocess csv File.csv gam <Command>
 gam config show_multiprocess_info true redirect stdout ./File.out multiprocess redirect stderr stderr csv File.csv gam <Command>
@@ -85,7 +85,7 @@ See: [Meta Commands and File Redirection](Meta-Commands-and-File-Redirection)
 
 ## Data selection
 
-GAMADV-XTD3 has many more ways to specify collections of ChromeOS devices, Users and other items.
+GAM7 has many more ways to specify collections of ChromeOS devices, Users and other items.
 
 See: [Collections of ChromeOS Devices](Collections-of-ChromeOS-Devices)
 
@@ -97,7 +97,7 @@ See: [Collections of Items](Collections-of-Items)
 
 GAM specifies drive files in different ways based on the command.
 
-GAMADV-XTD3 has a consistent way of specifying Google Drive files for all commands.
+GAM7 has a consistent way of specifying Google Drive files for all commands.
 
 See: [Drive File Selection](Drive-File-Selection)
 
@@ -106,17 +106,17 @@ See: [Drive File Selection](Drive-File-Selection)
 GAM allows no options when you use the todrive option with a gam print command; the file is always uploaded with a fixed name to the root folder of
 Google Drive for the Google Admin user named in oauth2.txt.
 
-GAMADV-XTD3 allows you to specify the name, location and user for files uploaded with todrive; you can also save a local copy of the file.
+GAM7 allows you to specify the name, location and user for files uploaded with todrive; you can also save a local copy of the file.
 
 See: [Todrive](Todrive)
 
 ## Calendars
 
-GAM can manage the list of calendars a user can view; GAMADV-XTD3 can also create, modify and remove calendars.
+GAM can manage the list of calendars a user can view; GAM7 can also create, modify and remove calendars.
 
-GAM can add and delete events; GAMADV-XTD3 can also update, move, show and print events.
+GAM can add and delete events; GAM7 can also update, move, show and print events.
 
-GAM can add, update, delete and show calendar ACLs; GAMADV-XTD3 can also get ACLs for a single calendar and print a CSV file of calendar ACLs.
+GAM can add, update, delete and show calendar ACLs; GAM7 can also get ACLs for a single calendar and print a CSV file of calendar ACLs.
 
 See: [Calendars - Access](Calendars-Access), [Calendars - Events](Calendars-Events)
 
@@ -130,7 +130,7 @@ See: [Users - Calendars - Transfer](Users-Calendars-Transfer)
 
 ## Contacts
 
-GAMADV-XTD3 supports domain shared contacts and user contacts.
+GAM7 supports domain shared contacts and user contacts.
 
 See: [Domain Shared Contacts](Contacts)
 
@@ -138,48 +138,48 @@ See: [Users - People - Contacts & Profiles](Users-People-Contacts-Profiles)
 
 ## Courses
 
-When updating a course, GAM can only add/delete a single alias; GAMADV-XTD3 can add/delete multiple aliases.
+When updating a course, GAM can only add/delete a single alias; GAM7 can add/delete multiple aliases.
 
-When updating a course's membership, GAM can only add/delete a single student/teacher; GAMADV-XTD3 can
+When updating a course's membership, GAM can only add/delete a single student/teacher; GAM7 can
 add/delete multiple students/teachers.
 
-When creating/updating courses, GAMADV-XTD3 can copy settings from another course.
+When creating/updating courses, GAM7 can copy settings from another course.
 
 See: [Courses](Courses)
 
 ## Data Studio
 
-GAMADV-XTD3 supports commands to display Data Studio assets and display/manage Data Studio permissions
+GAM7 supports commands to display Data Studio assets and display/manage Data Studio permissions
 
 See: [Users - Data Studio](Users-DataStudio)
 
 ## Drive File Copy and Move
 
-GAMADV-XTD3 supports advanced file/folder copying/moving
+GAM7 supports advanced file/folder copying/moving
 
 See: [Users - Drive - Copy/Move](Users-Drive-Copy-Move)
 
 ## Drive File Orphans
 
-GAMADV-XTD3 allows collecting a user's orphaned files.
+GAM7 allows collecting a user's orphaned files.
 
 See: [Users - Drive - Orphans](Users-Drive-Orphans)
 
 ## Drive File Ownership
 
-GAMADV-XTD3 allows transferring ownership of selected folders of a source user to a target user.
+GAM7 allows transferring ownership of selected folders of a source user to a target user.
 
-GAMADV-XTD3 allows claiming ownership of of selected folders to which the user has access.
+GAM7 allows claiming ownership of of selected folders to which the user has access.
 
 See: [Users - Drive - Ownership](Users-Drive-Ownership)
 
 ## Drive File Revisions
 
-GAMADV-XTD3 can manage drive file revisions.
+GAM7 can manage drive file revisions.
 
 ## Drive File Transfer
 
-GAMADV-XTD3 has more capabilites for transferring the Google Drive of a source user to a target user.
+GAM7 has more capabilites for transferring the Google Drive of a source user to a target user.
 
 See: [Users - Drive - Transfer](Users-Drive-Transfer)
 
@@ -187,63 +187,63 @@ See: [Users - Drive - Revisions](Users-Drive-Revisions)
 
 ## Send email messages
 
-GAMADV-XTD3 can send email messages.
+GAM7 can send email messages.
 
 See: [Send Email](Send-Email)
 
 ## Forms
 
-GAMADV-XTD3 supports commands to manage and display Google Forms.
+GAM7 supports commands to manage and display Google Forms.
 
 See: [Users - Forms](Users-Forms)
 
 ## Gmail
 
-GAMADV-XTD3 has commands for displaying Gmail messages.
+GAM7 has commands for displaying Gmail messages.
 
-GAMADV-XTD3 has commands for forwarding Gmail messages.
+GAM7 has commands for forwarding Gmail messages.
 
 See: [Users - Gmail - Messages/Threads](Users-Gmail-Messages-Threads)
 
 ## Groups
 
-GAMADV-XTD3 allows selecting fields with `info group`. The output is much easier to read.
+GAM7 allows selecting fields with `info group`. The output is much easier to read.
 
-When creating/updating groups, GAMADV-XTD3 can copy settings from another group.
+When creating/updating groups, GAM7 can copy settings from another group.
 
 See: [Groups](Groups)
 
-GAMADV-XTD3 has a more powerful `print group-members` command.
+GAM7 has a more powerful `print group-members` command.
 
-GAMADV-XTD3 has a more powerful ways of specifying changes to group membership.
+GAM7 has a more powerful ways of specifying changes to group membership.
 
 See: [Groups Membership](Groups-Membership)
 
-GAMADV-XTD3 has commands to display/manage a user's group membership.
+GAM7 has commands to display/manage a user's group membership.
 
 See: [Users - Group Membership](Users-Group-Membership)
 
 ## Keep
 
-GAMADV-XTD3 supports commands to manage and display Google Keep notes.
+GAM7 supports commands to manage and display Google Keep notes.
 
 See: [Users - Keep](Users-Keep)
 
 ## Organizational Units
 
-GAMADV-XTD3 supports updating multiple org units in a single command.
+GAM7 supports updating multiple org units in a single command.
 
 See: [Organizational Units](Organizational-Units)
 
 ## Resource Calendars
 
-GAMADV-XTD3 supports managing resource calendar ACLs.
+GAM7 supports managing resource calendar ACLs.
 
 See: [Resource Calendars](Resource-Calendars)
 
 ## Shared Drives
 
-GAMADV-XTD3 has more powerful commands for managing Shared Drives.
+GAM7 has more powerful commands for managing Shared Drives.
 
 See: [Shared Drives](Shared-Drives)
 
@@ -251,12 +251,12 @@ See: [Users - Shared Drives](Users-Shared-Drives)
 
 ## Spreadsheets
 
-GAMADV-XTD3 can manipulate Google Sheets.
+GAM7 can manipulate Google Sheets.
 
 See: [Users - Spreadsheets](Users-Spreadsheets)
 
 ## Tasks
 
-GAMADV-XTD3 supports commands to manage and display Google Tasks.
+GAM7 supports commands to manage and display Google Tasks.
 
 See: [Users - Tasks](Users-Tasks)

docs/Users-Backup-Verification-Codes.md

@@ -31,8 +31,10 @@ Exit Status of 0 indicates no errors, and backup codes are sent to stdout.
 
 Exit status of 60 indicates no errors, and that no backup codes are available for this user.
 ```
-gam <UserTypeEntity> print backupcodes|verificationcodes [todrive <ToDriveAttributes>*] [delimiter <Character>]
+gam <UserTypeEntity> print backupcodes|verificationcodes [todrive <ToDriveAttributes>*]
+        [delimiter <Character>] [countsonly]
 ```
-Gam displays the information in CSV form.
+GAM displays the information in CSV form.
 
 * `delimiter <Character>` - Separate `verificationCodes` entries with `<Character>`; the default value is `csv_output_field_delimiter` from `gam.cfg`.
+* `countsonly` - Display only the number of available backup codes but not the codes themselves.

docs/Users-Calendars-Access.md

@@ -37,6 +37,17 @@ Calendar ACL roles (as seen in Calendar GUI):
 <UniqueID> ::= id:<String>
 <UserItem> ::= <EmailAddress>|<UniqueID>|<String>
 
+<CalendarAttribute> ::=
+        (backgroundcolor <ColorValue>)|
+        (color <CalendarColorName>)|
+        (colorindex|colorid <CalendarColorIndex>)|
+        (foregroundcolor <ColorValue>)|
+        (hidden <Boolean>)|
+        (notification clear|(email <CalendarEmailNotificatonEventTypeList>))|
+        (reminder clear|(email|pop <Number>)|(<Number> email|pop))|
+        (selected <Boolean>)|
+        (summary <String>)
+
 <CalendarSettings> ::=
         (description <String>)|
         (location <String>)|
@@ -134,15 +145,15 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 ## Transfer calendar ownership
 
 You can transfer ownership of calendars from one user to another; only non-primary calendars owned by the source user can be transferred.
-You can update calendar settings as part of the transfer. In description, location and summary, #email#, #user# and #username# will be replaced
-by the original owner's full email address or just the name portion; #timestamp# will be replaced by the current date and time.
 ```
-gam <UserTypeEntity> transfer calendars <UserItem> <UserCalendarEntity>
+gam <UserTypeEntity> transfer calendars|seccals <UserItem> [<UserCalendarEntity>]
         [keepuser | (retainrole <CalendarACLRole>)] [sendnotifications <Boolean>]
         [noretentionmessages]
         [<CalendarSettings>] [append description|location|summary] [noupdatemessages]
-gam <UserTypeEntity> transfer seccals <UserItem> [keepuser] [sendnotifications <Boolean>]
+        [deletefromoldowner] [addtonewowner <CalendarAttribute>*] [nolistmessages]
 ```
+If `<UserCalendarEntity>` is not specified, all of a user's owned secondary calendars will be transferrdd.
+
 By default, the users in `<UserTypeEntity>` retain no role in the transferred calendars.
 * `keepuser` - The users in `<UserTypeEntity>` retain their ownership.
 * `retainrole <CalendarACLRole>` - The users in `<UserTypeEntity>` retain the specified role.
@@ -150,11 +161,23 @@ By default, the users in `<UserTypeEntity>` retain no role in the transferred ca
 
 By default, when you add or update a calendar ACL, a notification is sent to the affected users; use `sendnotifications false` to suppress sending the notifications.
 
+You can update calendar settings as part of the transfer. In description, location and summary, #email#, #user# and #username# will be replaced
+by the original owner's full email address or just the name portion; #timestamp# will be replaced by the current date and time.
 * `<CalendarSettings>` - The value specified will replace the existing value.
 * `append description|location|summary` - The specified <CalendarSettings> value will be appended to the existing value.
 * `noupdatemessages` - Suppress the settings update messages.
 
+You can manipulate the old and new owner's calendar lists.
+* `deletefromoldowner` - Delete the calendar from the old owner's calendar list
+* `addtonewowner <CalendarAttribute>*` - Add the calendar to the new owner's calendar list; optionally specify attributes
+* `nolistmessages` - Suppress the calendar list add/delete messages.
+
 ### Example
+Transfer a secondary calendar from oldowner to newowner. Remove the calendar from the old owner's calendar list and add to the new owner's  calendar list.
+```
+gam user oldowner@domain.com transfer calendars newowner@domain.com c_aaa123zzz@group.calendar.google.com removefromoldowner addtonewowner
+```
+
 Transfer ownership of all non-primary calendars from oldowner to newowner; append a message to the calendar description noting the old owner and the time of transfer.
 ```
 gam user oldowner@domain.com transfer calendars newowner@domain.com minaccessrole owner description "(Transferred from #user# on #timestamp#)" append description

docs/Users-Calendars-Events.md

@@ -26,6 +26,7 @@
 * https://developers.google.com/calendar/v3/reference/events
 * https://developers.google.com/calendar/v3/reference/events/import
 * https://developers.google.com/calendar/api/guides/working-hours-and-location
+* https://developers.google.com/calendar/api/guides/event-types#birthday
 
 ## Definitions
 * [`<UserTypeEntity>`](Collections-of-Users)
@@ -241,8 +242,10 @@
 ```
 ```
 <EventType> ::=
+        birthday|
         default|
         focustime|
+        fromgmail|
         outofoffice|
         workinglocation
 <EventTypeList> ::= "<EventType>(,<EventType>)*"
@@ -261,6 +264,9 @@
 
 <EventMatchProperty> ::=
         (matchfield attendees <EmailAddressEntity>)|
+        (matchfield attendeesonlydomainlist <DomainNameList>)|
+        (matchfield attendeesdomainlist <DomainNameList>)|
+        (matchfield attendeesnotdomainlist <DomainNameList>)|
         (matchfield attendeespattern <RegularExpression>)|
         (matchfield attendeesstatus [<AttendeeAttendance>] [<AttendeeStatus>] <EmailAddressEntity>)|
         (matchfield creatoremail <RegularExpression>)|
@@ -302,6 +308,7 @@
         (attendee <EmailAddress>)|
         (attendeestatus [<AttendeeAttendance>] [<AttendeeStatus>] <EmailAddress>)|
         available|
+        (birthday <Date>)|
         (color <EventColorName>)|
         (colorindex|colorid <EventColorIndex>)|
         (description <String>)|
@@ -322,7 +329,7 @@
         (privateproperty <PropertyKey> <PropertyValue>)|
         (range <Date> <Date>)|
         (recurrence <RRULE, EXRULE, RDATE and EXDATE line>)|
-        (reminder <Number> email|popup))|
+        (reminder <Number> email|popup)|
         (selectattendees [<AttendeeAttendance>] [<AttendeeStatus>] <UserTypeEntity>)|
         (sequence <Integer>)|
         (sharedproperty <PropertyKey> <PropertyValue>)|
@@ -425,7 +432,7 @@ If none of the following options are selected, all events are selected.
 * `<EventSelectProperty>* <EventMatchProperty>*` - Properties used to select events
 
 The Google Calendar API processes `<EventSelectProperty>*`; you may specify none or multiple properties.
-* `after|starttime|timemin <Time>` - Lower bound (inclusive) for an event's end time to filter by. If timeMax is set, timeMin must be smaller than timeMax.
+* `after|starttime|timemin <Time>` - Lower bound (exclusive) for an event's end time to filter by. If timeMax is set, timeMin must be smaller than timeMax.
 * `before|endtime|timemax <Time>` - Upper bound (exclusive) for an event's start time to filter by. If timeMin is set, timeMax must be greater than timeMin.
 * `eventtypes <EventTypeList>` - Select events based on their type.
 * `query <QueryCalendar>` - Free text search terms to find events that match these terms in any field, except for extended properties
@@ -438,7 +445,15 @@ The Google Calendar API processes `<EventSelectProperty>*`; you may specify none
 
 GAM processes `<EventMatchProperty>*`; you may specify none or multiple properties.
 * `matchfield attendees <EmailAddressEntity>` - All of the attendees in `<EmailAddressEntity>` must be present
-* `matchfield attendeespattern <RegularExpression>` - Some attendee must match `<RegularExpression>`
+* `matchfield attendeesonlydomainlist <DomainNameList>` - All attendee's email addresses must be in a domain in `<DomainNameList>`
+  * For example, this lets you look for events with all attendees in your internal domains. You should include `resource.calendar.google.com`
+    in `<DomainNameList>` if the events use resources.
+* `matchfield attendeesdomainlist <DomainNameList>` - Some attendee's email address must be in a domain in `<DomainNameList>`
+  * For example, this lets you look for events with attendees in specific external domains
+* `matchfield attendeesnotdomainlist <DomainNameList>` - Some attendee's email address must be in a domain not in `<DomainNameList>`
+  * For example, this lets you look for events with attendees not in your internal domains. You should include `resource.calendar.google.com`
+    in `<DomainNameList>` if the events use resources.
+* `matchfield attendeespattern <RegularExpression>` - Some attendee's email address must match `<RegularExpression>`
 * `matchfield attendeesstatus [<AttendeeAttendance>] [<AttendeeStatus>] <EmailAddressEntity>` - All of the attendees in `<EmailAddressEntity>` must be present
 and must have the specified values.
     * `<AttendeeAttendance>` - Default is `required`
@@ -449,6 +464,7 @@ and must have the specified values.
 * `matchfield location <RegularExpression>` - The location must match `<RegularExpression>`
 * `matchfield organizeremail <RegularExpression>` - The organizer email address must match `<RegularExpression>`
 * `matchfield organizername <RegularExpression>` - The orgainzer name must match `<RegularExpression>`
+* `matchfield organizerself <Boolean>` - The user must be/not be the organizer of the event
 * `matchfield status <RegularExpression>` - The summary must match `<RegularExpression>`. The API documented values are:
     * `confirmed`
     * `tentative`

docs/Users-Chat.md

@@ -3,18 +3,26 @@
 - [Introduction](#introduction)
 - [Set up a Chat Bot](#set-up-a-chat-bot)
 - [Definitions](#definitions)
+- [Chat Space Permissions](#chat-space-permissions)
 - [Manage Chat Spaces](#manage-chat-spaces)
 - [Display Chat Spaces](#display-chat-spaces)
 - [Manage Chat Members](#manage-chat-members)
 - [Display Chat Members](#display-chat-members)
 - [Manage Chat Messages](#manage-chat-messages)
 - [Display Chat Messages](#display-chat-messages)
+- [Display Chat Events](#display-chat-events)
 - [Bulk Operations](#bulk-operations)
 
 ## API documentation
-* https://developers.google.com/chat/concepts
-* https://developers.google.com/chat/reference/rest
+* https://developers.google.com/workspace/chat/overview
+* https://developers.google.com/workspace/chat/api/reference/rest
+* https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces.members/list
+* https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces.messages/list
+* https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces.spaceEvents/list
 * https://support.google.com/chat/answer/7655820
+* https://support.google.com/a/answer/13369245
+* https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces/search
+* https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces#Space.FIELDS.predefined_permission_settings
 
 ## Introduction
 These features were added in version 6.60.00.
@@ -23,12 +31,23 @@ To use these commands you must update your service account authorization.
 ```
 gam user user@domain.com update serviceaccount
 
-[*]  3)  Chat API - Memberships (supports readonly)
-[*]  4)  Chat API - Messages (supports readonly)
-[*]  5)  Chat API - Spaces (supports readonly)
-[*]  6)  Chat API - Spaces Delete
-
+[*]  4)  Chat API - Memberships (supports readonly)
+[*]  5)  Chat API - Memberships Admin (supports readonly)
+[*]  6)  Chat API - Messages (supports readonly)
+[*]  7)  Chat API - Spaces (supports readonly)
+[*]  8)  Chat API - Spaces Admin (supports readonly)
+[*]  9)  Chat API - Spaces Delete
+[*] 10)  Chat API - Spaces Delete Admin
 ```
+
+Added `use_chat_admin_access` Boolean variable to `gam.cfg`. 
+```
+* When False, GAM uses user access when making all Chat API calls. For calls that support admin access,
+    this can be overridden with the asadmin command line option.
+* When True, GAM uses admin access for Chat API calls that support admin access; other calls will use user access.
+* Default: False
+```
+
 Google requires that you have a Chat Bot configured in order to use the Chat API; set up a Chat Bot as described in the next section.
 
 ## Set up a Chat Bot
@@ -63,6 +82,7 @@ Google requires that you have a Chat Bot configured in order to use the Chat API
          (gdoc <UserGoogleDoc>)|
          (gcsdoc <StorageBucketObjectName>))
 
+<ChatEvent> ::= spaces/<String>/spaceEvents/<String>
 <ChatMember> ::= spaces/<String>/members/<String>
 <ChatMemberList> ::= "<ChatMember>(,<ChatMember>)*"
 <ChatMessage> ::= spaces/<String>/messages/<String>
@@ -76,12 +96,97 @@ Google requires that you have a Chat Bot configured in order to use the Chat API
 <ChatMessageID> ::= client-<String>
         <String> must contain only lowercase letters, numbers, and hyphens up to 56 characters in length.
 ```
+```
+<ChatSpaceFieldName> ::=
+        accesssettings|
+        admininstalled|
+        createtime|
+        displayname|
+        externaluserallowed|
+        importmode|
+        lastactivetime|
+        membershipcount|
+        name|
+        permissionsettings|
+        singleuserbotdm|
+        spacedetails|
+        spacehistorystate|
+        spacethreadingstate|threaded|
+        spacetype|type|
+        spaceuri
+<ChatSpaceFieldNameList> ::= "<ChatSpaceFieldName>(,<ChatSpaceFieldName>)*"
+
+<ChatMemberFieldName> ::=
+        createtime|
+        deletetime|
+        groupmember|
+        member|
+        name|
+        role|
+        state|
+<ChatMemberFieldNameList> ::= "<ChatMemberFieldName>(,<ChatMemberFieldName>)*"
+
+<ChatMessageFieldName> ::=
+        accessorywidgets|
+        actionresponse|
+        annotations|
+        argumenttext|
+        attachedgifs|
+        attachment|
+        cards|
+        cardsv2|
+        clientassignedmessageid|
+        createtime|
+        deletetime|
+        deletionmetadata|
+        emojireactionsummaries|
+        fallbacktext|
+        formattedtext|
+        lastupdatetime|
+        matchedurl|
+        name|
+        privatemessageviewer|
+        quotedmessagemetadata|
+        sender|
+        slashcommand|
+        space|
+        text|
+        thread|
+        threadreply
+<ChatMessageFieldNameList> ::= "<ChatMessageFieldName>(,<ChatMessageFieldName>)*"
+
+```
+
+## Chat Space Permissions
+### Announcement
+| Keyword | Description | Allowed | Default |
+|---------|-------------|---------|---------|
+| manageapps | Manage apps | managers-immutable | managers |
+| managemembersandgroups | Manage members and groups | managers/members | managers |
+| managewebhooks | Manage web hooks | managers-immutable | managers |
+| modifyspacedetails | Modify space details | managers/members | managers |
+| postmessages | Post messages | managers-immutable | managers |
+| replymessages | Reply messages | members/managers | members |
+| togglehistory | Turn history on and off | managers/members | managers |
+| useatmentionall | Use @all | managers-immutable | managers |
+
+### Collaboration
+| Keyword | Description | Allowed | Default |
+|---------|-------------|---------|---------|
+| manageapps | Manage apps | members-immutable | members |
+| managemembersandgroups | Manage members and groups | managers/members | members |
+| managewebhooks | Manage web hooks | managers/members | members |
+| modifyspacedetails | Modify space details | managers/members | members |
+| postmessages | Post messages | members-immutable | members |
+| replymessages | Reply messages | members-immutable | members |
+| togglehistory | Turn history on and off | managers/members | members |
+| useatmentionall | Use @all | managers/members | members |
 
 ## Manage Chat Spaces
 ### Create a chat space
 ```
 gam <UserTypeEntity> create chatspace
-        [type <ChatSpaceType>]
+        [type <ChatSpaceType>] [announcement|collaboration]
         [restricted|(audience <String>)]
         [externalusersallowed <Boolean>]
         [members <UserTypeEntity>]
@@ -92,21 +197,22 @@ gam <UserTypeEntity> create chatspace
         [formatjson|returnidonly]
 ```
 For `type space`, the following apply:
-* `member <UserTypeEntity>` - Optional, can not specify more that 20 users
+* `members <UserTypeEntity>` - Optional, can not specify more that 20 users
 * `displayname <String>` - Required
 * `description <String>` - Optional
 * `guidelines <String>` - Optional
 * `history <Boolean>` - Optional
+* `announcement|collaboration` - Initial permission settings; default is `collaboration`; this is in Developer Preview
 
 For `type groupchat`, the following apply:
-* `member <UserTypeEntity>` - Required, must specify between 2 and 20 users
+* `members <UserTypeEntity>` - Required, must specify between 2 and 20 users
 * `displayname <String>` - Ignored
 * `description <String>` - Optional
 * `guidelines <String>` - Optional
 * `history <Boolean>` - Optional
 
 For `type directmessage`, the following apply:
-* `member <UserTypeEntity>` - Required, must specify 1 user
+* `members <UserTypeEntity>` - Required, must specify 1 user
 * `displayname <String>` - Ignored
 * `description <String>` - Ignored
 * `guidelines <String>` - Ignored
@@ -118,14 +224,47 @@ By default, Gam displays the information about the created chatspace as an inden
 
 Use the `<ChatContent>` option to send an initial message to the created chatspace.
 
-The `restricted|audience` options are in Developer Preview and will not be generally available.
-
 By default, details about the chatmessage are displayed.
 * `returnidonly` - Display the chatmessage name only
 
-### Update a chat space
+### Update a user's chat space
 ```
 gam <UserTypeEntity> update chatspace <ChatSpace>
+        [restricted|(audience <String>)]|
+        ([displayname <String>]
+         [type space]
+         [description <String>] [guidelines|rules <String>]
+         [history <Boolean>])
+        [managemembersandgroups managers|members]
+        [modifyspacedetails managers|members]
+        [togglehistory managers|members]
+        [useatmentionall managers|members]
+        [manageapps managers|members]
+        [managewebhooks managers|members]
+        [replymessages managers|members]
+        [formatjson]
+```
+A groupchat space can be upgraded to a space by specifying `type space` and `displayname <String>`.
+
+The `restricted|audience` options can not be combined with options `displayname,type,description,guidelines,history`.
+
+You can manage permissions for chat spaces with the following options that are available with Developer Preview.
+        [managemembersandgroups managers|members]
+        [modifyspacedetails managers|members]
+        [togglehistory managers|members]
+        [useatmentionall managers|members]
+        [manageapps managers|members]
+        [managewebhooks managers|members]
+        [postmessages managers|members]
+        [replymessages managers|members]
+
+
+By default, Gam displays the information about the created chatspace as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
+### Update a chat space, asadmin
+```
+gam <UserItem> update chatspace asadmin <ChatSpace>
         [restricted|(audience <String>)]|
         ([displayname <String>]
          [type space]
@@ -136,20 +275,25 @@ gam <UserTypeEntity> update chatspace <ChatSpace>
 A groupchat space can be upgraded to a space by specifying `type space` and `displayname <String>`.
 
 The `restricted|audience` options can not be combined with options `displayname,type,description,guidelines,history`.
-They are in Developer Preview and will not be generally available.
 
 By default, Gam displays the information about the created chatspace as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 
-### Delete a chat space
+### Delete a user's chat space
 ```
 gam <UserTypeEntity> delete chatspace <ChatSpace>
 ```
 
+### Delete a chat space, asadmin
+```
+gam <UserItem> delete chatspace asadmin <ChatSpace>
+```
+
 ## Display Chat Spaces
 ### Display information about a specific chat space for a user
 ```
 gam <UserTypeEntity> info chatspace <ChatSpace>
+        [fields <ChatSpaceFieldNameList>]
         [formatjson]
 ```
 By default, Gam displays the information as an indented list of keys and values.
@@ -158,6 +302,7 @@ By default, Gam displays the information as an indented list of keys and values.
 ### Display information about a direct message chat space between two users
 ```
 gam <UserTypeEntity> info chatspacedm <UserItem>
+        [fields <ChatSpaceFieldNameList>]
         [formatjson]
 ```
 By default, Gam displays the information as an indented list of keys and values.
@@ -167,16 +312,24 @@ By default, Gam displays the information as an indented list of keys and values.
 ```
 gam <UserTypeEntity> show chatspaces
         [types <ChatSpaceTypeList>]
+        [fields <ChatSpaceFieldNameList>]
         [formatjson]
 ```
+By default, chat spaces of all types are displayed.
+* `types <ChatSpaceTypeList>` - Display specific types of spaces.
+
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 
 ```
 gam <UserTypeEntity> print chatspaces [todrive <ToDriveAttribute>*]
         [types <ChatSpaceTypeList>]
+        [fields <ChatSpaceFieldNameList>]
         [formatjson [quotechar <Character>]]
 ```
+By default, chat spaces of all types are displayed.
+* `types <ChatSpaceTypeList>` - Display specific types of spaces.
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.
 
@@ -186,7 +339,7 @@ When using the `formatjson` option, double quotes are used extensively in the da
 The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
 `quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
 
-### Display information about all chat spaces
+### Display information about all user's chat spaces
 ```
 # Local file
 gam config auto_batch_min 1 redirect csv ./AllChatSpaces.csv multiprocess redirect stdout - multiprocess redirect stderr stdout all users print chatspaces
@@ -207,8 +360,55 @@ When using the `formatjson` option, double quotes are used extensively in the da
 The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
 `quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
 
+### Display information about a specific chat space, asadmin
+```
+gam <UserItem> info chatspace asadmin <ChatSpace>
+        [fields <ChatSpaceFieldNameList>]
+        [formatjson]
+```
+By default, Gam displays the information as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
+### Display information about all chat spaces, asadmin
+For query and orderby information, see: https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces/search
+
+Only spaces of `<ChatSpaceType>` `space` are displayed; spaces of `<ChatSpaceType>` `groupchat` and `directmessage` are not displayed.
+```
+gam <UserItem> show chatspaces asadmin
+        [query <String>] [querytime<String> <Time>]
+        [orderby <ChatSpaceAdminOrderByFieldName> [ascending|descending]]
+        [fields <ChatSpaceFieldNameList>]
+        [formatjson]
+```
+By default, all chat spaces of type SPACE are displayed.
+* `query <String> [querytime<String> <Time>]` - Display selected chat spaces
+  * See: https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces/search
+
+By default, Gam displays the information as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
+```
+gam <UserItem> print chatspaces asadmin [todrive <ToDriveAttribute>*]
+        [query <String>] [querytime<String> <Time>]
+        [orderby <ChatSpaceAdminOrderByFieldName> [ascending|descending]]
+        [fields <ChatSpaceFieldNameList>]
+        [formatjson [quotechar <Character>]]
+```
+By default, all chat spaces of type SPACE are displayed.
+* `query <String> [querytime<String> <Time>]` - Display selected chat spaces
+  * See: https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces/search
+
+By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
 ## Manage Chat Members
-### Add members to a chat space
+### Add members to a user's chat space
 ```
 gam <UserTypeEntity> create chatmember <ChatSpace>
         [type human|bot] [role member|manager]
@@ -220,7 +420,7 @@ By default, Gam displays the information about the chatmember as an indented lis
 * `formatjson` - Display the fields in JSON format.
 * `returnidonly` - Display the chatmember name only
 
-### Delete members from a chat space
+### Delete members from a user's chat space
 Delete members by specifying a chat space and user/group email addresses.
 ```
 gam <UserTypeEntity> delete chatmember <ChatSpace>
@@ -228,36 +428,142 @@ gam <UserTypeEntity> delete chatmember <ChatSpace>
          (group <GroupItem>)|(groups <GroupEntity>))+
 ```
 
-Delete members by specifying chatmember names.
+Delete members from a user's chat space by specifying chatmember names.
 ```
 gam <UserTypeEntity> remove chatmember members <ChatMemberList>
 ```
 
+### Add members to a chat space, asadmin
+```
+gam <UserItem> create chatmember asadmin <ChatSpace>
+        [type human|bot] [role member|manager]
+        (user <UserItem>)* (members <UserTypeEntity>)*
+        (group <GroupItem>)* (groups <GroupEntity>)*
+        [formatjson|returnidonly]
+```
+By default, Gam displays the information about the chatmember as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+* `returnidonly` - Display the chatmember name only
+
+### Delete members from a chat space, asadmin
+Delete members by specifying a chat space and user/group email addresses.
+```
+gam <UserItem> delete chatmember asadmin <ChatSpace>
+        ((user <UserItem>)|(members <UserTypeEntity>)|
+         (group <GroupItem>)|(groups <GroupEntity>))+
+```
+
+Delete members from a chat space by specifying chatmember names, asadmin
+```
+gam <UserItem> remove chatmember members asadmin <ChatMemberList>
+```
+
+### Update a members role in a user's chat space
+Update members by specifying a chat space, user/group email addresses and role.
+```
+gam <UserTypeEntity> update chatmember <ChatSpace>
+        role member|manager
+        ((user <UserItem>)|(members <UserTypeEntity>))+
+```
+Update members by specifying chatmember names and role.
+```
+gam <UserTypeEntity> modify chatmember
+        role member|manager
+        members <ChatMemberList>
+```
+
+### Update a members role in a chat space, asadmin
+Update members by specifying a chat space, user/group email addresses and role.
+```
+gam <UserItem> update chatmember asadmin <ChatSpace>
+        role member|manager
+        ((user <UserItem>)|(members <UserTypeEntity>))+
+```
+Update members by specifying chatmember names and role.
+```
+gam <UserItem> modify chatmember asadmin
+        role member|manager
+        members <ChatMemberList>
+```
+
 ## Display Chat Members
-### Display information about a specific chat members
+### Display information about a user's specific chat members
 ```
 gam <UserTypeEntity> info chatmember members <ChatMemberList>
+        [fields <ChatMemberFieldNameList>]
         [formatjson]
 ```
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 
-### Display information about all chat members in a chat space
+### Display information about members in a user's chat spaces
 ```
-gam <UserTypeEntity> show chatmembers <ChatSpace>
+gam <UserTypeEntity> show chatmembers
+        <ChatSpace>* [types <ChatSpaceTypeList>]
         [showinvited [<Boolean>]] [showgroups [<Boolean>]] [filter <String>]
+        [fields <ChatMemberFieldNameList>]
         [formatjson]
 ```
 
+By default, members for all of a user's chat spaces of all types are displayed.
+* `<ChatSpace>` - Display members for a specific chat space
+* `types <ChatSpaceTypeList>` - Display members for specific types of spaces.
+
+By default, all JOINED user members in a chat space are displayed.
+* `showinvited` - Display `INVITED` members.
+* `showgroups` - Display group members,
+* `filter <String>` - Filter memberships by a member's `role `and `member.type`.
+  * To filter by role, set role to ROLE_MEMBER or ROLE_MANAGER.
+  * To filter by type, set member.type to HUMAN or BOT.
+  * To filter by both role and type, use the AND operator.
+  * To filter by either role or type, use the OR operator.
+
+For example, the following filters are valid:
+```
+role = "ROLE_MANAGER" OR role = "ROLE_MEMBER"
+member.type = "HUMAN" AND role = "ROLE_MANAGER"
+```
+The following filters are invalid:
+```
+member.type = "HUMAN" AND member.type = "BOT"
+role = "ROLE_MANAGER" AND role = "ROLE_MEMBER"
+```
+
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 
 ```
-gam <UserTypeEntity> print chatmembers [todrive <ToDriveAttribute>*] <ChatSpace>
+gam <UserTypeEntity> print chatmembers [todrive <ToDriveAttribute>*]
+        <ChatSpace>* [types <ChatSpaceTypeList>]
         [showinvited [<Boolean>]] [showgroups [<Boolean>]] [filter <String>]
+        [fields <ChatMemberFieldNameList>]
         [formatjson [quotechar <Character>]]
 ```
 
+By default, members for all of a user's chat spaces of all types are displayed.
+* `<ChatSpace>` - Display members for a specific chat space
+* `types <ChatSpaceTypeList>` - Display members for specific types of spaces.
+
+By default, all JOINED user members in a chat space are displayed.
+* `showinvited` - Display `INVITED` members.
+* `showgroups` - Display group members,
+* `filter <String>` - Filter memberships by a member's `role `and `member.type`.
+  * To filter by role, set role to ROLE_MEMBER or ROLE_MANAGER.
+  * To filter by type, set member.type to HUMAN or BOT.
+  * To filter by both role and type, use the AND operator.
+  * To filter by either role or type, use the OR operator.
+
+For example, the following filters are valid:
+```
+role = "ROLE_MANAGER" OR role = "ROLE_MEMBER"
+member.type = "HUMAN" AND role = "ROLE_MANAGER"
+```
+The following filters are invalid:
+```
+member.type = "HUMAN" AND member.type = "BOT"
+role = "ROLE_MANAGER" AND role = "ROLE_MEMBER"
+```
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.
 
@@ -267,25 +573,95 @@ When using the `formatjson` option, double quotes are used extensively in the da
 The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
 `quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
 
-By default, only `JOINED` members are displayed; use `showinvited` to also display `INVITED` members.
+### Display information about specific chat members, asadmin
+```
+gam <UserItem> info chatmember asadmin members <ChatMemberList>
+        [fields <ChatMemberFieldNameList>]
+        [formatjson]
+```
+By default, Gam displays the information as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
 
-Use `filter <String>` to filter memberships by a member's `role `and `member.type`.
-* To filter by role, set role to ROLE_MEMBER or ROLE_MANAGER.
-* To filter by type, set member.type to HUMAN or BOT.
-* To filter by both role and type, use the AND operator.
-* To filter by either role or type, use the OR operator.
+### Display information about members all chat spaces, asadmin
+For query and orderby information, see: https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces/search
+```
+gam <UserItem> show chatmembers asadmin
+        <ChatSpace>*  [query <String>] [querytime<String> <Time>]
+        [showinvited [<Boolean>]] [showgroups [<Boolean>]] [filter <String>]
+        [fields <ChatMemberFieldNameList>]
+        [formatjson]
+```
 
-For example, the following queries are valid:
+By default, members for all chat spaces of type SPACE are displayed.
+* `<ChatSpace>` - Display members for a specific chat space
+* `query <String> [querytime<String> <Time>]` - Display members for selected chat spaces
+  * See: https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces/search
+
+By default, all JOINED user members in a chat space are displayed.
+* `showinvited` - Display `INVITED` members.
+* `showgroups` - Display group members,
+* `filter <String>` - Filter memberships by a member's `role `and `member.type`.
+  * To filter by role, set role to ROLE_MEMBER or ROLE_MANAGER.
+  * To filter by type, set member.type to HUMAN or BOT.
+  * To filter by both role and type, use the AND operator.
+  * To filter by either role or type, use the OR operator.
+
+For example, the following filters are valid:
 ```
 role = "ROLE_MANAGER" OR role = "ROLE_MEMBER"
 member.type = "HUMAN" AND role = "ROLE_MANAGER"
 ```
-The following queries are invalid:
+The following filters are invalid:
 ```
 member.type = "HUMAN" AND member.type = "BOT"
 role = "ROLE_MANAGER" AND role = "ROLE_MEMBER"
 ```
 
+By default, Gam displays the information as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
+```
+gam <UserItem> print chatmembers asadmin  [todrive <ToDriveAttribute>*]
+        <ChatSpace>*  [query <String>] [querytime<String> <Time>]
+        [showinvited [<Boolean>]] [showgroups [<Boolean>]] [filter <String>]
+        [fields <ChatMemberFieldNameList>]
+        [formatjson [quotechar <Character>]]
+```
+
+By default, members for all chat spaces of type SPACE are displayed.
+* `<ChatSpace>` - Display members for a specific chat space
+* `query <String> [querytime<String> <Time>]` - Display members for selected chat spaces
+  * See: https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces/search
+
+By default, all JOINED user members in a chat space are displayed.
+* `showinvited` - Display `INVITED` members.
+* `showgroups` - Display group members,
+* `filter <String>` - Filter memberships by a member's `role `and `member.type`.
+  * To filter by role, set role to ROLE_MEMBER or ROLE_MANAGER.
+  * To filter by type, set member.type to HUMAN or BOT.
+  * To filter by both role and type, use the AND operator.
+  * To filter by either role or type, use the OR operator.
+
+For example, the following filters are valid:
+```
+role = "ROLE_MANAGER" OR role = "ROLE_MEMBER"
+member.type = "HUMAN" AND role = "ROLE_MANAGER"
+```
+The following filters are invalid:
+```
+member.type = "HUMAN" AND member.type = "BOT"
+role = "ROLE_MANAGER" AND role = "ROLE_MEMBER"
+```
+
+By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
 ### Delete a user from their `space` and `groupchat` spaces
 There is no way to delete a user from a directmessage space.
 ```
@@ -378,7 +754,7 @@ Display a specific Chat message.
 
 ```
 gam <UserTypeEntity> info chatmessage name <ChatMessage>
-        [filter <String>]
+        [fields <ChatMessageFieldNameList>]
         [formatjson]
 ```
 By default, Gam displays the information as an indented list of keys and values.
@@ -391,16 +767,20 @@ gam user user@domain.com info chatmessage name spaces/AAAADi-pvqc/messages/PKJrx
 
 ### Display information about all chat messages in a chat space
 ```
-gam <UserTypeEntity> show chatmessages <ChatSpace>
+gam <UserTypeEntity> show chatmessages
+        <ChatSpace>+
         [showdeleted [<Boolean>]] [filter <String>]
+        [fields <ChatMessageFieldNameList>]
         [formatjson]
 ```
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 
 ```
-gam <UserTypeEntity> print chatmessages [todrive <ToDriveAttribute>*] <ChatSpace>
+gam <UserTypeEntity> print chatmessages [todrive <ToDriveAttribute>*]
+        <ChatSpace>+
         [showdeleted [<Boolean>]] [filter <String>]
+        [fields <ChatMessageFieldNameList>]
         [formatjson [quotechar <Character>]]
 ```
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
@@ -447,6 +827,71 @@ filter 'createTime > \"2012-04-21T11:30:00+00:00\" AND createTime < \"2013-01-01
 filter 'thread.name = spaces/AAAAAAAAAAA/threads/123'
 ```
 
+## Display Chat Events
+Display a specific Chat event.
+
+```
+gam <UserTypeEntity> info chatevent name <ChatEvent>
+        [formatjson]
+```
+By default, Gam displays the information as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
+### Example
+```
+gam user user@domain.com info chatevent name spaces/AAAAsUhqjkg/spaceEvents/MTcxMTY4ODM2NDE3OTQzOV81X3VwZGF0ZWQ
+```
+
+### Display information about all chat events in a chat space
+```
+gam <UserTypeEntity> show chatevents
+        <ChatSpace>+
+        filter <String>
+        [formatjson]
+```
+By default, Gam displays the information as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
+```
+gam <UserTypeEntity> print chatevents [todrive <ToDriveAttribute>*]
+        <ChatSpace>+
+        filter <String>
+        [formatjson [quotechar <Character>]]
+```
+By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
+Use `filter <String>` to filter events by when they occurred and by the type of event.
+
+To filter events by the date they happened, specify the start_time and end_time with a timestamp in RFC-3339 format and double quotation marks.
+
+You must specify at least one event type (event_types) using the has : operator. To filter by multiple event types, use the OR operator.
+For a list of supported event types, see: https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces.spaceEvents#SpaceEvent.FIELDS.event_type
+
+For example, the following queries are valid on Linux/MacOS:
+```
+filter 'start_time="2024-03-15T11:30:00-04:00" AND event_types:"google.workspace.chat.message.v1.created"'
+filter 'start_time="2024-03-15T11:30:00+00:00" AND end_time="2024-03-3100:00:00+00:00"event_types:"google.workspace.chat.message.v1.created"'
+```
+
+For example, the following queries are valid on Windows Command Prompt:
+```
+filter "start_time=\"2024-03-15T11:30:00-04:00\" AND event_types:\"google.workspace.chat.message.v1.created\""
+filter "start_time=\"2024-03-15T11:30:00+00:00\" AND end_time=\"2024-03-3100:00:00+00:00\" AND event_types:\"google.workspace.chat.message.v1.created\""
+```
+
+For example, the following queries are valid on Windows PowerShell:
+```
+filter 'start_time=\"2024-03-15T11:30:00-04:00\" AND event_types:\"google.workspace.chat.message.v1.created\"'
+filter 'start_time=\"2024-03-15T11:30:00+00:00\" AND end_time=\"2024-03-3100:00:00+00:00\" AND event_types:\"google.workspace.chat.message.v1.created\"'
+```
+
 ## Bulk Operations
 ### Display information about all chat spaces for a collection of users
 ```

docs/Users-Drive-Activity-Settings.md

@@ -70,7 +70,7 @@ Google has introduced Drive Activity API v2; it adds time and action filtering a
 Drive Activity API v1 has been deprecated.
 * https://developers.google.com/drive/activity/v2/migrating
 ```
-gam <UserTypeEntity> print|show driveactivity [v2] [todrive <ToDriveAttributes>*]
+gam <UserTypeEntity> print driveactivity [v2] [todrive <ToDriveAttributes>*]
         [(fileid <DriveFileID>)|(folderid <DriveFolderID>)|
          (drivefilename <DriveFileName>)|(drivefoldername <DriveFolderName>)|
          (query <QueryDriveFile>)]
@@ -79,7 +79,7 @@ gam <UserTypeEntity> print|show driveactivity [v2] [todrive <ToDriveAttributes>*
         [action|actions [not] <DriveActivityActionList>]
         [consolidationstrategy legacy|none]
         [idmapfile <FileName>|(gsheet <UserGoogleSheet>) [charset <String>] [columndelimiter <Character>] [noescapechar <Boolean>]  [quotechar <Character>]]
-        [formatjson [quotechar <Character>]]
+        [stripcrsfromname] [formatjson [quotechar <Character>]]
 ```
 By default, Drive Activity API v2 is used; the `v2` option is ignored.
 
@@ -128,6 +128,9 @@ must be present in the file; the column `name.fullName` will be used if present.
 
 If you don't use the `idmapfile` option, Gam makes an additional API call per user to get the name and email address.
 
+The `stripcrsfromname` option strips nulls, carriage returns and linefeeds from drive file names.
+Use this option if you discover filenames containing these special characters; it is not common.
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.
 
@@ -141,10 +144,16 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 ```
 gam <UserTypeEntity> print drivesettings [todrive <ToDriveAttribute>*]
         [allfields|<DriveSettingsFieldName>*|(fields <DriveSettingsFieldNameList>)]
-        [delimiter <Character>]
+        [delimiter <Character>] [showusagebytes]
 gam <UserTypeEntity> show drivesettings
         [allfields|<DriveSettingsFieldName>*|(fields <DriveSettingsFieldNameList>)]
-        [delimiter <Character>]
+        [delimiter <Character>] [showusagebytes]
 ```
 If no fields are selected, these fields will be displayed:
     `name,appInstalled,largestChangeId,limit,maxUploadSize,permissionId,rootFolderId,usage,usageInDrive,usageInDriveTrash`
+
+By default, these fields are displayed in formatted form with units: ```usage,usageInDrive,usageInDriveTrash```.
+
+The option `showusagebytes` also displays the following fields in bytes ```usageBytes,usageInDriveBytes,usageInDriveTrashBytes```.
+
+This will be most useful with `print` as the rows can be sorted based on the `usagexxxBytes` columns.

docs/Users-Drive-Cleanup.md

@@ -39,7 +39,7 @@ gam <UserTypeEntity> delete emptydrivefolders
         [<SharedDriveEntity>]
         [pathdelimiter <Character>]
 ```
-By default, empty folders on My Drive are deleted. Use `select <DriveFileEntity>`
+By default, empty folders on My Drive are deleted(purged). Use `select <DriveFileEntity>`
 to select a Shared Drive or an alternate starting point folder on My Drive or a Shared Drive.
 
 By default, folder path components are separated by `/`; use `pathdelimiter <Character>` to use `<Character>` as the separator.

docs/Users-Drive-Comments.md

@@ -0,0 +1,157 @@
+# Users - Drive - Comments
+- [API documentation](#api-documentation)
+- [Query documentation](Users-Drive-Query)
+- [Definitions](#definitions)
+- [Display file comments](#display-file-comments)
+
+## API documentation
+* https://developers.google.com/drive/api/v3/reference/comments
+
+## Definitions
+* [`<DriveFileEntity>`](Drive-File-Selection)
+* [`<UserTypeEntity>`](Collections-of-Users)
+
+```
+<DomainName> ::= <String>(.<String>)+
+<EmailAddress> ::= <String>@<DomainName>
+<UniqueID> ::= id:<String>
+<UserItem> ::= <EmailAddress>|<UniqueID>|<String>
+
+<CommentsAuthorSubfieldName> ::=
+        author.displayname|
+        author.emailaddress|
+        author.me|
+        author.permissionid|
+        author.photolink
+
+<CommentsRepliesSubfieldName> ::=
+        reply.action|
+        reply.author|
+        reply.author.<CommentsAuthorSubfieldName>|
+        reply.content|
+        reply.createddate|createdtime|
+        reply.deleted|
+        reply.htmlcontent|
+        reply.id|
+        reply.modifieddate|modifiedtime
+
+<CommentsFieldName> ::=
+        action|
+        author|
+        content|
+        <CommentsAuthorSubfieldName>|
+        <CommentsRepliesSubfieldName>|
+        createddate|createdtime|
+        deleted|
+        htmlcontent|
+        id|
+        modifieddate|modifiedtime|
+        quotedfilecontent|
+        reply|replies|
+        resolved
+<CommentsFieldNameList> ::= "<CommentsFieldName>(,<CommentsFieldName>)*"
+```
+
+## Display file comments
+### Display as an indented list of keys and values.
+```
+gam <UserTypeEntity> show filecomments <DriveFileEntity>
+        [showdeleted] [start <Date>|<Time>]
+        [fields <CommentsFieldNameList>] [showphotolinks]
+	[countsonly]
+        [formatjson]
+```
+By default, all non-deleted comments for a file are displayed; use these options to modify that behavior.
+* `showdeleted` - Display deleted comments
+* `start <Date>|<Time>` - Display comments modified on or after `<Date>|<Time>`
+
+By default, all comment and reply fields except author photolinks are displayed; use these options to modify that behavior.
+* `fields <CommentsFieldNameList>` - Select fields to display
+* `showphotolinks` - Display author photolinks
+* `countsonly` - Display just the number of comments and replies; no fields
+
+By default, Gam displays the information as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
+### Display as a CSV file.
+Each comment/reply pair is output on a separate CSV file row.
+```
+gam <UserTypeEntity> print filecomments <DriveFileEntity> [todrive <ToDriveAttribute>*]
+        [showdeleted] [start <Date>|<Time>] [countsonly]
+        [fields <CommentsFieldNameList>] [showphotolinks]
+        (addcsvdata <FieldName> <String>)*
+        [formatjson [quotechar <Character>]]
+```
+By default, all non-deleted comments for a file are displayed; use these options to modify that behavior.
+Files with no comments will not be displayed.
+* `showdeleted` - Display deleted comments
+* `start <Date>|<Time>` - Display comments modified on or after `<Date>|<Time>`
+
+By default, all comment and reply fields except author photolinks are displayed; use these options to modify that behavior.
+* `fields <CommentsFieldNameList>` - Select fields to display
+* `showphotolinks` - Display author photolinks
+* `countsonly` - Display just the number of comments and replies; no fields. Files with no comments will display zero counts.
+
+Add additional columns of data from the command line to the output:
+* `addcsvdata <FieldName> <String>`
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
+### Example
+```
+# Get files that may have comments
+$ gam redirect csv ./CheckForComments.csv user testsimple@domain.com print filelist showmimetype gdoc,gpresentation,gsheet fields id,name,mimetype
+Getting all Drive Files/Folders that match query ('me' in owners and (mimeType = 'application/vnd.google-apps.presentation' or mimeType = 'application/vnd.google-apps.spreadsheet' or mimeType = 'application/vnd.google-apps.document')) for testsimple@domain.com
+Got 131 Drive Files/Folders that matched query ('me' in owners and (mimeType = 'application/vnd.google-apps.presentation' or mimeType = 'application/vnd.google-apps.spreadsheet' or mimeType = 'application/vnd.google-apps.document')) for testsimple@domain.com...
+
+# Display file comments
+$ gam redirect csv ./FilesWithComments.csv multiprocess csv CheckForComments.csv gam user "~Owner" print filecomments "~id" addcsvdata fileName "~name" addcsvdata mimeType "~mimeType" fields author.displayName,author.me,content,createdTime,deleted,modifiedTime,resolved,reply.author.displayName,reply.author.me,reply.content,reply.createdTime,reply.deleted,reply.modifiedTime
+2024-03-24T08:04:46.235-07:00,0/131,Using 10 processes...
+2024-03-24T08:04:58.122-07:00,0,Processing item 100/131
+2024-03-24T08:05:01.345-07:00,0,Processing item 131/131
+2024-03-24T08:07:11.731-07:00,0/131,Processing complete
+
+$ more FilesWithCommnts.csv
+User,fileId,fileName,mimeType,commentId,replyId,author.displayName,author.me,content,createdTime,deleted,modifiedTime,resolved,reply.author.displayName,reply.author.me,reply.content,reply.createdTime,reply.deleted,reply.modifiedTime
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,AAABJFedwm0,,Test-Simple,True,XXX Comment,2024-03-14T11:34:39-07:00,False,2024-03-14T11:34:39-07:00,False,,,,,,
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,AAABJFedwkw,,Test-Simple,True,Grack Comment,2024-03-14T11:26:30-07:00,False,2024-03-14T11:26:30-07:00,False,,,,,,
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,AAABJFedwkY,,Test-Simple,True,Again commnt,2024-03-14T11:24:13-07:00,False,2024-03-14T11:24:13-07:00,False,,,,,,
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,AAABJFedwkQ,,Test-Simple,True,More Comment,2024-03-14T11:23:48-07:00,False,2024-03-14T11:23:48-07:00,False,,,,,,
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,AAABJFedwkA,,Test-Simple,True,Comment 8,2024-03-14T11:23:14-07:00,False,2024-03-14T11:34:01-07:00,False,,,,,,
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,AAABJFedwj4,,Test-Simple,True,Comment 7,2024-03-14T11:23:05-07:00,False,2024-03-14T11:23:05-07:00,False,,,,,,
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,AAABJFedwj0,,Test-Simple,True,Comment 6,2024-03-14T11:22:55-07:00,False,2024-03-14T11:22:55-07:00,False,,,,,,
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,AAABJFedwjs,,Test-Simple,True,Comment 5,2024-03-14T11:22:38-07:00,False,2024-03-14T11:22:38-07:00,False,,,,,,
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,AAABJFedwjo,,Test-Simple,True,Comment 4,2024-03-14T11:22:19-07:00,False,2024-03-14T11:22:19-07:00,False,,,,,,
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,AAABJFedtKQ,,Test-Simple,True,End Comment,2024-03-14T10:32:16-07:00,False,2024-03-14T10:32:16-07:00,False,,,,,,
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,AAABJFedtKI,AAABJFedwik,Test-Simple,True,My first comment,2024-03-14T10:32:03-07:00,False,2024-03-14T11:15:05-07:00,False,Test-Simple,True,My first reply,2024-03-14T11:14:13-07:00,False,2024-03-14T11:14:13-07:00
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,AAABJFedtKI,AAABJFedwiw,Test-Simple,True,My first comment,2024-03-14T10:32:03-07:00,False,2024-03-14T11:15:05-07:00,False,Test-Simple,True,Yet another reply,2024-03-14T11:15:05-07:00,False,2024-03-14T11:15:05-07:00
+testsimple@domain.com,yyy,TS Sheet,application/vnd.google-apps.spreadsheet,AAABJM6zbc0,,Test-Simple,True,Sheet Comment,2024-03-14T20:43:18-07:00,False,2024-03-14T20:43:18-07:00,False,,,,,,
+testsimple@domain.com,zzz,TS Pres,application/vnd.google-apps.presentation,AAABJLy5DpA,,Test-Simple,True,Presentation Comment,2024-03-14T20:42:48-07:00,False,2024-03-14T20:42:48-07:00,False,,,,,,
+
+$ gam redirect csv ./FilesWithComments.csv multiprocess csv CheckForComments.csv gam user "~Owner" print filecomments "~id" addcsvdata fileName "~name" addcsvdata mimeType "~mimeType" fields author.displayName,author.me,content,createdTime,deleted,modifiedTime,resolved,reply.author.displayName,reply.author.me,reply.content,reply.createdTime,reply.deleted,,reply.modifiedTime
+2024-03-24T08:04:46.235-07:00,0/131,Using 10 processes...
+2024-03-24T08:04:58.122-07:00,0,Processing item 100/131
+2024-03-24T08:05:01.345-07:00,0,Processing item 131/131
+2024-03-24T08:07:11.731-07:00,0/131,Processing complete
+
+
+# Display file comment counts
+$ gam redirect csv ./FileCommentCounts.csv multiprocess csv CheckForComments.csv gam user "~Owner" print filecomments "~id" addcsvdata fileName "~name" addcsvdata mimeType "~mimeType" countsonly
+2024-03-24T07:51:16.881-07:00,0/131,Using 10 processes...
+2024-03-24T07:51:28.909-07:00,0,Processing item 100/131
+2024-03-24T07:51:32.241-07:00,0,Processing item 131/131
+2024-03-24T07:51:37.404-07:00,0/131,Processing complete
+
+$ more FileCommentCounts.csv
+User,fileId,fileName,mimeType,comments,replies
+...
+testsimple@domain.com,yyy,TS Sheet,application/vnd.google-apps.spreadsheet,1,0
+testsimple@domain.com,aaa,ViewTest,application/vnd.google-apps.document,0,0
+testsimple@domain.com,xxx,TS Doc,application/vnd.google-apps.document,11,2
+testsimple@domain.com,zzz,TS Pres,application/vnd.google-apps.presentation,1,0
+...
+```

docs/Users-Drive-Files-Display.md

@@ -28,9 +28,10 @@
 - [Display file list](#display-file-list)
   - [File selection by name and entity shortcuts for Display file list](#file-selection-by-name-and-entity-shortcuts-for-display-file-list)
   - [File selection starting point for Display file list](#file-selection-starting-point-for-display-file-list)
-  - [File selection with a particular drive label](#file-selection-with-a-particular-drive-label)
+  - [File selection with or without a particular drive label](#file-selection-with-or-without-a-particular-drive-label)
   - [Handle empty file lists](#handle-empty-file-lists)
 - [Display disk usage](#display-disk-usage)
+- [Display files published to the web](#display-files-published-to-the-web)
 
 ## API documentation
 * https://developers.google.com/drive/api/v3/reference/files
@@ -55,6 +56,16 @@
         never|
         now|today
 
+<SharedDriveID> ::= <String>
+<SharedDriveName> ::= <String>
+<SharedDriveIDEntity> ::= (teamdriveid <SharedDriveID>) | (teamdriveid:<SharedDriveID>)
+<SharedDriveNameEntity> ::= (teamdrive <SharedDriveName>) | (teamdrive:<SharedDriveName>)
+<SharedDriveFileNameEntity> ::= (teamdrivefilename <DriveFileName>) | (teamdrivefilename:<DriveFileName>)
+
+<SharedDriveEntity> ::=
+        <SharedDriveIDEntity> |
+        <SharedDriveNameEntity>
+
 <MimeTypeShortcut> ::=
         gdoc|gdocument|
         gdrawing|
@@ -71,70 +82,73 @@
         g3pshortcut|
         gsite
 <MimeTypeName> ::= application|audio|font|image|message|model|multipart|text|video
+<MimeTypeNameList> ::= "<MimeTypeName>(,<MimeTypeName>)*"
 <MimeType> ::= <MimeTypeShortcut>|(<MimeTypeName>/<String>)
 <MimeTypeList> ::= "<MimeType>(,<MimeType>)*"
 ```
 ```
 <DriveCapabilitiesSubfieldName> ::=
-        canacceptownership|
-        canaddchildren|
-        canaddfolderfromanotherdrive|
-        canaddmydriveparent|
-        canchangecopyrequireswriterpermission|
-        canchangecopyrequireswriterpermissionrestriction|
-        canchangedomainusersonlyrestriction|
-        canchangedrivebackground|
-        canchangedrivemembersonlyrestriction|
-        canchangesecurityupdateenabled|
-        canchangesharingfoldersrequiresorganizerpermissionrestriction|
-        canchangeviewerscancopycontent|
-        cancomment|
-        cancopy|
-        candelete|
-        candeletechildren|
-        candeletedrive|
-        candownload|
-        canedit|
-        canlistchildren|
-        canmanagemembers|
-        canmodifycontent|
-        canmodifycontentrestriction|
-        canmodifyeditorcontentrestriction|
-        canmodifylabels|
-        canmodifyownercontentrestriction|
-        canmovechildrenoutofdrive|
-        canmovechildrenoutofteamdrive|
-        canmovechildrenwithindrive|
-        canmovechildrenwithinteamdrive|
-        canmoveitemintodrive|
-        canmoveitemintoteamdrive|
-        canmoveitemoutofdrive|
-        canmoveitemoutofteamdrive|
-        canmoveitemwithindrive|
-        canmoveitemwithinteamdrive|
-        canmoveteamdriveitem|
-        canreaddrive|
-        canreadlabels|
-        canreadrevisions|
-        canreadteamdrive|
-        canremovechildren|
-        canremovecontentrestriction|
-        canremovemydriveparent|
-        canrename|
-        canrenamedrive|
-        canresetdriverestrictions|
-        canshare|
-        cantrash|
-        cantrashchildren|
-        canuntrash
+        capabilities.canacceptownership|
+        capabilities.canaddchildren|
+        capabilities.canaddfolderfromanotherdrive|
+        capabilities.canaddmydriveparent|
+        capabilities.canchangecopyrequireswriterpermission|
+        capabilities.canchangecopyrequireswriterpermissionrestriction|
+        capabilities.canchangedomainusersonlyrestriction|
+        capabilities.canchangedrivebackground|
+        capabilities.canchangedrivemembersonlyrestriction|
+        capabilities.canchangesecurityupdateenabled|
+        capabilities.canchangesharingfoldersrequiresorganizerpermissionrestriction|
+        capabilities.canchangeviewerscancopycontent|
+        capabilities.cancomment|
+        capabilities.cancopy|
+        capabilities.candelete|
+        capabilities.candeletechildren|
+        capabilities.candeletedrive|
+        capabilities.candisableinheritedpermissions|
+        capabilities.candownload|
+        capabilities.canedit|
+        capabilities.canenableinheritedpermissions|
+        capabilities.canlistchildren|
+        capabilities.canmanagemembers|
+        capabilities.canmodifycontent|
+        capabilities.canmodifycontentrestriction|
+        capabilities.canmodifyeditorcontentrestriction|
+        capabilities.canmodifylabels|
+        capabilities.canmodifyownercontentrestriction|
+        capabilities.canmovechildrenoutofdrive|
+        capabilities.canmovechildrenoutofteamdrive|
+        capabilities.canmovechildrenwithindrive|
+        capabilities.canmovechildrenwithinteamdrive|
+        capabilities.canmoveitemintodrive|
+        capabilities.canmoveitemintoteamdrive|
+        capabilities.canmoveitemoutofdrive|
+        capabilities.canmoveitemoutofteamdrive|
+        capabilities.canmoveitemwithindrive|
+        capabilities.canmoveitemwithinteamdrive|
+        capabilities.canmoveteamdriveitem|
+        capabilities.canreaddrive|
+        capabilities.canreadlabels|
+        capabilities.canreadrevisions|
+        capabilities.canreadteamdrive|
+        capabilities.canremovechildren|
+        capabilities.canremovecontentrestriction|
+        capabilities.canremovemydriveparent|
+        capabilities.canrename|
+        capabilities.canrenamedrive|
+        capabilities.canresetdriverestrictions|
+        capabilities.canshare|
+        capabilities.cantrash|
+        capabilities.cantrashchildren|
+        capabilities.canuntrash
 
 <DriveContentRestrictionsSubfieldName> ::=
-        ownerrestricted|
-        readonly|
-        reason|
-        restrictinguser|
-        restrictiontime|
-        type
+        contentrestrictions.ownerrestricted|
+        contentrestrictions.readonly|
+        contentrestrictions.reason|
+        contentrestrictions.restrictinguser|
+        contentrestrictions.restrictiontime|
+        contentrestrictions.type
 
 <DriveLabelInfoSubfieldName> ::=
         labels.id|              # modifiedByMe
@@ -245,6 +259,7 @@
         iconlink|
         id|
         imagemediametadata|
+        inheritedpermissionsdisabled|
         isappauthorized|
         labelinfo|
         <DriveLabelInfoSubfieldName>|
@@ -282,6 +297,8 @@
         <DriveSharingUserSubfieldName>|
         shortcutdetails|
         <DriveShortcutDetailsSubfieldName>|
+        sha1checksum|
+        sha256checksum|
         size|
         spaces|
         starred|
@@ -395,22 +412,22 @@ Display file details in indented keyword: value format. The two forms are equiva
 ```
 gam <UserTypeEntity> show fileinfo <DriveFileEntity>
         [returnidonly]
-        [filepath|fullpath] [pathdelimiter <Character>]
+        [filepath|fullpath] [folderpathonly [<Boolean>]] [pathdelimiter <Character>]
         [allfields|<DriveFieldName>*|(fields <DriveFieldNameList>)]
         (orderby <DriveFileOrderByFieldName> [ascending|descending])*
         [showdrivename] [showshareddrivepermissions]
         [(showlabels details|ids)|(includelabels <DriveLabelIDList>)]
-        [showparentsidsaslist]
+        [showparentsidsaslist] [followshortcuts [<Boolean>]]
         [stripcrsfromname]
         [formatjson]
 gam <UserTypeEntity> info drivefile <DriveFileEntity>
         [returnidonly]
-        [filepath|fullpath] [pathdelimiter <Character>]
+        [filepath|fullpath] [folderpathonly [<Boolean>]] [pathdelimiter <Character>]
         [allfields|<DriveFieldName>*|(fields <DriveFieldNameList>)]
         (orderby <DriveFileOrderByFieldName> [ascending|descending])*
         [showdrivename] [showshareddrivepermissions]
         [(showlabels details|ids)|(includelabels <DriveLabelIDList>)]
-        [showparentsidsaslist]
+        [showparentsidsaslist] [followshortcuts [<Boolean>]]
         [stripcrsfromname]
         [formatjson]
 ```
@@ -420,6 +437,10 @@ Use `filepath` to display the path(s) to the files in `<DriveFileEntity>`.
 
 Use `fullpath` to add additional path information indicating that a file is an Orphan or Shared with me.
 
+By default, the path to a file includes the file name as the last element of the path.
+Use `folderpathonly` to display only the folder names when displaying the path to a file. This folder only path
+an be used in  `gam <UserTypeEntity> create drivefolderpath` to recreate the folder hierarchy.
+
 By default, file path components are separated by `/`; use `pathdelimiter <Character>` to use `<Character>` as the separator.
 
 When `allfields` is specified (or no fields are specified), use `showdrivename` to display Shared(Team) Drive names.
@@ -470,6 +491,9 @@ gam user user@domain.com show fileinfo <DriveFileEntity> fields id,name,mimetype
 The `stripcrsfromname` option strips nulls, carriage returns and linefeeds from drive file names.
 Use this option if you discover filenames containing these special characters; it is not common.
 
+Starting in version 6.80.10, the option `followshortcuts [<Boolean>]` that when true and `<DriveFileEntity` is a shortcut,
+causes GAM to display information about the target of the shortcut rather than the shortcut itself.
+
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 
@@ -478,16 +502,23 @@ By default, Gam displays the information as an indented list of keys and values.
 gam <UserTypeEntity> show filepath <DriveFileEntity>
         [returnpathonly]
         (orderby <DriveFileOrderByFieldName> [ascending|descending])*
-        [stripcrsfromname] [fullpath] [pathdelimiter <Character>]
+        [stripcrsfromname]
+        [folderpathonly [<Boolean>]] [fullpath] [pathdelimiter <Character>]
+        [followshortcuts [<Boolean>]]
 gam <UserTypeEntity> print filepath <DriveFileEntity> [todrive <ToDriveAttribute>*]
         (orderby <DriveFileOrderByFieldName> [ascending|descending])*
-        [stripcrsfromname] [fullpath] [pathdelimiter <Character>]
-        [oneitemperrow]
+        [stripcrsfromname] [oneitemperrow]
+        [fullpath] [folderpathonly [<Boolean>]] [pathdelimiter <Character>]
+        [followshortcuts [<Boolean>]]
 ```
 Use `returnpathonly` to display just the file path of the files in `<DriveFileEntity>`.
 
 Use `fullpath` to add additional path information indicating that a file is an Orphan or Shared with me.
 
+By default, the path to a file includes the file name as the last element of the path.
+Use `folderpathonly` to display only the folder names when displaying the path to a file. This folder only path
+an be used in  `gam <UserTypeEntity> create drivefolderpath` to recreate the folder hierarchy.
+
 By default, file path components are separated by `/`; use `pathdelimiter <Character>` to use `<Character>` as the separator.
 
 The `stripcrsfromname` option strips nulls, carriage returns and linefeeds from drive file names.
@@ -496,6 +527,9 @@ Use this option if you discover filenames containing these special characters; i
 By default, when printing file paths, all paths for a file are displayed on the same row; use `oneitemperrow` to
 have each file path displayed on a separate row.
 
+Starting in version 6.80.10, the option `followshortcuts [<Boolean>]` that when true and `<DriveFileEntity` is a shortcut,
+causes GAM to display path information for the target of the shortcut rather than the shortcut itself.
+
 ## Select files for Display file counts, list, tree
 Most GAM commands that deal with files require a `<DriveFileEntity>` to be specified; the command
 then processes those files. The `filecounts`, `filelist` and `filetree` commands don't process files, they just list them.
@@ -521,15 +555,22 @@ See: [Drive File Selection](Drive-File-Selection) for details of `<DriveFileName
         all_shortcuts |
         all_3p_shortcuts |
         all_items |
+        my_docs |
         my_files |
         my_folders |
         my_forms |
         my_google_files |
         my_non_google_files |
+        my_presentations |
+        my_publishable_items |
+        my_sheets |
         my_shortcuts |
+        my_slides |
         my_3p_shortcuts |
         my_items |
-        my_forms |
+        my_top_files |
+        my_top_folders |
+        my_top_items |
         others_files |
         others_folders |
         others_forms |
@@ -611,9 +652,11 @@ By default, all types of files and folders are selected. You can specify a list
 This option updates the current query.
 ```
 showmimetype [not] <MimeTypeList>
+showmimetype category <MimeTypeNameList>
 ```
 * `showmimetype <MimeTypeList>` - Select files and folders with the specified MIME types
 * `showmimetype not <MimeTypeList>` - Select files and folders with MIME types other than those specified
+* `showmimetype category <MimeTypeNameList>` - Select files and folders with the specified MIME type categories
 
 ## File selection by file size
 These options would typically be used with `showmimetype` to select files of a particular type. This
@@ -646,36 +689,52 @@ Print or show file counts by MIME type and/or file name.
 gam <UserTypeEntity> print filecounts [todrive <ToDriveAttribute>*]
         [((query <QueryDriveFile>) | (fullquery <QueryDriveFile>) | <DriveFileQueryShortcut>)
             (querytime<String> <Time>)*]
+        [continueoninvalidquery [<Boolean>]]
         [corpora <CorporaAttribute>]
         [select <SharedDriveEntity>]
         [anyowner|(showownedby any|me|others)]
-        [showmimetype [not] <MimeTypeList>]
+        [showmimetype [not] <MimeTypeList>] [showmimetype category <MimeTypeNameList>]
         [sizefield quotabytesused|size] [minimumfilesize <Integer>] [maximumfilesize <Integer>]
         [filenamematchpattern <RegularExpression>]
         <PermissionMatch>* [<PermissionMatchMode>] [<PermissionMatchAction>]
         [excludetrashed]
-        [showsize] [showmimetypesize]
+        [showsize] [showmimetypesize] [showlastmodification]
+        (addcsvdata <FieldName> <String>)*
         [summary none|only|plus] [summaryuser <String>]
 gam <UserTypeEntity> show filecounts
         [((query <QueryDriveFile>) | (fullquery <QueryDriveFile>) | <DriveFileQueryShortcut>)
             (querytime<String> <Time>)*]
+        [continueoninvalidquery [<Boolean>]]
         [corpora <CorporaAttribute>]
         [select <SharedDriveEntity>]
         [anyowner|(showownedby any|me|others)]
-        [showmimetype [not] <MimeTypeList>]
+        [showmimetype [not] <MimeTypeList>] [showmimetype category <MimeTypeNameList>]
         [sizefield quotabytesused|size] [minimumfilesize <Integer>] [maximumfilesize <Integer>]
         [filenamematchpattern <RegularExpression>]
         <PermissionMatch>* [<PermissionMatchMode>] [<PermissionMatchAction>]
         [excludetrashed]
-        [showsize] [showmimetypesize]
+        [showsize] [showmimetypesize] [showlastmodification]
         [summary none|only|plus] [summaryuser <String>]
 ```
 
 By default, print filecounts displays counts of all files owned by the specified [`<UserTypeEntity>`](Collections-of-Users).
 
+The option `continueoninvalidquery [<Boolean>] can be used in special cases where a query of the form
+`query "'labels/mRoha85IbwCRl490E00xGLvBsSbkwIiuZ6PRNNEbwxyz' in labels" causes Google to issue an error
+saying that the query is invalid when, in fact, it is but the user does not have a license that suppprts drive file labels.
+When `continueoninvalidquery` is true, GAM prints an error message and proceeds to the next user rather that terminating
+as it does now. Of course, if the query really is invalid, you will get the message for every user.
+
 The `showsize` option displays the total size (in bytes) of the files counted.
 
-The showmimetypesize' displays the total size (in bytes) of each MIME type counted.
+The `showmimetypesize` option displays the total size (in bytes) of each MIME type counted.
+
+The option `showlastmodification` displays the following fields:
+`lastModifiedFileId,lastModifiedFileName,lastModifyingUser,lastModifiedTime`;
+these are for the most recently modified file.
+
+For print filecouts, add additional columns of data from the command line to the output:
+* `addcsvdata <FieldName> <String>` - Add additional columns of data from the command line to the output
 
 See [Select files for Display file counts, list, tree](#select-files-for-display-file-counts-list-tree)
 
@@ -894,7 +953,7 @@ gam <UserTypeEntity> print filetree [todrive <ToDriveAttribute>*]
         [select <DriveFileEntity> [selectsubquery <QueryDriveFile>]
             [depth <Number>]]
         [anyowner|(showownedby any|me|others)]
-        [showmimetype [not] <MimeTypeList>]
+        [showmimetype [not] <MimeTypeList>] [showmimetype category <MimeTypeNameList>]
         [sizefield quotabytesused|size] [minimumfilesize <Integer>] [maximumfilesize <Integer>]
         [filenamematchpattern <RegularExpression>]
         <PermissionMatch>* [<PermissionMatchMode>] [<PermissionMatchAction>]
@@ -906,7 +965,7 @@ gam <UserTypeEntity> show filetree
         [select <DriveFileEntity> [selectsubquery <QueryDriveFile>]
             [depth <Number>]]
         [anyowner|(showownedby any|me|others)]
-        [showmimetype [not] <MimeTypeList>]
+        [showmimetype [not] <MimeTypeList>] [showmimetype category <MimeTypeNameList>]
         [sizefield quotabytesused|size] [minimumfilesize <Integer>] [maximumfilesize <Integer>]
         [filenamematchpattern <RegularExpression>]
         <PermissionMatch>* [<PermissionMatchMode>] [<PermissionMatchAction>]
@@ -994,20 +1053,22 @@ Display a list of file/folder details in CSV format.
 gam <UserTypeEntity> print|show filelist [todrive <ToDriveAttribute>*]
         [((query <QueryDriveFile>) | (fullquery <QueryDriveFile>) | <DriveFileQueryShortcut>)
             (querytime<String> <Time>)*]
+        [continueoninvalidquery [<Boolean>]]
         [choose <DriveFileNameEntity>|<DriveFileEntityShortcut>]
         [corpora <CorporaAttribute>]
         [select <DriveFileEntity> [selectsubquery <QueryDriveFile>]
             [(norecursion [<Boolean>])|(depth <Number>)] [showparent]]
         [anyowner|(showownedby any|me|others)]
-        [showmimetype [not] <MimeTypeList>]
+        [showmimetype [not] <MimeTypeList>] [showmimetype category <MimeTypeNameList>] [mimetypeinquery [<Boolean>]]
         [sizefield quotabytesused|size] [minimumfilesize <Integer>] [maximumfilesize <Integer>]
         [filenamematchpattern <RegularExpression>]
         <PermissionMatch>* [<PermissionMatchMode>] [<PermissionMatchAction>] [pmfilter] [oneitemperrow]
         [excludetrashed]
         [maxfiles <Integer>] [nodataheaders <String>]
         [countsonly [summary none|only|plus] [summaryuser <String>]
-                    [showsource] [showsize] [showmimetypesize]] [countsrowfilter]
-        [filepath|fullpath [pathdelimiter <Character>] [addpathstojson] [showdepth]] [buildtree]
+                    [showsource] [showsize] [showmimetypesize]]
+        [countsrowfilter]
+        [filepath|fullpath [folderpathonly [<Boolean>]] [pathdelimiter <Character>] [addpathstojson] [showdepth]] [buildtree]
         [allfields|<DriveFieldName>*|(fields <DriveFieldNameList>)]
         [showdrivename] [showshareddrivepermissions]
         [(showlabels details|ids)|(includelabels <DriveLabelIDList>)]
@@ -1019,10 +1080,20 @@ gam <UserTypeEntity> print|show filelist [todrive <ToDriveAttribute>*]
 ```
 By default, `print filelist` displays all files owned by the specified [`<UserTypeEntity>`](https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Users)
 
+The option `continueoninvalidquery [<Boolean>] can be used in special cases where a query  of the form
+`query "'labels/mRoha85IbwCRl490E00xGLvBsSbkwIiuZ6PRNNEbwxyz' in labels" causes Google to issue an error
+saying that the query is invalid when, in fact, it is but the user does not have a license that suppprts drive file labels.
+When `continueoninvalidquery` is true, GAM prints an error message and proceeds to the next user rather that terminating
+as it does now. Of course, if the query really is invalid, you will get the message for every user.
+
 When `allfields` is specified (or no fields are specified), use `showshareddrivepermissions` to display permissions
 when shared drives are queried/selected. In this case, the Drive API returns the permission IDs
 but not the permissions themselves so GAM makes an additional API call per file to get the permissions.
 
+By default, when `showimimetype` and `filepath|fullpath`are both specified, GAM locally filters files by MimeType;
+this may be slow if the user has a large number of files. Adding the option `mimetypeinquery` or `mimetypeinquery true`
+causes GAM to have Google filter files by MimeType; this will increase performance.
+
 See [Select files for Display file counts, list, tree](#select-files-for-display-file-counts-list-tree)
 
 ## File selection by name and entity shortcuts for Display file list
@@ -1114,13 +1185,13 @@ By default, when a folder is selected, only its contents are displayed.
 ## Choose what fields to display
 If no query or select is performed, use these options to get file path information:
 * `filepath|fullpath` - For files and folders, display the full path(s) to them starting at the root (My Drive)
-* `addcsvdata <FieldName> <String>` - Add additional columns of data from the command line to the output
 * `addpathstojson` - When this option and `formatjson` are specified, the path information will be included in the
 JSON data rather than as additional columns
+* `addcsvdata <FieldName> <String>` - Add additional columns of data from the command line to the output
 
 When used with `filepath` or `fullpath`, `showdepth` will display a `depth` column.
 Files/folders directly in `My Drive` are at depth 0, the depth increases by 1
-for each containing folder. For files with multiple parents, the maximum depth is displayed.
+for each containing folder.
 
 If a query or select is performed, use these options to get file path information:
 * `filepath` - For files, no path information is shown; for folders, the paths of all of its children are shown starting at the selected folder
@@ -1128,6 +1199,10 @@ If a query or select is performed, use these options to get file path informatio
 * `addpathstojson` - When this option and `formatjson` are specified, the path information will be included in the
 JSON data rather than as additional columns
 
+By default, the path to a file includes the file name as the last element of the path.
+Use `folderpathonly` to display only the folder names when displaying the path to a file. This folder only path
+an be used in  `gam <UserTypeEntity> create drivefolderpath` to recreate the folder hierarchy.
+
 By default, file path components are separated by `/`; use `pathdelimiter <Character>` to use `<Character>` as the separator.
 
 By default, only the fields `id` and `webViewLink` are displayed.
@@ -1454,7 +1529,7 @@ testuser@domain.com,Bottom Folder 11,1,My Drive/Top Folder/Middle Folder 1/Botto
 testuser@domain.com,Bottom Sheet 11,1,My Drive/Top Folder/Middle Folder 1/Bottom Folder 11/Bottom Sheet 11
 ```
 
-## File selection with a particular drive label
+## File selection with or without a particular drive label
 The Drive API doesn't support querying for a drive label, so GAM must do the filtering.
 
 Get the label id.
@@ -1464,9 +1539,13 @@ gam show drivelabels
 
 Find the label with properties:title: XXX where XXX is the desired label title, then get its id: value
 
-List the files.
+List the files with the label
 ```
-gam config csv_output_row_filter "labelInfo.labels.0.id:regex:PutLabelIdHere" user user@domain.com print filelist fields id,name,labelinfo includelabels PutLabelIdHere
+gam config csv_output_row_filter "labels:count>0" user user@domain.com print filelist fields id,name,mimetype showlabels ids includelabels PutLabelIdHere
+```
+List the files without the label
+```
+gam config csv_output_row_filter "labels:count=0" user user@domain.com print filelist fields id,name,mimetype showlabels ids includelabels PutLabelIdHere
 ```
 
 Adjust the `fields` list as desired.
@@ -1480,8 +1559,8 @@ Getting all Drive Files/Folders that match query ('me' in owners and name contai
 Got 0 Drive Files/Folders that matched query ('me' in owners and name contains 'abcd') for user@domain.com...
 $ more Files.csv
 Owner
-$ gam csv Files.csv gam user ~Owner show fileinfo ~id permissions
-Command: /Users/admin/bin/gam csv Files.csv gam user ~Owner show fileinfo >>>~id<<< permissions
+$ gam csv Files.csv gam user "~Owner" show fileinfo "~id" permissions
+Command: /Users/admin/bin/gam csv Files.csv gam user "~Owner" show fileinfo >>>~id<<< permissions
 
 ERROR: Header "id" not found in CSV headers of "Owner".
 Help: Syntax in file /Users/admin/bin/gam/GamCommands.txt
@@ -1495,7 +1574,7 @@ Getting all Drive Files/Folders that match query ('me' in owners and name contai
 Got 0 Drive Files/Folders that matched query ('me' in owners and name contains 'abcd') for user@domain.com...
 $ more Files.csv
 Owner,id,name
-$ gam csv Files.csv gam user ~Owner show fileinfo ~id permissions
+$ gam csv Files.csv gam user "~Owner" show fileinfo "~id" permissions
 $
 ```
 
@@ -1539,6 +1618,10 @@ For each folder in `<DriveFileEntity>`, the following items are displayed:
 * `totalFileCount` - The number of files directly in the folder and all of its subfolders
 * `totalFileSize` - The sum of the sizes of the files directly in the folder and all of its subfolders
 * `totalFolderCount` - The number of folders directly in the folder and all of its subfolders
+* `depth` - The depth of the folder
+  * `-1` - The top level folder
+  * `0` - Immediate children of the top level folder
+  * `1` - Immediate children of level 0 folders
 * `path` - The path of the folder
 
 There is a final row detailing files and folders in the trash; it is omitted if `excludetrashed` or `show summary` are specified.
@@ -1555,8 +1638,13 @@ There is a final row detailing files and folders in the trash; it is omitted if
 * `totalFileCount` - The number of files in the trash
 * `totalFileSize` - The sum of the sizes of the files in the trash
 * `totalFolderCount` - The number of folders in the trash
+* `depth` - Always -1
 * `path` - Trash
 
+GAM version `6.71.17` added the `depth` column that can be used to filter the depth of the folders displayed.
+Depth `-1` is the top level folder, depth `0` are its immediate children, depth `2` are the children of depth `1` and so forth.
+For example to limit the display to the top folder and its immediate children, use `config csv_output_row_filter depth:count<1`.
+
 By default, files owned by the user are counted. These options update the current query with the desired ownership.
 * `showownedby me` - Count files owned by the user; this is the default
 * `showownedby any` or `anyowner` - Count files accessible by the user
@@ -1583,27 +1671,67 @@ Use the `show` option to control the display of data:
 
 ### Examples
 ```
-$ gam redirect csv ./MyDriveUsage.csv user testsimple@domain.com print diskusage mydrive 
-User: testsimple@domain.com, Print 1 Drive Disk Usage
+$ gam redirect csv ./MyDriveUsage.csv user user@domain.com print diskusage mydrive 
+User: user@domain.com, Print 1 Drive Disk Usage
 $ more MyDriveUsage.csv
-User,Owner,id,name,ownedByMe,trashed,explicitlyTrashed,directFileCount,directFileSize,directFolderCount,totalFileCount,totalFileSize,totalFolderCount,path
-testsimple@domain.com,testsimple@domain.com,012YenC8f12ALUk9PVA,My Drive,,False,False,100,138212,24,167,189598,79,My Drive
-testsimple@domain.com,testsimple@domain.com,456YenC8f12ALfndaQ1NHc0RtUG92Y1BIUUl4bjVBRmNkWG5oakNqVVFDcXJWOHNmdFlwZmc,Classroom,True,False,False,0,0,15,9,6840,17,My Drive/Classroom
+User,Owner,id,name,ownedByMe,trashed,explicitlyTrashed,directFileCount,directFileSize,directFolderCount,totalFileCount,totalFileSize,totalFolderCount,depth,path
+user@domain.com,user@domain.com,012YenC8f12ALUk9PVA,My Drive,,False,False,100,138212,24,167,189598,79,-1,My Drive
+user@domain.com,user@domain.com,456YenC8f12ALfndaQ1NHc0RtUG92Y1BIUUl4bjVBRmNkWG5oakNqVVFDcXJWOHNmdFlwZmc,Classroom,True,False,False,0,0,15,9,6840,17,0,My Drive/Classroom
+user@domain.com,user@domain.com,0B3YenC8f12ALfmRuX3I4WFlqaTRnMGhXNkVvWV9UUG1zRDQwY1BwVkJhUGx5WHVIcjJKZUU,TestUpdate,True,False,False,2,3420,0,2,3420,0,1,My Drive/Classroom/TestUpdate
+user@domain.com,user@domain.com,1MT5xJ897oYa0Q2OuzBDfLHvig6k_b0EKaovVA2imGYcnrmqZu5hjlJkEPMH-rHKj4qDyy9_j,TS Course,True,False,False,0,0,0,0,0,0,1,My Drive/Classroom/TS Course
+user@domain.com,user@domain.com,1gsbqsbhhwBx9hCF0sqtE213tpUn6Ebj2klLFhHb4xkzBKIdEFkvvwCVtZpYWPgOA796fIPEN,TS Course 2,True,False,False,0,0,0,0,0,0,1,My Drive/Classroom/TS Course 2
 ...
-testsimple@domain.com,testsimple@domain.com,1bHS_Tp77W3KSGRNSs_jP1RhAJhIGRCaI,XferFolder,True,False,False,1,1024,0,1,1024,0,My Drive/XferFolder
-testsimple@domain.com,testsimple@domain.com,Trash,Trash,,True,True,0,0,1,3,3072,9,Trash
+user@domain.com,user@domain.com,1bHS_Tp77W3KSGRNSs_jP1RhAJhIGRCaI,XferFolder,True,False,False,1,1024,0,1,1024,0,0,My Drive/XferFolder
+user@domain.com,user@domain.com,Trash,Trash,,True,True,0,0,1,3,3072,9,-1,Trash
 
-$ gam redirect csv ./MyDriveUsage.csv user testsimple@domain.com print diskusage mydrive show summaryandtrash
-User: testsimple@domain.com, Print 1 Drive Disk Usage
-$ more MyDriveUsage.csv 
-User,Owner,id,name,ownedByMe,trashed,explicitlyTrashed,directFileCount,directFileSize,directFolderCount,totalFileCount,totalFileSize,totalFolderCount,path
-testsimple@domain.com,testsimple@domain.com,012YenC8f12ALUk9PVA,My Drive,,False,False,100,138212,24,167,189598,79,My Drive
-testsimple@domain.com,testsimple@domain.com,Trash,Trash,,True,True,0,0,1,3,3072,9,Trash
+$ gam config csv_output_row_filter "depth:count<1" redirect csv ./MyDriveUsage.csv user user@domain.com print diskusage mydrive 
+User: user@domain.com, Print 1 Drive Disk Usage
+$ more MyDriveUsage.csv
+User,Owner,id,name,ownedByMe,trashed,explicitlyTrashed,directFileCount,directFileSize,directFolderCount,totalFileCount,totalFileSize,totalFolderCount,depth,path
+user@domain.com,user@domain.com,012YenC8f12ALUk9PVA,My Drive,,False,False,100,138212,24,167,189598,79,-1,My Drive
+user@domain.com,user@domain.com,456YenC8f12ALfndaQ1NHc0RtUG92Y1BIUUl4bjVBRmNkWG5oakNqVVFDcXJWOHNmdFlwZmc,Classroom,True,False,False,0,0,15,9,6840,17,0,My Drive/Classroom
+...
+user@domain.com,user@domain.com,1bHS_Tp77W3KSGRNSs_jP1RhAJhIGRCaI,XferFolder,True,False,False,1,1024,0,1,1024,0,0,My Drive/XferFolder
+user@domain.com,user@domain.com,Trash,Trash,,True,True,0,0,1,3,3072,9,-1,Trash
 
-$ gam redirect csv ./MyDriveUsage.csv user testsimple@domain.com print diskusage shareddriveid 0AL5LiIe4dqxZUk9PVA  show summaryandtrash
-User: testsimple@domain.com, Print 1 Drive Disk Usage
+$ gam redirect csv ./MyDriveUsage.csv user user@domain.com print diskusage mydrive show summaryandtrash
+User: user@domain.com, Print 1 Drive Disk Usage
 $ more MyDriveUsage.csv 
-User,id,name,trashed,explicitlyTrashed,directFileCount,directFileSize,directFolderCount,totalFileCount,totalFileSize,totalFolderCount,path
-testsimple@domain.com,0125LiIe4dqxZUk9PVA,TS Shared Drive 1,False,False,16,6144,7,42,73799,25,SharedDrives/TS Shared Drive 1
-testsimple@domain.com,Trash,Trash,True,True,1,1024,0,1,1024,0,Trash
+User,Owner,id,name,ownedByMe,trashed,explicitlyTrashed,directFileCount,directFileSize,directFolderCount,totalFileCount,totalFileSize,totalFolderCount,depth,path
+user@domain.com,user@domain.com,012YenC8f12ALUk9PVA,My Drive,,False,False,100,138212,24,167,189598,79,-1,My Drive
+user@domain.com,user@domain.com,Trash,Trash,,True,True,0,0,1,3,3072,9,-1,Trash
+
+$ gam redirect csv ./MyDriveUsage.csv user user@domain.com print diskusage shareddriveid 0AL5LiIe4dqxZUk9PVA  show summaryandtrash
+User: user@domain.com, Print 1 Drive Disk Usage
+$ more MyDriveUsage.csv 
+User,id,name,trashed,explicitlyTrashed,directFileCount,directFileSize,directFolderCount,totalFileCount,totalFileSize,totalFolderCount,depth,path
+user@domain.com,0125LiIe4dqxZUk9PVA,TS Shared Drive 1,False,False,16,6144,7,42,73799,25,-1,SharedDrives/TS Shared Drive 1
+user@domain.com,Trash,Trash,True,True,1,1024,0,1,1024,0,-1,Trash
+```
+
+## Display files published to the web
+Ths requires version 6.80.13 or later.
+
+You can display files published to the web.
+```
+# Get the published files
+gam config csv_output_header_filter "Owner,id,revisions.0.published,revisions.0.publishedOutsideDomain" csv_output_row_filter "revisions.0.published:boolean:true" auto_batch_min 1 num_threads 20 redirect csv ./PublishedDocs.csv multiprocess redirect stderr - multiprocess <UserTypeEntity> print filerevisions my_publishable_items select last 1
+# Get the files name, MIMEtype and path
+gam redirect csv ./PublishedDocsWithName.csv multiprocess redirect stderr - multiprocess csv ./PublishedDocs.csv gam user "~Owner" print filelist select "~id" fields id,name,mimetype fullpath addcsvdata published "~revisions.0.published" addcsvdata publishedOutsideDomain "~revisions.0.publishedOutsideDomain" 
+```
+
+You can display files published to the web internally for your domain only.
+```
+# Get the internally only published files
+gam config csv_output_header_filter "Owner,id,revisions.0.published,revisions.0.publishedOutsideDomain" csv_output_row_filter "revisions.0.published:boolean:true,revisions.0.publishedOutsideDomain:boolean:false" auto_batch_min 1 num_threads 20 redirect csv ./PublishedDocs.csv multiprocess redirect stderr - multiprocess <UserTypeEntity> print filerevisions my_publishable_items select last 1
+# Get the files name, MIMEtype and path
+gam redirect csv ./PublishedDocsWithName.csv multiprocess redirect stderr - multiprocess csv ./PublishedDocs.csv gam user "~Owner" print filelist select "~id" fields id,name,mimetype fullpath addcsvdata published "~revisions.0.published" addcsvdata publishedOutsideDomain "~revisions.0.publishedOutsideDomain" 
+```
+
+You can display files published to the web externally outside of your domain.
+```
+# Get the externally published files
+gam config csv_output_header_filter "Owner,id,revisions.0.published,revisions.0.publishedOutsideDomain" csv_output_row_filter "revisions.0.published:boolean:true,revisions.0.publishedOutsideDomain:boolean:true" auto_batch_min 1 num_threads 20 redirect csv ./PublishedDocs.csv multiprocess redirect stderr - multiprocess <UserTypeEntity> print filerevisions my_publishable_items select last 1
+# Get the files name, MIMEtype and path
+gam redirect csv ./PublishedDocsWithName.csv multiprocess redirect stderr - multiprocess csv ./PublishedDocs.csv gam user "~Owner" print filelist select "~id" fields id,name,mimetype fullpath addcsvdata published "~revisions.0.published" addcsvdata publishedOutsideDomain "~revisions.0.publishedOutsideDomain" 
 ```

docs/Users-Drive-Files-Manage.md

@@ -19,6 +19,7 @@
 - [Shortcuts](Users-Drive-Shortcuts)
 - [Drive Labels](Users-Drive-Labels)
 - [Download Google Documents as JSON](#download-google-documents-as-json)
+- [Upload changes to Google Documents](#upload-changes-to-google-documents)
 
 ## API documentation
 * https://developers.google.com/drive/api/v3/reference/files
@@ -116,6 +117,7 @@
         (description <String>)|
         (folderColorRgb <ColorValue>)|
         (indexabletext <String>)|
+        (inheritedpermissionsdisabled [<Boolean>])|
         (keeprevisionforever|pinned)|
         (lastviewedbyme <Time>)|
         (mimetype <MimeType>)|
@@ -126,10 +128,10 @@
         (property <PropertyKey> <PropertyValue> [private|public])|
         (restricted|restrict [<Boolean>])|
         (securityupdate [<Boolean>])|
+        (shortcut <DriveFileID>)|
         (starred|star [<Boolean>])|
         (trashed|trash [<Boolean>])|
         (viewed|view [<Boolean>])|
-        (shortcut <DriveFileID>)|
         (viewerscancopycontent [<Boolean>])|
         (writerscanshare|writerscantshare [<Boolean>])
 
@@ -207,7 +209,7 @@ If `noduplicate` is specfied, GAM will issue a warning and not perform the creat
 exists in the parent folder.
 
 By default, when files are uploaded from local content, they are created with `binary` format, i.e., the data is uploaded
-without any conversion. Standard GAM had an option `convert` that was passed to the Drive API v2 that it used.
+without any conversion. Legacy GAM had an option `convert` that was passed to the Drive API v2 that it used.
 * convert - Whether to convert this file to the corresponding Docs Editors format
 
 Advanced GAM uses Drive API v3 that doesn't support the `convert` option; it uses the `mimetype` argument to cause conversions.
@@ -283,7 +285,7 @@ mary@domain.com, Mary Smith
 
 # Create the student folders on the Shared Drive
 gam redirect csv ./StudentFolders.csv multiprocess csv Students.csv gam user admin@domain.com create drivefile mimetype gfolder drivefilename "~~Name~~ Digital Portfolio" parentid <TeamDriveID> csv addcsvdata primaryEmail "~primaryEmail"
-# Add ACLs granting the students write access to their folders; ~User refers to admin@domain.com
+# Add ACLs granting the students write access to their folders; "~User" refers to admin@domain.com
 gam csv StudentFolders.csv gam user "~User" add drivefileacl "~id" user "~primaryEmail" role fileorganizer
 # Add a shortcut to the folder on the student's My Drive
 gam csv StudentFolders.csv gam user "~primaryEmail" create drivefileshortcut "~id" parentid root
@@ -518,6 +520,7 @@ You can update a specific sheet within a Google spreadsheet or add a new sheet t
 * `addsheet <String>` - Specify a sheet name to be added to the Google Sheets file
 * `charset <Charset>` - Specify the character set of the local file; if not specified, the value of `charset` from `gam.cfg` will be used
 * `columndelimiter <Character>` - Columns are separated by `<Character>`; if not specified, the value of `csv_input_column_delimiter` from `gam.cfg` will be used
+
 If you want the Google spreadsheet to retain its name, specify: `retainname localfile LocalFile.csv`.
 
 By default, the user, file name, updated file name and id values are displayed on stdout.
@@ -542,6 +545,7 @@ gam <UserTypeEntity> get drivefile <DriveFileEntity> [revision <DriveFileRevisio
         [(format <FileFormatList>)|(gsheet|csvsheet <SheetEntity>)] [exportsheetaspdf <String>]
         [targetfolder <FilePath>] [targetname <FileName>|-]
         [donotfollowshortcuts [<Boolean>]] [overwrite [<Boolean>]] [showprogress [<Boolean>]]
+        [acknowledgeabuse [<Boolean>]]
 ```
 By default, Google Docs/Sheets/Slides are converted to Open Office format when downloaded. If you want a
 different format for these files or are downloading a different type of file, you must specify the format.
@@ -611,39 +615,55 @@ When getting a drivefile, you can show download progress information with the `s
 * `showprogress true` - Show download progress information
 * `showprogress false` - Do not show download progress information
 
+You may get the following error from Google when trying to download a file:
+```
+Download Failed: This file has been identified as malware or spam and cannot be downloaded.
+```
+Use the `acknowledgeabuse` option to control downloading the file.
+* `acknowledgeabuse` - Download the file; `the user is acknowledging the risk of downloading known malware or other abusive files`
+* `acknowledgeabuse true` - Download the file; `the user is acknowledging the risk of downloading known malware or other abusive files`
+* `acknowledgeabuse false` - Do not download the file; this is the default
+
 ### Example: Download a CSV file and execute a Gam command on its contents
 Suppose you have a Google Sheets file UserSheet with multiple sheets, one of which is named NewUsers; it has a column labelled primaryEmail.
 
 The following command will download the sheet and show the name for each user in the column.
 ```
-gam user user@domain.com get drivefile drivefilename UserSheet csvsheet NewUsers targetname - | gam redirect stdout - multiprocess csv - gam info user ~primaryEmail name nogroups nolicenses
+gam user user@domain.com get drivefile drivefilename UserSheet csvsheet NewUsers targetname - | gam redirect stdout - multiprocess csv - gam info user "~primaryEmail" name nogroups nolicenses
 ```
 * The `redirect stdout - multiprocess` option produces clean output from the multiple processes
 
 ## Trash files
 Move a file or folder to the trash. If a folder is moved to the trash, all of its child files and folders are moved to the trash.
 ```
-gam <UserTypeEntity> trash drivefile <DriveFileEntity>
-gam <UserTypeEntity> delete|del drivefile <DriveFileEntity> trash
+gam <UserTypeEntity> trash drivefile <DriveFileEntity> [shortcutandtarget [<Boolean>]]
+gam <UserTypeEntity> delete|del drivefile <DriveFileEntity> trash [shortcutandtarget [<Boolean>]]
 ```
 
+Starting in version 6.80.10, the  option `shortcutandtarget [<Boolean>]` that when true and `<DriveFileEntity` is a shortcut,
+causes GAM to process the shortcut and the target of the shortcut.
+
 ## Untrash files
 Remove a file or folder from the trash. If a folder is removed from the trash, all of its child files and folders are removed from the trash.
 ```
-gam <UserTypeEntity> untrash drivefile <DriveFileEntity>
-gam <UserTypeEntity> delete|del drivefile <DriveFileEntity> untrash
+gam <UserTypeEntity> untrash drivefile <DriveFileEntity> [shortcutandtarget [<Boolean>]]
+gam <UserTypeEntity> delete|del drivefile <DriveFileEntity> untrash [shortcutandtarget [<Boolean>]]
 ```
 
+Starting in version 6.80.10, the  option `shortcutandtarget [<Boolean>]` that when true and `<DriveFileEntity` is a shortcut,
+causes GAM to process the shortcut and the target of the shortcut.
+
 ## Purge files
 Purging a file permanently deletes it; it can not be recovered. If a folder is purged, all of its child files and folders are purged.
 ```
-gam <UserTypeEntity> purge drivefile <DriveFileEntity>
-gam <UserTypeEntity> delete|del drivefile <DriveFileEntity> purge
+gam <UserTypeEntity> purge drivefile <DriveFileEntity> [shortcutandtarget [<Boolean>]]
+gam <UserTypeEntity> delete|del drivefile <DriveFileEntity> purge [shortcutandtarget [<Boolean>]]
 ```
 
+Starting in version 6.80.10, the  option `shortcutandtarget [<Boolean>]` that when true and `<DriveFileEntity` is a shortcut,
+causes GAM to process the shortcut and the target of the shortcut.
+
 ## Download Google Documents as JSON
-This command was added in version 5.31.04, you'll have to do `gam update project` and
-`gam <UserTypeEntity> check|update serviceaccount` to enable it.
 ```
 gam <UserTypeEntity> get document <DriveFileEntity>
         [viewmode default|suggestions_inline|preview_suggestions_accepted|preview_without_suggestions]
@@ -666,3 +686,31 @@ By default, when getting a document, an existing local file will not be overwrit
 * `overwrite` - Overwite an existing file
 * `overwrite true` - Overwite an existing file
 * `overwrite false` - Do not overwite an existing file; add a numeric prefix and create a new file
+
+## Upload changes to Google Documents
+
+```
+<DocumentJSONUpdateRequest> ::=
+        '{"requests": [{object (Request)}], "writeControl": {object (WriteControl) }`
+See: https://developers.google.com/docs/api/reference/rest/v1/documents/request
+
+gam <UserTypeEntity> update document <DriveFileEntity>
+        ((json [charset <Charset>] <DocumentJSONUpdateRequest>) |
+         (json file <FileName> [charset <Charset>]))
+        [formatjson]
+```
+The JSON data can be read from a command line argument or a file. On the command line, the
+JSON data is enclosed in single quotes; these should not be present when the JSON data is read from a file.
+
+The output is formatted for human readability. Use the following option to produce JSON output for program parsing.
+* `formatjson` - Display output in JSON format.
+
+### Examples
+Replace Foo with Goo in a document.
+```
+File Update.json contains:
+{ "requests": [{"replaceAllText": {"replaceText": "Goo", "containsText": {"text": "Foo", "matchCase": "True"}}}]}
+
+
+gam user testuser@domain.com update document <DriveFileItem> json file Update.json
+```

docs/Users-Drive-Ownership.md

@@ -63,6 +63,10 @@ gam <UserTypeEntity> transfer ownership <DriveFileEntity> <UserItem>
         (orderby <DriveOrderByFieldName> [ascending|descending])*
         [preview] [filepath] [pathdelimiter <Character>] [buildtree] [todrive <ToDriveAttribute>*]
 ```
+`<DriveFileEntity>` specifies a file/folder owned by the source user `<UserTypeEntity>`.
+
+The target user is specified by `<UserItem>`.
+
 By default, there is no change of parents for the transferred files/folders, they remain in their current location.
 * `<DriveFileParentAttribute>` - Specify a parent folder in the My Drive of the target user `<UserItem>`.
 
@@ -92,7 +96,7 @@ point to control the students further access to the files.
 ```
 gam <UserTypeEntity> claim ownership <DriveFileEntity>
         [<DriveFileParentAttribute>] [includetrashed]
-        [skipids <DriveFileEntity>] [skipusers <UserTypeEntity>] [subdomains <DomainNameEntity>]
+        [skipids <DriveFileEntity>] [onlyusers|skipusers <UserTypeEntity>] [subdomains <DomainNameEntity>]
         [restricted [<Boolean>]] [writerscanshare|writerscantshare [<Boolean>]]
         [keepuser | (retainrole reader|commenter|writer|editor|none)] [noretentionmessages]
         (orderby <DriveOrderByFieldName> [ascending|descending])*
@@ -107,8 +111,11 @@ By default, files in the trash are not transferred.
 Specify order of file processing.
 * `(orderby <DriveOrderByFieldName> [ascending|descending])*`
 
-These options handle special cases where you want to prevent ownership from being transferred for selected files/folders.
+This option handles special cases where you want to prevent ownership from being transferred for selected files/folders.
 * `skipids <DriveFileEntity>` - Do not transfer ownership for files/folders with the specified IDs.
+
+These mutually exclusive  options handle special cases where you want to prevent ownership from being transferred based on the current file/folder owner.
+* `onlyusers <UserTypeEntity>` - Only transfer ownership for files/folders owned by the specified users.
 * `skipusers <UserTypeEntity>` - Do not transfer ownership for files/folders owned by the specified users.
 
 By default, only files owned by users in the same domain as the claiming user have their ownership transferred.

docs/Users-Drive-Permissions.md

@@ -25,6 +25,22 @@
 <UniqueID> ::= id:<String>
 <UserItem> ::= <EmailAddress>|<UniqueID>|<String>
 
+<DriveFileOrderByFieldName> ::=
+        createddate|createdtime|
+        folder|
+        lastviewedbyme|lastviewedbymedate|lastviewedbymetime|lastviewedbyuser|
+        modifiedbyme|modifiedbymedate|modifiedbymetime|modifiedbyuser|
+        modifieddate|modifiedtime|
+        name|
+        name_natural|
+        quotabytesused|quotaused|
+        recency|
+        sharedwithmedate|sharedwithmetime|
+        starred|
+        title|
+        title_natural|
+        viewedbymedate|viewedbymetime
+
 <DrivePermissionsFieldName> ::=
         additionalroles|
         allowfilediscovery|

docs/Users-Drive-Revisions.md

@@ -85,6 +85,8 @@ gam <UserTypeEntity> update filerevisions <DriveFileEntity> select <DriveFileRev
 ```
 When `select <DriveFileRevisionIDEntity>` is omitted, all revisions are updated. 
 
+* `keepforever true` - Keep revision forever, even if it is no longer the head revision
+* `keepforever false` - Do not keep revision forever
 * `published true` - Publish these revision to the web
 * `published false` - Do not publish these revision to the web
 * `publishauto true` - Automaticaly publish subsequent revisions to the web

docs/Users-Drive-Transfer.md

@@ -19,6 +19,22 @@
 <EmailAddress> ::= <String>@<DomainName>
 <UniqueID> ::= id:<String>
 <UserItem> ::= <EmailAddress>|<UniqueID>|<String>
+
+<DriveFileOrderByFieldName> ::=
+        createddate|createdtime|
+        folder|
+        lastviewedbyme|lastviewedbymedate|lastviewedbymetime|lastviewedbyuser|
+        modifiedbyme|modifiedbymedate|modifiedbymetime|modifiedbyuser|
+        modifieddate|modifiedtime|
+        name|
+        name_natural|
+        quotabytesused|quotaused|
+        recency|
+        sharedwithmedate|sharedwithmetime|
+        starred|
+        title|
+        title_natural|
+        viewedbymedate|viewedbymetime
 ```
 ## GAM Data Transfers
 ```

docs/Users-Gmail-Forwarding.md

@@ -87,3 +87,8 @@ Show forwarding addresses for all users with forwarding on.
 gam config auto_batch_min 1 num_threads 5 redirect csv ./FowardEnabledUsers.csv multiprocess redirect stdout - multiprocess redirect stderr stdout all users print forward enabledonly
 gam redirect csv ./FowardEnabledUsersForwardingAddresses.csv multiprocess redirect stdout - multiprocess redirect stderr stdout csv ./FowardEnabledUsers.csv gam user "~User" print forwardingaddresses
 ```
+
+Show forwarding addresses that are not your domain for all users with forwarding on.
+```
+gam config csv_output_row_drop_filter "forwardTo:regex:yourdomain.com" auto_batch_min 1 num_threads 20 redirect csv ./NonDomainForwards.csv multiprocess redirect stdout - multiprocess redirect stderr stdout all users print forward enabledonly
+```

docs/Users-Gmail-Labels.md

@@ -88,11 +88,17 @@ all parent labels are created as necessary.
 Example: `gam user user@domain.com add label "Top/Middle/Bottom" buildpath`
 
 ## Update a label's settings
+The two commands are equivalent; in the first you specify a `<LabelName>`, in the second you specify a `<LabelId>`.
 ```
 gam <UserTypeEntity> update labelsettings <LabelName> [name <String>]
         [messagelistvisibility hide|show] [labellistvisibility hide|show|showifunread]
         [backgroundcolor "<LabelColorHex>|<LabelBackgroundColorHex>|custom:<ColorHex>"]
         [textcolor "<LabelColorHex>|<LabelTextColorHex>|custom:<ColorHex>"]
+
+gam <UserTypeEntity> update labelid <LabelID> [name <String>]
+        [messagelistvisibility hide|show] [labellistvisibility hide|show|showifunread]
+        [backgroundcolor "<LabelColorHex>|<LabelBackgroundColorHex>|custom:<ColorHex>"]
+        [textcolor "<LabelColorHex>|<LabelTextColorHex>|custom:<ColorHex>"]
 ```
 `<LabelColorHex>` values should be enclosed in " to keep the command shell on MacOS and Linux from mis-interpreting them.
 

docs/Users-Gmail-Messages-Threads.md

@@ -1,4 +1,5 @@
 # Users - Gmail - Messages/Threads
+- [Notes](#notes)
 - [API documentation](#api-documentation)
 - [Query documentation](#query-documentation)
 - [Definitions](#definitions)
@@ -22,9 +23,17 @@
   - [Print only options](#print-only-options)
   - [Show only options](#show-only-options)
   - [Download attachments](#download-attachments)
+  - [Upload attachments](#upload-attachments)
   - [Display messages sent by delegates for delegator](#display-messages-sent-by-delegates-for-delegator)
 - [User attribute `replace <Tag> <UserReplacement>` processing](Tag-Replace)
 
+## Notes
+Restrict email messages to authorized addresses or domains only
+* https://support.google.com/a/answer/2640542
+
+Block emails between specific user groups
+* https://support.google.com/a/answer/9175444
+
 ## API documentation
 * https://developers.google.com/gmail/api/v1/reference/users/messages
 * https://developers.google.com/gmail/api/v1/reference/users/threads
@@ -172,6 +181,20 @@
         (gdoc|ghtml <UserGoogleDoc>)|
         (gcsdoc|gcshtml <StorageBucketObjectName>)|
         (emlfile <FileName> [charset <Charset>]))
+
+<DriveFolderID> ::= <String>
+<DriveFolderName> ::= <String>
+<SharedDriveID> ::= <String>
+<SharedDriveName> ::= <String>
+
+<DriveFileParentAttribute> ::=
+        (parentid <DriveFolderID>)|
+        (parentname <DriveFolderName>)|
+        (anyownerparentname <DriveFolderName>)|
+        (teamdriveparentid <DriveFolderID>)|
+        (teamdriveparent <SharedDriveName>)|
+        (teamdriveparentid <SharedDriveID> teamdriveparentname <DriveFolderName>)|
+        (teamdriveparent <SharedDriveName> teamdriveparentname <DriveFolderName>)
 ```
 ## Message queries with dates
 ```
@@ -221,7 +244,7 @@ gam <UserTypeEntity> draft message
 * `file|htmlfile <FileName> [charset <Charset>]` - Read the message from `<FileName>`
 * `gdoc|ghtml <UserGoogleDoc>` - Read the message from `<UserGoogleDoc>`
 * `gcsdoc|gcshtml <StorageBucketObjectName>` - Read the message from the Google Cloud Storage file `<StorageBucketObjectName>`
-* `emlfile <FileName> [charset <Charset>]` - Read the message from the EML message file `<FileName>`. SMTP headers specified in the command will replace those in the message file. The default `chatser` is `ascii`.
+* `emlfile <FileName> [charset <Charset>]` - Read the message from the EML message file `<FileName>`. SMTP headers specified in the command will replace those in the message file. The default `charset` is `ascii`.
 
 The `<SMTPDateHeader> <Time>` argument  requires `<Time>` values which will be converted to RFC2822 dates. If you have these headers with values that
 are not in `<Time>` format, use the argument `header <SMTPDateHeader> <String>`.
@@ -238,7 +261,7 @@ Your HTML message will contain lines like this:
 <img src="cid:image2"/>
 ```
 
-Your command line will have: `embedimage file1.jpg image1` embedimage file2.jpg image2`
+Your command line will have: `embedimage file1.jpg image1 embedimage file2.jpg image2`
 
 ## Import messages
 Import a message into a user's mailbox, with standard email delivery scanning and classification similar to receiving via SMTP.
@@ -337,20 +360,35 @@ Your command line will have: `embedimage file1.jpg image1` embedimage file2.jpg
 gam <UserTypeEntity> archive messages <GroupItem>
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
          [quick|notquick] [doit] [max_to_archive <Number>])|(ids <MessageIDEntity>)
+        [csv [todrive <ToDriveAttribute>*]]
 ```
 
 Messages are archived to the group specified by `<GroupItem>`.
 
+By default, the command results are displayed as indented keys and values. Use the `csv` option
+to display the command results in CSV form.
+```
+$ gam user user@domain.com archive messages ids 18e9fc6581b9acab,18e9fc58c5491f4c    
+User: user@domain.com, Archive 2 Messages
+  User: user@domain.com, Message: 18e9fc6581b9acab, Archived (1/2)
+  User: user@domain.com, Message: 18e9fc58c5491f4c, Archived (2/2)
+$ gam user user@domain.com archive messages ids 18e9fc6581b9acab,18e9fc58c5491f4c csv
+User: user@domain.com, Archive 2 Messages
+User,id,action,error
+user@domain.com,18e9fc6581b9acab,Archived,
+user@domain.com,18e9fc58c5491f4c,Archived,
+```
+
 See below for message selection.
 
 ## Export messages/threads
 Export messages in EML format.
 ```
 gam <UserTypeEntity> export message|messages
-        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+ [quick|notquick] [doit] [max_to_export <Number>])|(ids <MessageIDEntity>)
+        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+ [quick|notquick] [max_to_export <Number>])|(ids <MessageIDEntity>)
         [targetfolder <FilePath>] [targetname <FileName>] [overwrite [<Boolean>]]
 gam <UserTypeEntity> export thread|threads
-        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+ [quick|notquick] [doit] [max_to_export <Number>])|(ids <ThreadIDEntity>)
+        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+ [quick|notquick] [max_to_export <Number>])|(ids <ThreadIDEntity>)
         [targetfolder <FilePath>] [targetname <FileName>] [overwrite [<Boolean>]]
 ```
 
@@ -398,20 +436,40 @@ See below for message selection.
 gam <UserTypeEntity> delete messages|threads
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
          [quick|notquick] [doit] [max_to_delete <Number>])|(ids <MessageIDEntity>)
+        [csv [todrive <ToDriveAttribute>*]]
 gam <UserTypeEntity> modify messages|threads
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
          [quick|notquick] [doit] [max_to_modify <Number>])|(ids <MessageIDEntity>)
-        (addlabel <LabelName>)* (removelabel <LabelName>)*
+        ((addlabel <LabelName>)|(removelabel <LabelName>))+
+        [csv [todrive <ToDriveAttribute>*]]
 gam <UserTypeEntity> spam messages|threads
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
          [quick|notquick] [doit] [max_to_spam <Number>])|(ids <MessageIDEntity>)
+        [csv [todrive <ToDriveAttribute>*]]
 gam <UserTypeEntity> trash messages|threads
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
          [quick|notquick] [doit] [max_to_trash <Number>])|(ids <MessageIDEntity>)
+        [csv [todrive <ToDriveAttribute>*]]
 gam <UserTypeEntity> untrash messages|threads
         (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
          [quick|notquick] [doit] [max_to_untrash <Number>])|(ids <MessageIDEntity>)
+        [csv [todrive <ToDriveAttribute>*]]
 ```
+
+By default, the command results are displayed as indented keys and values. Use the `csv` option
+to display the command results in CSV form.
+```
+$ gam user user@domain.com delete messages ids 18e9fc6581b9acab,18e9fc58c5491f4c    
+User: user@domain.com, Delete 2 Messages
+  User: user@domain.com, Message: 18e9fc6581b9acab, Deleted (1/2)
+  User: user@domain.com, Message: 18e9fc58c5491f4c, Deleted (2/2)
+$ gam user user@domain.com delete messages ids 18e9fc6581b9acab,18e9fc58c5491f4c csv
+User: user@domain.com, Delete 2 Messages
+User,id,action,error
+user@domain.com,18e9fc6581b9acab,Deleted,
+user@domain.com,18e9fc58c5491f4c,Deleted,
+```
+
 ### Manage a specific set of messages
 * `ids <MessageIDEntity>` - A list of message ids
 
@@ -498,6 +556,7 @@ By default, Gam displays all messages.
   * `labelmatchpattern xyz` - Label must start with xyz
   * `labelmatchpattern .*xyz.*` - Label must contain xyz
   * `labelmatchpattern .*xyz` - Label must end with xyz
+  * `labelmatchpattern ^xyz$` - Label must extctly match xyz
 * `sendermatchpattern <RegularExpression>` - Only display messages if the sender matches the `<RegularExpression>`
 
 When `matchlabel <LabelName>` is specified, the following characters are replaced with a `-` in the generated query.
@@ -524,7 +583,7 @@ By default, the Message ID and these SMTP headers are displayed: `Date, Subject,
 Use these options to customize the display.
 
 By default, the `<SMTPDateHeader>` values are displayed in RFC2822 format; the `dateheaderformat iso|rfc2822|<String>` option allows reformatting it:
-* `iso` - Format is `%Y-%m-%dT%H:%M:%S%z`
+* `iso` - Format is `%Y-%m-%dT%H:%M:%S%:z`
 * `rfc2822` - Format is `%a, %d %b %Y %H:%M:%S %z`
 * `<String>` - Format according to: https://docs.python.org/3/library/datetime.html#strftime-strptime-behavior
 If the `Date` header value can't be parsed as RFC2822, it is left unchanged.
@@ -587,6 +646,16 @@ By default, when downloading attachments, an existing local file will not be ove
 * `overwrite true` - Overwite an existing file
 * `overwrite false` - Do not overwite an existing file; add a numeric prefix and create a new file
 
+## Upload attachments
+These options are valid with `show'.
+
+By default, message attachments are not uploaded to Google Drive.
+* `uploadattachments` - Upload message attachments
+* `attachmentnamepattern <RegularExpression>` - Limit the attachments uploaded to those whose names match `<RegularExpression>`
+
+By default, message attachments are uploaded to the root of the user's My Drive.
+* `<DriveFileParentAttributeh>` - Specify an alternate location for the uploaded attachments
+
 ## Display messages sent by delegates for delegator
 Display messages sent by a particular delegate for a delegator; the message is
 from the delegator but sent by the delegate.

docs/Users-Gmail-Send-As-Signature-Vacation.md

@@ -9,6 +9,7 @@
 - [Manage vacation](#manage-vacation)
 - [Display vacation](#display-vacation)
 - [User attribute `replace <Tag> <UserReplacement>` processing](Tag-Replace)
+- [Standardize user signatures](#standardize-user-signatures)
 
 ## API documentation
 * https://developers.google.com/gmail/api/reference/rest/v1/users.settings.sendAs
@@ -209,11 +210,13 @@ gam config csv_output_row_filter "signature:boolean:false"
 
 ## Manage vacation
 ```
-gam <UserTypeEntity> vacation <Boolean> subject <String>
+gam <UserTypeEntity> vacation [<Boolean>] [subject <String>]
         [<VacationMessageContent> (replace <Tag> <UserReplacement>)*]
         [html [<Boolean>]] [contactsonly [<Boolean>]] [domainonly [<Boolean>]]
         [start|startdate <Date>|Started] [end|enddate <Date>|NotSpecified]
 ```
+The initial `<Boolean>` can be omitted to allow updates to other fields without affecting the current responder state.
+
 `<VacationMessageContent>` is the vacation message, there are four ways to specify it:
 * `message|textmessage|htmlmessage <String>` - Use `<String>` as the vacation message
 * `file|htmlfile <FileName> [charset <Charset>]` - Read the vacation message from `<FileName>`
@@ -245,3 +248,37 @@ Gam displays the information in CSV form.
 * `compact` - Strip carriage returns and newlines in original HTML; this makes these values easier to process in the CSV file
 and can be used as input to GAM.
 * `enabledonly` - Do not display users with vacation autoreply disabled.
+
+## Standardize user signatures
+You can standardize user signatures by creating a signature template and a CSV file with data for each user.
+
+You can create a signature template by defining the signature in the Gmail Settings GUI of a test user.
+You must use the default signature `My signature`.
+Use text like `{FirstName}` and `{Email}` in the locations where the actual values will go.
+
+Once you're created the template signature, do the following:
+```
+$ gam user testuser@domain.com show signature compact > SimpleSig.html
+$ more SimpleSig.html
+SendAs Address: <testuser@domain.com>
+  IsPrimary: True
+  Default: True
+  Signature: <div dir="ltr">--<div>Name: {FirstName} {LastName}<div>Phone: {Phone}</div><div>Email: {Email}</div></div><div><br></div><div>Company Name</div><div>Company Address</div><div><br></div></div>\n
+```
+Edit SimpleSig.html and delete all text from `SendAs ` through `Signature: `.
+The result should be:
+```
+<div dir="ltr">--<div>Name: {FirstName} {LastName}<div>Phone: {Phone}</div><div>Email: {Email}</div></div><div><br></div><div>Company Name</div><div>Company Address</div><div><br></div></div>\n
+```
+
+This is a sample Users.csv file.
+```
+email,first,last,phone
+bsmith@domain.com,Bob,Smith,510-555-1212 x 123
+mjones@domain.com,Mary,Jones,510-555-1212 x 456
+```
+
+This command will update the user's signatures.
+```
+gam csv Users.csv gam user "~email" signature htmlfile SimpleSig.html replace FirstName "~first"  replace LastName "~last" replace Phone "~phone" replace Email "~email"
+```

docs/Users-Group-Membership.md

@@ -14,6 +14,8 @@
   - [Display group details in CSV format](#display-group-details-in-csv-format)
   - [Display group counts as an indented list](#display-group-counts-as-an-indented-list)
   - [Display group counts in CSV format](#display-group-counts-in-csv-format)
+  - [Display total group counts as an indented list](#display-total-group-counts-as-an-indented-list)
+  - [Display total group counts in CSV format](#display-total-group-counts-in-csv-format)
   - [Display group addresses in CSV format](#display-group-addresses-in-csv-format)
   - [Display groups and their parents](#display-groups-and-their-parents)
 - [Add a target user to the same groups as a source user](#add-a-target-user-to-the-same-groups-as-a-source-user)
@@ -81,7 +83,7 @@ $ gam csvkmd users UserGroupRole.csv keyfield User print groups
 User,Group,Role,Status,Delivery
 
 # Add users to groups
-$ gam redirect stdout - multiprocess csv UserGroupRole.csv gam user ~User add group ~Role ~Delivery ~Group
+$ gam redirect stdout - multiprocess csv UserGroupRole.csv gam user "~User" add group "~Role" "~Delivery" "~Group"
 Using 5 processes...
 User: testuser1@domain.com, Add to 1 Group
   Group: testgroup1@domain.com, Owner: testuser1@domain.com, Added
@@ -249,7 +251,7 @@ testuser2@domain.com,testgroup2@domain.com,MANAGER,ACTIVE,DAILY
 testuser3@domain.com,testgroup2@domain.com,OWNER,ACTIVE,DIGEST
 
 # Update roles/delivery settings
-$ gam redirect stdout - multiprocess csv UserGroupRoleNew.csv gam user ~User update group ~Role ~Delivery ~Group
+$ gam redirect stdout - multiprocess csv UserGroupRoleNew.csv gam user "~User" update group "~Role" "~Delivery" "~Group"
 Using 3 processes...
 User: testuser2@domain.com, Update to 1 Group
   Group: testgroup2@domain.com, Manager: testuser2@domain.com, Updated
@@ -357,7 +359,7 @@ testuser3@domain.com,testgroup1@domain.com,MEMBER,ACTIVE,ALL_MAIL
 testuser3@domain.com,testgroup2@domain.com,OWNER,ACTIVE,ALL_MAIL
 
 # Update roles/delivery settings
-$ gam redirect stdout - multiprocess csv UserGroupRole.csv gam user ~User update group ~Role ~Delivery ~Group
+$ gam redirect stdout - multiprocess csv UserGroupRole.csv gam user "~User" update group "~Role" "~Delivery" "~Group"
 Using 5 processes...
 User: testuser2@domain.com, Update to 1 Group
   Group: testgroup1@domain.com, Member: testuser2@domain.com, Updated
@@ -461,6 +463,10 @@ gam <UserTypeEntity> show groups
         [(domain <DomainName>)|(customerid <CustomerID>)]
         [roles <GroupRoleList>] countsonly
 ```
+By default, all groups to which a member belongs are displayed, these options allow selection of subsets of groups:
+* `domain <DomainName>` - Limit display to groups in the domain `<DomainName>` of which they are a member
+* `customerid <CustomerID>` - For resellers, display all groups in a resold workspace of which they are a member
+* `roles <GroupRoleList>` - Limit display to those groups for which the user has a specific role
 
 ### Display group counts in CSV format
 There is one row per user displaying the number of groups, by role, to which a user belongs.
@@ -476,6 +482,33 @@ By default, all groups to which a member belongs are displayed, these options al
 * `customerid <CustomerID>` - For resellers, display all groups in a resold workspace of which they are a member
 * `roles <GroupRoleList>` - Limit display to those groups for which the user has a specific role
 
+### Display total group counts as an indented list
+There is one row per user displaying the number of groups to which a user belongs.
+
+There is one API call per user to get the total group count.
+```
+gam <UserTypeEntity> show groups
+        [(domain <DomainName>)|(customerid <CustomerID>)]
+        totalonly
+```
+By default, all groups to which a member belongs are displayed, these options allow selection of subsets of groups:
+* `domain <DomainName>` - Limit display to groups in the domain `<DomainName>` of which they are a member
+* `customerid <CustomerID>` - For resellers, display all groups in a resold workspace of which they are a member
+
+
+### Display total group counts in CSV format
+There is one row per user displaying the total number of groups to which a user belongs.
+
+There is one API call per user to get the total group count.
+```
+gam <UserTypeEntity> print groups [todrive <ToDriveAttribute>*]
+        [(domain <DomainName>)|(customerid <CustomerID>)]
+        totalonly
+```
+By default, all groups to which a member belongs are displayed, these options allow selection of subsets of groups:
+* `domain <DomainName>` - Limit display to groups in the domain `<DomainName>` of which they are a member
+* `customerid <CustomerID>` - For resellers, display all groups in a resold workspace of which they are a member
+
 ### Display group addresses in CSV format
 There is one row per user showing the number and list of groups to which a user directly belongs.
 ```

docs/Users-Keep.md

@@ -131,13 +131,17 @@ Display all notes
 ```
 gam <UserTypeEntity> show notes
         [fields <NotesFieldList>] [filter <String>]
-        [role owner|writwer]
+        [role owner|writer]
+        [countsonly]
         [compact|formatjson]
 ```
 By default, GAM displays all non-trashed notes:
 * `filter trashed` - Display notes in the trash
 * `role owner|writer` - Display notes where the user has the specified role
 
+When  option `countsonly` is specified, the number of notes a user owns, the number of notes of user can edit
+and the total number of notes is displayed.
+
 By default, Gam displays the information as an indented list of keys and values; the note text is displayed as individual lines.
 * `compact` - Display the note text with escaped carriage returns as \r and newlines as \n
 * `formatjson` - Display the note in JSON format
@@ -145,7 +149,8 @@ By default, Gam displays the information as an indented list of keys and values;
 ```
 gam <UserTypeEntity> print notes [todrive <ToDriveAttribute>*]
         [fields <NotesFieldList>] [filter <String>]
-        [role owner|writwer]
+        [role owner|writer]
+        [countsonly]
         [formatjson [quotechar <Character>]]
 
 ```
@@ -153,6 +158,9 @@ By default, GAM displays all non-trashed notes:
 * `filter trashed` - Display notes in the trash
 * `role owner|writer` - Display notes where the user has the specified role
 
+When  option `countsonly` is specified, the number of notes a user owns, the number of notes of user can edit
+and the total number of notes is displayed.
+
 By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
 the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
 When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.

docs/Users-Looker-Studio.md

@@ -17,6 +17,8 @@ To use these commands you must add the 'Looker Studio API' to your project and u
 ```
 gam update project
 gam user user@domain.com check serviceaccount
+...
+[*] 35)  Looker Studio API (supports readonly)
 ```
 ## Definitions
 * [`<UserTypeEntity>`](Collections-of-Users)

docs/Users-Meet.md

@@ -0,0 +1,174 @@
+# Users - Meet
+- [API documentation](#api-documentation)
+- [Query documentation](#query-documentation)
+- [Introduction](#introduction)
+- [Definitions](#definitions)
+- [Manage Meet Spaces](#manage-meet-spaces)
+- [Display Meet Conferences](#display-meet-conferences)
+- [Display Meet Participants](#display-meet-participants)
+- [Display Meet Recordings](#display-meet-recordings)
+- [Display Meet Transcripts](#display-meet-transcripts)
+
+## API documentation
+* https://developers.google.com/meet/api/reference/rest/v2
+* https://developers.google.com/meet/api/reference/rest/v2/spaces
+* https://developers.google.com/meet/api/reference/rest/v2/conferenceRecords
+* https://developers.google.com/meet/api/reference/rest/v2/conferenceRecords.participants
+* https://developers.google.com/meet/api/reference/rest/v2/conferenceRecords.recordings
+* https://developers.google.com/meet/api/reference/rest/v2/conferenceRecords.transcripts
+
+## Query documentation
+* https://developers.google.com/meet/api/reference/rest/v2/conferenceRecords/list
+* https://developers.google.com/meet/api/reference/rest/v2/conferenceRecords.participants/list
+
+## Introduction
+These features were added in version 6.81.00.
+
+To use these commands you must add the 'Meet API' to your project and update your service account authorization.
+```
+gam update project
+gam user user@domain.com update serviceaccount
+...
+[*] 36)  Meet API (supports readonly)
+
+```
+## Definitions
+* [`<UserTypeEntity>`](Collections-of-Users)
+```
+<MeetConferenceName> ::= conferenceRecords/<String>
+<MeetSpaceName> ::= spaces/<String> | <String>
+<MeetSpaceOptions> ::=
+        accesstype open|trusted|restricted |
+        entrypointaccess all|creatorapponly
+```
+
+## Manage Meet Spaces
+### Create a meet space
+```
+gam <UserTypeEntity> create meetspace
+        <MeetSpaceOptions>*
+        [formatjson|returnidonly]
+```
+By default, Gam displays the information about the created meetspace as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+* `returnidonly` - Display the meetspace name only
+
+### Update a meet space
+```
+gam <UserTypeEntity> update meetspace <MeetSpaceName>
+        <MeetSpaceOptions>*
+        [formatjson]
+```
+By default, Gam displays the information about the created meetspace as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
+### Display information about a specific meet space for a user
+```
+gam <UserTypeEntity> info meetspace <MeetSpaceName>
+        [formatjson]
+```
+By default, Gam displays the information as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
+### End a meet space conference
+```
+gam <UserTypeEntity> end meetconference <MeetSpaceName>
+```
+
+## Display Meet Conferences
+```
+gam <UserItem> show meetconferences
+        [space <MeetSpaceName>] [code <String>]
+        [andquery|orquery <String>] [querytime<String> <Time>]
+        [formatjson]
+```
+By default, conferences are shown for all of a user's meet spaces. To limit the display use:
+  * `space <MeetSpaceName>` - Display conferences for a specifc space by giving its name
+  * `code <String>` - Display conferences for a specifc space by giving its code
+  
+By default, Gam displays the information about the meet conferences as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+```
+gam <UserItem> print meetconferences [todrive <ToDriveAttribute>*]
+        [space <MeetSpaceName>] [code <String>]
+        [andquery|orquery <String>] [querytime<String> <Time>]
+        [formatjson [quotechar <Character>]]
+```
+By default, conferences are shown for all of a user's meet spaces. To limit the display use:
+  * `space <MeetSpaceName>` - Display conferences for a specifc space by giving its name
+  * `code <String>` - Display conferences for a specifc space by giving its code
+  
+By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
+
+## Display Meet Participants
+```
+gam <UserItem> show meetparticipants <MeetConferenceName>
+        [query <String>] [querytime<String> <Time>]
+        [formatjson]
+```
+By default, Gam displays the information about the meet participants as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+```
+gam <UserItem> print meetparticipants <MeetConferenceName> [todrive <ToDriveAttribute>*]
+        [query <String>] [querytime<String> <Time>]
+        [formatjson [quotechar <Character>]]
+```
+By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
+
+## Display Meet Recordings
+```
+gam <UserItem> show meetrecordings <MeetConferenceName>
+        [formatjson]
+```
+By default, Gam displays the information about the meet recordings as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+```
+gam <UserItem> print meetrecordings <MeetConferenceName> [todrive <ToDriveAttribute>*]
+        [formatjson [quotechar <Character>]]
+```
+By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
+
+## Display Meet Transcripts
+```
+gam <UserItem> show meettranscripts <MeetConferenceName>
+        [formatjson]
+```
+By default, Gam displays the information about the meet transcripts as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+```
+gam <UserItem> print meettranscripts <MeetConferenceName> [todrive <ToDriveAttribute>*]
+        [formatjson [quotechar <Character>]]
+```
+By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+

docs/Users-People-Contacts-Profiles.md

@@ -59,6 +59,7 @@ gam user user@domain.com check serviceaccount
 
 ```
 <JSONData> ::= (json [charset <Charset>] <String>) | (json file <FileName> [charset <Charset>]) |
+<QueryContact> ::= <String>
 
 <PeopleResourceName> ::= people/<String>
 <PeopleResourceNameList> ::= "<PeopleResourceName>(,<PeopleResourceName>)*"
@@ -124,8 +125,15 @@ gam user user@domain.com check serviceaccount
         (subject <String>)|
         (suffix <String>)|
         (userdefinedfield clear|(<String> <String>))|
-        (website clear|(app_install_page|blog|ftp|home|home_page|other|profile|reservations|work|<String> <URL> notprimary|primary))
+        (url|website clear|(app_install_page|blog|ftp|home|home_page|other|profile|reservations|work|<String> <URL> notprimary|primary))
 
+For address, email, phone and url, the type <String> can be empty.
+address "" formatted "My Address" primary
+email "" user@gmail.com primary
+phone "" "510-555-1212" primary
+url "" "https://www.domain.com" primary
+```
+```
 <PeopleFieldName> ::=
         addresses|
         ageranges|

docs/Users-Shared-Drives.md

@@ -15,7 +15,8 @@
 - [Display Shared Drive access](#display-shared-drive-access)
   - [Display Shared Drive access for specific Shared Drives](#display-shared-drive-access-for-specific-shared-drives)
   - [Display Shared Drive access for selected Shared Drives](#display-shared-drive-access-for-selected-shared-drives)
-- [Change User1 Shared Drive access to User2](#change-user1-shared-drive-access-to-user2)
+- [Change single User1 Shared Drive access to User2](#change-single-user1-shared-drive-access-to-user2)
+- [Bulk change User1 Shared Drive access to User2](#bulk-change-user1-shared-drive-access-to-user2)
 - [Display empty folders on a Shared Drive](#display-empty-folders-on-a-shared-drive)
 - [Delete empty folders on a Shared Drive](#delete-empty-folders-on-a-shared-drive)
 - [Empty the trash on a Shared Drive](#empty-the-trash-on-a-shared-drive)
@@ -73,6 +74,22 @@
 <OrgUnitPath> ::= /|(/<String>)+
 <OrgUnitItem> ::= <OrgUnitID>|<OrgUnitPath>
 
+<DriveFileOrderByFieldName> ::=
+        createddate|createdtime|
+        folder|
+        lastviewedbyme|lastviewedbymedate|lastviewedbymetime|lastviewedbyuser|
+        modifiedbyme|modifiedbymedate|modifiedbymetime|modifiedbyuser|
+        modifieddate|modifiedtime|
+        name|
+        name_natural|
+        quotabytesused|quotaused|
+        recency|
+        sharedwithmedate|sharedwithmetime|
+        starred|
+        title|
+        title_natural|
+        viewedbymedate|viewedbymetime
+
 <DriveFileACLRole> ::=
         manager|organizer|owner|
         contentmanager|fileorganizer|
@@ -293,7 +310,7 @@ gam <UserTypeEntity> show teamdrives
 ```
 By default, Gam displays all Teams Drives accessible by the user.
 * `matchname <RegularExpression>` - Display Shared Drives with names that match a pattern.
-* `(role|roles <SharedDriveACLRoleList>)* - Display Shared Drives where the user has one of the specified roles.
+* `(role|roles <SharedDriveACLRoleList>)*` - Display Shared Drives where the user has one of the specified roles.
 
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
@@ -375,7 +392,6 @@ When deleting permissions from JSON data, permissions with role `owner` true are
 These commands are used to display the ACLs on Shared Drives themselves, not the files/folders on the Shared Drives.
 
 ## Display Shared Drive access for specific Shared Drives
-These commands must be issued by a user with Shared Drive permission role organizer.
 ```
 gam <UserTypeEntity> show drivefileacls <DriveFileEntity>
         <PermissionMatch>* [<PermissionMatchAction>] [pmselect]
@@ -404,7 +420,6 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 `quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
 
 ## Display Shared Drive access for selected Shared Drives
-These commands must be issued by a user with Shared Drive permission role organizer.
 ```
 gam <UserTypeEntity> show teamdriveacls
         adminaccess [teamdriveadminquery|query <QueryTeamDrive>]
@@ -421,6 +436,10 @@ gam <UserTypeEntity> print teamdriveacls [todrive <ToDriveAttribute>*]
         [oneitemperrow] [<DrivePermissionsFieldName>*|(fields <DrivePermissionsFieldNameList>)]
         [formatjson [quotechar <Character>]]
 ```
+By default,only Shared Drives with `<UserTypeEntity>` as a member are displayed. To display all
+Shared Drives in the workspace, `<UserTypeEntity>` should specify a super admin and the `adminaccess`
+option shoud be used.
+
 By default, all Shared Drives are displayed; use the following options to select a subset of Shared Drives:
 * `teamdriveadminquery|query <QueryTeamDrive>` - Use a query to select Shared Drives
 * `matchname <RegularExpression>` - Retrieve Shared Drives with names that match a pattern.
@@ -448,14 +467,27 @@ gam <UserTypeEntity> print emptydrivefolders [todrive <ToDriveAttribute>*]
         select <SharedDriveEntity>
 ```
 
-## Change User1 Shared Drive access to User2
+## Change single User1 Shared Drive access to User2
 ```
 # Get Shared Drives for User1
 gam redirect csv ./U1SharedDrives.csv user user1@domain.com print shareddriveacls pm emailaddress user1@domain.com em oneitemperrow
 # For each of those Shared Drives, delete User1 access
-gam redirect stdout ./DeleteU1SharedDriveAccess.txt multiprocess redirect stderr stdout gam delete drivefileacl "~id" "~permission.emailAddress"
+gam redirect stdout ./DeleteU1SharedDriveAccess.txt multiprocess redirect stderr stdout csv ./U1SharedDrives.csv gam delete drivefileacl "~id" "~permission.emailAddress"
 # For each of those Shared Drives, add User2 with the same role that User1 had
-gam redirect stdout ./AddU2SharedDriveAccess.txt multiprocess redirect stderr stdout gam create drivefileacl "~id" user user2@domain.com role "~permission.role"
+gam redirect stdout ./AddU2SharedDriveAccess.txt multiprocess redirect stderr stdout csv ./U1SharedDrives.csv gam create drivefileacl "~id" user user2@domain.com role "~permission.role"
+```
+
+## Bulk change User1 Shared Drive access to User2
+This requires GAM version 6.79.09 or higher.
+
+Make a CSV file Users.csv with two email address columns: User,Replace
+```
+# Get Shared Drives for all Users in CSV file
+gam redirect csv ./U1SharedDrives.csv multiprocess csv Users.csv gam user "~User" print shareddriveacls pm emailaddress "~User" em oneitemperrow addscvdata Replace "~Replace"
+# For each of those Shared Drives, delete User access
+gam redirect stdout ./DeleteU1SharedDriveAccess.txt multiprocess redirect stderr stdout csv ./U1SharedDrives.csv gam delete drivefileacl "~id" "~permission.emailAddress"
+# For each of those Shared Drives, add Replace with the same role that User had
+gam redirect stdout ./AddU2SharedDriveAccess.txt multiprocess redirect stderr stdout csv ./U1SharedDrives.csv gam create drivefileacl "~id" user "~Replace" role "~permission.role"
 ```
 
 ## Delete empty folders on a Shared Drive

docs/Users-Signout-Turnoff2SV.md

@@ -21,6 +21,7 @@ gam <UserTypeEntity> signout
 Turn off 2-Step Verification for a user.
 If successful, this call will turn off 2-Step Verification and also remove all registered second steps on the user account.
 This call will fail if **any** of the following is true:
+* the user is suspended
 * the user is not enrolled in 2-Step Verification.
 * the user has 2-Step Verification enforced.
 * the user is enrolled in the Advanced Protection Program.

docs/Users-Spreadsheets.md

@@ -133,7 +133,7 @@ CSV file Sheet.csv contains:
 User,spreadsheetId,JSON
 user@domain.com,1MOq6umgWSM7NF8-CQ-Aj3_n1DIu_GvyCcuLxxxxxx,'[{"range": "Sheet1!A1:C1", "values": [["1", "2", "3"]], "majorDimension": "ROWS"}, {"range": "Sheet1!A3:C3", "values": [["10/01/2017 10:30:00", true, "6"]], "majorDimension": "ROWS"}]'
 
-gam csv Sheet.csv quotechar "'" gam user ~User update sheetranges ~spreadsheetId json ~JSON userentered includevaluesinresponse
+gam csv Sheet.csv quotechar "'" gam user "~User" update sheetranges "~spreadsheetId" json "~JSON" userentered includevaluesinresponse
 ```
 ## Create spreadsheets
 ```
@@ -203,6 +203,17 @@ File Sheet.json contains:
 gam user testuser@domain.com update sheet <DriveFileItem> json file Sheet.json
 ```
 
+Rename a tab/sheet in a spreadsheet. 
+```
+Get the sheet IDs.
+gam user testuser@domain.com info sheet <DriveFileItem> fields sheets
+Get the desired sheetId from the output.
+File Sheet.json contains:
+{"requests": [{"updateSheetProperties": {"properties": {"sheetId": 1234567890, "title": "New Title"}, "fields": "title"}}]}
+
+gam user testuser@domain.com update sheet <DriveFileItem> json file Sheet.json
+```
+
 Delete a column from a tab in a spreadsheet.
 ```
 Get the sheet IDs.
@@ -220,18 +231,24 @@ gam user testuser@domain.com update sheet <DriveFileItem> json file Sheet.json
 gam <UserTypeEntity> info|show sheet <DriveFileEntity>
         [fields <SpreadsheetFieldList>] [sheetsfields <SpreadsheetSheetsFieldList>]
         (range <SpreadsheetRange>)* (rangelist <SpreadsheetRangeList>)*
-        [includegriddata [<Boolean>]]
+        [includegriddata [<Boolean>]] [shownames]
         [formatjson]
 ```
+By default, the Sheets API does not return the sheet file name, use the `shownames` option to have GAM
+make an additional API call to get and display the sheet file name.
+
 The output is formatted for human readability. Use the following option to produce JSON output for program parsing.
 * `formatjson` - Display output in JSON format.
 ```
 gam <UserTypeEntity> print sheet <DriveFileEntity> [todrive <ToDriveAttribute>*]
         [fields <SpreadsheetFieldList>] [sheetsfields <SpreadsheetSheetsFieldList>]
         (range <SpreadsheetRange>)* (rangelist <SpreadsheetRangeList>)*
-        [includegriddata [<Boolean>]]
+        [includegriddata [<Boolean>]] [shownames]
         [formatjson [quotechar <Character>]]
 ```
+By default, the Sheets API does not return the sheet file name, use the `shownames` option to have GAM
+make an additional API call to get and display the sheet file name.
+
 By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
 the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
 When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
@@ -452,8 +469,6 @@ gam csv SheetData.csv quotechar "'" gam user "~User" update sheetrange "~spreads
 ```
 
 ## Repair an uneditable sheet within a spreadsheet
-This example requires GAMADV-XTD3 version 6.30.07.
-
 Identify uneditable sheet; there is no `editors` field.
 ```
 $ gam user owner@domain.com info sheet 1234-y9d0nbckO_cnb3xyZhsIh0Hxd9WaqpGPBwxyz fields sheets sheetsfields protectedranges

docs/Users-Tasks.md

@@ -69,6 +69,8 @@ gam <UserTypeEntity> create task <TasklistEntity>
         <TaskAttribute>* [parent <TaskID>] [previous <TaskID>]
         [compact|formatjson|returnidonly]
 ```
+The API only supports all-day tasks; you should specify: `due YYYY-MM-DDT00:00:00Z`.
+
 By default, Gam displays the created task as an indented list of keys and values; the task notes text is displayed as individual lines.
 * `compact` - Display the task notes text with escaped carriage returns as \r and newlines as \n
 * `formatjson` - Display the task in JSON format
@@ -100,6 +102,9 @@ By default, Gam displays the moved task as an indented list of keys and values;
 * `formatjson` - Display the task in JSON format
 
 ## Display Tasks
+All commands that display tasks display the due date in GMT as the time portion
+is not supported by the API and converting the due date to local time may display the wrong date.
+
 ### Display selected tasks
 ```
 gam <UserTypeEntity> info task <TasklistIDTaskIDEntity>
@@ -119,6 +124,13 @@ gam <UserTypeEntity> show tasks [tasklists <TasklistEntity>]
         [orderby completed|due|updated]
         [countsonly|compact|formatjson]
 ```
+The API only supports dates in `duemin` and `duemax' but you must supply a null time:
+* `duemin YYYY-MM-DDT00:00:00Z` - Specify the starting due date
+* `duemax YYYY-MM-DDT00:00:00Z` - Specify one day beyond the ending due date
+
+For example: `duemin 2024-05-01T00:00:00Z duemax 2024-05-02T00:00:00Z` will
+display all tasks on 2024-05-01.
+
 By default, tasks are displayed in hierarchical order.
 * `orderby completed` - Display tasks in completed date order regardless of the hierarchy.
 * `orderby due` - Display tasks in due date order regardless of the hierarchy.
@@ -142,6 +154,13 @@ gam <UserTypeEntity> print tasks [tasklists <TasklistEntity>] [todrive <ToDriveA
         [orderby completed|due|updated]
         [countsonly | (formatjson [quotechar <Character>])]
 ```
+The API only supports dates in `duemin` and `duemax' but you must supply a null time:
+* `duemin YYYY-MM-DDT00:00:00Z` - Specify the starting due date
+* `duemax YYYY-MM-DDT00:00:00Z` - Specify one day beyond the ending due date
+
+For example: `duemin 2024-05-01T00:00:00Z duemax 2024-05-02T00:00:00Z` will
+display all tasks on 2024-05-01.
+
 By default, tasks are displayed in hierarchical order.
 * `orderby completed` - Display tasks in completed date order regardless of the hierarchy.
 * `orderby due` - Display tasks in due date order regardless of the hierarchy.

docs/Users-Tokens.md

@@ -3,6 +3,7 @@
 - [Definitions](#definitions)
 - [Delete a user's token](#delete-a-users-token)
 - [Display individual user's tokens](#display-individual-users-tokens)
+- [Display individual user's token counts](#display-individual-users-token-counts)
 - [Display aggregated user's tokens](#display-aggregated-users-tokens)
 
 ## API documentation
@@ -27,6 +28,9 @@ gam <UserTypeEntity> show tokens|token|3lo|oauth [clientid <ClientID>]
 gam print tokens|token [todrive <ToDriveAttributes>*] [clientid <ClientID>]
         [orderby clientid|id|appname|displaytext] [delimiter <Character>]
         [<UserTypeEntity>]
+gam show tokens|token [clientid <ClientID>]
+        [orderby clientid|id|appname|displaytext] [delimiter <Character>]
+        [<UserTypeEntity>]
 ```
 By default, all client tokens for a user are displayed, use `clientid <ClientID>` to display a specific client token.
 
@@ -43,6 +47,26 @@ This example shows which domain users have the Google Apps Sync for Microsoft Ou
 gam all users print token clientid 1095133494869.apps.googleusercontent.com
 ```
 
+## Display individual user's token counts
+```
+gam <UserTypeEntity> print tokens|token [todrive <ToDriveAttributes>*] [clientid <ClientID>]
+        usertokencounts
+gam <UserTypeEntity> show tokens|token|3lo|oauth [clientid <ClientID>]
+        usertokencounts
+gam print tokens|token [todrive <ToDriveAttributes>*] [clientid <ClientID>]
+        usertokencounts
+        [<UserTypeEntity>]
+gam show tokens|token [clientid <ClientID>]
+        usertokencounts
+        [<UserTypeEntity>]
+```
+
+### Example
+This example shows which domain users have any access tokens.
+```
+gam config csv_output_row_filter "tokenCount:count>0" all users print tokens usertokencounts
+```
+
 ## Display aggregated user's tokens
 ```
 gam <UserTypeEntity> print tokens|token [todrive <ToDriveAttributes>*] [clientid <ClientID>]

docs/Users.md

@@ -1,7 +1,7 @@
 # Users
 - [API documentation](#api-documentation)
-- [Name guidelines](#name-guidelines)
 - [Query documentation](#query-documentation)
+- [Name guidelines](#name-guidelines)
 - [Quoting rules](#quoting-rules)
 - [Python Regular Expressions](Python-Regular-Expressions) Match function and Search function
 - [Definitions](#definitions)
@@ -37,6 +37,7 @@
 - [Print user domain counts](#print-user-domain-counts)
     - [Print domain counts for users in a specific domain and/or selected by a query](#print-domain-counts-for-users-in-a-specific-domain-and-or-selected-by-a-query)
     - [Print domain counts for users specified by `<UserTypeEntity>`](#print-domain-counts-for-users-specified-by-usertypeentity)
+- [Print user counts by OrgUnit](print-user-counts-by-orgunit)
 - [Print user list](#print-user-list)
 - [Display user counts](#display-user-counts)
 - [Verify domain membership]($verify-domain-membership)
@@ -45,12 +46,12 @@
 * https://developers.google.com/admin-sdk/directory/reference/rest/v1/users
 * https://developers.google.com/admin-sdk/directory/reference/rest/v1/schemas
 
-## Name guidelines
-* https://support.google.com/a/answer/9193374?hl=en
-
 ## Query documentation
 * https://developers.google.com/admin-sdk/directory/v1/guides/search-users
 
+## Name guidelines
+* https://support.google.com/a/answer/9193374
+
 ## Quoting rules
 Items in a list can be separated by commas or spaces; if an item itself contains a comma, a space or a single quote, special quoting must be used.
 Typically, you will enclose the entire list in double quotes and quote each item in the list as detailed below.
@@ -79,6 +80,22 @@ queries "`"orgUnitPath=\'/Students/Lower\ School/2027\'`",`"orgUnitPath=\'/Stude
 * [`<UserTypeEntity>`](Collections-of-Users)
 * [Command data from Google Docs/Sheets/Storage](Command-Data-From-Google-Docs-Sheets-Storage)
 ```
+<StorageBucketName> ::= <String>
+<StorageObjectName> ::= <String>
+<StorageBucketObjectName> ::=
+        https://storage.cloud.google.com/<StorageBucketName>/<StorageObjectName>|
+        https://storage.googleapis.com/<StorageBucketName>/<StorageObjectName>|
+        gs://<StorageBucketName>/<StorageObjectName>|
+        <StorageBucketName>/<StorageObjectName>
+
+<UserGoogleDoc> ::=
+        <EmailAddress> <DriveFileIDEntity>|<DriveFileNameEntity>|(<SharedDriveEntity> <SharedDriveFileNameEntity>)
+
+<SheetEntity> ::= <String>|id:<Number>
+<UserGoogleSheet> ::=
+        <EmailAddress> <DriveFileIDEntity>|<DriveFileNameEntity>|(<SharedDriveEntity> <SharedDriveFileNameEntity>) <SheetEntity>
+```
+```
 <DeliverySetting> ::=
         allmail|
         abridged|daily|
@@ -109,6 +126,11 @@ queries "`"orgUnitPath=\'/Students/Lower\ School/2027\'`",`"orgUnitPath=\'/Stude
 <QueryUser> ::= <String>
         See: https://developers.google.com/admin-sdk/directory/v1/guides/search-users
 
+<FieldName> ::= <String>
+<SchemaName> ::= <String>
+<SchemaNameField> ::= <SchemaName>.<FieldName>
+<SchemaNameList> ::= "<SchemaName>|<SchemaFieldName>(,<SchemaName>|<SchemaFieldName>)*"
+
 <StorageBucketName> ::= <String>
 <StorageObjectName> ::= <String>
 <StorageBucketObjectName> ::=
@@ -233,7 +255,7 @@ queries "`"orgUnitPath=\'/Students/Lower\ School/2027\'`",`"orgUnitPath=\'/Stude
                 protocol aim|gtalk|icq|jabber|msn|net_meeting|qq|
                 skype|yahoo|(custom_protocol <String>) <String>
                 notprimary|primary)|
-        (keyword mission|occupation|outlook|(custom <string>) <String>)|
+        (keyword mission|occupation|outlook|(custom <String>) <String>)|
         (location [type default|desk|<String>] area <String>
                 [building|buildingid <String>] [floor|floorname <String>]
                 [section|floorsection <String>] [desk|deskcode <String>] endlocation)|
@@ -244,7 +266,7 @@ queries "`"orgUnitPath=\'/Students/Lower\ School/2027\'`",`"orgUnitPath=\'/Stude
                 [description <String>] [domain <String>]
                 [fulltimeequivalent <Integer>]
                 notprimary|primary)|
-        (otheremail home|other|work|<String> <String>)|
+        (otheremail home|other|work|(custom <String>)|<String> <String>)|
         (phone [type assistant|callback|car|company_main|grand_central|home|
                 home_fax|isdn|main|mobile|other|other_fax|pager|radio|telex|tty_tdd|
                 work|work_fax|work_mobile|work_pager|(custom <String>)]
@@ -256,10 +278,10 @@ queries "`"orgUnitPath=\'/Students/Lower\ School/2027\'`",`"orgUnitPath=\'/Stude
                 [primary <Boolean>] endposix)|
         (relation admin_assistant|assistant|brother|child|domestic_partner|
                 dotted-line_manager|exec_assistant|father|friend|manager|mother|
-                parent|partner|referred_by|relative|sister|spouse|<String> <String>)|
+                parent|partner|referred_by|relative|sister|spouse|(custom <String>)|<String> <String>)|
         (sshkeys key <String> [expires <Integer>] endssh)|
         (website app_install_page|blog|ftp|home|home_page|other|
-                profile|reservations|resume|work|<String> <URL>
+                profile|reservations|resume|work|(custom <String>)|<String> <URL>
                 notprimary|primary)
 
 <UserClearAttribute> ::=
@@ -338,6 +360,10 @@ relation manager manageremail@domain.com
 externalid organization "Employee ID"
 
 ```
+`<UserMultiAttribute>.location.buildingid <String>` allows non-validated building IDs
+by specifying `nv:` at the beginning of `<String>`; e.g., `nv:Building X' sets the building ID to `Building X`.
+
+
 ## Passwords
 To set a user's password, you specify a `<Password>` string and a hash method that specifies how to interpret the string
 * `password random|uniquerandom` - A 25 character plain text string of ASCII uppercase/lowecase letters, digits and punctuation
@@ -454,7 +480,7 @@ If you specify `scalarnonempty`, empty values will be suppressed. This is most u
 
 For example, to suppress errors when empty values would cause an error or are simply undesirable:
 ```
-GeoData.Region scalarnonempty ~region GeoData.State scalarnonempty ~state GeoData.City scalarnonempty ~city
+GeoData.Region scalarnonempty "~region" GeoData.State scalarnonempty "~state" GeoData.City scalarnonempty "~city"
 ```
 ### Multivalued fields
 ```
@@ -483,7 +509,7 @@ clearschema <SchemaName>
 ```
 Clear a specific field in a schema:
 ```
-clearschema <SchemaName>.<FieldName>
+clearschema <SchemaNameField>
 ```
 
 ## Create a user
@@ -531,7 +557,7 @@ When creating a user, you can send a message with the account details to an emai
 If you create a user with `random password`, the `lograndompassword <FileName>` option causes GAM
 to append the user email address and random password to `<FileName>`. If `<FileName>` is `-`, the data is written to stdout.
 
-Option `ignorenullpassword` causes GAM to ignore options like `password ""` or `password ~password` where the
+Option `ignorenullpassword` causes GAM to ignore options like `password ""` or `password "~password"` where the
 CSV entry `password` is null; it must appear in the command before any null passwords.
 If `ignorenullpassword` and a null password are entered, the user will be assigned a random password.
 
@@ -560,8 +586,8 @@ OU needs to be already set with forced 2FA, else you can't create backup codes i
 These three commands should be run in sequence, as commands two and three are reliant on the previous command being run.
 ```
 gam redirect stdout CreateUsers.log multiprocess redirect stderr stdout csv CreateUsers.csv gam create user "~useremail" firstname "~firstname" lastname "~lastname" ou "~ou" password random notify "~~notifyemail"
-gam redirect stdout UpdateUsers.log multiprocess redirect stderr stdout csv CreateUsers.csv gam user ~useremail update backupcodes
-gam redirect stdout SendBackupCodes.log multiprocess redirect stderr stdout csv CreateUsers.csv gam user ~useremail print backupcodes | gam csv - gam sendemail "~notifyemail" subject "Backup codes for 2FA login" message "~verificationCodes"
+gam redirect stdout UpdateUsers.log multiprocess redirect stderr stdout csv CreateUsers.csv gam user "~useremail" update backupcodes
+gam redirect stdout SendBackupCodes.log multiprocess redirect stderr stdout csv CreateUsers.csv gam user "~useremail" print backupcodes | gam csv - gam sendemail "~notifyemail" subject "Backup codes for 2FA login" message "~verificationCodes"
 ```
 
 ## Specify a user's attributes with JSON data
@@ -609,7 +635,7 @@ gam update user <UserItem> [ignorenullpassword] <UserAttribute>*
         [updateoufromgroup <FileName> [charset <Charset>]
             [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>]
             [fields <FieldNameList>] [keyfield <FieldName>] [datafield <FieldName>]]
-        [clearschema <SchemaName>] [clearschema <SchemaName>.<FieldName>]
+        [clearschema <SchemaName>|<SchemaNameField>]
         [createifnotfound] [notfoundpassword random|<Password>]
         (groups [<GroupRole>] [[delivery] <DeliverySetting>] <GroupEntity>)*
         [alias|aliases <EmailAddressList>]
@@ -630,7 +656,7 @@ gam update users <UserTypeEntity> [ignorenullpassword] <UserAttribute>*
         [updateoufromgroup <FileName> [charset <Charset>]
             [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>]
             [fields <FieldNameList>] [keyfield <FieldName>] [datafield <FieldName>]]
-        [clearschema <SchemaName>] [clearschema <SchemaName>.<FieldName>]
+        [clearschema <SchemaName>|<SchemaNameField>]
         [createifnotfound] [notfoundpassword random|<Password>]
         (groups [<GroupRole>] [[delivery] <DeliverySetting>] <GroupEntity>)*
         [alias|aliases <EmailAddressList>]
@@ -651,7 +677,7 @@ gam <UserTypeEntity> update users [ignorenullpassword] <UserAttribute>*
         [updateoufromgroup <FileName> [charset <Charset>]
             [columndelimiter <Character>] [noescapechar <Boolean>] [quotechar <Character>]
             [fields <FieldNameList>] [keyfield <FieldName>] [datafield <FieldName>]]
-        [clearschema <SchemaName>] [clearschema <SchemaName>.<FieldName>]
+        [clearschema <SchemaName>|<SchemaNameField>]
         [createifnotfound] [notfoundpassword random|<Password>]
         (groups [<GroupRole>] [[delivery] <DeliverySetting>] <GroupEntity>)*
         [alias|aliases <EmailAddressList>]
@@ -703,19 +729,19 @@ The user aliases in `alias|aliases <EmailAddressList>` will be created.
 
 For example, you are given a CSV file Users.csv with these headers: email,firstname,lastname,password,ou,altemail
 ```
-gam csv Users.csv gam update user ~email firstname ~firstname lastname ~lastname password ~password ou ~ou createifnotfound notify ~altemail
+gam csv Users.csv gam update user "~email" firstname "~firstname" lastname "~lastname" password "~password" ou "~ou" createifnotfound notify "~altemail"
 ```
 The existing users (including their passwords) will be updated and the new users will be created; if `notify` is specified, a notification email message is sent as in (#create-a-user).
 
 If you don't want to update the passwords of the existing users but must supply a password for newly created users, use the `notfoundpassword` option.
 ```
-gam csv Users.csv gam update user ~email firstname ~firstname lastname ~lastname notfoundpassword ~password ou ~ou createifnotfound notify ~altemail
+gam csv Users.csv gam update user "~email" firstname "~firstname" lastname "~lastname" notfoundpassword "~password" ou "~ou" createifnotfound notify "~altemail"
 ```
 The existing users (but not their passwords) will be updated and the new users will be created; if `notify` is specified, a notification email message is sent as in (#create-a-user).
 
 If you don't want to force a password change of the existing users but do want newly created users to change their password, use the `setchangepasswordoncreate` option.
 ```
-gam csv Users.csv gam update user ~email firstname ~firstname lastname ~lastname notfoundpassword ~password ou ~ou createifnotfound notify ~altemail setchangepasswordoncreate true
+gam csv Users.csv gam update user "~email" firstname "~firstname" lastname "~lastname" notfoundpassword "~password" ou "~ou" createifnotfound notify "~altemail" setchangepasswordoncreate true
 ```
 
 ## Update a user's name
@@ -724,15 +750,15 @@ When updating a user's name, always update both the `firstname/givenname` and th
 ## Update a user's password
 When updating a user's password, you can send a message with the new password to an email address; this might be the user's secondary email address.
 
-In versions of GAMADV-XTD3 prior to 5.07.00, if you do `gam update users <UserTypeEntity>` or `gam <UserTypeEntity> update users` and
+In versions of GAM7 prior to 5.07.00, if you do `gam update users <UserTypeEntity>` or `gam <UserTypeEntity> update users` and
 specify `password random`, all of the users in `<UserTypeEntity>` are assigned the same random password;
-this is the same behavior as in Standard GAM. If you would like each of the users in `<UserTypeEntity>` to be
+this is the same behavior as in Legacy GAM. If you would like each of the users in `<UserTypeEntity>` to be
 assigned a unique random password, specify `password uniquerandom`.
 
 If you update a user with `password random|uniquerandom`, the `lograndompassword <FileName>` option causes GAM
 to append the user email address and random password to `<FileName>`. If `<FileName` is `-`, the data is written to stdout.
 
-Option `ignorenullpassword` causes GAM to ignore options like `password ""` or `password ~password` or `notfoundpassword ~password` where the
+Option `ignorenullpassword` causes GAM to ignore options like `password ""` or `password "~password"` or `notfoundpassword "~password"` where the
 CSV entry `password` is null; it must appear in the command before any null passwords.
 This option would typically be used when processing CSV files where only selected user's passwords are being updated.
 
@@ -803,7 +829,7 @@ $ gam redirect csv ./phones.csv group group@domain.com print users phones format
 ```
 Edit phones.csv and change the work number; update.
 ```
-$ gam csv ./phones.csv quotechar "'" gam update user ~primaryEmail json ~JSON
+$ gam csv ./phones.csv quotechar "'" gam update user "~primaryEmail" json "~JSON"
 ```
 ## Update a user's OU based on group membership
 This option would typically be used when an external service creates a Google user and assigns it to a group but does not place it in an OU.
@@ -949,7 +975,7 @@ Starting in version `5.23.01`, the variable `quick_info_user` was added to `gam.
 
 These existing options enable the display of additional information.
 * `(products|product <ProductIDList>)|(skus|sku <SKUIDList>)` - Display license information for a selected list of products/SKUs.
-* `schemas|custom|customschemas <SchemaNameList>` - Display the specified custom schemas
+* `schemas|custom|customschemas <SchemaNameList>` - Display all fields or selected fields of the specified custom schemas
 
 By default, Gam displays fields that only an adminstrator can view.
 * `userview` - Only display fields that other users in the domain can view.
@@ -1059,8 +1085,8 @@ By default, Gam displays only the primary email address for each user.
 * `allfields|basic` - Display all non custom schema fields for each user.
 * `full` - Display all fields including  all custom schema fields for each user.
 * `<UserFieldName>* [fields <UserFieldNameList>]` - Only display selected fields.
-* `schemas|custom all` - Get custom schema information for all schemas.
-* `schemas|custom <SchemaNameList>` - Get custom schema information for a selected list of schemas.
+* `schemas|custom all` - Display custom schema information for all schemas.
+* `schemas|custom <SchemaNameList>` - Display all fields or selected fields of the specified custom schemas
 
 By default, when aliases are displayed, all aliases are displayed. Use `aliasmatchpattern <RegularExpression>`
 to limit the display of aliases to those that match `<RegularExpression>`.
@@ -1238,6 +1264,15 @@ $ more UsersList.csv
  ["testuser1@domain.org",  "testuser2@domain.org",  "testuser3@domain.org",  "testuser4@domain.org"] 
 ```
 
+## Print user counts by OrgUnit
+Display the count of archived, suspended and total users in each OrgUnit; display a grand total.
+
+By default, all users in the workspace are counted; you can specify a domain to only count users in that domain.
+```
+gam print usercountsbyorgunit [todrive <ToDriveAttribute>*]
+        [domain <String>]
+```
+
 ## Display user counts
 Display the number of users in an entity.
 ```

docs/Using-GAM7-with-a-YubiKey.md

@@ -0,0 +1,72 @@
+# Using GAM7 with a YubiKey
+- [Thanks](#thanks)
+- [Yubikey ykman PIV Commands](https://docs.yubico.com/software/yubikey/tools/ykman/PIV_Commands.html)
+- [Introduction](#introduction)
+- [FAQs](#faqs)
+- [Setup Steps](#setup-steps)
+
+## Thanks
+
+Thanks to Jay Lee for the original version of this document.
+
+## Introduction
+GAM7 supports using a [YubiKey](https://www.yubico.com/products/yubikey-5-overview/) to generate and store the service account's private RSA key. Private keys generated by the YubiKey cannot be exported even to the computer running GAM7. When compared to the plain text oauth2service.json file with the private key stored in text, the YubiKey offers a more secure option that prevents digital theft and copying of the private key. Instead of reading the private key from the oauth2service.json file and signing requests itself, GAM7 will simply send signing requests to the YubiKey and get back the signature.
+
+GAM7 version 6.50.01 or higher is required. Best practice is to always use the [latest version of GAM7](https://github.com/taers232c/GAMADV-XTD3/wiki/How-to-Update-Advanced-GAM).
+
+## FAQs
+### Can I use a Google Titan or other brand security key?
+No, while Titan keys are great as security keys / U2F / 2SV, that is not the protocol being used by GAM7 here. GAM7 uses the PIV app of YubiKeys to work with service accounts. You need to use [a genuine Yubikey.](https://yubico.com/genuine/).
+
+### Does this protect the admin credentials GAM7 stores in oauth2.txt?
+No, the admin credentials GAM7 stores in oauth2.txt are not protected by the YubiKey as they are not using RSA private keys. Only the service account credentials normally stored in oauth2service.json are protected. The service account credentials are used for domain-wide delegation operations like managing Workspace user data in Drive, Gmail and Calendar. Note that GAM7 also has the ability to perform admin actions as a delegated admin service account (DASA). See [instructions for setting up DASA](https://github.com/taers232c/GAMADV-XTD3/wiki/Using-GAMADV-XTD3-with-a-delegated-admin-service-account.md). When DASA is setup, GAM7 will use the service account to authenticate which can be protected by the YubiKey.
+
+### What if someone physically steals the YubiKey?
+The YubiKey can be configured with a PIN that must be entered in order for it to sign data with the private key. GAM7 stores this PIN string in the oauth2service.json file so it can use it as needed. What this means is that an attacker would need to steal *both* the physical YubiKey and the PIN stored in oauth2service.json. The recommendation is to store oauth2service.json and the rest of the GAM directory on an encrypted partition. The YubiKey itself should also be kept in a secure location.
+
+### Can I require a physical touch of the YubiKey before the private key can be used?
+Yes but in practice this does not work very well with GAM7. The YubiKey will need to be touched every time there is a GAM7 command running which for batch or cron jobs may be constant. GAM7 can use a PIN configured on the YubiKey in order to offer an additional layer of protection.
+
+### If I use a YubiKey, do I need to rotate the private key regularly?
+No, because the YubiKey generated the private key it cannot be digitally exported from the YubiKey so there is no chance for it to be copied and stolen. Instead you should physically secure the YubiKey from theft.
+
+### What data does the service account private key have access to?
+When using domain-wide delegation with GAM7, the service account and anyone possessing the service account private key oauth2service.json file has access to the Gmail, Drive and Calendar data of ALL Workspace users in your domain. For this reason, whether using a YubiKey or not, you should take strong measures to protect the service account private key.
+
+## Setup Steps
+1. Upgrade to at least GAM7 6.50.01.
+2. **If you are using a new YubiKey or don't care about the PIV app data on the YubiKey**
+    1. Tell GAM7 to reset and configure the PIV app data on the YubiKey. This wipes all existing keys and configuration and then configures a private key and PIN for GAM7.
+      * Single YubiKey - `gam yubikey reset_piv`
+      * Multiple YubiKeys - `gam yubikey reset_piv yubikeyserialnumber <Number>`
+    2. During the PIV reset, GAM7 will print out a PIN for the private key, record this key.
+4. **If you are already using the YubiKey and wish to preserve the PIV app data and keys**
+    1. You need to configure one of the PIV slots for a private key GAM7 can use.
+      * [ykman piv keys generate](https://docs.yubico.com/software/yubikey/tools/ykman/PIV_Commands.html#ykman-piv-keys-options-command-args)
+        `ykman piv keys generate -P <Text> --pin-policy ALWAYS --touch-policy NEVER --algorithm RSA2048 9a new_pubkey.txt`
+      * Use `9a` for the `AUTHENTICATION` slot, `9c` for the `SIGNATURE` slot
+    2. You need to generate a certificate for that slot.
+      * [ykman piv certificates generate](https://docs.yubico.com/software/yubikey/tools/ykman/PIV_Commands.html#ykman-piv-certificates-generate-options-slot-public-key)
+        `ykman piv certificates generate -P <Text> --subject "GAM Service Account" -d 36500 9a new_pubkey.txt`
+      * Use `9a` for the `AUTHENTICATION` slot, `9c` for the `SIGNATURE` slot
+
+5. Now that you have a private key on your YubiKey, tell GAM7 to use that instead of the private_key stored in oauth2service.json. We can do that by rotating the key:
+```
+copy oauth2service.json to oauth2service.save
+gam create sakey yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE
+```
+The yubikey argument tells GAM7 to use a private key on a plugged in YubiKey. The yubikey_pin argument tells GAM7 to prompt you to input the PIN that was set in the previous step. The yubikey_slot argument tells GAM7 which PIV slot to use on the YubiKey.
+
+If there are problems, you can go back to the original oauth2service.json.
+```
+copy oauth2service.json to oauth2service.yk
+copy oauth2service.save to oauth2service.json
+```
+
+6. Now you should be able to run GAM7 commands like:
+```
+gam user admin@example.com check serviceaccount
+```
+and see the YubiKey lights flash as the YubiKey interacts with GAM7 to sign the GAM7 authentication requests. If you look at the oauth2service.json file, you'll see it contains some new fields like yubikey_serial and yubikey_pin but no longer contains the private_key field where GAM7 would normally store the private key data.
+
+7. As a last step, since YubiKey-stored private keys do not need to be and should not be rotated, you can remove the service account's permissions to change it's own key. Navigate to the [Cloud Console](https://console.cloud.google.com/iam-admin/serviceaccounts) select the correct project and service account and on the Permissions tab, edit and remove the "Service Account Key Admin" permission that the service account has to itself.

docs/Using-GAM7-with-a-delegated-admin-service-account.md

@@ -0,0 +1,61 @@
+# Using GAM7 with a delegated admin service account
+- [Thanks](#thanks)
+- [Introduction](#introduction)
+- [Advantages](#advantages)
+- [Disadvantages](#disadvantages)
+- [Setup Steps](#setup-steps)
+
+## Thanks
+
+Thanks to Jay Lee for the original version of this document.
+
+## Introduction
+Delegated admin service accounts (DASA) are regular [GCP service accounts](https://cloud.google.com/iam/docs/service-accounts#what_are_service_accounts) that are granted a Workspace [delegated admin role](https://support.google.com/a/answer/33325). Service accounts have an email address like `gam-project-xuw-sp1-c4b@gam-project-xuw-sp1-c4b.iam.gserviceaccount.com` and are not part of a Workspace or Cloud Identity domain even if they are owned by a project in the domain’s organization. Service accounts cannot login to Google web services interactively, they are only able to call Google APIs.
+
+GAM7 version 6.50.00 or higher is required.
+
+## Advantages
+* DASA accounts don’t require a Workspace or Cloud Identity license.
+* DASA accounts don’t have a password login that can be phished or captured, they use [RSA private keys](https://en.wikipedia.org/wiki/RSA_(cryptosystem)) to sign authentication requests which makes them very secure. You should however [rotate the key](https://jaylee.us/qwm) on a regular basis and keep it safe and secured!
+* When a DASA account makes admin changes, the Admin audit log properly shows that the DASA account made the change. This is not the case when using domain-wide delegation.
+* DASA accounts are granted [Google admin roles and permissions](https://support.google.com/a/answer/1219251) so that they are only able to perform the actions they are given permissions to perform. This is a simpler model than using both API scopes and admin roles to determine if GAM7 can perform an action.
+* When using a DASA account, GAM7 does not need to worry about OAuth, scopes, token refresh, consent screens, etc. DASA accounts can [simply generate a JWT token signed by their private key](https://developers.google.com/identity/protocols/oauth2/service-account#jwt-auth) and use the JWT as the authorization header on Google API calls. This method is both faster and less complex than regular OAuth.
+
+## Disadvantages
+* DASA accounts can only be delegated admins. [If a task requires super admin rights to perform](https://support.google.com/a/answer/2405986#:~:text=Only%20super%20administrators%20can...), DASA accounts won’t be able to do it.
+Not all Google Admin APIs work with DASA right now. For example, Google Vault API calls will fail with a DASA account.
+* DASA is a delegated admin and can make Workspace / Cloud Identity admin API calls, it does not replace domain-wide delegation (DwD) when using GAM7 commands that interact with Gmail, Drive and Calendar user data.
+* GAM7 support for DASA is still experimental and some things may fail. Please report your findings to the [GAM group](https://groups.google.com/g/google-apps-manager).
+
+## Setup Steps
+1. Upgrade to at least GAM7 6.50.00. Best practice is to always use the [latest version of GAM7](https://github.com/taers232c/GAMADV-XTD3/wiki/How-to-Update-Advanced-GAM).
+
+2. Follow the steps in `gam create project` up to the point where you are presented with a URL to the Cloud console to create a Client ID and secret. You don’t need to enter anything those, just press CTRL+C to quit the project creation.
+
+3. GAM will have created a Google Cloud project for you and a service account. The service account is stored in oauth2service.json. If you look at the contents of this file you’ll see a couple important things:
+   * client_email is the email address of your service account. Copy this address, we’ll use it to grant the service account delegated admin rights in your Workspace domain thus making it a DASA.
+   * private_key is the cryptographic key which is used to sign authorization requests. Google has a copy of the public key and uses it to validate that the API call is being made by the DASA account. Keep oauth2service.json safe and private! It’s the only file needed to use the DASA account!
+
+4. Now grant the service account delegated permissions. Head to [admin.google.com](https://admin.google.com/) > Account > Admin roles. If you don’t already have a delegated admin role created with the permissions you want the DASA account to have you can [use a system role or create your own](https://support.google.com/a/answer/33325).
+
+**Pro tip** GAM now has the ability to create an admin role that has all delegate permissions (Super delegate which is not the same as a super admin) as well as an admin role that has all permissions that can be scoped to an OrgUnit (Super OU delegate). With a regular GAM setup, try running:
+```
+gam create adminrole "Super Delegate" privileges all
+```
+or to create an admin role with all privileges that can be scoped to an OrgUnit:
+```
+gam create adminrole "Super OU Delegate" privileges all_ou
+```
+
+5. Now assign your service account the delegated admin role. You’ll need the service account email address from  step 3. With the role opened in the admin console, click "Assign service accounts" and enter the email address.
+
+6. Still in the admin console, head to Account > Account settings > Profile and record the Customer ID value. You’ll need this in the next steps.
+
+7. Now we need to tell GAM which Workspace / Cloud Identity domain to use. Remember, the DASA account in oauth2service.json is not a member of your domain. We can tell GAM7 which domain to use with gam.cfg variables:
+The following variables in `gam.cfg` must be set when `enable_dasa` is True: `admin_email`, `customer_id` and `domain`,
+`customer_id` may not be set to `my_customer`.
+
+
+```
+gam config enable_dasa true admin_email admin@domain.com customer_id <Customer ID from step 6> domain domain.com save
+```

docs/Using-GAMADV-XTD3-with-a-YubiKey.md

@@ -28,7 +28,7 @@ The YubiKey can be configured with a PIN that must be entered in order for it to
 Yes but in practice this does not work very well with GAMADV-XTD3. The YubiKey will need to be touched every time there is a GAMADV-XTD3 command running which for batch or cron jobs may be constant. GAMADV-XTD3 can use a PIN configured on the YubiKey in order to offer an additional layer of protection.
 
 ### If I use a YubiKey, do I need to rotate the private key regularly?
-No, because the YubiKey generated the private key it cannot be digitally exported from the YubiKey so there is not chance for it to be copied and stolen. Instead you should physically secure the YubiKey from theft.
+No, because the YubiKey generated the private key it cannot be digitally exported from the YubiKey so there is no chance for it to be copied and stolen. Instead you should physically secure the YubiKey from theft.
 
 ### What data does the service account private key have access to?
 When using domain-wide delegation with GAMADV-XTD3, the service account and anyone possessing the service account private key oauth2service.json file has access to the Gmail, Drive and Calendar data of ALL Workspace users in your domain. For this reason, whether using a YubiKey or not, you should take strong measures to protect the service account private key.

docs/Vault-Takeout.md

@@ -546,7 +546,7 @@ The `shownames` argument controls whether account and org unit names are display
 ## Vault Holds
 ## Create Vault Holds
 ```
-gam create vaulthold|hold matter <MatterItem> [name <String>] corpus drive|mail|groups|hangouts_chat
+gam create vaulthold|hold matter <MatterItem> [name <String>] corpus calendar|drive|mail|groups|hangouts_chat|voice
         [(accounts|groups|users <EmailItemList>) | (orgunit|org|ou <OrgUnit>)]
         [query <QueryVaultCorpus>]
         [terms <String>] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
@@ -560,10 +560,12 @@ Specify the name of the hold:
 * `default` - The hold will be named `GAM <corpus> Hold - <Time>`
 
 Specify the corpus of data, this option is required:
+* `calendar`
 * `drive`
 * `mail`
 * `groups`
 * `hangouts_chat`
+* `voice`
 
 Specify the search method, this option is required:
 * `accounts|groups|users <EmailAddressEntity>` - Search all accounts specified in `<EmailAddressEntity>`
@@ -657,7 +659,11 @@ By default, Gam displays the information as an indented list of keys and values.
 gam print vaultholds|holds [todrive <ToDriveAttributes>*] [matters <MatterItemList>]
         [fields <VaultHoldFieldNameList>] [shownames]
         [formatjson [quotechar <Character>]]
+        [oneitemperrow]
 ```
+By default, all accounts for a hold are displayed on a single row;
+use `oneitemperrow` to have each account displayed on a separate row.
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.
 

docs/Version-and-Help.md

@@ -3,11 +3,11 @@
 Print the current version of Gam with details
 ```
 gam version
-GAMADV-XTD3 6.71.06 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
-Ross Scroggs <ross.scroggs@gmail.com>
-Python 3.12.2 64-bit final
-MacOS Sonoma 14.2.1 x86_64
-Path: /Users/Admin/bin/gamadv-xtd3
+GAM 7.00.13 - https://github.com/GAM-team/GAM - pyinstaller
+GAM Team <google-apps-manager@googlegroups.com>
+Python 3.12.7 64-bit final
+MacOS Sonoma 14.5 x86_64
+Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 Time: 2023-06-02T21:10:00-07:00
 ```
@@ -15,11 +15,11 @@ Time: 2023-06-02T21:10:00-07:00
 Print the current version of Gam with details and time offset information
 ```
 gam version timeoffset
-GAMADV-XTD3 6.71.06 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
-Ross Scroggs <ross.scroggs@gmail.com>
-Python 3.12.2 64-bit final
-MacOS Sonoma 14.2.1 x86_64
-Path: /Users/Admin/bin/gamadv-xtd3
+GAM 7.00.13 - https://github.com/GAM-team/GAM - pyinstaller
+GAM Team <google-apps-manager@googlegroups.com>
+Python 3.12.7 64-bit final
+MacOS Sonoma 14.5 x86_64
+Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 Your system time differs from www.googleapis.com by less than 1 second
 ```
@@ -27,17 +27,17 @@ Your system time differs from www.googleapis.com by less than 1 second
 Print the current version of Gam with extended details and SSL information
 ```
 gam version extended
-GAMADV-XTD3 6.71.06 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
-Ross Scroggs <ross.scroggs@gmail.com>
-Python 3.12.2 64-bit final
-MacOS Sonoma 14.2.1 x86_64
-Path: /Users/Admin/bin/gamadv-xtd3
+GAM 7.00.13 - https://github.com/GAM-team/GAM - pyinstaller
+GAM Team <google-apps-manager@googlegroups.com>
+Python 3.12.7 64-bit final
+MacOS Sonoma 14.5 x86_64
+Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 Time: 2023-06-02T21:10:00-07:00
 Your system time differs from admin.googleapis.com by less than 1 second
 OpenSSL 3.1.1 30 May 2023
 cryptography 41.0.1
-filelock 3.12.2
+filelock 3.12.7
 google-api-python-client 2.88.0
 google-auth-httplib2 0.1.0
 google-auth-oauthlib 1.0.0
@@ -55,7 +55,7 @@ Print the current and latest versions of Gam and:
 ```
 gam version checkrc
 GAM 5.35.08 - https://github.com/taers232c/GAMADV-XTD3
-Ross Scroggs <ross.scroggs@gmail.com>
+GAM Team <google-apps-manager@googlegroups.com>
 Python 3.8.1 64-bit final
 google-api-python-client 2.77.0
 httplib2 0.16.0
@@ -64,7 +64,7 @@ MacOS High Sierra 10.13.6 x86_64
 Path: /Users/Admin/bin/gamadv-xtd3
 Version Check:
   Current: 5.35.08
-   Latest: 6.71.06
+   Latest: 7.00.12
 echo $?
 1
 ```
@@ -72,7 +72,7 @@ echo $?
 Print the current version number without details
 ```
 gam version simple
-6.71.06
+7.00.13
 ```
 In Linux/MacOS you can do:
 ```
@@ -82,11 +82,11 @@ echo $VER
 Print the current version of Gam and address of this Wiki
 ```
 gam help
-GAM 6.71.06 - https://github.com/taers232c/GAMADV-XTD3
-Ross Scroggs <ross.scroggs@gmail.com>
-Python 3.12.2 64-bit final
-MacOS Sonoma 14.2.1 x86_64
-Path: /Users/Admin/bin/gamadv-xtd3
+GAM 7.00.13 - https://github.com/GAM-team/GAM
+GAM Team <google-apps-manager@googlegroups.com>
+Python 3.12.7 64-bit final
+MacOS Sonoma 14.5 x86_64
+Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 Time: 2023-06-02T21:10:00-07:00
 Help: Syntax in file /Users/Admin/bin/gamadv-xtd3/GamCommands.txt