Start testing a new GAM install script

7.00.13
Update gam-install.sh
2026-06-22 23:21:37 +00:00 · 2024-10-03 16:56:47 +00:00 · 2024-10-03 09:29:35 +00:00 · 2024-10-02 18:16:24 -07:00 · 2024-10-02 18:09:19 -07:00 · 2024-10-02 15:37:18 -07:00
95 changed files with 7788 additions and 11010 deletions
--- a/.github/actions/entitlements.plist
+++ b/.github/actions/entitlements.plist
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+        <!-- These are required for binaries built by PyInstaller -->
+        <key>com.apple.security.cs.allow-jit</key>
+        <true/>
+        <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+        <true/>
+        <key>com.apple.security.cs.disable-library-validation</key>
+        <true/>
+</dict>
+</plist>
--- a/.github/actions/package_exclusions.txt
+++ b/.github/actions/package_exclusions.txt
@@ -2,6 +2,5 @@ oauth2.txt
 nobrowser.txt
 enabledasa.txt
 lastupdatecheck.txt
-*.json
 *.lck
 *.csv
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -31,7 +31,7 @@ jobs:
      fail-fast: false
      matrix:
        include:
-          - os: ubuntu-20.04
+          - os: ubuntu-22.04
            jid: 1
            goal: build
            arch: x86_64
@@ -41,7 +41,7 @@ jobs:
            goal: build
            arch: aarch64
            openssl_archs: linux-aarch64
-          - os: ubuntu-20.04
+          - os: ubuntu-22.04
            jid: 3
            goal: build
            arch: x86_64
@@ -53,7 +53,7 @@ jobs:
            arch: aarch64
            openssl_archs: linux-aarch64
            staticx: yes
-          - os: macos-12
+          - os: macos-13
            jid: 5
            goal: build
            arch: x86_64
@@ -63,35 +63,30 @@ jobs:
            goal: build
            arch: aarch64
            openssl_archs: darwin64-arm64
-          - os: macos-14
-            jid: 7
-            goal: build
-            arch: universal2
-            openssl_archs: darwin64-arm64 darwin64-x86_64
          - os: windows-2022
-            jid: 8
+            jid: 7
            goal: build
            arch: Win64
            openssl_archs: VC-WIN64A
-          - os: ubuntu-22.04
+          - os: ubuntu-24.04
            goal: test
-            python: "3.8"
-            jid: 9
+            python: "3.13"
+            jid: 8
            arch: x86_64
-          - os: ubuntu-22.04
+          - os: ubuntu-24.04
            goal: test
            python: "3.9"
-            jid: 10
+            jid: 9
            arch: x86_64
-          - os: ubuntu-22.04
+          - os: ubuntu-24.04
            goal: test
            python: "3.10"
-            jid: 11
+            jid: 10
            arch: x86_64
-          - os: ubuntu-22.04
+          - os: ubuntu-24.04
            goal: test
            python: "3.11"
-            jid: 12
+            jid: 11
            arch: x86_64

    steps:
@@ -115,7 +110,7 @@ jobs:
        with:
          path: |
            cache.tar.xz
-          key: gam-${{ matrix.jid }}-20240620
+          key: gam-${{ matrix.jid }}-20241002

      - name: Untar Cache archive
        if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit == 'true'
@@ -201,6 +196,14 @@ jobs:
          #brew install swig
          #brew install ncurses

+      - name: MacOS import developer certificates for signing
+        if: runner.os == 'macOS'
+        uses: apple-actions/import-codesign-certs@v3
+        with:
+          keychain: signing_temp
+          p12-file-base64: ${{ secrets.CERTIFICATES_P12 }}
+          p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }}
+
      - name: Windows Configure VCode
        uses: ilammy/msvc-dev-cmd@v1
        if: runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
@@ -293,7 +296,8 @@ jobs:
      - name: Rename GNU link on Windows
        if: matrix.goal == 'build' && runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
        shell: bash
-        run: mv /usr/bin/link /usr/bin/gnulink
+        run: |
+          mv -v /usr/bin/link /usr/bin/gnulink

      - name: Make OpenSSL
        if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit != 'true'
@@ -311,7 +315,7 @@ jobs:
              cd "${GITHUB_WORKSPACE}/src/openssl-${openssl_arch}"
              # install_sw saves us ages processing man pages :-)
              $MAKE install_sw
-              mv "${OPENSSL_INSTALL_PATH}" "${GITHUB_WORKSPACE}/bin/ssl-${openssl_arch}"
+              mv -v "${OPENSSL_INSTALL_PATH}" "${GITHUB_WORKSPACE}/bin/ssl-${openssl_arch}"
            done
            mkdir -vp "${OPENSSL_INSTALL_PATH}/lib"
            mkdir -vp "${OPENSSL_INSTALL_PATH}/bin"
@@ -331,7 +335,9 @@ jobs:
            # install_sw saves us ages processing man pages :-)
            $MAKE install_sw
          fi
-          echo "LDFLAGS=-L${OPENSSL_INSTALL_PATH}/lib" >> $GITHUB_ENV
+          if [[ "${RUNNER_OS}" != "Windows" ]]; then
+            echo "LDFLAGS=-L${OPENSSL_INSTALL_PATH}/lib" >> $GITHUB_ENV
+          fi
          echo "CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS=1" >> $GITHUB_ENV
          case $arch in
            universal2)
@@ -351,8 +357,7 @@ jobs:
      - name: Run OpenSSL
        if: matrix.goal == 'build'
        run: |
-          "${OPENSSL_INSTALL_PATH}/bin/openssl" version
-          "${OPENSSL_INSTALL_PATH}/bin/openssl" version -f
+          "${OPENSSL_INSTALL_PATH}/bin/openssl" version -a
          file "${OPENSSL_INSTALL_PATH}/bin/openssl"

      - name: Get latest stable Python source
@@ -361,12 +366,7 @@ jobs:
          cd "${GITHUB_WORKSPACE}/src"
          git clone https://github.com/python/cpython.git
          cd "${PYTHON_SOURCE_PATH}"
-          # Pin Windows to 3.11.6 for the moment
-          # if [[ "${RUNNER_OS}" == "Windows" ]]; then
-          #   export LATEST_STABLE_TAG="v3.11.6"
-          # else
          export LATEST_STABLE_TAG=$(git tag --list | grep -v a | grep -v rc | grep -v b | sort -Vr | head -n1)
-          # fi
          git checkout "${LATEST_STABLE_TAG}"
          export COMPILED_PYTHON_VERSION=${LATEST_STABLE_TAG:1} # Trim the "v" prefix
          echo "COMPILED_PYTHON_VERSION=${COMPILED_PYTHON_VERSION}" >> $GITHUB_ENV
@@ -453,6 +453,7 @@ jobs:
      - name: Run Python
        run: |
          "${PYTHON}" -V
+          "${PYTHON}" -c "import ssl; print(f'Using {ssl.OPENSSL_VERSION}')"

      - name: Upgrade pip, wheel, etc
        run: |
@@ -504,16 +505,8 @@ jobs:
          git clone https://github.com/pyinstaller/pyinstaller.git
          cd pyinstaller
          export latest_release=$(git tag --list | grep -v dev | grep -v rc | sort -Vr | head -n1)
-          #V6.0.0 causes errors on staticx
-          #if [[ "${staticx}" == "yes" ]]; then
-          #  git checkout "v5.13.2"
-          #elif [[ "${RUNNER_OS}" == "Windows" ]]; then
-          #  git checkout "v5.13.2"
-          #elif [[ "${RUNNER_OS}" == "macOS" ]]; then
-          #  git checkout "v5.13.2"
-          #else
-          git checkout "${latest_release}"
-          #fi
+          # git checkout "${latest_release}"
+          git checkout "v6.9.0"
          # remove pre-compiled bootloaders so we fail if bootloader compile fails
          rm -rvf PyInstaller/bootloader/*-*/*
          cd bootloader
@@ -532,54 +525,60 @@ jobs:
      - name: Build GAM with PyInstaller
        if: matrix.goal != 'test'
        run: |
-          if [[ "${staticx}" == "yes" ]]; then
-            export distpath="./dist/gam"
-            export gampath="${distpath}"
-          else
-            export distpath="./dist"
-            export gampath="${distpath}/gam"
-          fi
-          mkdir -p -v "${gampath}"
+          export distpath="./dist/gam"
+          mkdir -p -v "${distpath}"
          if [[ "${RUNNER_OS}" == "macOS" ]]; then
-            export gampath=$($PYTHON -c "import os; print(os.path.realpath('$gampath'))")
+            # Tell our gam.spec to use our code sign certificate
+            export codesign_identity="Jay Lee"
+            # brew OpenSSL gets picked up by PyInstaller
+            # breaking our self-compiled version
+            brew uninstall --ignore-dependencies openssl
          elif [[ "${RUNNER_OS}" == "Windows" ]]; then
            # Work around issue where PyInstaller picks up python3.dll from other Python versions
            # https://github.com/pyinstaller/pyinstaller/issues/7102
            export PATH="$(dirname ${PYTHON}):/usr/bin"
-          else
-            export gampath=$(realpath "${gampath}")
          fi
-          export gam="${gampath}/gam"
-          echo "gampath=${gampath}" >> $GITHUB_ENV
-          # TEMP force everything back to one file.
-          export PYINSTALLER_BUILD_ONEFILE="yes"
-          export distpath="./dist/gam"
-          export gampath="${distpath}"
+          #if ([ "${staticx}" != "yes" ] && [ "$RUNNER_OS" != "Windows" ]); then
+          if [[ "$staticx" != "yes" ]]; then
+            export PYINSTALLER_BUILD_ONEDIR=yes
+          fi
          "${PYTHON}" -m PyInstaller --clean --noconfirm --distpath="${distpath}" gam.spec
+          if [[ "$PYINSTALLER_BUILD_ONEDIR" == "yes" ]]; then
+            mv -v "${distpath}/gam" "${distpath}/gam7"
+            export gampath="${distpath}/gam7"
+          else
+            mv -v "$distpath" "${distpath}7"
+            export gampath="${distpath}7"
+          fi
+          export gampath=$(realpath "$gampath")
+          echo "gampath ${gampath} results:"
+          ls -alRF "$gampath"
+          echo "---- WARNINGS FROM build/gam/warn-gam.txt"
          cat build/gam/warn-gam.txt
-          if [ -x "$(command -v realpath)" ]; then
-               realpath=realpath
-             else
-               brew install coreutils
-               realpath=grealpath
-             fi
-          export gam=$(realpath "$gam")
+          echo "---- Analysis FROM build/gam/Analysis-00.toc"
+          cat build/gam/Analysis-00.toc
+          echo "---- EXE data FROM build/gam/EXE-00.toc"
+          cat build/gam/EXE-00.toc
+          export gam="${gampath}/gam"
          if [[ "${RUNNER_OS}" == "Windows" ]]; then
            export gam=$(cygpath -w "$gam")
            echo "GAM on Windows at ${gam}"
+          else
+            export gam=$(realpath "$gam")
          fi
+          echo "gampath=${gampath}" >> $GITHUB_ENV
          echo "gam=${gam}" >> $GITHUB_ENV
          echo -e "GAM: ${gam}\nGAMPATH: ${gampath}"

      - name: Copy extra package files
        if: matrix.goal == 'build'
        run: |
-          cp -v cacerts.pem $gampath
-          cp -v LICENSE $gampath
-          cp -v GamCommands.txt $gampath
-          cp -v GamUpdate.txt $gampath
+          cp -v cacerts.pem "$gampath"
+          cp -v LICENSE "$gampath"
+          cp -v GamCommands.txt "$gampath"
+          cp -v GamUpdate.txt "$gampath"
          if [[ "${RUNNER_OS}" == "Windows" ]]; then
-              cp -v gam-setup.bat $gampath
+              cp -v gam-setup.bat "$gampath"
          fi

      - name: Install StaticX
@@ -600,9 +599,21 @@ jobs:
              ;;
          esac
          echo "ldlib=${ldlib}"
-          $PYTHON -m staticx -l "${ldlib}" "${gam}" "${gam}-staticx"
-          rm -v "${gam}"
-          mv -v "${gam}-staticx" "${gam}"
+          $PYTHON -m staticx -l "${ldlib}" "$gam" "${gam}-staticx"
+          rm -v "$gam"
+          mv -v "${gam}-staticx" "$gam"
+
+      - name: MacOS send GAM binary for Apple notarization
+        if: runner.os == 'macOS'
+        env:
+          ASP_NOTARIZE: ${{ secrets.ASP_NOTARIZE }}
+        run: |
+          # Apple wants some kind of "package" submitted so just add gam to a .zip
+          # name it something we can track and link in Apple's notarize process
+          zipfilename="./gam-${RUNNER_ARCH}-${GITHUB_RUN_ID}-${GITHUB_RUN_NUMBER}.zip"
+          zip -r "$zipfilename" "$gampath"
+          xcrun notarytool submit --apple-id "jay0lee@gmail.com" --password "$ASP_NOTARIZE" --team-id GZ85H2DRLM "$zipfilename"
+          rm -v "$zipfilename"

      - name: Basic Tests all jobs
        id: basictests
@@ -613,7 +624,45 @@ jobs:
          echo "GAM Version ${GAMVERSION}"
          echo "GAMVERSION=${GAMVERSION}" >> $GITHUB_ENV

-      - name: Attest Binary Provenance
+      - name: Configure service account auth
+        id: configserviceaccount
+        env:
+          PASSCODE: ${{ secrets.PASSCODE }}
+        run: |
+          source ../.github/actions/decrypt.sh ../.github/actions/creds.tar.xz.gpg creds.tar.xz "${GAMCFGDIR}"
+          mv -v "${GAMCFGDIR}/oauth2.txt-gam-gha-${JID}" "${GAMCFGDIR}/oauth2.txt"
+          rm -v $GAMCFGDIR/oauth2.txt-gam*
+          $gam create signjwtserviceaccount
+
+      - name: Upload gam.exe Windows for signing
+        if: runner.os == 'Windows' && matrix.goal != 'test'
+        run: |
+          export folder_number=$(date +%s)
+          export folder_id=$($gam user gam-win-signer@pdl.jaylee.us add drivefile drivefilename "UPLOADING_FOR_SIGN ${folder_number}" parentid "1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp" mimetype gfolder returnidonly)
+          $gam user gam-win-signer@pdl.jaylee.us add drivefile localfile "$gam" parentid "$folder_id"
+          $gam user gam-win-signer@pdl.jaylee.us update drivefile "$folder_id" newfilename "READYTOSIGN ${folder_number}"
+          export signed_folder="SIGNED ${folder_number}"
+          zero_results="gam-win-signer@pdl.jaylee.us,0"
+          while true; do
+            result_counts=$($gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" countsonly)
+            echo "$result_counts"
+            if [[ ! "$result_counts" =~ "$zero_results" ]]; then
+              echo "looks like we have results"
+              break
+            fi
+            echo "no results, sleeping 10..."
+            sleep 10
+          done
+          # download signed gam.exe
+          $gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us print filelist query "'~~id~~' in parents and name = 'gam.exe'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us get drivefile ~id targetfolder "$gampath" targetname "signed-gam.exe" overwrite true acknowledgeabuse true
+          # delete signed folder on drive
+          $gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us trash drivefile "~id"
+          # remove unsigned gam.exe and rename signed-gam.exe
+          rm -v -f "${gampath}/gam.exe"
+          mv -v -f "${gampath}/signed-gam.exe" "${gampath}/gam.exe"
+          #"/c/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/signtool.exe" verify /v /pa "$gam"
+
+      - name: Attest gam executable was generated from this Action
        uses: actions/attest-build-provenance@v1
        if: matrix.goal == 'build'
        with:
@@ -623,28 +672,84 @@ jobs:
        if: runner.os != 'Windows' && matrix.goal == 'build'
        run: |
          if [[ "${RUNNER_OS}" == "macOS" ]]; then
-            GAM_ARCHIVE="gam-${GAMVERSION}-macos-${arch}.tar.xz"
+              GAM_ARCHIVE="${GITHUB_WORKSPACE}/gam-${GAMVERSION}-macos-${arch}.tar.xz"
          elif [[ "${RUNNER_OS}" == "Linux" ]]; then
            if [[ "${staticx}" == "yes" ]]; then
              libver="legacy"
            else
              libver="glibc$(ldd --version | awk '/ldd/{print $NF}')"
            fi
-            GAM_ARCHIVE="gam-${GAMVERSION}-linux-$(arch)-${libver}.tar.xz"
+            GAM_ARCHIVE="${GITHUB_WORKSPACE}/gam-${GAMVERSION}-linux-$(arch)-${libver}.tar.xz"
          fi
          echo "GAM Archive ${GAM_ARCHIVE}"
-          tar -C dist/ --create --verbose --exclude-from "${GITHUB_WORKSPACE}/.github/actions/package_exclusions.txt" --file $GAM_ARCHIVE --xz gam
+          tar -C "${gampath}/.." --create --verbose --exclude-from "${GITHUB_WORKSPACE}/.github/actions/package_exclusions.txt" --file $GAM_ARCHIVE --xz gam7

      - name: Windows package
        if: runner.os == 'Windows' && matrix.goal != 'test'
        run: |
-          cd dist/
-          GAM_ARCHIVE="../gam-${GAMVERSION}-windows-${GAM_ARCHIVE_ARCH}.zip"
-          /c/Program\ Files/7-Zip/7z.exe a -tzip $GAM_ARCHIVE gam "-xr@${GITHUB_WORKSPACE}/.github/actions/package_exclusions.txt" -bb3
-          cd ..
-          /c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.14/bin/candle.exe -arch "${WIX_ARCH}" gam.wxs
-          /c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.14/bin/light.exe -ext /c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.14/bin/WixUIExtension.dll gam.wixobj -o "gam-${GAMVERSION}-windows-${GAM_ARCHIVE_ARCH}.msi" || true;
+          echo "started in $(pwd)"
+          cd "${gampath}/.."
+          echo "moved to $(pwd)"
+          GAM_ARCHIVE="${GITHUB_WORKSPACE}/gam-${GAMVERSION}-windows-${GAM_ARCHIVE_ARCH}.zip"
+          /c/Program\ Files/7-Zip/7z.exe a -tzip "$GAM_ARCHIVE" gam7 "-xr@${GITHUB_WORKSPACE}/.github/actions/package_exclusions.txt" -bb3
+          cd ../..
+          echo "moved to $(pwd)"
+          export MSI_FILENAME="${GITHUB_WORKSPACE}/gam-${GAMVERSION}-windows-${GAM_ARCHIVE_ARCH}.msi"
+          # auto-generate a lib.wxs based on the files PyInstaller created for the lib/ directory
+          /c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.14/bin/heat.exe dir "${gampath}/lib" -ke -srd -cg Lib -gg -dr lib -directoryid lib -out lib.wxs
+          echo "-- begin lib.wxs --"
+          cat lib.wxs
+          echo "-- end lib.wxs --"
+          /c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.14/bin/candle.exe -arch "${WIX_ARCH}" gam.wxs lib.wxs
+          /c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.14/bin/light.exe -ext /c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.14/bin/WixUIExtension.dll gam.wixobj lib.wixobj -b "${gampath}/lib" -o "$MSI_FILENAME" || true;
          rm -v -f *.wixpdb
+          rm -v -f *.wixobj
+          echo "MSI_FILENAME=${MSI_FILENAME}" >> $GITHUB_ENV
+
+      - name: Upload gam MSI Windows for signing
+        if: runner.os == 'Windows' && matrix.goal != 'test'
+        run: |
+          export folder_number=$(date +%s)
+          export folder_id=$($gam user gam-win-signer@pdl.jaylee.us add drivefile drivefilename "UPLOADING_FOR_SIGN ${folder_number}" parentid "1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp" mimetype gfolder returnidonly)
+          $gam user gam-win-signer@pdl.jaylee.us add drivefile localfile "$MSI_FILENAME" parentid "$folder_id"
+          rm -f -v "$MSI_FILENAME"
+          $gam user gam-win-signer@pdl.jaylee.us update drivefile "$folder_id" newfilename "READYTOSIGN ${folder_number}"
+          export signed_folder="SIGNED ${folder_number}"
+          zero_results="gam-win-signer@pdl.jaylee.us,0"
+          while true; do
+            result_counts=$($gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" countsonly)
+            echo "$result_counts"
+            if [[ ! "$result_counts" =~ "$zero_results" ]]; then
+              echo "looks like we have results"
+              break
+            fi
+            echo "no results, sleeping 10..."
+            sleep 10
+          done
+          # download signed package
+          $gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us print filelist query "'~~id~~' in parents and name contains '.msi'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us get drivefile ~id targetfolder "$GITHUB_WORKSPACE" targetname "$MSI_FILENAME" overwrite true acknowledgeabuse true
+          # delete signed folder on drive
+          $gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us trash drivefile "~id"
+          #"/c/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/signtool.exe" verify /v /pa "$MSI_FILENAME"
+
+      - name: Attest that gam package files were generated from this Action
+        uses: actions/attest-build-provenance@v1
+        if: (github.event_name == 'push' || github.event_name == 'schedule') && matrix.goal == 'build'
+        with:
+          subject-path: |
+            gam*.tar.xz
+            gam*.zip
+            gam*.msi
+
+      - name: Archive production artifacts
+        uses: actions/upload-artifact@v4
+        if: (github.event_name == 'push' || github.event_name == 'schedule') && matrix.goal != 'test'
+        with:
+          name: gam-binaries-${{ env.GAMOS }}-${{ env.arch }}-${{ matrix.jid }}
+          path: |
+            gam*.tar.xz
+            gam*.zip
+            gam*.msi

      - name: Basic Tests build jobs only
        if: matrix.goal != 'test' && steps.cache-python-ssl.outputs.cache-hit != 'true'
@@ -668,12 +773,7 @@ jobs:

      - name: Live API tests push only
        if: (github.event_name == 'push' || github.event_name == 'schedule')
-        env:
-          PASSCODE: ${{ secrets.PASSCODE }}
        run: |
-          source ../.github/actions/decrypt.sh ../.github/actions/creds.tar.xz.gpg creds.tar.xz "${GAMCFGDIR}"
-          mv -v "${GAMCFGDIR}/oauth2.txt-gam-gha-${JID}" "${GAMCFGDIR}/oauth2.txt"
-          rm -v $GAMCFGDIR/oauth2.txt-gam*
          export gam_user="gam-gha-${JID}@pdl.jaylee.us"
          echo "gam_user=${gam_user}" >> $GITHUB_ENV
          $gam config customer_id "C03uzfv2s" save
@@ -683,7 +783,6 @@ jobs:
          $gam oauth info
          $gam oauth refresh
          $gam config enable_dasa true save 
-          $gam create signjwtserviceaccount
          $gam checkconn
          $gam user "$gam_user" check serviceaccount
          $gam info domain
@@ -719,18 +818,18 @@ jobs:
          done
          driveid=$($gam user $gam_user add shareddrive "${newbase}" returnidonly)
          echo "Created shared drive ${driveid}"
-          $gam create user $newuser firstname GHA lastname $JID displayname "Github Actions ${JID}" password random ou "${newou}" recoveryphone 12125121110 recoveryemail jay0lee@gmail.com gha.jid $JID languages en+,en-GB-
+          # 9/17/24 - temp create in root due to Google API issues creating users in new OUs
+          $gam create user $newuser firstname GHA lastname $JID displayname "Github Actions ${JID}" password random recoveryphone 12125121110 recoveryemail jay0lee@gmail.com gha.jid $JID languages en+,en-GB- # ou "${newou}"
+          $gam user $newuser add license workspaceenterpriseplus
          $gam user $newuser update photo https://dummyimage.com/400x600/000/fff
          $gam user $newuser get photo
          $gam user $newuser delete photo
          $gam create alias $newalias user $newuser
          $gam create group $newgroup name "GHA $JID group" description "This is a description" isarchived true
-          $gam user $gam_user sendemail recipient $newuser subject "test message $newbase" message "GHA test message"
-          $gam user $gam_user sendemail recipient exchange@pdl.jaylee.us subject "test ${tstamp}" message "test message"
+          $gam user $gam_user sendemail recipient dev-null@pdl.jaylee.us subject "test message $newbase" message "GHA test message"
          $gam config enable_dasa false save
-          $gam create contact firstname GHA lastname "$JID" email work "${newbase}@example.com" primary
+          #$gam create contact firstname GHA lastname "$JID" email work "${newbase}@example.com" primary
          $gam print contacts
-          $gam user $newuser add license workspaceenterpriseplus
          $gam print privileges
          $gam config enable_dasa true save
          $gam update cigroup $newgroup security memberrestriction 'member.type == 1 || member.customer_id == groupCustomerId()'
@@ -738,7 +837,8 @@ jobs:
          $gam update group $newgroup add owner $gam_user
          $gam update group $newgroup add member $newuser
          $gam config enable_dasa false save
-          $gam create admin $newuser _GROUPS_EDITOR_ROLE CUSTOMER # condition nonsecuritygroup
+          # 9/17/24 temp disable due to Google API sluggishness to see new users for admin commands
+          # $gam create admin $newuser _GROUPS_EDITOR_ROLE CUSTOMER # condition nonsecuritygroup
          $gam create admin $newgroup _HELP_DESK_ADMIN_ROLE org_unit "${newou}"
          $gam config csv_output_row_filter "assignedToUser:regex:${newuser}" print admins | $gam csv - gam delete admin "~roleAssignmentId"
          $gam config csv_output_row_filter "assignedToGroup:regex:${newgroup}" print admins | $gam csv - gam delete admin "~roleAssignmentId"
@@ -852,15 +952,17 @@ jobs:
          $gam user $gam_user show shareddrives asadmin
          $gam user $gam_user update shareddrive "${driveid}" ou "aaaGithub Actions" # so we can delete our OU...
          $gam user $gam_user delete shareddrive "${driveid}" nukefromorbit
+          ssoprofile=$($gam config debug_level 1 create inboundssoprofile name "El Goog ${newbase}" loginurl https://www.google.com logouturl https://www.google.com changepasswordurl https://www.google.com entityid ElGoog return_name_only)
+          if [ ${ssoprofile} != 'inProgress' ]; then
+            $gam create inboundssocredential profile "id:${ssoprofile}" generate_key
+            #$gam create inboundssoassignment profile "id:${ssoprofile}" orgunit "${newou}" mode SAML_SSO
+            #$gam delete inboundssoassignment "orgunit:${newou}"
+            $gam delete inboundssoprofile "id:${ssoprofile}"
+          fi
          echo "printer model count:"
-          ssoprofile=$($gam create inboundssoprofile name "El Goog ${newbase}" loginurl https://www.google.com logouturl https://www.google.com changepasswordurl https://www.google.com entityid ElGoog return_name_only)
-          $gam create inboundssocredential profile "id:${ssoprofile}" generate_key
-          #$gam create inboundssoassignment profile "id:${ssoprofile}" orgunit "${newou}" mode SAML_SSO
-          #$gam delete inboundssoassignment "orgunit:${newou}"
-          $gam delete inboundssoprofile "id:${ssoprofile}"
          $gam print printermodels | wc -l
          $gam print printers
-          printerid=$($gam create printer displayname "${newbase}" uri ipp://localhost:631 driverless description "made by $(gam_user)" ou "${newou}" nodetails | awk '{print substr($2, 1, length($2)-1)}')
+          printerid=$($gam create printer displayname "${newbase}" uri ipp://localhost:631 driverless description "made by ${gam_user}" ou "${newou}" nodetails | awk '{print substr($2, 1, length($2)-1)}')
          $gam info printer "$printerid"
          $gam delete printer "$printerid"
          $gam delete ou "${newou}"
@@ -876,25 +978,6 @@ jobs:
          fi
          tar cJvvf cache.tar.xz $tar_folders

-      - name: Attest Build Archive Provenance
-        uses: actions/attest-build-provenance@v1
-        if: (github.event_name == 'push' || github.event_name == 'schedule') && matrix.goal == 'build'
-        with:
-          subject-path: |
-            src/gam*.tar.xz
-            src/gam*.zip
-            src/gam*.msi
-
-      - name: Archive production artifacts
-        uses: actions/upload-artifact@v4
-        if: (github.event_name == 'push' || github.event_name == 'schedule') && matrix.goal != 'test'
-        with:
-          name: gam-binaries-${{ env.GAMOS }}-${{ env.arch }}-${{ matrix.jid }}
-          path: |
-            src/gam*.tar.xz
-            src/gam*.zip
-            src/gam*.msi
-
  merge:
    if: (github.event_name == 'push' || github.event_name == 'schedule')
    runs-on: ubuntu-latest
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -38,11 +38,11 @@ jobs:

    steps:
    - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
      with:
        languages: ${{ matrix.language }}
        # If you wish to specify custom queries, you can do so here or in a config file.
@@ -53,7 +53,7 @@ jobs:
    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
    # If this step fails, then you should remove it and run the build manually (see below)
    - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@v3

    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 https://git.io/JvXDl
@@ -67,4 +67,4 @@ jobs:
    #   make release

    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 GAM is a command line tool for Google Workspace admins to manage domain and user settings quickly and easily.

-![Build Status](https://github.com/GAM-team/GAM/workflows/Build%20and%20test%20GAM/badge.svg)
+[![Build StatusM](https://github.com/GAM-team/GAM/actions/workflows/build.yml/badge.svg)](https://github.com/GAM-team/GAM/actions/workflows/build.yml)

 # Quick Start

@@ -32,7 +32,7 @@ There is a public chat room hosted in Google Chat. [Instructions to join](https:

 # Author

-GAM is maintained by [Jay Lee](mailto:jay0lee@gmail.com). Please direct "how do I?" questions to [Google Groups].
+GAM is maintained by [Jay (James) Lee](mailto:jay0lee@gmail.com) and [Ross Scroggs](mailto:ross.scroggs@gmail.com). Please direct "how do I?" questions to [Google Groups].

 [GAM release]: https://github.com/GAM-team/GAM/releases
 [GitHub Releases]: https://github.com/GAM-team/GAM/releases
--- a/docs/Authorization.md
+++ b/docs/Authorization.md
@@ -225,14 +225,14 @@ perform these steps and then you should be able to authorize and use your projec
 * Click on Grant Access
 * Enter the new admin address in Principals
 * Click in the Select a role box
-* Type orgpolicy.policies.update in the Filter box
+* Type organization policy administrator in the Filter box
 * Click Organization Policy Administrator
 * Click Save
 * In the upper left click the three lines to the left of Google Cloud and select IAM & Admin
 * Under IAM & Admin select IAM
 * Click the down arrow in the box to the right of Google Cloud
 * Click the three dots at the right and select Manage Resources
-* Click the three dots and the end of the line for the GAM project just created
+* Click the three dots at the end of the line for the GAM project just created
 * Click Settings
 * Click Organization Policies in the left column
 * Now you should be at "Policies for Gam Project"
@@ -786,7 +786,7 @@ There are several methods for generating private keys:
 * `localkeysize 1024` - Gam generates a 1024 bit key; this is not recommended
 * `localkeysize 2048` - Gam generates a 2048 bit key; this is the default
 * `localkeysize 4096` - Gam generates a 4096 bit key
-* `yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)]` - [Using GAMADV-XTD3 with a YubiKey](Using-GAMADV-XTD3-with-a-YubiKey)
+* `yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE yubikey_serialnumber <Number>)]` - [Using GAM7 with a YubiKey](Using-GAM7-with-a-YubiKey)

 When `localkeysize` is specified, the optional argument `validityhours <Number>` sets the length of time during which the key will be valid and should be used when the [GCP constraints/iam.serviceAccountKeyExpiryHours organization policy](https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts#limit_key_expiry) is in use. Note that in order to account for system clock skew, GAM sets the key to be valid two minutes earlier than the current system time and thus it will also expire two minutes earlier.

@@ -1088,6 +1088,9 @@ You can limit both client and service account access.
 You can repeat these steps if you want to configure multiple limited users;
 substitute a unique value for `limited` in each of the steps.

+In the Admin console, define a new Admin role with the desired privileges,
+assign it to the limited user and indicate whether it is for all Org Units or a specific Org Unit.
+
 On your computer, perform these initial steps:

 Make a subdirectory `limited` under the directory specified in `gam.cfg config_dir`
--- a/docs/BNF-Syntax.md
+++ b/docs/BNF-Syntax.md
@@ -1,7 +1,7 @@
 # Syntax

 ## BNF Syntax
-This Wiki describes the GAM command line syntax in modified BNF.
+This Wiki describes the GAM7 command line syntax in modified BNF.
 * https://en.wikipedia.org/wiki/Backus-Naur_Form

 Skip the History section and start reading at Introduction.
--- a/docs/Basic-Items.md
+++ b/docs/Basic-Items.md
@@ -391,6 +391,8 @@
 <Marker> ::= <String>
 <MatterItem> ::= <UniqueID>|<String>
 <MatterState> ::= open|closed|deleted
+<MeetConferenceName> ::= conferenceRecords/<String>
+<MeetSpaceName> ::= spaces/<String> | <String>
 <MessageContent> ::=
        (message|textmessage|htmlmessage <String>)|
        (file|textfile|htmlfile <FileName> [charset <Charset>])|
--- a/docs/CSV-Output-Filtering.md
+++ b/docs/CSV-Output-Filtering.md
@@ -122,7 +122,7 @@ where you get more columns than is desirable.
 * `csv_output_header_filter` - Used to select the column headers to include in the output
 * `csv_output_header_drop_filter` - Used to select the column headers to exclude from the output

-Typically, you would use the option that involes typing the fewest column names but both options can be used.
+Typically, you would use the option that involves typing the fewest column names but both options can be used.
 When both options are used, `csv_output_header_drop_filter` is processed first, then `csv_output_header_filter`.

 Field names are specified by regular expressions; at its simplest, you specify a complete field name.
--- a/docs/Calendars-Events.md
+++ b/docs/Calendars-Events.md
@@ -176,6 +176,7 @@ Client access works when accessing Resource calendars.
 <AttendeeStatus> ::= accepted|declined|needsaction|tentative

 <EventType> ::=
+        birthday|
        default|
        focustime|
        fromgmail|
@@ -241,6 +242,7 @@ Client access works when accessing Resource calendars.
        (attendee <EmailAddress>)|
        (attendeestatus [<AttendeeAttendance>] [<AttendeeStatus>] <EmailAddress>)|
        available|
+        (birthday <Date>)|
        (color <EventColorName>)|
        (colorindex|colorid <EventColorIndex>)|
        (description <String>)|
@@ -261,7 +263,7 @@ Client access works when accessing Resource calendars.
        (privateproperty <PropertyKey> <PropertyValue>)|
        (range <Date> <Date>)|
        (recurrence <RRULE, EXRULE, RDATE and EXDATE line>)|
-        (reminder <Number> email|popup))|
+        (reminder <Number> email|popup)|
        (selectattendees [<AttendeeAttendance>] [<AttendeeStatus>] <UserTypeEntity>)|
        (sequence <Integer>)|
        (sharedproperty <PropertyKey> <PropertyValue>)|
--- a/docs/Chrome-Browser-Cloud-Management.md
+++ b/docs/Chrome-Browser-Cloud-Management.md
@@ -193,7 +193,8 @@ Select the fields to be displayed:
 * `annotated` - Display these fields: deviceId,annotatedAssetId,annotatedLocation,annotatedNotes,annotatedUser
 * `basic` - Display all fields except: browsers, lastDeviceUsers, lastStatusReportTime, machinePloicies; this is the default
 * `allfields/full` - Display all fields
-* `<BrowserFieldName>* [fields <BrowserFieldNameList>]` - Displaya selected list of fields
+* `<BrowserFieldName>* [fields <BrowserFieldNameList>]` - Display a selected list of fields
+  * Note that `ou, org and orgunit` are both command line options and field names; use `fields` to include them in the selected list of fields

 By default, Gam displays the information as an indented list of keys and values:
 - `formatjson` - Display the fields in JSON format.
@@ -232,7 +233,8 @@ Select the fields to be displayed:
 * `annotated` - Display these fields: deviceId,annotatedAssetId,annotatedLocation,annotatedNotes,annotatedUser
 * `basic` - Display all fields except: browsers, lastDeviceUsers, lastStatusReportTime, machinePloicies; this is the default
 * `allfields/full` - Display all fields
-* `<BrowserFieldName>* [fields <BrowserFieldNameList>]` - Displaya selected list of fields
+* `<BrowserFieldName>* [fields <BrowserFieldNameList>]` - Display a selected list of fields
+  * Note that `ou, org and orgunit` are both command line options and field names; use `fields` to include them in the selected list of fields

 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format:
 * `formatjson` - Display the fields in JSON format.
--- a/docs/Chrome-Policies.md
+++ b/docs/Chrome-Policies.md
@@ -7,13 +7,17 @@
  - [Definitions](#definitions)
  - [Display a specific Chrome policy schema](#display-a-specific-chrome-policy-schema)
  - [Display all or filtered Chrome policy schemas](#display-all-or-filtered-chrome-policy-schemas)
-  - [Display Chrome policy schemas in same format as Standard GAM](#display-chrome-policy-schemas-in-same-format-as-standard-gam)
+  - [Display Chrome policy schemas in same format as Legacy GAM](#display-chrome-policy-schemas-in-same-format-as-legacy-gam)
  - [Create a Chrome policy image](#create-a-chrome-policy-image)
  - [Update Chrome policy](#update-chrome-policy)
  - [Delete Chrome policy](#delete-chrome-policy)
  - [Display Chrome policies](#display-chrome-policies)
  - [Copy simple policies set directly in one OU to another OU](#copy-simple-policies-set-directly-in-one-ou-to-another-ou)
  - [Copy simple and complex policies set directly in one OU to another OU](#copy-simple-and-complex-policies-set-directly-in-one-ou-to-another-ou)
+  - [Copy simple and complex policies set directly in one OU to multiple other OUs](#copy-simple-and-complex-policies-set-directly-in-one-ou-to-multiple-other-ous)
+  - [Copy simple policies in one Group to another Group](#copy-simple-policies-in-one-group-to-another-group)
+  - [Copy simple and complex policies in one Group to another Group](#copy-simple-and-complex-policies-in-one-group-to-another-group)
+  - [Copy simple and complex policies in one Group to multiple other Groups](#copy-simple-and-complex-policies-in-one-group-to-multiple-other-groups)
  - [Create Chrome network](#create-chrome-network)
  - [Delete Chrome network](#delete-chrome-network)
  - [Chrome Policy Schema Table](#chrome-policy-schema-table)
@@ -114,7 +118,7 @@ When using the `formatjson` option, double quotes are used extensively in the da
 The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
 `quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.

-## Display Chrome policy schemas in same format as Standard GAM
+## Display Chrome policy schemas in same format as Legacy GAM
 ```
 gam show chromeschemas std
        [filter <String>]
@@ -154,11 +158,12 @@ gam create chromepolicyimage <ChromePolicyImageSchemaName> <FileName>
 ```

 ## Update Chrome policy
-You can update a policy for all devices/users within an OU or for a specific printer or application within an OU.
+You can update a policy for all devices/users within an OU, users with a group or for a specific printer or application within an OU.
 ```
 gam update chromepolicy [convertcrnl]
        (<SchemaName> ((<Field> <Value>)+ | <JSONData>))+
-        ou|org|orgunit <OrgUnitItem> [(printerid <PrinterID>)|(appid <AppID>)]
+        ((ou|orgunit <OrgUnitItem>)|(group <GroupItem>))
+        [(printerid <PrinterID>)|(appid <AppID>)]
 ```
 You update a schema by specifying its name and one or more fields and values or by using
 JSON data to specify the field values. 
@@ -199,6 +204,16 @@ gam update chromepolicy convertcrnl chrome.devices.DisabledDeviceReturnInstructi
 ```

 ### Examples
+Restrict use of Chromebooks in an OU to a specific list of users.
+```
+gam update chromepolicy chrome.devices.SignInRestriction deviceAllowNewUsers RESTRICTED_LIST userAllowlist "user1@domain.com,user2@domain.com" ou "<Path/To/Ou>"
+```
+
+Restrict use of Chromebooks in an OU to users in a specific domain.
+```
+gam update chromepolicy chrome.devices.SignInRestriction deviceAllowNewUsers RESTRICTED_LIST userAllowlist "*@domain.com" ou "<Path/To/Ou>"
+```
+
 Restrict student users from adding additional printers and set default printing to black and white.
 ```
 gam update chromepolicy chrome.users.UserPrintersAllowed userPrintersAllowed false chrome.users.DefaultPrintColor printingColorDefault MONOCHROME orgunit "/Students" 
@@ -225,31 +240,32 @@ gam update chromepolicy chrome.users.ManagedBookmarksSetting  json file bookmark
 ```

 ## Delete Chrome policy
-You can delete a policy for all devices/users within an OU or for a specific printer or application within an OU.
+You can delete a policy for all devices/users within an OU, users with a group  or for a specific printer or application within an OU.
 ```
 gam delete chromepolicy
        (<SchemaName> [<JSONData>])+
-        ou|org|orgunit <OrgUnitItem> [(printerid <PrinterID>)|(appid <AppID>)]
+        ((ou|orgunit <OrgUnitItem>)|(group <GroupItem>))
+        [(printerid <PrinterID>)|(appid <AppID>)]
 ```
 ## Display Chrome policies
-You can display policies for all devices/users within an OU or for a specific printer or application within an OU.
+You can display policies for all devices/users within an OU, users with a group or for a specific printer or application within an OU.

 ### Display as an indented list of keys and values.
 ```
 gam show chromepolicies
-        ou|org|orgunit <OrgUnitItem> [(printerid <PrinterID>)|(appid <AppID>)]
-        [filter <String>] [namespace <NamespaceList>]
-        [show all|direct|inherited]
+        ((ou|orgunit <OrgUnitItem> [show all|direct|inherited])|(group <GroupItem>))
+        [(printerid <PrinterID>)|(appid <AppID>)]
+        [filter <StringList>] [namespace <NamespaceList>]
        [formatjson]
 ```
-By default, all Chrome policies for the OU are displayed.
+By default, all Chrome policies for the OU or group are displayed.
 * `filter <String>` - Display policies based on fields like its resource name, description and additionalTargetKeyNames.
-* `show all` - Display policies regardless of where set; this is the default
-* `show direct` - Display policies set directly in the OU
-* `show inherited` - Display policies set in a parent OU
+* `show all` - For OUs, display policies regardless of where set; this is the default
+* `show direct` - For OUs, display policies set directly in the OU
+* `show inherited` - For OUs, display policies set in a parent OU

 These are the default namespaces; use `namespace <NamespaceList>` to override.
-* `default`
+* `default` - When OU specified
  * chrome.users
  * chrome.users.apps
  * chrome.users.appsconfig
@@ -266,6 +282,12 @@ These are the default namespaces; use `namespace <NamespaceList>` to override.
  * chrome.networks.wifi
  * chrome.printers
  * chrome.printservers
+* `default` - When group specified
+  * chrome.users
+  * chrome.users.apps
+  * chrome.users.appsconfig
+  * chrome.printers
+  * chrome.printservers
 * `appid <AppID>`
  * chrome.users.apps
  * chrome.devices.kiosk.apps
@@ -279,16 +301,16 @@ By default, Gam displays the information as an indented list of keys and values.
 ### Display as a CSV file.
 ```
 gam print chromepolicies [todrive <ToDriveAttribute>*]
-        ou|org|orgunit <OrgUnitItem> [(printerid <PrinterID>)|(appid <AppID>)]
+        ((ou|orgunit <OrgUnitItem> [show all|direct|inherited])|(group <GroupItem>))
+        [(printerid <PrinterID>)|(appid <AppID>)]
        [filter <String>] [namespace <NamespaceList>]
-        [show all|direct|inherited]
        [[formatjson [quotechar <Character>]]
 ```
-By default, all Chrome policies for the OU are displayed.
+By default, all Chrome policies for the OU or group are displayed.
 * `filter <String>` - Display policies based on fields like its resource name, description and additionalTargetKeyNames.
-* `show all` - Display policies regardless of where set; this is the default
-* `show direct` - Display policies set directly in the OU
-* `show inherited` - Display policies set in a parent OU
+* `show all` - For OUs, display policies regardless of where set; this is the default
+* `show direct` - For OUs, display policies set directly in the OU
+* `show inherited` - For OUs, display policies set in a parent OU

 These are the default namespaces; use `namespace <NamespaceList>` to override.
 * `default`
@@ -325,8 +347,6 @@ gam redirect csv ChromePolicies.csv print chromepolicies ou "/Path/To/OU1"
 gam config csv_input_row_filter "direct:boolean:true" csv ChromePolicies.csv gam update chromepolicy "~name" "~fields.0.name" "~fields.0.value" "~fields.1.name" "~fields.1.value" ou "/Path/To/OU2"
 ```
 ## Copy simple and complex policies set directly in one OU to another OU
-Version `6.21.02` is required.
-
 Display direct policies, update all
 ```
 gam redirect csv ChromePolicies.csv print chromepolicies ou "/Path/To/OU1" show direct formatjson quotechar "'"
@@ -338,6 +358,51 @@ gam redirect csv ChromePolicies.csv print chromepolicies ou "/Path/To/OU1" forma
 gam config csv_input_row_filter "direct:boolean:true" csv ChromePolicies.csv quotechar "'" gam update chromepolicy "~name" json "~JSON" ou "/Path/To/OU2"
 ```

+## Copy simple and complex policies set directly in one OU to multiple other OUs
+Display direct policies, update all
+```
+gam redirect csv ChromePolicies.csv print chromepolicies ou "/Path/To/OU1" show direct formatjson quotechar "'"
+```
+Make a batch file (SetPolicies.bat) with a line for each target OU
+```
+gam csv ChromePolicies.csv quotechar "'" gam update chromepolicy "~name" json "~JSON" ou "/Path/To/OU2"
+gam csv ChromePolicies.csv quotechar "'" gam update chromepolicy "~name" json "~JSON" ou "/Path/To/OU3"
+...
+```
+Execute batch
+```
+gam redirect stdout ./SetPolicies.log multiprocess redirect stderr stdout tbatch SetPolicies.bat
+```
+
+## Copy simple policies in one Group to another Group
+Display all policies, update all
+```
+gam redirect csv ChromePolicies.csv print chromepolicies group group1@domain.com
+gam csv ChromePolicies.csv gam update chromepolicy "~name" "~fields.0.name" "~fields.0.value" "~fields.1.name" "~fields.1.value" group group2@domain.com
+```
+## Copy simple and complex policies in one Group to another Group
+Display all policies, update all
+```
+gam redirect csv ChromePolicies.csv print chromepolicies group group1@domain.com formatjson quotechar "'"
+gam csv ChromePolicies.csv quotechar "'" gam update chromepolicy "~name" json "~JSON" group group2@domain.com
+```
+
+## Copy simple and complex policies in one Group to multiple other Groups
+Display all policies, update all
+```
+gam redirect csv ChromePolicies.csv print chromepolicies group group1@domain.com formatjson quotechar "'"
+```
+Make a batch file (SetPolicies.bat) with a line for each target group
+```
+gam csv ChromePolicies.csv quotechar "'" gam update chromepolicy "~name" json "~JSON" group group2@domain.com
+gam csv ChromePolicies.csv quotechar "'" gam update chromepolicy "~name" json "~JSON" group group3@domain.com
+...
+```
+Execute batch
+```
+gam redirect stdout ./SetPolicies.log multiprocess redirect stderr stdout tbatch SetPolicies.bat
+```
+
 ## Create Chrome network
 See: [Chrome Policy Schema Table](#chrome-policy-schema-table) for the allowed network settings.
 * chrome.networks.ethernet.Details: Ethernet network configuration details.
@@ -506,6 +571,11 @@ chrome.devices.ContentProtection: Allow web services to request proof that the d
    true: Ensures ChromeOS devices in your organization will verify their identity to content providers.
    false: Does not ensure ChromeOS devices in your organization will verify their identity to content providers. Some premium content may be unavailable to your users.

+chrome.devices.DeviceAllowEnterpriseRemoteAccessConnections: Enterprise remote access connections.
+  deviceAllowEnterpriseRemoteAccessConnections: TYPE_BOOL
+    true: Enable remote access connections from enterprise admins.
+    false: Prevent remote access connections from enterprise admins.
+
 chrome.devices.DeviceAuthenticationUrlAllowlist: Blocked URL exceptions on the sign-in / lock screens.
  deviceAuthenticationUrlAllowlist: TYPE_LIST
    Blocked URL exceptions. Any URL that matches an entry in this exception list will be allowed, even if it matches a line in the blocked URLs. Wildcards ("*") are allowed when appended to a URL, but cannot be entered alone. Maximum of 1000 URLs.
@@ -604,11 +674,6 @@ chrome.devices.DeviceLoginScreenExtensionManifestVTwoAvailability: Manifest v2 e
    ENABLE: Enable manifest V2 extensions on the sign-in screen.
    ENABLE_FOR_FORCED_EXTENSIONS: Enable force-installed manifest V2 extensions on the sign-in screen.

-chrome.devices.DeviceLoginScreenGeolocationAccessLevel: Geolocation on the login screen.
-  deviceLoginScreenGeolocationAccessLevel: TYPE_ENUM
-    DISALLOWED: Do not allow geolocation access on log-in screen.
-    ALLOWED: Allow geolocation access on log-in screen.
-
 chrome.devices.DeviceLoginScreenPrivacyScreenEnabled: Privacy screen on sign-in screen.
  deviceLoginScreenPrivacyScreenEnabled: TYPE_ENUM
    UNSET: Allow the user to decide.
@@ -646,6 +711,12 @@ chrome.devices.DevicePciPeripheralDataAccessEnabled: Data access protection for
    FALSE: Enable data access protection.
    TRUE: Disable data access protection.

+chrome.devices.DevicePostQuantumKeyAgreementEnabled: Post-quantum TLS.
+  devicePostQuantumKeyAgreementEnabled: TYPE_ENUM
+    UNSET: Use the default Chrome setting.
+    FALSE: Do not allow post-quantum key agreement in TLS connections.
+    TRUE: Allow post-quantum key agreement in TLS connections.
+
 chrome.devices.DevicePowerwashAllowed: Powerwash.
  devicePowerwashAllowed: TYPE_BOOL
    true: Allow powerwash to be triggered.
@@ -1023,6 +1094,12 @@ chrome.devices.kiosk.CursorHighlightEnabled: Kiosk cursor highlight.
    ACCESSIBILITY_DISABLED: Disable cursor highlight.
    ACCESSIBILITY_ENABLED: Enable cursor highlight.

+chrome.devices.kiosk.DeviceWeeklyScheduledSuspend: Device sleep mode.
+  hours: TYPE_INT32
+  minutes: TYPE_INT32
+  seconds: TYPE_INT32
+  nanos: TYPE_INT32
+
 chrome.devices.kiosk.DictationEnabled: Kiosk dictation.
  dictationEnabled: TYPE_ENUM
    DEFAULT_USER_CHOICE: Allow the user to decide.
@@ -1405,12 +1482,15 @@ chrome.devices.managedguest.apps.PermissionsAndUrlAccess: Allows setting of allo
  blockedPermissions: TYPE_LIST
    {'value': '', 'description': 'Allow all permissions. If empty string is set, it must be the only value set for the policy.'}
  allowedPermissions: TYPE_LIST
-    {'value': 'alarms', 'description': 'Alarms.'}
+    {'value': 'activeTab', 'description': 'Active tab.'}
  blockedHosts: TYPE_LIST
    Sets extension hosts that should be blocked.
  allowedHosts: TYPE_LIST
    Sets extension hosts that should be allowed. Allowed hosts override blocked hosts.

+chrome.devices.managedguest.apps.SkipDocumentScanConfirmation: Allows the app to skip the confirmation dialog when using the Document Scan API.
+  skipDocumentScanConfirmation: TYPE_BOOL
+
 chrome.devices.managedguest.apps.SkipPrintConfirmation: Allows the app to skip the confirmation dialog when sending print jobs via the Chrome Printing API.
  skipPrintConfirmation: TYPE_BOOL

@@ -1554,6 +1634,11 @@ chrome.devices.managedguest.CpuTaskScheduler: CPU task scheduler.
    CONSERVATIVE: Optimize for stability.
    PERFORMANCE: Optimize for performance.

+chrome.devices.managedguest.CssCustomStateDeprecatedSyntaxEnabled: CSS custom state deprecated syntax.
+  cssCustomStateDeprecatedSyntaxEnabled: TYPE_BOOL
+    true: Allow deprecated syntax.
+    false: Do not allow deprecated syntax.
+
 chrome.devices.managedguest.CursorHighlightEnabled: Cursor highlight.
  cursorHighlightEnabled: TYPE_ENUM
    UNSET: Allow the user to decide.
@@ -1618,9 +1703,6 @@ chrome.devices.managedguest.DeleteKeyModifier: Control the shortcut used to trig
    NONE: Setting a shortcut for the "Delete" action is disabled.
    ALT: Delete shortcut setting uses the shortcut that contains the alt modifier.
    SEARCH: Delete shortcut setting uses the shortcut that contains the search modifier.
-  deleteKeyModifierSettingGroupPolicyMode: TYPE_ENUM
-    MANDATORY: Do not allow users to override.
-    RECOMMENDED: Allow users to override.

 chrome.devices.managedguest.DeletePrintJobHistoryAllowed: Print job history deletion.
  deletePrintJobHistoryAllowed: TYPE_BOOL
@@ -1632,6 +1714,10 @@ chrome.devices.managedguest.DeveloperTools: Developer tools.
    ALWAYS_ALLOW_DEVELOPER_TOOLS: Always allow use of built-in developer tools.
    ALLOW_DEVELOPER_TOOLS_EXCEPT_FORCE_INSTALLED: Allow use of built-in developer tools except for force-installed extensions and component extensions.
    NEVER_ALLOW_DEVELOPER_TOOLS: Never allow use of built-in developer tools.
+  extensionDeveloperModeSettings: TYPE_ENUM
+    UNSET: Use 'developer tools availability' selection.
+    ALLOW: Allow use of developer tools on extensions page.
+    DISALLOW: Do not allow use of developer tools on extensions page.

 chrome.devices.managedguest.DeviceAllowMgsToStoreDisplayProperties: Persist display settings.
  deviceAllowMgsToStoreDisplayProperties: TYPE_BOOL
@@ -1718,10 +1804,10 @@ chrome.devices.managedguest.EncryptedClientHelloEnabled: TLS encrypted ClientHel
    true: Enable the TLS Encrypted ClientHello experiment.
    false: Disable the TLS Encrypted ClientHello experiment.

-chrome.devices.managedguest.EnhancedNetworkVoicesInSelectToSpeakAllowed: Allow the enhanced network text-to-speech voices in Select-to-speak.
+chrome.devices.managedguest.EnhancedNetworkVoicesInSelectToSpeakAllowed: Select-to-speak.
  enhancedNetworkVoicesInSelectToSpeakAllowed: TYPE_BOOL
-    true: Allow the user to decide.
-    false: Disallow enhanced network text-to-speech voices when using Select-to-Speak.
+    true: Allow sending text to Google servers for enhanced Select-to-speak.
+    false: Do not allow sending text to Google servers for enhanced Select-to-speak.

 chrome.devices.managedguest.EnterpriseHardwarePlatformApiEnabled: Enterprise Hardware Platform API.
  enterpriseHardwarePlatformApiEnabled: TYPE_BOOL
@@ -1772,9 +1858,6 @@ chrome.devices.managedguest.FElevenKeyModifier: Control the shortcut used to tri
    ALT: F11 settings use the shortcut that contains the alt modifier.
    SHIFT: F11 settings use the shortcut that contains the shift modifier.
    CTRL_SHIFT: F11 settings use the shortcut that contains the modifiers ctrl and shift.
-  fElevenKeyModifierSettingGroupPolicyMode: TYPE_ENUM
-    MANDATORY: Do not allow users to override.
-    RECOMMENDED: Allow users to override.

 chrome.devices.managedguest.FileOrDirectoryPickerWithoutGestureAllowedForOrigins: File/directory picker without user gesture.
  fileOrDirectoryPickerWithoutGestureAllowedForOrigins: TYPE_LIST
@@ -1833,9 +1916,6 @@ chrome.devices.managedguest.FTwelveKeyModifier: Control the shortcut used to tri
    SHIFT: F12 settings use the shortcut that contains the shift modifier.
    CTRL_SHIFT: F12 settings use the shortcut that contains the modifiers ctrl and shift.
    UNSET: Allow the user to decide.
-  fTwelveKeyModifierSettingGroupPolicyMode: TYPE_ENUM
-    MANDATORY: Do not allow users to override.
-    RECOMMENDED: Allow users to override.

 chrome.devices.managedguest.FullscreenAllowed: Fullscreen mode.
  fullscreenAllowed: TYPE_BOOL
@@ -1881,9 +1961,6 @@ chrome.devices.managedguest.HomeAndEndKeysModifier: Control the shortcut used to
    NONE: Home/End settings are disabled.
    ALT: Home/End settings use the shortcut that contains the alt modifier.
    SEARCH: Home/End settings use the shortcut that contains the search modifier.
-  homeAndEndKeysModifierSettingGroupPolicyMode: TYPE_ENUM
-    MANDATORY: Do not allow users to override.
-    RECOMMENDED: Allow users to override.

 chrome.devices.managedguest.HomeButton: Home button.
  showHomeButton: TYPE_ENUM
@@ -1903,20 +1980,6 @@ chrome.devices.managedguest.HstsPolicyBypassList: HSTS policy bypass list.
  hstsPolicyBypassList: TYPE_LIST
    List of hostnames that will bypass the HSTS policy check . Enter a list of hostnames that will be exempt from the HSTS policy check.

-chrome.devices.managedguest.IdleSettings: Idle settings.
-  mgsActionOnDeviceIdle: TYPE_ENUM
-    SLEEP: Sleep.
-    LOGOUT: Logout.
-    SHUTDOWN: Shutdown.
-    DO_NOTHING: Do nothing.
-  mgsIdleTimeoutMinutes: TYPE_STRING
-    Idle time in minutes. Leave empty for system default.
-  mgsActionOnLidClose: TYPE_ENUM
-    SLEEP: Sleep.
-    LOGOUT: Logout.
-    SHUTDOWN: Shutdown.
-    DO_NOTHING: Do nothing.
-
 chrome.devices.managedguest.IdleSettingsExtended: Idle settings.
  lidCloseAction: TYPE_ENUM
    SLEEP: Sleep.
@@ -1975,9 +2038,6 @@ chrome.devices.managedguest.InsertKeyModifier: Control the shortcut used to trig
  insertKeyModifier: TYPE_ENUM
    NONE: Setting a shortcut for the "Insert" action is disabled.
    SEARCH: Insert shortcut setting uses the shortcut that contains the search modifier.
-  insertKeyModifierSettingGroupPolicyMode: TYPE_ENUM
-    MANDATORY: Do not allow users to override.
-    RECOMMENDED: Allow users to override.

 chrome.devices.managedguest.IntensiveWakeUpThrottlingEnabled: Javascript IntensiveWakeUpThrottling.
  intensiveWakeUpThrottlingEnabled: TYPE_ENUM
@@ -2021,6 +2081,11 @@ chrome.devices.managedguest.KerberosTickets: Kerberos tickets.
    true: Enable kerberos.
    false: Disable kerberos.

+chrome.devices.managedguest.KeyboardFocusableScrollersEnabled: Keyboard focusable scrollers.
+  keyboardFocusableScrollersEnabled: TYPE_BOOL
+    true: Allow scrollers to be focusable by default.
+    false: Do not allow scrollers to be focusable by default.
+
 chrome.devices.managedguest.KeyboardFocusHighlightEnabled: Keyboard focus highlighting.
  keyboardFocusHighlightEnabled: TYPE_ENUM
    UNSET: Allow the user to decide.
@@ -2043,6 +2108,14 @@ chrome.devices.managedguest.LensDesktopNtpSearchEnabled: New Tab page Google Len
    true: Show the Google Lens button in the search box on the New Tab page.
    false: Do not show the Google Lens button in the search box on the New Tab page.

+chrome.devices.managedguest.LensOnGalleryEnabled: Lens Gallery App integration.
+  lensOnGalleryEnabled: TYPE_BOOL
+    true: Enable Lens integration.
+    false: Disable Lens integration.
+  lensOnGalleryEnabledSettingGroupPolicyMode: TYPE_ENUM
+    MANDATORY: Do not allow users to override.
+    RECOMMENDED: Allow users to override.
+
 chrome.devices.managedguest.LensRegionSearchEnabled: Google Lens region search.
  lensRegionSearchEnabled: TYPE_BOOL
    true: Enable Google Lens region search.
@@ -2190,9 +2263,6 @@ chrome.devices.managedguest.PageUpAndPageDownKeysModifier: Control the shortcut
    NONE: PageUp/PageDown settings are disabled.
    ALT: PageUp/PageDown settings use the shortcut that contains the alt modifier.
    SEARCH: PageUp/PageDown settings use the shortcut that contains the search modifier.
-  pageUpAndPageDownKeysModifierSettingGroupPolicyMode: TYPE_ENUM
-    MANDATORY: Do not allow users to override.
-    RECOMMENDED: Allow users to override.

 chrome.devices.managedguest.PaymentMethodQueryEnabled: Payment methods.
  paymentMethodQueryEnabled: TYPE_BOOL
@@ -2232,8 +2302,8 @@ chrome.devices.managedguest.Popups: Pop-ups.
 chrome.devices.managedguest.PostQuantumKeyAgreementEnabled: Post-quantum TLS.
  postQuantumKeyAgreementEnabled: TYPE_ENUM
    UNSET: Use the default Chrome setting.
-    FALSE: Do not allow Kyber key agreement for TLS.
-    TRUE: Allow Kyber key agreement for TLS.
+    FALSE: Do not allow post-quantum key agreement in TLS connections.
+    TRUE: Allow post-quantum key agreement in TLS connections.

 chrome.devices.managedguest.PpapiSharedImagesForVideoDecoderAllowed: Allow Pepper to use shared images for video decoding.
  ppapiSharedImagesForVideoDecoderAllowed: TYPE_BOOL
@@ -2343,6 +2413,11 @@ chrome.devices.managedguest.PromptForDownloadLocation: Download location prompt.
    FALSE: Do not ask the user (downloads start immediately).
    TRUE: Ask the user where to save the file before downloading.

+chrome.devices.managedguest.QrCodeGeneratorEnabled: QR Code Generator.
+  qrCodeGeneratorEnabled: TYPE_BOOL
+    true: Enable QR Code Generator.
+    false: Disable QR Code Generator.
+
 chrome.devices.managedguest.QuickAnswersEnabled: Quick Answers.
  quickAnswersEnabled: TYPE_BOOL
    true: Enable Quick Answers.
@@ -2602,6 +2677,7 @@ chrome.devices.managedguest.SimpleProxySettings: Proxy mode.
  simpleProxyMode: TYPE_ENUM
    USER_CONFIGURED: Allow user to configure.
    DIRECT: Never use a proxy.
+    SYSTEM: Use system proxy settings.
    AUTO_DETECT: Always auto detect the proxy.
    FIXED_SERVERS: Always use the proxy specified in 'simpleProxyServerUrl'.
    PAC_SCRIPT: Always use the proxy auto-config specified in 'simpleProxyPacUrl'.
@@ -2650,6 +2726,11 @@ chrome.devices.managedguest.SslVersionMin: Minimum SSL version enabled.
    TL_SV_1_2: TLS 1.2.
    SSL_V_3: SSL3.

+chrome.devices.managedguest.StandardizedBrowserZoomEnabled: Zoom Behavior.
+  standardizedBrowserZoomEnabled: TYPE_BOOL
+    true: Standard CSS zoom.
+    false: Legacy CSS zoom.
+
 chrome.devices.managedguest.StartupBrowserLaunch: Browser launch on startup.
  startupBrowserWindowLaunchSuppressed: TYPE_BOOL
    true: Do not launch the browser on startup.
@@ -2705,6 +2786,12 @@ chrome.devices.managedguest.SystemFeaturesDisableMode: Disabled system features
    BLOCKED: Show disabled app icons.
    HIDDEN: Hide app icons.

+chrome.devices.managedguest.SystemShortcutBehavior: Override system shortcuts.
+  systemShortcutBehavior: TYPE_ENUM
+    DEFAULT: Do not override system shortcuts.
+    SHOULD_IGNORE_COMMON_VDI_SHORTCUTS: Override some system shortcuts.
+    SHOULD_IGNORE_COMMON_VDI_SHORTCUTS_FULLSCREEN_ONLY: Override some system shortcuts while in fullscreen.
+
 chrome.devices.managedguest.TabDiscardingExceptions: Exceptions to tab discarding.
  tabDiscardingExceptions: TYPE_LIST
    URL pattern exceptions to tab discarding. Specifies URL patterns where any URL matching one or more of these patterns will never be discarded by the browser.
@@ -3519,12 +3606,15 @@ chrome.users.apps.PermissionsAndUrlAccess: Allows setting of allowed and blocked
  blockedPermissions: TYPE_LIST
    {'value': '', 'description': 'Allow all permissions. If empty string is set, it must be the only value set for the policy.'}
  allowedPermissions: TYPE_LIST
-    {'value': 'alarms', 'description': 'Alarms.'}
+    {'value': 'activeTab', 'description': 'Active tab.'}
  blockedHosts: TYPE_LIST
    Sets extension hosts that should be blocked.
  allowedHosts: TYPE_LIST
    Sets extension hosts that should be allowed. Allowed hosts override blocked hosts.

+chrome.users.apps.SkipDocumentScanConfirmation: Allows the app to skip the confirmation dialog when using the Document Scan API.
+  skipDocumentScanConfirmation: TYPE_BOOL
+
 chrome.users.apps.SkipPrintConfirmation: Allows the app to skip the confirmation dialog when sending print jobs via the Chrome Printing API.
  skipPrintConfirmation: TYPE_BOOL

@@ -3555,7 +3645,7 @@ chrome.users.appsconfig.AppExtensionInstallSources: App and extension install so

 chrome.users.appsconfig.BlockExtensionsByPermission: Permissions and URLs.
  extensionBlockedPermissions: TYPE_LIST
-    {'value': 'alarms', 'description': 'Alarms.'}
+    {'value': 'activeTab', 'description': 'Active tab.'}
  runtimeBlockedHosts: TYPE_LIST
    Runtime blocked hosts. This is a list of patterns for matching against hostnames. URLs that match one of these patterns cannot be modified by apps and extensions. This includes injecting Javascript, altering and viewing webRequests / webNavigation, viewing and altering cookies, exceptions to the same-origin policy, etc. The format is similar to full URL patterns except no paths may be defined. e.g. "*://*.example.com". Maximum of 100 URLs.
  runtimeAllowedHosts: TYPE_LIST
@@ -4136,6 +4226,11 @@ chrome.users.CrossOriginWebAssemblyModuleSharingEnabled: Allow WebAssembly cross
    true: Allow WebAssembly modules to be sent cross-origin.
    false: Prevent WebAssembly modules to be sent cross-origin.

+chrome.users.CssCustomStateDeprecatedSyntaxEnabled: CSS custom state deprecated syntax.
+  cssCustomStateDeprecatedSyntaxEnabled: TYPE_BOOL
+    true: Allow deprecated syntax.
+    false: Do not allow deprecated syntax.
+
 chrome.users.CursorHighlightEnabled: Cursor highlight.
  cursorHighlightEnabled: TYPE_ENUM
    UNSET: Allow the user to decide.
@@ -4209,15 +4304,17 @@ chrome.users.DeleteKeyModifier: Control the shortcut used to trigger the Delete
    NONE: Setting a shortcut for the "Delete" action is disabled.
    ALT: Delete shortcut setting uses the shortcut that contains the alt modifier.
    SEARCH: Delete shortcut setting uses the shortcut that contains the search modifier.
-  deleteKeyModifierSettingGroupPolicyMode: TYPE_ENUM
-    MANDATORY: Do not allow users to override.
-    RECOMMENDED: Allow users to override.

 chrome.users.DeletePrintJobHistoryAllowed: Print job history deletion.
  deletePrintJobHistoryAllowed: TYPE_BOOL
    true: Allow print job history to be deleted.
    false: Do not allow print job history to be deleted.

+chrome.users.DeletingUndecryptablePasswordsEnabled: Delete undecryptable passwords.
+  deletingUndecryptablePasswordsEnabled: TYPE_BOOL
+    true: Enable deleting undecryptable passwords.
+    false: Disable deleting undecryptable passwords.
+
 chrome.users.DeskApi: Desk API for third-party ChromeOS desk control.
  deskApiThirdPartyAccessEnabled: TYPE_BOOL
    true: Enable Desk API for third-party ChromeOS desk control.
@@ -4235,6 +4332,10 @@ chrome.users.DeveloperTools: Developer tools.
    ALWAYS_ALLOW_DEVELOPER_TOOLS: Always allow use of built-in developer tools.
    ALLOW_DEVELOPER_TOOLS_EXCEPT_FORCE_INSTALLED: Allow use of built-in developer tools except for force-installed extensions and component extensions.
    NEVER_ALLOW_DEVELOPER_TOOLS: Never allow use of built-in developer tools.
+  extensionDeveloperModeSettings: TYPE_ENUM
+    UNSET: Use 'developer tools availability' selection.
+    ALLOW: Allow use of developer tools on extensions page.
+    DISALLOW: Do not allow use of developer tools on extensions page.

 chrome.users.DeviceEnrollment: Device enrollment.
  autoDevicePlacementEnabled: TYPE_BOOL
@@ -4332,6 +4433,11 @@ chrome.users.DriveFileSyncAvailable: ChromeOS file sync.
    DISABLED: Do not show the ChromeOS file sync feature.
    VISIBLE: Show the ChromeOS file sync feature.

+chrome.users.DynamicCodeSettings: Dynamic Code.
+  dynamicCodeSettings: TYPE_ENUM
+    DEFAULT: Use the default Chrome setting.
+    DISABLED_FOR_BROWSER: Do not create dynamic code.
+
 chrome.users.EcheAllowed: App Streaming.
  echeAllowed: TYPE_BOOL
    true: Allow users to launch App Streaming.
@@ -4433,9 +4539,6 @@ chrome.users.FElevenKeyModifier: Control the shortcut used to trigger F11.
    ALT: F11 settings use the shortcut that contains the alt modifier.
    SHIFT: F11 settings use the shortcut that contains the shift modifier.
    CTRL_SHIFT: F11 settings use the shortcut that contains the modifiers ctrl and shift.
-  fElevenKeyModifierSettingGroupPolicyMode: TYPE_ENUM
-    MANDATORY: Do not allow users to override.
-    RECOMMENDED: Allow users to override.

 chrome.users.FetchKeepaliveDurationSecondsOnShutdown: Keepalive duration.
  duration: TYPE_STRING
@@ -4514,9 +4617,6 @@ chrome.users.FTwelveKeyModifier: Control the shortcut used to trigger F12.
    SHIFT: F12 settings use the shortcut that contains the shift modifier.
    CTRL_SHIFT: F12 settings use the shortcut that contains the modifiers ctrl and shift.
    UNSET: Allow the user to decide.
-  fTwelveKeyModifierSettingGroupPolicyMode: TYPE_ENUM
-    MANDATORY: Do not allow users to override.
-    RECOMMENDED: Allow users to override.

 chrome.users.FullscreenAlertEnabled: Fullscreen alert.
  fullscreenAlertEnabled: TYPE_BOOL
@@ -4584,8 +4684,8 @@ chrome.users.GssapiLibraryName: GSSAPI library name.

 chrome.users.HardwareAccelerationModeEnabled: GPU.
  hardwareAccelerationModeEnabled: TYPE_BOOL
-    true: Enable hardware acceleration.
-    false: Disable hardware acceleration.
+    true: Enable graphics acceleration.
+    false: Disable graphics acceleration.

 chrome.users.HelpMeWriteSettings: Help me write.
  helpMeWriteSettings: TYPE_ENUM
@@ -4605,14 +4705,17 @@ chrome.users.HighEfficiencyModeEnabled: High efficiency mode.
    FALSE: Disable high efficiency mode.
    TRUE: Enable high efficiency mode.

+chrome.users.HistorySearchSettings: History search settings.
+  historySearchSettings: TYPE_ENUM
+    ALLOWED: Allow using AI-powered history search.
+    ALLOWED_WITHOUT_LOGGING: Allow using AI-powered history search without data collection.
+    DISABLED: Fully disable AI-powered history search.
+
 chrome.users.HomeAndEndKeysModifier: Control the shortcut used to trigger the Home/End "six pack" keys.
  homeAndEndKeysModifier: TYPE_ENUM
    NONE: Home/End settings are disabled.
    ALT: Home/End settings use the shortcut that contains the alt modifier.
    SEARCH: Home/End settings use the shortcut that contains the search modifier.
-  homeAndEndKeysModifierSettingGroupPolicyMode: TYPE_ENUM
-    MANDATORY: Do not allow users to override.
-    RECOMMENDED: Allow users to override.

 chrome.users.HomeButton: Home button.
  showHomeButton: TYPE_ENUM
@@ -4647,21 +4750,6 @@ chrome.users.HttpsUpgradesEnabled: Automatic HTTPS upgrades.
    true: Allow HTTPS upgrades.
    false: Do not allow HTTPS upgrades.

-chrome.users.IdleSettings: Idle settings.
-  idleTimeoutMinutes: TYPE_STRING
-    Idle time in minutes. Leave empty for system default.
-  actionOnDeviceIdle: TYPE_ENUM
-    SLEEP: Sleep.
-    LOGOUT: Logout.
-    LOCK: Lock Screen.
-  actionOnLidClose: TYPE_ENUM
-    SLEEP: Sleep.
-    LOGOUT: Logout.
-  lockOnSleep: TYPE_ENUM
-    UNSET: Allow the user to decide.
-    FALSE: Don't lock screen.
-    TRUE: Lock screen.
-
 chrome.users.IdleSettingsExtended: Idle settings.
  lidCloseAction: TYPE_ENUM
    SLEEP: Sleep.
@@ -4770,9 +4858,6 @@ chrome.users.InsertKeyModifier: Control the shortcut used to trigger the Insert
  insertKeyModifier: TYPE_ENUM
    NONE: Setting a shortcut for the "Insert" action is disabled.
    SEARCH: Insert shortcut setting uses the shortcut that contains the search modifier.
-  insertKeyModifierSettingGroupPolicyMode: TYPE_ENUM
-    MANDATORY: Do not allow users to override.
-    RECOMMENDED: Allow users to override.

 chrome.users.IntegratedWebAuthenticationAllowed: Login credentials for network authentication.
  integratedWebAuthenticationAllowed: TYPE_BOOL
@@ -4871,6 +4956,11 @@ chrome.users.KerberosTickets: Kerberos tickets.
    true: Customize Kerberos configuration.
    false: Use default Kerberos configuration.

+chrome.users.KeyboardFocusableScrollersEnabled: Keyboard focusable scrollers.
+  keyboardFocusableScrollersEnabled: TYPE_BOOL
+    true: Allow scrollers to be focusable by default.
+    false: Do not allow scrollers to be focusable by default.
+
 chrome.users.KeyboardFocusHighlightEnabled: Keyboard focus highlighting.
  keyboardFocusHighlightEnabled: TYPE_ENUM
    UNSET: Allow the user to decide.
@@ -4908,6 +4998,14 @@ chrome.users.LensDesktopNtpSearchEnabled: New Tab page Google Lens button.
    true: Show the Google Lens button in the search box on the New Tab page.
    false: Do not show the Google Lens button in the search box on the New Tab page.

+chrome.users.LensOnGalleryEnabled: Lens Gallery App integration.
+  lensOnGalleryEnabled: TYPE_BOOL
+    true: Enable Lens integration.
+    false: Disable Lens integration.
+  lensOnGalleryEnabledSettingGroupPolicyMode: TYPE_ENUM
+    MANDATORY: Do not allow users to override.
+    RECOMMENDED: Allow users to override.
+
 chrome.users.LensRegionSearchEnabled: Google Lens region search.
  lensRegionSearchEnabled: TYPE_BOOL
    true: Enable Google Lens region search.
@@ -4933,6 +5031,11 @@ chrome.users.LockScreen: Lock screen.
    true: Allow locking screen.
    false: Do not allow locking screen.

+chrome.users.LockScreenAutoStartOnlineReauth: Lock screen online reauthentication.
+  lockScreenAutoStartOnlineReauth: TYPE_BOOL
+    true: Show users the online reauthentication screen.
+    false: Show users interstitial screens prior to online reauthentication.
+
 chrome.users.LockScreenMediaPlaybackEnabled: Lock screen media playback.
  lockScreenMediaPlaybackEnabled: TYPE_BOOL
    true: Allow users to play media when the device is locked.
@@ -4962,7 +5065,7 @@ chrome.users.ManagedBookmarksSetting: Managed bookmarks.

 chrome.users.MaxConnectionsPerProxy: Max connections per proxy.
  maxConnectionsPerProxy: TYPE_INT64
-    Maximium number of concurrent connections to the proxy server. Specifies the maximal number of simultaneous connections to the proxy server. The value of this policy should be lower than 100 and higher than 6 and the default value is 32.
+    Maximum number of concurrent connections to the proxy server. Specifies the maximal number of simultaneous connections to the proxy server. The value of this policy should be lower than 100 and higher than 6 and the default value is 32.

 chrome.users.MaxInvalidationFetchDelay: Policy fetch delay.
  duration: TYPE_STRING
@@ -5156,9 +5259,6 @@ chrome.users.PageUpAndPageDownKeysModifier: Control the shortcut used to trigger
    NONE: PageUp/PageDown settings are disabled.
    ALT: PageUp/PageDown settings use the shortcut that contains the alt modifier.
    SEARCH: PageUp/PageDown settings use the shortcut that contains the search modifier.
-  pageUpAndPageDownKeysModifierSettingGroupPolicyMode: TYPE_ENUM
-    MANDATORY: Do not allow users to override.
-    RECOMMENDED: Allow users to override.

 chrome.users.ParcelTrackingEnabled: Parcel tracking.
  parcelTrackingEnabled: TYPE_BOOL
@@ -5212,6 +5312,11 @@ chrome.users.PdfUseSkiaRendererEnabled: Renderer for PDF files.
    FALSE: Use AGG renderer for PDF files.
    TRUE: Use Skia renderer for PDF files.

+chrome.users.PdfViewerOutOfProcessIframeEnabled: PDF viewer.
+  pdfViewerOutOfProcessIframeEnabled: TYPE_BOOL
+    true: PDF viewer uses out-of-process iframe.
+    false: PDF viewer uses guest view.
+
 chrome.users.PersistentQuotaEnabled: Persistent quota for webkitRequestFileSystem.
  persistentQuotaEnabled: TYPE_BOOL
    true: Enable persistent quota.
@@ -5288,8 +5393,8 @@ chrome.users.Popups: Pop-ups.
 chrome.users.PostQuantumKeyAgreementEnabled: Post-quantum TLS.
  postQuantumKeyAgreementEnabled: TYPE_ENUM
    UNSET: Use the default Chrome setting.
-    FALSE: Do not allow Kyber key agreement for TLS.
-    TRUE: Allow Kyber key agreement for TLS.
+    FALSE: Do not allow post-quantum key agreement in TLS connections.
+    TRUE: Allow post-quantum key agreement in TLS connections.

 chrome.users.PpapiSharedImagesForVideoDecoderAllowed: Allow Pepper to use shared images for video decoding.
  ppapiSharedImagesForVideoDecoderAllowed: TYPE_BOOL
@@ -5345,6 +5450,11 @@ chrome.users.PrintingBackgroundGraphicsDefault: Background graphics printing def
    DISABLED: Disable background graphics printing mode by default.
    ENABLED: Enable background graphics printing mode by default.

+chrome.users.PrintingLpacSandboxEnabled: Printing LPAC Sandbox.
+  printingLpacSandboxEnabled: TYPE_BOOL
+    true: Run printing services in LPAC sandbox when available.
+    false: Run printing services in a less secure sandbox.
+
 chrome.users.PrintingMaxSheetsAllowed: Maximum sheets.
  value: TYPE_INT64

@@ -5459,6 +5569,11 @@ chrome.users.PromptOnMultipleMatchingCertificates: Prompt when multiple certific
    true: Prompt the user to select the client certificate whenever the auto-selection policy matches multiple certificates.
    false: Only prompt the user when no certificate matches the auto-selection.

+chrome.users.QrCodeGeneratorEnabled: QR Code Generator.
+  qrCodeGeneratorEnabled: TYPE_BOOL
+    true: Enable QR Code Generator.
+    false: Disable QR Code Generator.
+
 chrome.users.QuickAnswersEnabled: Quick Answers.
  quickAnswersEnabled: TYPE_BOOL
    true: Enable Quick Answers.
@@ -5803,7 +5918,7 @@ chrome.users.ShowCastSessionsStartedByOtherDevices: Show media controls for Goog
    FALSE: Do not show media controls for Google Cast sessions started by other devices.
    TRUE: Show media controls for Google Cast sessions started by other devices.

-chrome.users.ShowDisplaySizeScreenEnabled: Controls whether display size setting screen is displayed during sign-in.
+chrome.users.ShowDisplaySizeScreenEnabled: Display size setting during sign-in.
  showDisplaySizeScreenEnabled: TYPE_ENUM
    UNSET: Use the default Chrome setting.
    FALSE: Do not display the display size setting screen during sign-in.
@@ -5820,7 +5935,7 @@ chrome.users.ShowLogoutButton: Show sign-out button in tray.
    true: Show sign-out button in tray.
    false: Do not show sign-out button in tray.

-chrome.users.ShowTouchpadScrollScreenEnabled: Controls whether touchpad scroll direction screen is displayed during sign-in.
+chrome.users.ShowTouchpadScrollScreenEnabled: Touchpad scroll setting during sign-in.
  showTouchpadScrollScreenEnabled: TYPE_BOOL
    true: Display the touchpad scroll direction screen during sign-in.
    false: Do not display the touchpad scroll direction screen during sign-in.
@@ -5844,6 +5959,7 @@ chrome.users.SimpleProxySettings: Proxy mode.
  simpleProxyMode: TYPE_ENUM
    USER_CONFIGURED: Allow user to configure.
    DIRECT: Never use a proxy.
+    SYSTEM: Use system proxy settings.
    AUTO_DETECT: Always auto detect the proxy.
    FIXED_SERVERS: Always use the proxy specified in 'simpleProxyServerUrl'.
    PAC_SCRIPT: Always use the proxy auto-config specified in 'simpleProxyPacUrl'.
@@ -5935,6 +6051,11 @@ chrome.users.SslVersionMin: Minimum SSL version enabled.
    TL_SV_1_2: TLS 1.2.
    SSL_V_3: SSL3.

+chrome.users.StandardizedBrowserZoomEnabled: Zoom Behavior.
+  standardizedBrowserZoomEnabled: TYPE_BOOL
+    true: Standard CSS zoom.
+    false: Legacy CSS zoom.
+
 chrome.users.StartupPages: Pages to load on startup.
  restoreOnStartupUrls: TYPE_LIST
    Startup pages. Example: https://example.com.
@@ -5982,6 +6103,9 @@ chrome.users.SyncSettingsCbcm: Chrome Sync and Roaming Profiles (Chrome Browser
    {'value': 'browsing_history', 'description': 'Browsing history.'}
  roamingProfileLocationCbcm: TYPE_STRING
    Roaming profile directory. Configures the directory that Google Chrome will use for storing the roaming copy of the profiles.
+  profileReauthPrompt: TYPE_ENUM
+    DO_NOT_PROMPT: Do not prompt for re-authentication after authentication expiration.
+    PROMPT_IN_TAB: Prompt for re-authentication in a tab after authentication expiration.

 chrome.users.SyncSettingsCros: Chrome Sync (ChromeOS).
  syncDisabledCros: TYPE_BOOL
@@ -5996,6 +6120,12 @@ chrome.users.SystemFeaturesDisableList: Disabled system features.
  systemFeaturesDisableList: TYPE_LIST
    {'value': 'camera', 'description': 'Camera.'}

+chrome.users.SystemShortcutBehavior: Override system shortcuts.
+  systemShortcutBehavior: TYPE_ENUM
+    DEFAULT: Do not override system shortcuts.
+    SHOULD_IGNORE_COMMON_VDI_SHORTCUTS: Override some system shortcuts.
+    SHOULD_IGNORE_COMMON_VDI_SHORTCUTS_FULLSCREEN_ONLY: Override some system shortcuts while in fullscreen.
+
 chrome.users.SystemTerminalSshAllowed: SSH in terminal system app.
  systemTerminalSshAllowed: TYPE_ENUM
    UNSET: Use the default Chrome setting.
@@ -6169,8 +6299,6 @@ chrome.users.UserDownloadDirectory: Download location.
    LOCAL_FOLDER_DEFAULT: Set local Downloads folder as default, but allow user to change.
    GOOGLE_DRIVE_DEFAULT: Set Google Drive as default, but allow user to change.
    GOOGLE_DRIVE_FORCED: Force Google Drive.
-    ONEDRIVE_DEFAULT: Set OneDrive as default, but allow user to change.
-    ONEDRIVE_FORCED: Force OneDrive.

 chrome.users.UserEnrollmentNudging: Initial sign-in.
  userEnrollmentNudging: TYPE_ENUM
@@ -6377,4 +6505,5 @@ chrome.users.ZstdContentEncodingEnabled: Zstd compression.
  zstdContentEncodingEnabled: TYPE_BOOL
    true: Allow zstd-compressed web content.
    false: Do not allow zstd-compressed web content.
-```
+
+```
--- a/docs/ChromeOS-Devices.md
+++ b/docs/ChromeOS-Devices.md
@@ -71,7 +71,7 @@ gam <Command> cros <CrOSEntity> ...
 ```
 The first form allows more powerful selection of devices with `<CrOSTypeEntity>`.

-The second form is backwards compatible with Standard GAM and selection with `<CrOSEntity>` is limited.
+The second form is backwards compatible with Legacy GAM and selection with `<CrOSEntity>` is limited.

 ## Definitions
 * [`<CrOSTypeEntity>`](Collections-of-ChromeOS-Devices)
@@ -253,6 +253,9 @@ Enter `id:` as the operator. For example, if you are searching for the serial nu

 Partial serial number searches are supported, as long as you enter at least three characters in the serial number.

+All serial number searches are partial, be careful that you don't enter a partial serial number by mistake
+when actioning/modifying devices as you will affect multiple devices rather than the single desired device.
+
 ### Status
 To view all provisioned or deprovisioned devices, select the status from the left drop-down, and all of the devices that fit this criterion will appear in the view. Alternatively, you can do the following searches from the All devices view:

@@ -391,7 +394,7 @@ given if invalid CrOS deviceIds are specified.
 ### Example: Add ChromeOS devices to a single OU
 Suppose you have a CSV file cros.csv with a single column: deviceId
 ```
-gam update ou /Students/2022 add cros_csvfile cros.csv:deviceId quickcrosmove
+gam update ou /Students/2022 add croscsvfile cros.csv:deviceId quickcrosmove
 ```

 ### Example: Add ChromeOS devices to multiple OUs
@@ -465,7 +468,7 @@ gam getcommand cros <CrOSEntity> commandid <CommandID> [times_to_check_status <I
 ### Action Examples
 Remove user profile data from the device; the device will remain enrolled and connected.
 User data not synced to the Cloud including Downloads, Android app data and Crostini Linux VMs will be permanently lost.
-Commands with issuecommand directly after gam will work with standard GAM & GAMADV-XTD3, whereas commands where the issuecommand is after the cros <CrOSTypeEntity> will work only with GAMADV-XTD3. 
+Commands with issuecommand directly after gam will work with Legacy GAM & GAM7, whereas commands where the issuecommand is after the cros <CrOSTypeEntity> will work only with GAM7. 
 ```
 gam issuecommand cros dd1d659a-0ea4-4e94-905e-4726c7a5f1e9 command wipe_users doit
 ```
--- a/docs/Classroom-Courses.md
+++ b/docs/Classroom-Courses.md
@@ -134,6 +134,7 @@ gam user user@domain.com check|update serviceaccount
        creationtime|
        creator|creatoruserid|
        id|
+        individualstudentsoptions|
        materials|
        scheduledtime|
        state|
@@ -154,6 +155,7 @@ gam user user@domain.com check|update serviceaccount
        creator|creatoruserid|
        description|
        id|
+        individualstudentsoptions|
        materials|
        scheduledtime|
        state|
@@ -179,6 +181,7 @@ gam user user@domain.com check|update serviceaccount
        duedate|
        duetime|
        id|
+        individualstudentsoptions|
        materials|
        maxpoints|
        scheduledtime|
@@ -187,6 +190,7 @@ gam user user@domain.com check|update serviceaccount
        title|
        topicid|
        updatetime|
+        workid|
        worktype
 <CourseWorkFieldNameList> ::= "<CourseWorkFieldName>(,<CourseWorkFieldName>)*"

@@ -270,11 +274,14 @@ The options `name <String>` and `teacher <UserItem>` are required when creating
 gam create|add course [id|alias <CourseAlias>] <CourseAttribute>*
        [copyfrom <CourseID>
            [announcementstates <CourseAnnouncementStateList>]
+                [individualstudentannouncements copy|delete|maptoall]
            [materialstates <CourseMaterialStateList>]
+                [individualstudentmaterials copy|delete|maptoall]
            [workstates <CourseWorkStateList>]
-                [individualstudentassignments copy|delete|maptoall]
+                [individualstudentcoursework copy|delete|maptoall]
                [removeduedate [<Boolean>]]
                [mapsharemodestudentcopy edit|none|view]
+            [individualstudentassignments copy|delete|maptoall]
            [copymaterialsfiles [<Boolean>]]
            [copytopics [<Boolean>]]
            [markdraftaspublished [<Boolean>]]
@@ -285,11 +292,14 @@ gam create|add course [id|alias <CourseAlias>] <CourseAttribute>*
 gam update course <CourseID> <CourseAttribute>+
        [copyfrom <CourseID>
            [announcementstates <CourseAnnouncementStateList>]
+                [individualstudentannouncements copy|delete|maptoall]
            [materialstates <CourseMaterialStateList>]
+                [individualstudentmaterials copy|delete|maptoall]
            [workstates <CourseWorkStateList>]
-                [individualstudentassignments copy|delete|maptoall]
+                [individualstudentcoursework copy|delete|maptoall]
                [removeduedate [<Boolean>]]
                [mapsharemodestudentcopy edit|none|view]
+            [individualstudentassignments copy|delete|maptoall]
            [copymaterialsfiles [<Boolean>]]
            [copytopics [<Boolean>]]
            [markdraftaspublished [<Boolean>]]
@@ -299,11 +309,14 @@ gam update course <CourseID> <CourseAttribute>+
 gam update courses <CourseEntity> <CourseAttribute>+
        [copyfrom <CourseID>
            [announcementstates <CourseAnnouncementStateList>]
+                [individualstudentannouncements copy|delete|maptoall]
            [materialstates <CourseMaterialStateList>]
+                [individualstudentmaterials copy|delete|maptoall]
            [workstates <CourseWorkStateList>]
-                [individualstudentassignments copy|delete|maptoall]
+                [individualstudentcoursework copy|delete|maptoall]
                [removeduedate [<Boolean>]]
                [mapsharemodestudentcopy edit|none|view]
+            [individualstudentassignments copy|delete|maptoall]
            [copymaterialsfiles [<Boolean>]]
            [copytopics [<Boolean>]]
            [markdraftaspublished [<Boolean>]]
@@ -314,15 +327,25 @@ gam update courses <CourseEntity> <CourseAttribute>+
 `copyfrom <CourseID>` allows copying of course announcements, work, topics and members from one course to another.
 * Accouncements - By default, no course announcements are copied
    * `announcementstates <CourseAnnouncementStateList>` - Copy class announcements with the specified states
+        * `individualstudentannouncements copy` - Copy individual student announcements; this is the default. You will get an error if a student is not a member of the course
+        * `individualstudentannouncements delete` - Delete individual student announcements
+        * `individualstudentannouncements maptoall` - Map individual student announcements to all student announcements
 * Materials - By default, no course materials are copied
    * `materialstates <CourseMaterialsStateList>` - Copy class materials with the specified states
+        * `individualstudentmaterials copy` - Copy individual student materials; this is the default. You will get an error if a student is not a member of the course
+        * `individualstudentmaterials delete` - Delete individual student materials
+        * `individualstudentmaterials maptoall` - Map individual student materials to all student materials
 * Work - By default, no course work is copied
    * `workstates <CourseWorkStateList>` - Copy class work with the specified states
-        * `individualstudentassignments copy` - Copy individual student assignments; this is the default. You will get an error if the student is not a member of the course.
-        * `individualstudentassignments delete` - Delete individual student assignments
-        * `individualstudentassignments maptoall` - Map individual student assignments to all student assignments
+        * `individualstudentcoursework copy` - Copy individual student coursework; this is the default. You will get an error if the student is not a member of the course
+        * `individualstudentcoursework delete` - Delete individual student coursework
+        * `individualstudentcoursework maptoall` - Map individual student coursework to all student coursework
        * `removeduedate false` - Remove due dates before the current time; this is the default
        * `removeduedate|removeduedate true` - Remove all due dates
+* For convenience, setting `individualstudentassignments` sets all the following to the same value:
+    * `individualstudentannouncements`
+    * `individualstudentmaterials`
+    * `individualstudentcoursework`
 * Announcements, Materials and Work Materials files
    * `copymaterialsfiles false` - Copy links to files referenced by materials in the `copyfrom` course; this is the default
    * `copymaterialsfiles|copymaterialsfiles true` - Copy files referenced by materials in the `copyfrom` course
@@ -354,7 +377,7 @@ Drive files with `shareMode` `Each student will get a copy` don't seem to be abl

 ## Delete courses
 Classes can only be deleted when they are in the ARCHIVED state; to delete a class, you can update its state to ARCHIVED
-and then delete it or you can specify that it be archived as part of the delete command.
+and then delete it or you can specify that it be archived as parot of the delete command.
 ```
 gam delete course <CourseID> [archived]
 gam delete courses <CourseEntity> [archived]
@@ -472,8 +495,9 @@ gam print course-announcements [todrive <ToDriveAttribute>*]
        (course|class <CourseEntity>)*|([teacher <UserItem>] [student <UserItem>] states <CourseStateList>])
        (courseannouncementids <CourseAnnouncementIDEntity>)|(announcementstates <CourseAnnouncementStateList>)*
        (orderby <CourseAnnouncementOrderByFieldName> [ascending|descending])*)
-        [creatoremail] [fields <CourseAnnouncementFieldNameList>] [formatjson [quotechar <Character>]]
+        [creatoremail] [fields <CourseAnnouncementFieldNameList>]
        [timefilter creationtime|updatetime|scheduledtime] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
+        [countsonly] [formatjson [quotechar <Character>]]
 ```
 By default, the `print course-announcements` command displays course announcement information for all courses.

@@ -502,6 +526,8 @@ By default, all course announcement fields are displayed; use the following opti
 * `creatoremail` - Display course announcement creator email; requires an additional API call per course announcement.
 * `fields <CourseAnnouncementFieldNameList>` - Select specific fields to display.

+Use the `countsonly` option to display the number of announcements in a course but not their details.
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.

@@ -517,8 +543,9 @@ gam print course-materials [todrive <ToDriveAttribute>*]
        (course|class <CourseEntity>)*|([teacher <UserItem>] [student <UserItem>] states <CourseStateList>])
        (materialids <CourseMaterialIDEntity>)|(materialstates <CourseMaterialStateList>)*
        (orderby <CourseMaterialOrderByFieldName> [ascending|descending])*)
-        [showcreatoremails|creatoremail] [showtopicnames] [fields <CourseMaterialFieldNameList>] [formatjson [quotechar <Character>]]
+        [showcreatoremails|creatoremail] [showtopicnames] [fields <CourseMaterialFieldNameList>]
        [timefilter creationtime|updatetime|scheduledtime] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
+        [countsonly] [formatjson [quotechar <Character>]]
 ```
 By default, the `print course-materials` command displays course materials information for all courses.

@@ -548,6 +575,8 @@ By default, all course materials fields are displayed; use the following options
 * `showtopicnames` - Display topic names; requires and additional API call per course.
 * `fields <CourseMaterialsFieldNameList>` - Select specific fields to display.

+Use the `countsonly` option to display the number of course materials in a course but not their details.
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.

@@ -562,8 +591,8 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 gam print course-topics [todrive <ToDriveAttribute>*]
        (course|class <CourseEntity>)*|([teacher <UserItem>] [student <UserItem>] states <CourseStateList>])
        (coursetopicids <CourseTopicIDEntity>)
-        [formatjson [quotechar <Character>]]
        [timefilter updatetime] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
+        [countsonly] [formatjson [quotechar <Character>]]
 ```
 By default, the `print course-topics` command displays course topic information for all courses.

@@ -588,6 +617,8 @@ To get information about course topics updated within a particular time frame, u
 * `end|endtime <Date>|<Time>` - specify the end of the time frame; if not specified, the time frame will be open ended at the end
 For the filter to apply, `timefilter` and at least one of `start|starttime` and `end|endtime` must be specified.

+Use the `countsonly` option to display the number of topics in a course but not their details.
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.

@@ -603,8 +634,10 @@ gam print course-work [todrive <ToDriveAttribute>*]
        (course|class <CourseEntity>)*|([teacher <UserItem>] [student <UserItem>] states <CourseStateList>])
        (workids <CourseWorkIDEntity>)|(workstates <CourseWorkStateList>)*
        (orderby <CourseWorkOrderByFieldName> [ascending|descending])*)
-        [showcreatoremails] [showtopicnames] [fields <CourseWorkFieldNameList>] [formatjson [quotechar <Character>]]
+        [showcreatoremails] [showtopicnames] [fields <CourseWorkFieldNameList>]
+        [showstudentsaslist [<Boolean>]] [delimiter <Character>]
        [timefilter creationtime|updatetime|scheduledtime] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
+        [countsonly] [formatjson [quotechar <Character>]]
 ```
 By default, the `print course-work` command displays course work information for all courses.

@@ -625,7 +658,7 @@ To get information about course work created/updated/scheduled within a particul
 * `end|endtime <Date>|<Time>` - specify the end of the time frame; if not specified, the time frame will be open ended at the end
 For the filter to apply, `timefilter` and at least one of `start|starttime` and `end|endtime` must be specified.

-By default, all pub`lished course work for a course is displayed; use the following options to select specific course work.
+By default, all published course work for a course is displayed; use the following options to select specific course work.
 * `workids <CourseWorkIDEntity>` - Display course work with the IDs specified in `<CourseWorkIDEntity>`.
 * `workstates <CourseWorkStateList>` - Display course work with any of the specified states.

@@ -634,6 +667,11 @@ By default, all course work fields are displayed; use the following options to m
 * `showtopicnames` - Display topic names; requires and additional API call per course.
 * `fields <CourseWorkFieldNameList>` - Select specific fields to display.

+By default, when course work is assigned to individual students, the student IDs are displayed in multiple indexed columns.
+Use options `showstudentsaslist [<Boolean>]` and `delimiter <Character>` to display the student IDs is a single column as a delimited list.
+
+Use the `countsonly` option to display the number of course works in a course but not their details.
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.

@@ -650,8 +688,9 @@ gam print course-submissions [todrive <ToDriveAttribute>*]
        (workids <CourseWorkIDEntity>)|(workstates <CourseWorkStateList>)*
        (orderby <CourseWorkOrderByFieldName> [ascending|descending])*)
        (submissionids <CourseSubmissionIDEntity>)|(submissionstates <CourseSubmissionStateList>)*) [late|notlate]
-        [fields <CourseSubmissionFieldNameList>] [showuserprofile] [formatjson [quotechar <Character>]]
+        [fields <CourseSubmissionFieldNameList>] [showuserprofile]
        [timefilter creationtime|updatetime] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
+        [countsonly] [formatjson [quotechar <Character>]]
 ```
 By default, the `print course-submissions` command displays course submission information for all course work for all courses.

@@ -676,7 +715,7 @@ By default, all course submissions for a course work is displayed; use the follo
 * `late` - Display course submissions marked late.
 * `notlate` - Display course submissions not marked late.

-To get information about course submissionss created/updated within a particular time frame, use the following options.
+To get information about course submissions created/updated within a particular time frame, use the following options.
 * `timefilter creationtime|updatetime` - select which event to filter
 * `start|starttime <Date>|<Time>` - specify the start of the time frame; if not specified, the time frame will be open ended at the start
 * `end|endtime <Date>|<Time>` - specify the end of the time frame; if not specified, the time frame will be open ended at the end
@@ -689,6 +728,8 @@ By default, only the numeric userId is displayed; use the `showuserprofile` opti
 You can only get profile information if the scope `https://www.googleapis.com/auth/classroom.profile.emails` is enabled
 for service account access; verify with `gam <UserTypeEntity> update serviceaccount`.

+Use the `countsonly` option to display the number of submissions in a course but not their details.
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.

--- a/docs/Collections-of-ChromeOS-Devices.md
+++ b/docs/Collections-of-ChromeOS-Devices.md
@@ -50,6 +50,8 @@

 <UserGoogleDoc> ::=
        <EmailAddress> <DriveFileIDEntity>|<DriveFileNameEntity>|(<SharedDriveEntity> <SharedDriveFileNameEntity>)
+
+<SheetEntity> ::= <String>|id:<Number>
 <UserGoogleSheet> ::=
        <EmailAddress> <DriveFileIDEntity>|<DriveFileNameEntity>|(<SharedDriveEntity> <SharedDriveFileNameEntity>) <SheetEntity>

--- a/docs/Collections-of-Items.md
+++ b/docs/Collections-of-Items.md
@@ -200,12 +200,17 @@ Data fields identified in a `csvkmd` argument.
        all_shortcuts |
        all_3p_shortcuts |
        all_items |
+        my_docs |
        my_files |
        my_folders |
        my_forms |
        my_google_files |
        my_non_google_files |
+        my_presentations |
+        my_publishable_items |
+        my_sheets |
        my_shortcuts |
+        my_slides |
        my_3p_shortcuts |
        my_items |
        my_top_files |
--- a/docs/Collections-of-Users.md
+++ b/docs/Collections-of-Users.md
@@ -55,6 +55,8 @@

 <UserGoogleDoc> ::=
        <EmailAddress> <DriveFileIDEntity>|<DriveFileNameEntity>|(<SharedDriveEntity> <SharedDriveFileNameEntity>)
+
+<SheetEntity> ::= <String>|id:<Number>
 <UserGoogleSheet> ::=
        <EmailAddress> <DriveFileIDEntity>|<DriveFileNameEntity>|(<SharedDriveEntity> <SharedDriveFileNameEntity>) <SheetEntity>
 ```
@@ -88,8 +90,6 @@
        <SharedDriveIDEntity> |
        <SharedDriveNameEntity>

-<SheetEntity> ::= <String>|id:<Number>
-
 <UserTypeEntity> ::=
        (all users|users_ns|users_susp|users_ns_susp)|
        (user <UserItem>)|
--- a/docs/Command-Logging-Progress.md
+++ b/docs/Command-Logging-Progress.md
@@ -35,7 +35,7 @@ The log file being written to is always `gam.log`. When this log file is filled,

 Commands are logged at completion with a timestamp, return code and the command line
 ```
-2021-08-01T19:350:30.777-07:00,0,/Users/admin/bin/gamadv-xtd3/gam info domain
+2021-08-01T19:350:30.777-07:00,0,/Users/admin/bin/gam7/gam info domain
 ```

 Commands that generate sub-commands, `gam batch|tbatch|csv|loop`, log the initial command with a return code of `*`,
@@ -44,14 +44,14 @@ the sub-command lines and the initial command with a numeric return code.
 $ gam redirect stdout usernames.csv multiprocess redirect stderr stdout csv users.csv gam info user "~primaryEmail" quick name
 2021-08-01T19:50:38.151-07:00,0/6,Using 6 processes...
 $ more ~/.gam/gam.log
-2021-08-01T19:50:38.120-07:00,*,/Users/admin/bin/gamadv-xtd3/gam redirect stdout usernames.csv multiprocess redirect stderr stdout csv users.csv showcmds false gam info user "~primaryEmail" quick name
+2021-08-01T19:50:38.120-07:00,*,/Users/admin/bin/gam7/gam redirect stdout usernames.csv multiprocess redirect stderr stdout csv users.csv showcmds false gam info user "~primaryEmail" quick name
 2021-08-01T19:50:39.144-07:00,0,gam info user testuser2 quick name
 2021-08-01T19:50:39.358-07:00,0,gam info user testuser3 quick name
 2021-08-01T19:50:39.358-07:00,0,gam info user testuser1 quick name
 2021-08-01T19:50:39.401-07:00,0,gam info user testuser5 quick name
 2021-08-01T19:50:39.459-07:00,56,gam info user testuserx quick name
 2021-08-01T19:50:39.470-07:00,0,gam info user testuser4 quick name
-2021-08-01T19:50:39.483-07:00,0,/Users/admin/bin/gamadv-xtd3/gam redirect stdout usernames.csv multiprocess redirect stderr stdout csv users.csv showcmds false gam info user "~primaryEmail" quick name
+2021-08-01T19:50:39.483-07:00,0,/Users/admin/bin/gam7/gam redirect stdout usernames.csv multiprocess redirect stderr stdout csv users.csv showcmds false gam info user "~primaryEmail" quick name
 ```

 ## Command Progress
--- a/docs/Downloads-Installs-GAM7.md
+++ b/docs/Downloads-Installs-GAM7.md
@@ -0,0 +1,56 @@
+# Downloads-Installs-GAM7
+You can download and install the current GAM7 release from the [GitHub Releases](https://github.com/GAM-team/GAM/releases/latest) page.
+Choose one of the following:
+
+* Executable Archive, Automatic, Linux/Mac OS/Google Cloud Shell/Raspberry Pi/ChromeOS
+  - Start a terminal session and execute one of the following commands:
+  - New install, default path `$HOME/bin`
+    - `bash <(curl -s -S -L https://git.io/gam-install)`
+  - New install, specify a path
+    - `bash <(curl -s -S -L https://git.io/gam-install) -d <Path>`
+  - Update to latest version, do not create project or authorizations, default path `$HOME/bin`
+    - `bash <(curl -s -S -L https://git.io/gam-install) -l`
+  - Update to latest version, do not create project or authorizations, specify a path
+    - `bash <(curl -s -S -L https://git.io/gam-install) -l -d <Path>`
+
+By default, a folder, `gam7`, is created in the default or specified path and the files are downloaded into that folder.
+Add the `-s` option to the end of the above commands to suppress creating the `gam7` folder; the files are downloaded directly into the default or specified path.
+
+* Executable Archive, Manual, Linux/Google Cloud Shell
+  - `gam-7.wx.yz-linux-x86_64-glibc2.35.tar.xz`
+  - `gam-7.wx.yz-linux-x86_64-glibc2.31.tar.xz`
+  - `gam-7.wx.yz-linux-x86_64-legacy.tar.xz`
+  - Download the archive, extract the contents into some directory.
+  - Start a terminal session.
+
+* Executable Archive, Manual, Raspberry Pi/ChromeOS ARM devices
+  - `gam-7.wx.yz-linux-aarch-glibc2.31.tar.xz`
+  - `gam-7.wx.yz-linux-aarch-legacy.tar.xz`
+  - Download the archive, extract the contents into some directory.
+  - Start a terminal session.
+
+* Executable Archive, Manual, Mac OS versions Big Sur, Monterey, Ventura - M1/M2
+  - `gam-7.wx.yz-macos-aarch.tar.xz`
+  - Download the archive, extract the contents into some directory.
+  - Start a terminal session.
+
+* Executable Archive, Manual, Mac OS, versions Big Sur, Monterey, Ventura - Intel
+  - `gam-7.wx.yz-macos-x86_64.tar.xz`
+  - Download the archive, extract the contents into some directory.
+  - Start a terminal session.
+
+* Executable Archive, Manual, Windows 64 bit
+  - `gam-7.wx.yz-windows-x86_64.zip`
+  - Download the archive, extract the contents into some directory.
+  - Start a Command Prompt/PowerShell session.
+
+* Executable Installer, Manual, Windows 64 bit
+  - `gam-7.wx.yz-windows-x86_64.msi`
+  - Download the installer and run it.
+  - Start a Command Prompt/PowerShell session.
+
+* Source, all platforms
+  - `Source code(zip)`
+  - `Source code(tar.gz)`
+  - Download the archive, extract the contents into some directory.
+  - Start a terminal/Command Prompt/PowerShell session.
--- a/docs/Downloads-Installs.md
+++ b/docs/Downloads-Installs.md
@@ -1,5 +1,5 @@
 # Downloads-Installs
-You can download and install the current GAMADV-XTD3 release from the [GitHub Releases](https://github.com/taers232c/GAMADV-XTD3/releases) page. Choose one of the following:
+You can download and install the current GAM7 release from the [GitHub Releases](https://github.com/taers232c/GAMADV-XTD3/releases) page. Choose one of the following:

 * Executable Archive, Automatic, Linux/Mac OS/Google Cloud Shell/Raspberry Pi/ChromeOS
  - Start a terminal session and execute one of the following commands:
--- a/docs/Drive-File-Selection.md
+++ b/docs/Drive-File-Selection.md
@@ -55,12 +55,17 @@
        all_shortcuts |
        all_3p_shortcuts |
        all_items |
+        my_docs |
        my_files |
        my_folders |
        my_forms |
        my_google_files |
        my_non_google_files |
+        my_presentations |
+        my_publishable_items |
+        my_sheets |
        my_shortcuts |
+        my_slides |
        my_3p_shortcuts |
        my_items |
        my_top_files |
@@ -78,7 +83,7 @@

 <SharedDriveID> ::= <String>
 <SharedDriveName> ::= <String>
-<SharedDriveIDEntity> ::= (teamdriveid <DriveFileItem>) | (teamdriveid:<DriveFileItem>)
+<SharedDriveIDEntity> ::= (teamdriveid <SharedDriveID>) | (teamdriveid:<SharedDriveID>)
 <SharedDriveNameEntity> ::= (teamdrive <SharedDriveName>) | (teamdrive:<SharedDriveName>)
 <SharedDriveFileNameEntity> ::= (teamdrivefilename <DriveFileName>) | (teamdrivefilename:<DriveFileName>)

@@ -214,7 +219,7 @@ By default, all types of files and folders are displayed; you can specify a list
 <MimeTypeList> ::= "<MimeType>(,<MimeType>)*"
 ```
 This is the mapping from `<MimeTypeShortcut>` to MIME type.
-* `gdoc|gdocument` - 'application/vnd.google-apps.document
+* `gdoc|gdocument` - application/vnd.google-apps.document
 * `gdrawing` - application/vnd.google-apps.drawing
 * `gfile` - application/vnd.google-apps.file
 * `gfolder|gdirectory` - application/vnd.google-apps.folder
@@ -246,30 +251,37 @@ The options combine ownership and broad MIME type selections.
 ```
 <DriveFileQueryShortcut> ::=
        all_files | all_folders | all_google_files | all_non_google_files | all_items |
-        my_files | my_folders | my_google_files | my_non_google_files | my_items |
+        my_docs | my_files | my_folders | my_forms | my_google_files | my_non_google_files | my_items |
+        my_presentations | my_publishable_items | my_sheets | my_slides |
        my_top_files | my_top_folders | my_top_items |
        others_files | others_folders | others_google_files | others_non_google_files | others_items |
        writable_files
 ```
-* all_files - "mimeType != application/vnd.google-apps.folder"
-* all_folders - "mimeType = application/vnd.google-apps.folder"
-* all_google_files - "mimeType != application/vnd.google-apps.folder and mimeType contains 'vnd.google'"
+* all_files - "mimeType != 'application/vnd.google-apps.folder'"
+* all_folders - "mimeType = 'application/vnd.google-apps.folder'"
+* all_google_files - "mimeType != 'application/vnd.google-apps.folder' and mimeType contains 'vnd.google'"
 * all_non_google_files - "not mimeType contains 'vnd.google'"
 * all_items - "" (An empty query specifies all files and folders)
-* my_files - "'me' in owners and mimeType != application/vnd.google-apps.folder"
-* my_folders - "'me' in owners and mimeType = application/vnd.google-apps.folder"
-* my_google_files - "'me' in owners and mimeType != application/vnd.google-apps.folder and mimeType contains 'vnd.google'"
+* my_docs - "'me' in owners and mimeType = 'application/vnd.google-apps.document'"
+* my_files - "'me' in owners and mimeType != 'application/vnd.google-apps.folder'"
+* my_folders - "'me' in owners and mimeType = 'application/vnd.google-apps.folder'"
+* my_forms - "'me' in owners and mimeType = 'application/vnd.google-apps.form'"
+* my_google_files - "'me' in owners and mimeType != 'application/vnd.google-apps.folder' and mimeType contains 'vnd.google'"
 * my_non_google_files - "'me' in owners and not mimeType contains 'vnd.google'"
+* my_presentations - "'me' in owners and mimeType = 'application/vnd.google-apps.presentation'"
+* my_publishable_items - "'me' in owners and (mimeType = 'application/vnd.google-apps.document' or mimeType = 'application/vnd.google-apps.form' or mimeType = 'application/vnd.google-apps.presentation' or mimeType = 'application/vnd.google-apps.spreadsheet')"
+* my_sheets - "'me' in owners and mimeType = 'application/vnd.google-apps.spreadsheet'"
+* my_slides - "'me' in owners and mimeType = 'application/vnd.google-apps.presentation'"
 * my_items - "'me' in owners"
-* my_top_files - "'me' in owners and mimeType != application/vnd.google-apps.folder and 'root' in parents"
-* my_top_folders - "'me' in owners and mimeType = application/vnd.google-apps.folder and 'root' in parents"
+* my_top_files - "'me' in owners and mimeType != 'application/vnd.google-apps.folder' and 'root' in parents"
+* my_top_folders - "'me' in owners and mimeType = 'application/vnd.google-apps.folder' and 'root' in parents"
 * my_top_items - "'me' in owners and 'root' in parents"
-* others_files - "not 'me' in owners and mimeType != application/vnd.google-apps.folder"
-* others_folders - "not 'me' in owners and mimeType = application/vnd.google-apps.folder"
-* others_google_files - "not 'me' in owners and mimeType != application/vnd.google-apps.folder and mimeType contains 'vnd.google'"
+* others_files - "not 'me' in owners and mimeType != 'application/vnd.google-apps.folder'"
+* others_folders - "not 'me' in owners and mimeType = 'application/vnd.google-apps.folder'"
+* others_google_files - "not 'me' in owners and mimeType != 'application/vnd.google-apps.folder' and mimeType contains 'vnd.google'"
 * others_non_google_files - "not 'me' in owners and not mimeType contains 'vnd.google'"
 * others_items - "not 'me' in owners"
-* writable_files - "'me' in writers and mimeType != application/vnd.google-apps.folder"
+* writable_files - "'me' in writers and mimeType != 'application/vnd.google-apps.folder'"

 ## Select based on file size
 For these filters, GAM processes then after the list of files is downloaded. You can combine these
@@ -291,7 +303,7 @@ Use [Permission matches](#permission-matches) to limit the display to files with
 ### Examples
 ```
 gam user testuser show fileinfo query "name='Test File'"
-gam user testuser show fileinfo query:"name='Test Folder' and mimeType=application/vnd.google-apps.folder"
+gam user testuser show fileinfo query:"name='Test Folder' and mimeType='application/vnd.google-apps.folder'"
 gam user testuser print filelist my_non_google_files
 ```
 ## Select root folder
@@ -353,9 +365,9 @@ See: [Drive Query](https://developers.google.com/drive/api/v3/search-files)
        all_files | all_folders | all_google_files | all_non_google_files | all_items
 ```
 Keyword to query mappings for `<DriveFileQueryShortcut>`:
-* all_files - "mimeType != application/vnd.google-apps.folder"
-* all_folders - "mimeType = application/vnd.google-apps.folder"
-* all_google_files - "mimeType != application/vnd.google-apps.folder and mimeType contains 'vnd.google'"
+* all_files - "mimeType != 'application/vnd.google-apps.folder'"
+* all_folders - "mimeType = 'application/vnd.google-apps.folder'"
+* all_google_files - "mimeType != 'application/vnd.google-apps.folder' and mimeType contains 'vnd.google'"
 * all_non_google_files - "not mimeType contains 'vnd.google'"
 * all_items - "" (An empty query specifies all files and folders)

--- a/docs/Drive-REST-API-v3.md
+++ b/docs/Drive-REST-API-v3.md
@@ -4,7 +4,7 @@ Many of the changes are internal to Gam and have no visible effect. Google has m
 A variable, `drive_v3_native_names` (default value is True), has been added to `gam.cfg` to control the field names on output: when True, the v3 native field names are used; when False, the v3 native field names are mapped to the v2 field names.

 If you have scripts that process the output from these print commands, you may have to make modifications to your scripts.
-Run your print/show commands with a version of Standard Gam and save the output.
+Run your print/show commands with a version of Legacy Gam and save the output.
 With drive_v3_native_names = False, run your print/show commands with this version of Gam and compare the output to that saved in the previous run;
 modify your scripts that process the output as appropriate.

--- a/docs/Find-File-Owner.md
+++ b/docs/Find-File-Owner.md
@@ -47,7 +47,7 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara

 ## Display File Ownership for Old files
 If the above commands fail, you can try to loop through all accounts, however this might take a long time if you are on a large Google Workspace Account.
-
+If any lines are displayed, the file owner is in the `owners.0.emailAddress` column.
 ```
 gam config auto_batch_min 1 multiprocessexit rc=0 redirect csv - multiprocess redirect stderr null multiprocess all users print filelist select id <DriveFileID> fields id,name,owners.emailaddress norecursion showownedby any
 gam config auto_batch_min 1 multiprocessexit rc=0 redirect csv - multiprocess redirect stderr null multiprocess all users print filelist select name <DriveFileName> fields id,name,owners.emailaddress norecursion showownedby any
--- a/docs/GAM-Return-Codes.md
+++ b/docs/GAM-Return-Codes.md
@@ -1,6 +1,6 @@
 # GAM Return Codes

-These are the return codes used by GAMADV-XTD3.
+These are the return codes used by GAM7.

 ```
 SUCCESS_RC = 0
--- a/docs/GAM7-on-Android-Devices.md
+++ b/docs/GAM7-on-Android-Devices.md
@@ -0,0 +1,16 @@
+# GAM7 on Android Devices
+GAM7 now runs on 64-bit Android devices such as Google's Pixel phones. The installation requires an app that adds the Linux environment to Android such as [UserLAnd](https://play.google.com/store/apps/details?id=tech.ula&hl=en_US).
+
+_Note: Chromebooks / Chrome OS devices should install GAM7 using [these instructions](GAM7-on-Chrome-OS-Devices)._
+
+1. Install the [UserLAnd](https://play.google.com/store/apps/details?id=tech.ula&hl=en_US) app.
+2. Click Debian to install a Debian environment.
+3. Set a username and password.
+4. Choose SSH for connection type.
+5. Once setup, login with the password to get to a Linux shell.
+6. Run the following commands to install prerequisites:
+```
+    sudo apt update
+    sudo apt install curl python3
+```
+7. [How to Install Advanced GAM](How-to-Install-Advanced-GAM)
--- a/docs/GAM7-on-Chrome-OS-Devices.md
+++ b/docs/GAM7-on-Chrome-OS-Devices.md
@@ -0,0 +1,14 @@
+# GAM7 on Chrome OS Devices
+Chrome OS devices that [support Linux apps](https://support.google.com/chromebook/answer/9145439?hl=en) can run GAM7. This includes Intel/AMD x86_64 Chromebooks as well as ARM-based Chromebooks with Mediatek or Rockchip 64-bit CPUs.
+
+1. [Set up Linux on your Chromebook](https://support.google.com/chromebook/answer/9145439?hl=en).
+1. From the Terminal app, run the following commands:
+```
+    sudo apt update
+    sudo apt install xz-utils
+```
+3. [How to Install Advanced GAM](How-to-Install-Advanced-GAM)
+
+# Google cloud shell
+
+Note that from a Chrome OS device, it might be just as easy to use [Google Cloud Shell](https://cloud.google.com/shell). Especially if you are concerned about network connectivity and/or bandwidth, using a shell instance within Google's server infrastructure is always going to be less resource intensive than sending data back and forth between a Google API and your local machine on your local network.
--- a/docs/GamUpdates.md
+++ b/docs/GamUpdates.md
@@ -1,14 +1,352 @@
-# Update GAMADV-XTD3 to latest version
+# Update GAM7 to latest version
 Automatic update to the latest version on Linux/Mac OS/Google Cloud Shell/Raspberry Pi/ChromeOS:
 - Do not create project or authorizations, default path `$HOME/bin`
-  - `bash <(curl -s -S -L https://raw.githubusercontent.com/taers232c/GAMADV-XTD3/master/src/gam-install.sh) -l`
+  - `bash <(curl -s -S -L https://git.io/gam-install) -l`
 - Do not create project or authorizations, specify a path
-  - `bash <(curl -s -S -L https://raw.githubusercontent.com/taers232c/GAMADV-XTD3/master/src/gam-install.sh) -l -d <Path>`
+  - `bash <(curl -s -S -L https://git.io/gam-install) -l -d <Path>`

-By default, a folder, `gamadv-xtd3`, is created in the default or specified path and the files are downloaded into that folder.
-Add the `-s` option to the end of the above commands to suppress creating the `gamadv-xtd3` folder; the files are downloaded directly into the default or specified path.
+By default, a folder, `gam7`, is created in the default or specified path and the files are downloaded into that folder.
+Add the `-s` option to the end of the above commands to suppress creating the `gam7` folder; the files are downloaded directly into the default or specified path.

-See [Downloads-Installs](https://github.com/taers232c/GAMADV-XTD3/wiki/Downloads-Installs) for Windows or other options, including manual installation
+See [Downloads-Installs-GAM7](https://github.com/taers232c/GAMADV-XTD3/wiki/Downloads-Installs) for Windows or other options, including manual installation
+
+### 7.00.13
+
+Version bump in order to confirm MSI installs are operating properly
+
+### 7.00.12
+
+Updated option `showlastmodification` to `gam <UserTypeEntity> print|show filecounts` to handle
+the case where all users owning files are suspended. In this case the `lastModifyingUser` column
+will show the user's display name as the API doesn't return the user's email address.
+
+Updated support for `Folders with limited access`; this is a work in progress.
+
+Windows builds now use PyInstaller's onedir config for improved performance. You may notice a lib
+folder now exists underneath the GAM install path. GAM commands should start significantly faster.
+
+### 7.00.11
+
+Updated to Python 3.12.7 where possible.
+
+### 7.00.10
+
+Handled the following error that occurs when `gam create user` is immediateley followed by `gam update user`.
+```
+ERROR: 412: conditionNotMet - User creation is not complete.
+```
+
+Updated support for `Folders with limited access`; this is a work in progress.
+
+### 7.00.09
+
+Added initial support for `Folders with limited access`; you must be enrolled in the Beta preview.
+
+Updated `api_call_tries_limit` variable to `gam.cfg` that limits the number of tries
+for Google API calls that return an error that indicates a retry should be performed.
+The default value is 10 and the range of allowable values is 3-30.
+
+### 7.00.08
+
+Fixed bug in `gam <UserTypeEntity> delete groups` that caused the command to fail when `enable_dasa = true` in `gam.cfg`.
+
+### 7.00.07
+
+Updated `<PeopleContactAttribute>` fields `address,email,phone,url` to allow an empty type field.
+```
+address "" formatted "My Address" primary
+email "" user@gmail.com primary
+phone "" "510-555-1212" primary
+url "" "https://www.domain.com" primary
+```
+
+### 7.00.06
+
+Updated `gam <UserTypeEntity> create|update chatspace` to support the new permissions settings
+for Chat spaces that are in Developer Preview.
+
+* See: https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces#Space.FIELDS.predefined_permission_settings
+
+### 7.00.05
+
+Fixed bug that caused an error when creating a calendar birthday event.
+
+### 7.00.04
+
+Improved performance of `gam report users orgunit <OrgUnitPath>` when `showorgunit` is not specified.
+
+Added option `birthday <Date>` to `gam <UserTypeEntity> create event <UserCalendarEntity>` that adds
+an annual recurring event to the calendar.
+
+Added `birthday` to `<EventType>` for use in various calendar event commands.
+
+### 7.00.03
+
+Updated `gam delete ou` and `gam print admins` to handle the following error:
+```
+ERROR: 503: serviceNotAvailable - The service is currently unavailable.
+```
+
+### 7.00.02
+
+Added option `showlastmodification` to `gam <UserTypeEntity> print|show filecounts` that adds
+the following fields to the output: `lastModifiedFileId,lastModifiedFileName,lastModifyingUser,lastModifiedTime`;
+these are for the most recently modified file.
+
+Added option `keepforever [<Boolean>]` to `gam <UserTypeEntity> update filerevisions` that allows setting
+`Keep forever` in revisions.
+
+Upgraded to Python 3.12.6 where possible.
+
+### 7.00.01
+
+Added option `shownames` to `gam <UserTypeEntity> print|show sheet` that causes GAM
+to make an additional API call to get and display the sheet file name that is not supplied by the Sheets API.
+
+### 7.00.00
+
+Merged GAM-Team version
+
+### 6.81.02
+
+Updated `gam update group postmaster@domain.com` to handle the error that is generated.
+
+### 6.81.01
+
+Fixed bug in `gam <UserTypeEntity> create meetspace` that caused errors
+due to Developer Preview options being included.
+
+### 6.81.00
+
+Added support for groups when defining Chrome policies.
+
+Added support for the Meet API.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Users-Meet
+
+Added option `countsonly` to the following course commands that displays
+the number of items in a course but not the details of the items.
+```
+gam print course-announcements
+gam print course-materials
+gam print course-submissions
+gam print course-topics
+gam print course-work
+```
+
+### 6.80.21
+
+Updated `gam <UserTypeEntity> archive messages` to handle the following error:
+```
+googleapiclient.errors.MediaUploadSizeError: Media larger than: 26214400
+```
+
+### 6.80.20
+
+Updated `gam report usage user` and `gam report users`  to handle the following error:
+```
+ERROR: 503: serviceNotAvailable - The service is currently unavailable.
+```
+
+### 6.80.19
+
+Fixed bug in `gam create inboundssoprofile` that caused a trap due to
+an unexpected API result.
+
+Updated `gam create inboundssoprofile ... returnnameonly` to return `inProgress` if the API
+does not return a complete result.
+
+Upgraded to OpenSSL 3.3.2 where possible.
+
+### 6.80.18
+
+Updated `gam print|show admins` to handle the following error:
+```
+ERROR: 503: serviceNotAvailable - The service is currently unavailable.
+
+### 6.80.17
+
+Updated `gam <UserTypeEntity> modify messages` to improve error handling.
+
+### 6.80.16
+
+Fixed bug in `gam print vaultcounts` that caused a trap.
+
+### 6.80.15
+
+Fixed bug in `gam <UserTypeEntity> print filelist ... countsrowfilter` that caused a trap.
+
+Added option `continueoninvalidquery [<Boolean>]` to `gam <UserTypeEntity> print filelist|filecounts` that can be used
+in special cases where a query  of the form `query "'labels/mRoha85IbwCRl490E00xGLvBsSbkwIiuZ6PRNNEbwxyz' in labels"
+causes Google to issue an error saying that the query is invalid when, in fact, it is but the user does not have a
+license that suppprts drive file labels. When `continueoninvalidquery` is true, GAM prints an error message and
+proceeds to the next user rather that terminating as it does now. Of course, if the query really is invalid, you will
+get the message for every user.
+
+### 6.80.14
+
+Updated `gam <UserTypeEntity> print messages|threads` to display all default headers
+even if no messages are to be displayed. This eliminates error messages of the following form
+that occurred because only the headers `User,threadId,id` were displayed.
+```
+WARNING: csv_output_row_filter column "^Date$" does not match any output columns
+```
+
+### 6.80.13
+
+Added `my_publishable_items` to `<DriveFileQueryShortcut>` that can be used in
+`gam <UserTypeEntity> print filerevisions` to select only those items that can be
+published to the web: documents, forms, presentations(slides), spreadsheets. With row filtering,
+this allows identification of files that have been published outside your domain.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Users-Drive-Files-Display#display-files-published-to-the-web
+
+### 6.80.12
+
+Updated `gam print vaultcounts` to correctly display accounts with errors.
+
+### 6.80.11
+
+Updated `gam <UserTypeEntity> delete|purge|trash|untrash <DriveFileEntity> shortcutandtarget`
+that when `<DriveFileEntity` is a shortcut, to have GAM validate that the shortcut and target can be
+successfully processed before proceeding.
+
+### 6.80.10
+
+Added option `followshortcuts [<Boolean>]` to `gam <UserTypeEntity> print|show fileinfo|filepath <DriveFileEntity>`
+that when true and `<DriveFileEntity` is a shortcut, causes GAM to display information about the target of the shortcut rather than the shortcut itself.
+
+Added option `shortcutandtarget [<Boolean>]` to `gam <UserTypeEntity> delete|purge|trash|untrash <DriveFileEntity>`
+that when true and `<DriveFileEntity` is a shortcut, causes GAM to process the shortcut and the target of the shortcut.
+
+### 6.80.09
+
+Added options `allschemas|(schemas|custom|customschemas <SchemaNameList>)` to `gam print group-members`
+that display any custom schema values for the group members.
+
+### 6.80.08
+
+Updated `gam print|show oushareddrives` to display the Shared Drive ID, name and orgUnitPath as
+individual, separate entities in the output.
+
+### 6.80.07
+
+Updated `dateheaderformat iso` in `gam <UserTypeEntity> info|print|show messages` to include a colon
+between the hours and minutes in the timezone portion of the string as in all other time strings.
+
+### 6.80.06
+
+Added option `tdreturnidonly [<Boolean>]` to `<ToDriveAttribute>` that when true (the default), causes GAM to display
+only the uploaded file ID to stdout. This can be captured and used in subsequent commands, `tdfileid <DriveFileID>` that will update the same file.
+
+### 6.80.05
+
+Added  option `individualstudentcoursework copy|delete|maptoall` to `gam create|update course ... copyfrom`
+that controls how individual student coursework in the `copyfrom` course is processed.
+* `individualstudentcoursework copy` - Copy individual student coursework; this is the default. You will get an error if a student is not a member of the course
+* `individualstudentcoursework delete` - Delete individual student coursework
+* `individualstudentcoursework maptoall` - Map individual student coursework to all student coursework
+
+For convenience, setting `individualstudentassignments` sets all of the following to the same value:
+* `individualstudentannouncements`
+* `individualstudentmaterials`
+* `individualstudentcoursework`
+
+### 6.80.04
+
+Cleaned up progress messages in `gam create|update course ... copyfrom`.
+
+### 6.80.03
+
+Added option `stripcrsfromname` to `gam <UserTypeEntity> print driveactivity` that causes carriage returns,
+linefeeds and nulls to be stripped from file names.
+
+### 6.80.02
+
+Added option `addcsvdata <FieldName> <String>` to `gam <UserTypeEntity> print filecounts` that adds
+additional columns of data to the CSV file output.
+
+Added  options `individualstudentannouncements copy|delete|maptoall` and `individualstudentmaterials copy|delete|maptoall`
+to `gam create|update course ... copyfrom` that controls how individual student announcements and materials in the `copyfrom` course are processed.
+* `individualstudentannouncements copy` - Copy individual student announcements; this is the default. You will get an error if a student is not a member of the course
+* `individualstudentannouncements delete` - Delete individual student announcements
+* `individualstudentannouncements maptoall` - Map individual student announcements to all student announcements
+* `individualstudentmaterials copy` - Copy individual student materials; this is the default. You will get an error if a student is not a member of the course
+* `individualstudentmaterials delete` - Delete individual student materials
+* `individualstudentmaterials maptoall` - Map individual student materials to all student materials
+
+### 6.80.01
+
+Added options `showstudentsaslist [<Boolean>]` and `delimiter <Character>` to `gam print course-work`.
+By default, when course work is assigned to individual students, the student IDs are displayed in multiple indexed columns.
+Use these options to display the student IDs in a single column as a delimited list.
+
+Updated `gam <UserTypeEntity> vacation [<Boolean>]` to make `<Boolean>` optional; this allows changes
+to other fields without affecting the current responder state.
+
+Updated `gam <UserTypeEntity> print|show vacation` to avoid a trap when invalid start or end dates
+have been entered in the Gmail user interface. Invalid dates are represented as `1970-01-01`.
+
+### 6.80.00
+
+Fixed bug in `gam <UserTypeEntity> print users ... license ... formatjson` that caused a trap.
+
+Upgraded to Python 3.12.5 where possible.
+
+### 6.79.12
+
+Fixed bug in `gam user admin@domain.com print chatspaces asadmin` that caused the following error:
+```
+Chat Admin: admin@domain.com(asadmin), Print Failed: This method doesn't support non-admin user authentication. Authenticate with an admin account.
+```
+
+### 6.79.11
+
+Fixed bug in `gam <UserItem> print|show chatmembers` where the `filter <String>` was not applied.
+
+### 6.79.10
+
+Updated commands to handle a trap that occurs when oauth2service.json specifies a YubiKey but the YubiKey is not inserted.
+
+### 6.79.09
+
+Added option `addcsvdata <FieldName> <String>` to `gam <UserTypeEntity> print teamdriveacls` that adds
+additional columns of data to the CSV file output. This can be used when ACLs for selected users are to be
+replaced with a different user email address.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Users-Shared-Drives#bulk-change-user1-shared-drive-access-to-user2
+
+### 6.79.08
+
+Clarified action to perform messages when creating/deleting/updating licenses.
+
+### 6.79.07
+
+Added option `totalonly` to `gam <UserTypeEntity> print|show groups` that displays
+the user email address and the total number of groups to which it belongs. This is in
+contrast to `countsonly` that has to make an additional API call per group per user to get the user's role.
+When `countsonly` is specified, an additional column `Total` is displayed that is the sum
+of the role counts.
+
+### 6.79.06
+
+Fixed bug in `gam calendars <CalendarEntity> update event ... removeattendee <EmailAddress>` that caused a trap
+if the event had no attendees.
+
+### 6.79.05
+
+Updated `gam <UserTypeEntity> empty drivetrash <SharedDriveEntity>` to handle this error that
+occurs when the user is not a Manager of the Shared Drive.
+```
+ERROR: 403: insufficientFilePermissions - The user does not have sufficient permissions for this file.
+```
+
+### 6.79.04
+
+Added options `filename <FileName>` and `movetoou <OrgUnitItem>` to `gam check ou <OrgUnitItem>`
+that causes GAM to create a batch file of GAM commands that will move any remaining items
+in `ou <OrgUnitItem>` to `movetoou <OrgUnitItem>`; executing the batch file will then allow
+`ou <OrgUnitItem>` to be deleted if desired.

 ### 6.79.03

@@ -4946,7 +5284,7 @@ converting `<SMTPDateHeader>` values to the `gam.cfg timezone`.

 Updated option `dateheaderformat iso|rfc2822|<String>` to `gam <UserTypeEntity> print|show messages|threads` that allows
 reformatting of the message `Date` header value from RFC2822 format to the the following:
-* `iso` - Format is `%Y-%m-%dT%H:%M:%S%z`
+* `iso` - Format is `%Y-%m-%dT%H:%M:%S%:z`
 * `rfc2822` - Format is `%a, %d %b %Y %H:%M:%S %z`
 * `<String>` - Format according to: https://docs.python.org/3/library/datetime.html#strftime-and-strptime-format-codes

--- a/docs/Groups-Membership.md
+++ b/docs/Groups-Membership.md
@@ -25,6 +25,24 @@

 ## Definitions
 See [Collections of Items](Collections-of-Items)
+
+* [Command data from Google Docs/Sheets/Storage](Command-Data-From-Google-Docs-Sheets-Storage)
+```
+<StorageBucketName> ::= <String>
+<StorageObjectName> ::= <String>
+<StorageBucketObjectName> ::=
+        https://storage.cloud.google.com/<StorageBucketName>/<StorageObjectName>|
+        https://storage.googleapis.com/<StorageBucketName>/<StorageObjectName>|
+        gs://<StorageBucketName>/<StorageObjectName>|
+        <StorageBucketName>/<StorageObjectName>
+
+<UserGoogleDoc> ::=
+        <EmailAddress> <DriveFileIDEntity>|<DriveFileNameEntity>|(<SharedDriveEntity> <SharedDriveFileNameEntity>)
+
+<SheetEntity> ::= <String>|id:<Number>
+<UserGoogleSheet> ::=
+        <EmailAddress> <DriveFileIDEntity>|<DriveFileNameEntity>|(<SharedDriveEntity> <SharedDriveFileNameEntity>) <SheetEntity>
+```
 ```
 <DeliverySetting> ::=
        allmail|
@@ -597,6 +615,7 @@ gam print group-members [todrive <ToDriveAttribute>*]
        [types <GroupTypeList>]
        [memberemaildisplaypattern|memberemailskippattern <RegularExpression>]
        [userfields <UserFieldNameList>]
+        [allschemas|(schemas|custom|customschemas <SchemaNameList>)]
        [(recursive [noduplicates])|includederivedmembership] [nogroupemail]
        [peoplelookup|(peoplelookupuser <EmailAddress>)]
        [unknownname <String>] [cachememberinfo [Boolean]]
@@ -661,7 +680,10 @@ these options specify which fields to display:
 * `<MembersFieldName>*` - Individual field names
 * `fields <MembersFieldNameList>` - A comma separated list of field names
    * `delivery|deliverysettings` - Specify this field to get delivery information; an additional API call per member is required
-* `userfields <UserFieldNameList>` - For members that are users, display these user fields; an additional API call per member is required
+
+For members that are users, you can specify additional information to display; an additional API call per member is required
+* `userfields <UserFieldNameList>` - Display specific user fields
+* `allschemas|(schemas|custom|customschemas <SchemaNameList>)` - Display all or specific custom schema values

 The additional API calls can be reduced with the `cachememberinfo` option; a single API call is made for each user/group
 and the data is cached to eliminate to need to repeat the API call; this consumes more memory but dramatically reduces the number of API calls.
--- a/docs/Groups.md
+++ b/docs/Groups.md
@@ -584,7 +584,7 @@ gam print grouptree <GroupEntity> [todrive <ToDriveAttribute>*]
 ```
 By default, the group parent emails and names are displayed in multiple indexed columns.
 Use options `showparentsaslist [<Boolean>]` and `delimiter <Character>` to display
-the group parent emails and names in two columns as delimited lists .
+the group parent emails and names in two columns as delimited lists.

 #### Examples
 ```
--- a/docs/Home.md
+++ b/docs/Home.md
@@ -1,70 +1,61 @@
 - [Introduction](#introduction)
 - [Requirements](#requirements)
- [Installation - First time GAM installation](#installation---first-time-gam-installation)
- [Installation - Upgrading from a GAM version other than a prior version of GAMADV-X or GAMADV-XTD or GAMADV-XTD3](#installation---upgrading-from-a-gam-version-other-than-a-prior-version-of-gamadv-x-or-gamadv-xtd-or-gamadv-xtd3)
- [Installation - Upgrading from a prior version of GAMADV-X or GAMADV-XTD or GAMADV-XTD3](#installation---upgrading-from-a-prior-version-of-gamadv-x-or-gamadv-xtd-or-gamadv-xtd3)
+- [Installation - First time GAM7 installation](#installation---first-time-gam7-installation)
+- [Installation - Upgrading from Legacy GAM](#installation---upgrading-from-legacy-gam)

 # Introduction
-GAMADV-XTD3 is a free, open source command line tool for Google Workspace Administrators to manage domain and user settings quickly and easily.
+GAM7 is a free, open source command line tool for Google Workspace Administrators to manage domain and user settings quickly and easily.

-GAMADV-XTD3 is built with Python 3; as Python 2 support ends on 2020-01-01, this is the version of Advanced GAM that new/existing users should install.
+This page provides simple instructions for downloading, installing and starting to use GAM7.

-This page provides simple instructions for downloading, installing and starting to use GAMADV-XTD3.
+GAM7 requires paid, or Education/Non-profit, editions of Google Workspace. G Suite Legacy Free Edition has limited API support and not all GAM commands work.

-GAMADV-XTD3 requires paid, or Education/Non-profit, editions of Google Workspace. G Suite Legacy Free Edition has limited API support and not all GAM commands work.
+GAM7 is a rewrite/extension of Jay Lee's [Legacy GAM], without his efforts, this version wouldn't exist.

-GAMADV-XTD3 is a rewrite/extension of Jay Lee's [GAM], without his efforts, this version wouldn't exist.
-
-GAMADV-XTD3 is backwards compatible with [GAM], meaning that if your command works with regular GAM, it will also work with GAMADV-XTD3. There may be differences in output, but the syntax is compatible.
+GAM7 is backwards compatible with [Legacy GAM], meaning that if your command works with Legacy GAM, it will also work with GAM7. There may be differences in output, but the syntax is compatible.

 # Documentation
-Basic GAM documentation is hosted in the [GitHub Wiki]. Documentation specifically for GAMADV-XTD3 is hosted in the [GitHub GAMADV-XTD3 Wiki] and in Gam*.txt files.
+Documentation for GAM7 is hosted in the [GitHub GAM7 Wiki] and in Gam*.txt files.
+Legacy GAM documentation is hosted in the [GitHub Legacy Wiki].

 # Mailing List / Discussion group
 The GAM mailing list / discussion group is hosted on [Google Groups].  You can join the list and interact via email, or just post from the web itself.

 # Source Repository
-The official GAMADV-XTD3 source repository is on [GitHub] in the master branch.
+The official GAM7 source repository is on [GitHub] in the master branch.

 # Author
-GAMADV-XTD3 is maintained by <a href="mailto:ross.scroggs@gmail.com">Ross Scroggs</a>.
+GAM7 is maintained by <a href="mailto:ross.scroggs@gmail.com">Ross Scroggs</a>.

 # Requirements
-To run all commands properly, GAMADV-XTD3 requires three things:
-* An API project which identifies your install of GAMADV-XTD3 to Google and keeps track of API quotas.
+To run all commands properly, GAM7 requires three things:
+* An API project which identifies your install of GAM7 to Google and keeps track of API quotas.
 * Authorization to act as your Google Workspace Administrator in order to perform management functions like add users, modify group settings and membership and pull domain reports.
 * A special service account that is authorized to act on behalf of your users in order to modify user-specific settings and data such as Drive files, Calendars and Gmail messages and settings like signatures.

-# Installation - First time GAM installation
+# Installation - First time GAM7 installation
 Use these steps if you have never used any version of GAM in your domain. They will create a GAM project
 and all necessary authentications.

 * Download: [Downloads-Installs](Downloads-Installs)
-* Configuration: [GAM Configuration](gam.cfg)
+* Configuration: [GAM7 Configuration](gam.cfg)
 * Install: [How to Install Advanced GAM](How-to-Install-Advanced-GAM)

-# Installation - Upgrading from a GAM version other than a prior version of GAMADV-X or GAMADV-XTD or GAMADV-XTD3
-Use these steps if you have used any version of GAM in your domain. They will update your GAM project
+# Installation - Upgrading from Legacy GAM
+Use these steps if you have used any version of Legacy GAM in your domain. They will update your GAM project
 and all necessary authentications.

 * Download: [Downloads-Installs](Downloads-Installs)
-* Configuration: [GAM Configuration](gam.cfg)
-* Upgrade: [How to Upgrade from Standard GAM](How-to-Upgrade-from-Standard-GAM)
+* Configuration: [GAM7 Configuration](gam.cfg)
+* Upgrade: [How to Upgrade from Legacy GAM](How-to-Upgrade-from-Legacy-GAM)

-# Installation - Upgrading from a prior version of GAMADV-X or GAMADV-XTD or GAMADV-XTD3
-Use these steps if you already use GAMADV-X or GAMADV-XTD or GAMADV-XTD3. The updates may tell you to update your GAM project
-or authentications because new features have been included.
+You can install multiple versions of GAM and GAM7 in different parallel directories.

-* Updates: [GAM Updates]
-* Download: [Downloads-Installs](Downloads-Installs)
-
-You can install multiple versions of GAM and GAMADV-XTD3 in different parallel directories.
-
-[GAM]: https://github.com/GAM-team/GAM
-[GitHub Releases]: https://github.com/taers232c/GAMADV-XTD3/releases
-[GitHub]: https://github.com/taers232c/GAMADV-XTD3/tree/master
-[GitHub Wiki]: https://github.com/GAM-team/GAM/wiki/
-[GitHub GAMADV-XTD3 Wiki]: https://github.com/taers232c/GAMADV-XTD3/wiki/
+[Legacy GAM]: https://github.com/GAM-team/GAM/releases?q=6.58&expanded=true
+[GAM7]: https://github.com/GAM-team/GAM
+[GitHub Releases]: https://github.com/GAM-team/GAM/releases
+[GitHub]: https://github.com/GAM-team/GAM/tree/master
+[GitHub Legacy Wiki]: https://github.com/GAM-team/GAM/wiki/
+[GitHub GAM7 Wiki]: https://github.com/taers232c/GAMADV-XTD3/wiki/
 [Google Groups]: https://groups.google.com/group/google-apps-manager
 [GAM Updates]: https://github.com/taers232c/GAMADV-XTD3/wiki/GamUpdates
-
--- a/docs/How-to-Install-GAM7.md
+++ b/docs/How-to-Install-GAM7.md
@@ -0,0 +1,938 @@
+# Installing GAM7
+Use these steps if you have never used any version of GAM in your domain. They will create your GAM project
+and all necessary authentications.
+
+- [Downloads-Installs](Downloads-Installs)
+- [Linux and MacOS and Google Cloud Shell](#linux-and-mac-os-and-google-cloud-shell)
+- [Windows](#windows)
+- [GAM Configuration](gam.cfg)
+
+## Linux and MacOS and Google Cloud Shell
+
+In these examples, your Google Super admin is shown as admin@domain.com; replace with the
+actual email adddress.
+
+In these examples, the user home folder is shown as /Users/admin; adjust according to your
+specific situation; e.g., /home/administrator.
+
+This example assumes that GAM7 has been installed in /Users/admin/bin/gam7.
+If you've installed GAM7 in another directory, substitute that value in the directions.
+
+### Set a configuration directory
+
+The default GAM configuration directory is /Users/admin/.gam; for more flexibility you
+probably want to select a non-hidden location. This example assumes that the GAM
+configuration directory will be /Users/admin/GAMConfig; If you've chosen another directory,
+substitute that value in the directions.
+
+Make the directory:
+```
+mkdir -p /Users/admin/GAMConfig
+```
+
+Add the following line:
+```
+export GAMCFGDIR="/Users/admin/GAMConfig"
+```
+to one of these files based on your shell:
+```
+~/.bash_profile
+~/.bashrc
+~/.zshrc
+~/.profile
+```
+
+Issue the following command replacing `<Filename>` with the name of the file you edited:
+```
+source <Filename>
+```
+
+You need to make sure the GAM configuration directory actually exists. Test that like this:
+```
+ls -l $GAMCFGDIR
+```
+
+### Set a working directory
+
+You should establish a GAM working directory; you will store your GAM related
+data in this folder and execute GAM commands from this folder. You should not use
+/Users/admin/bin/gam7 or /Users/admin/GAMConfig for this purpose.
+This example assumes that the GAM working directory will be /Users/admin/GAMWork; If you've chosen
+another directory, substitute that value in the directions.
+
+Make the directory:
+```
+mkdir -p /Users/admin/GAMWork
+```
+
+### Set an alias
+You should set an alias to point to /Users/admin/bin/gam7/gam so you can operate from the /Users/admin/GAMWork directory.
+Aliases aren't available in scripts, so you may want to set a symlink instead, see below.
+
+Add the following line:
+```
+alias gam="/Users/admin/bin/gam7/gam"
+```
+to one of these files based on your shell:
+```
+~/.bash_aliases
+~/.bash_profile
+~/.bashrc
+~/.zshrc
+~/.profile
+```
+
+Issue the following command replacing `<Filename>` with the name of the file you edited:
+```
+source <Filename>
+```
+
+### Set a symlink
+Set a symlink in `/usr/local/bin` (or some other location on $PATH) to point to GAM. 
+```
+ln -s "/Users/admin/bin/gam7/gam" /usr/local/bin/gam
+```
+
+### Initialize GAM7; this should be the first GAM7 command executed.
+```
+admin@server:/Users/admin$ gam config drive_dir /Users/admin/GAMWork verify
+Created: /Users/admin/GAMConfig
+Created: /Users/admin/GAMConfig/gamcache
+Config File: /Users/admin/GAMConfig/gam.cfg, Initialized
+Section: DEFAULT
+  ...
+  cache_dir = /Users/admin/GAMConfig/gamcache
+  ...
+  config_dir = /Users/admin/GAMConfig
+  ...
+  drive_dir = /Users/admin/GAMWork
+  ...
+
+admin@server:/Users/admin$
+```
+### Verify initialization, this was a successful installation.
+```
+admin@server:/Users/admin$ ls -l $GAMCFGDIR
+total 48
+-rw-r-----+ 1 admin  staff  1069 Mar  3 09:23 gam.cfg
+drwxr-x---+ 2 admin  staff    68 Mar  3 09:23 gamcache
+-rw-rw-rw-+ 1 admin  staff     0 Mar  3 09:23 oauth2.txt.lock
+admin@server:/Users/admin$ 
+```
+### Create your project with local browser
+```
+admin@server:/Users/admin$ gam create project
+WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Item: client_secrets_json, Value: /Users/admin/GAMConfig/client_secrets.json, Not Found
+WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Item: oauth2service_json, Value: /Users/admin/GAMConfig/oauth2service.json, Not Found
+
+Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) admin@domain.com
+
+Your browser has been opened to visit:
+
+    https://accounts.google.com/o/oauth2/v2/auth?client_id=CLI...response_type=code
+
+If your browser is on a different machine then press CTRL+C,
+set no_browser = true in gam.cfg and re-run this command.
+
+Authentication successful.
+Creating project "GAM Project"...
+Checking project status...
+Project: gam-project-abc-def-ghi, Enable 23 APIs
+  API: admin.googleapis.com, Enabled (1/23)
+  API: alertcenter.googleapis.com, Enabled (2/23)
+  API: appsactivity.googleapis.com, Enabled (3/23)
+  API: audit.googleapis.com, Enabled (4/23)
+  API: calendar-json.googleapis.com, Enabled (5/23)
+  API: chat.googleapis.com, Enabled (6/23)
+  API: classroom.googleapis.com, Enabled (7/23)
+  API: contacts.googleapis.com, Enabled (8/23)
+  API: drive.googleapis.com, Enabled (9/23)
+  API: driveactivity.googleapis.com, Enabled (10/23)
+  API: gmail.googleapis.com, Enabled (11/23)
+  API: groupsmigration.googleapis.com, Enabled (12/23)
+  API: groupssettings.googleapis.com, Enabled (13/23)
+  API: iam.googleapis.com, Enabled (14/23)
+  API: iap.googleapis.com, Enabled (15/23)
+  API: licensing.googleapis.com, Enabled (16/23)
+  API: people.googleapis.com, Enabled (17/23)
+  API: pubsub.googleapis.com, Enabled (18/23)
+  API: reseller.googleapis.com, Enabled (19/23)
+  API: sheets.googleapis.com, Enabled (20/23)
+  API: siteverification.googleapis.com, Enabled (21/23)
+  API: storage-api.googleapis.com, Enabled (22/23)
+  API: vault.googleapis.com, Enabled (23/23)
+Setting GAM project consent screen...
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Enabled
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Generating new private key
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Extracting public certificate
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Done generating private key and public certificate
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Service Account Key: SVCACCTKEY, Uploaded
+Service Account OAuth2 File: /Users/admin/GAMConfig/oauth2service.json, Service Account Key: SVCACCTKEY, Updated
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Has rights to rotate own private key
+Please go to:
+
+https://console.cloud.google.com/apis/credentials/oauthclient?project=gam-project-abc-def-ghi
+
+1. Choose "Desktop App" or "Other" for "Application type".
+2. Enter "GAM" or another desired value for "Name".
+3. Click the blue "Create" button.
+4. Copy your "client ID" value that shows on the next page.
+
+Enter your Client ID: CLIENTID
+
+5. Go back to your browser and copy your "client secret" value.
+Enter your Client Secret: CLIENTSECRET
+6. Go back to your browser and click OK to close the "OAuth client" popup if it's still open.
+That's it! Your GAM Project is created and ready to use.
+
+admin@server:/Users/admin$ 
+```
+### Create your project without local browser (Google Cloud Shell for instance)
+```
+admin@server:/Users/admin$ gam config no_browser true save
+admin@server:/Users/admin$ gam create project
+WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Item: client_secrets_json, Value: /Users/admin/GAMConfig/client_secrets.json, Not Found
+WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Item: oauth2service_json, Value: /Users/admin/GAMConfig/oauth2service.json, Not Found
+
+Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) admin@domain.com
+
+Go to the following link in a browser on other computer:
+
+    https://accounts.google.com/o/oauth2/v2/auth?re... m&prompt=consent
+
+Enter verification code: abc...xyz
+
+Authentication successful.
+Creating project "GAM Project"...
+Checking project status...
+Project: gam-project-abc-def-ghi, Enable 23 APIs
+  API: admin.googleapis.com, Enabled (1/23)
+  API: alertcenter.googleapis.com, Enabled (2/23)
+  API: appsactivity.googleapis.com, Enabled (3/23)
+  API: audit.googleapis.com, Enabled (4/23)
+  API: calendar-json.googleapis.com, Enabled (5/23)
+  API: chat.googleapis.com, Enabled (6/23)
+  API: classroom.googleapis.com, Enabled (7/23)
+  API: contacts.googleapis.com, Enabled (8/23)
+  API: drive.googleapis.com, Enabled (9/23)
+  API: driveactivity.googleapis.com, Enabled (10/23)
+  API: gmail.googleapis.com, Enabled (11/23)
+  API: groupsmigration.googleapis.com, Enabled (12/23)
+  API: groupssettings.googleapis.com, Enabled (13/23)
+  API: iam.googleapis.com, Enabled (14/23)
+  API: iap.googleapis.com, Enabled (15/23)
+  API: licensing.googleapis.com, Enabled (16/23)
+  API: people.googleapis.com, Enabled (17/23)
+  API: pubsub.googleapis.com, Enabled (18/23)
+  API: reseller.googleapis.com, Enabled (19/23)
+  API: sheets.googleapis.com, Enabled (20/23)
+  API: siteverification.googleapis.com, Enabled (21/23)
+  API: storage-api.googleapis.com, Enabled (22/23)
+  API: vault.googleapis.com, Enabled (23/23)
+Setting GAM project consent screen...
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Enabled
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Generating new private key
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Extracting public certificate
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Done generating private key and public certificate
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Service Account Key: SVCACCTKEY, Uploaded
+Service Account OAuth2 File: /Users/admin/GAMConfig/oauth2service.json, Service Account Key: SVCACCTKEY, Updated
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Has rights to rotate own private key
+Please go to:
+
+https://console.cloud.google.com/apis/credentials/oauthclient?project=gam-project-abc-def-ghi
+
+1. Choose "Desktop App" or "Other" for "Application type".
+2. Enter "GAM" or another desired value for "Name".
+3. Click the blue "Create" button.
+4. Copy your "client ID" value that shows on the next page.
+
+Enter your Client ID: CLIENTID
+
+5. Go back to your browser and copy your "client secret" value.
+Enter your Client Secret: CLIENTSECRET
+6. Go back to your browser and click OK to close the "OAuth client" popup if it's still open.
+That's it! Your GAM Project is created and ready to use.
+
+admin@server:/Users/admin$ 
+```
+### Enable GAM7 client access
+
+You select a list of scopes, GAM uses a browser to get final authorization from Google for these scopes and
+writes the credentials into the file oauth2.txt.
+
+```
+admin@server:/Users/admin$ gam oauth create
+
+[*]  0)  Calendar API (supports readonly)
+[*]  1)  Chrome Browser Cloud Management API (supports readonly)
+[*]  2)  Chrome Management API - AppDetails read only
+[*]  3)  Chrome Management API - Telemetry read only
+[*]  4)  Chrome Management API - read only
+[*]  5)  Chrome Policy API (supports readonly)
+[*]  6)  Chrome Printer Management API (supports readonly)
+[*]  7)  Chrome Version History API
+[*]  8)  Classroom API - Course Announcements (supports readonly)
+[*]  9)  Classroom API - Course Topics (supports readonly)
+[*] 10)  Classroom API - Course Work/Materials (supports readonly)
+[*] 11)  Classroom API - Course Work/Submissions (supports readonly)
+[*] 12)  Classroom API - Courses (supports readonly)
+[*] 13)  Classroom API - Profile Emails
+[*] 14)  Classroom API - Profile Photos
+[*] 15)  Classroom API - Rosters (supports readonly)
+[*] 16)  Classroom API - Student Guardians (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
+[*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
+[*] 19)  Cloud Identity Groups API (supports readonly)
+[*] 20)  Cloud Identity OrgUnits API (supports readonly)
+[*] 21)  Cloud Identity User Invitations API (supports readonly)
+[ ] 22)  Cloud Storage API (Read Only, Vault/Takeout Download, Cloud Storage)
+[ ] 23)  Cloud Storage API (Read/Write, Vault/Takeout Copy/Download, Cloud Storage)
+[*] 24)  Contact Delegation API (supports readonly)
+[*] 25)  Contacts API - Domain Shared Contacts and GAL
+[*] 26)  Data Transfer API (supports readonly)
+[*] 27)  Directory API - Chrome OS Devices (supports readonly)
+[*] 28)  Directory API - Customers (supports readonly)
+[*] 29)  Directory API - Domains (supports readonly)
+[*] 30)  Directory API - Groups (supports readonly)
+[*] 31)  Directory API - Mobile Devices Directory (supports readonly and action)
+[*] 32)  Directory API - Organizational Units (supports readonly)
+[*] 33)  Directory API - Resource Calendars (supports readonly)
+[*] 34)  Directory API - Roles (supports readonly)
+[*] 35)  Directory API - User Schemas (supports readonly)
+[*] 36)  Directory API - User Security
+[*] 37)  Directory API - Users (supports readonly)
+[ ] 38)  Email Audit API
+[*] 39)  Groups Migration API
+[*] 40)  Groups Settings API
+[*] 41)  License Manager API
+[*] 42)  People API (supports readonly)
+[*] 43)  People Directory API - read only
+[ ] 44)  Pub / Sub API
+[*] 45)  Reports API - Audit Reports
+[*] 46)  Reports API - Usage Reports
+[ ] 47)  Reseller API
+[*] 48)  Site Verification API
+[ ] 49)  Sites API
+[*] 50)  Vault API (supports readonly)
+
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
+Please enter 0-50[a|r] or s|u|e|c: c
+
+Enter your Google Workspace admin email address? admin@domain.com
+
+Go to the following link in a browser on this computer or on another computer:
+
+    https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=423565144751-10lsdt2lgnsch9jmdhl35uq4617u1ifp&redirect_uri=http%3A%2F%2F127.0.0.1%3A8080%2F&scope=...
+
+If you use a browser on another computer, you will get a browser error that the site can't be reached AFTER you
+click the Allow button, paste "Unable to connect" URL from other computer (only URL data up to &scope required):
+
+Enter verification code or paste "Unable to connect" URL from other computer (only URL data up to &scope required):
+
+The authentication flow has completed.
+Client OAuth2 File: /Users/admin/GAMConfig/oauth2.txt, Created
+
+admin@server:/Users/admin$ 
+```
+
+If clicking on the link in the instructions does not work (i.e. you get a 404 or 400 error message, instead of something about 'unable to connect') the URL in the link is too long. Most likely, you have selected all scopes. Try again with fewer scopes until it works. (there is no harm in repeatedly trying)
+
+### Enable GAM7 service account access.
+```
+admin@server:/Users/admin$ gam user admin@domain.com check serviceaccount
+$ gam user admin@domain.com check serviceaccount
+System time status
+  Your system time differs from www.googleapis.com by less than 1 second    PASS
+Service Account Private Key Authentication
+  Authentication                                                            PASS
+Service Account Private Key age; Google recommends rotating keys on a routine basis
+  Service Account Private Key age: 0 days                                   PASS
+Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
+  https://mail.google.com/                                                  PASS (1/34)
+  https://sites.google.com/feeds                                            PASS (2/34)
+  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
+  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
+  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
+  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
+  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
+  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
+  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
+  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
+  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
+  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
+  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
+  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
+  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
+  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
+  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
+  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
+  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
+  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
+  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
+  https://www.googleapis.com/auth/documents                                 PASS (22/34)
+  https://www.googleapis.com/auth/drive                                     PASS (23/34)
+  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
+  https://www.googleapis.com/auth/drive.admin.labels                        FAIL (25/34)
+  https://www.googleapis.com/auth/drive.labels                              FAIL (26/34)
+  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
+  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
+  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
+  https://www.googleapis.com/auth/keep                                      PASS (30/34)
+  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
+  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
+  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
+  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
+Some scopes FAILED!
+To authorize them, please go to:
+
+    https://admin.google.com/ac/owl/domainwidedelegation?clientScopeToAdd=https://mail.go...huser=admin@domain.com
+
+You will be directed to the Google Workspace admin console Security/API Controls/Domain-wide Delegation page
+The "Add a new Client ID" box will open
+Make sure that "Overwrite existing client ID" is checked
+Click AUTHORIZE
+When the box closes you're done
+After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.
+
+admin@server:/Users/admin$
+```
+The link shown in the error message should take you directly to the authorization screen.
+If not, make sure that you are logged in as a domain admin, then re-enter the link.
+
+### Verify GAM7 service account access.
+
+Wait a moment and then perform the following command; it it still fails, wait a bit longer, it can sometimes take serveral minutes
+for the authorization to complete.
+```
+admin@server:/Users/admin$ gam user admin@domain.com check serviceaccount
+System time status:
+  Your system time differs from www.googleapis.com by less than 1 second    PASS
+Service Account Private Key Authentication:
+  Authentication                                                            PASS
+Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
+  https://mail.google.com/                                                  PASS (1/34)
+  https://sites.google.com/feeds                                            PASS (2/34)
+  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
+  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
+  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
+  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
+  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
+  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
+  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
+  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
+  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
+  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
+  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
+  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
+  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
+  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
+  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
+  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
+  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
+  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
+  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
+  https://www.googleapis.com/auth/documents                                 PASS (22/34)
+  https://www.googleapis.com/auth/drive                                     PASS (23/34)
+  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
+  https://www.googleapis.com/auth/drive.admin.labels                        PASS (25/34)
+  https://www.googleapis.com/auth/drive.labels                              PASS (26/34)
+  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
+  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
+  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
+  https://www.googleapis.com/auth/keep                                      PASS (30/34)
+  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
+  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
+  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
+  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
+All scopes PASSED!
+
+Service Account Client name: SVCACCTID is fully authorized.
+
+admin@server:/Users/admin$ 
+```
+### Update gam.cfg with some basic values
+* `customer_id` - Having this data keeps Gam from having to make extra API calls
+* `domain` - This allows you to omit the domain portion of email addresses
+* `timezone local` - Gam will convert all UTC times to your local timezone
+```
+admin@server:/Users/admin$ gam info domain
+Customer ID: C01234567
+Primary Domain: domain.com
+Customer Creation Time: 2007-06-06T15:47:55.444Z
+Primary Domain Verified: True
+Default Language: en
+...
+
+admin@server:/Users/admin$ gam config customer_id C01234567 domain domain.com timezone local save verify
+Config File: /Users/admin/GAMConfig/gam.cfg, Saved
+Section: DEFAULT
+  ...
+  customer_id = C01234567
+  ...
+  domain = domain.com
+  ...
+  timezone = local
+  ...
+
+admin@server:/Users/admin$
+```
+
+## Windows
+
+In these examples, your Google Super admin is shown as admin@domain.com; replace with the
+actual email adddress.
+
+This example assumes that GAM7 has been installed in C:\GAM7; if you've installed
+GAM7 in another directory, substitute that value in the directions.
+
+These steps assume Command Prompt, adjust if you're using PowerShell.
+
+### Set a configuration directory
+
+The default GAM configuration directory is C:\Users\<UserName>\.gam; for more flexibility you
+probably want to select a non user-specific location. This example assumes that the GAM
+configuration directory will be C:\GAMConfig; If you've chosen another directory,
+substitute that value in the directions.
+* Make the C:\GAMConfig directory before proceeding.
+
+### Set a working directory
+
+You should extablish a GAM working directory; you will store your GAM related
+data in this folder and execute GAM commands from this folder. You should not use
+C:\GAM7 or C:\GAMConfig for this purpose.
+This example assumes that the GAM working directory will be C:\GAMWork; If you've chosen
+another directory, substitute that value in the directions.
+* Make the C:\GAMWork directory before proceeding.
+
+### Set system path and GAM configuration directory
+You should set the system path to point to C:\GAM7 so you can operate from the C:\GAMWork directory.
+```
+Start Control Panel
+Click System
+Click Advanced system settings
+Click Environment Variables...
+Click Path under System variables
+Click Edit...
+If C:\GAM7 is already on the Path, skip the next three steps
+  Click New
+  Enter C:\GAM7
+  Click OK
+Click New
+Set Variable name: GAMCFGDIR
+Set Variable value: C:\GAMConfig
+Click OK
+Click OK
+Click OK
+Exit Control Panel
+```
+
+At this point, you should restart Command Prompt so that it has the updated path and environment variables.
+
+### Initialize GAM7; this should be the first GAM7 command executed.
+```
+C:\>gam config drive_dir C:\GAMWork verify
+Created: C:\GAMConfig
+Created: C:\GAMConfig\gamcache
+Config File: C:\GAMConfig\gam.cfg, Initialized
+Section: DEFAULT
+  ...
+  cache_dir = C:\GAMConfig\gamcache
+  ...
+  config_dir = C:\GAMConfig
+  ...
+  drive_dir = C:\GAMWork
+  ...
+
+C:\>
+```
+### Verify initialization, this was a successful installation.
+```
+C:\>dir %GAMCFGDIR%
+ Volume in drive C has no label.
+ Volume Serial Number is 663F-DA8B
+
+ Directory of C:\GAMConfig
+
+03/03/2017  10:16 AM    <DIR>          .
+03/03/2017  10:16 AM    <DIR>          ..
+03/03/2017  10:15 AM             1,125 gam.cfg
+03/03/2017  10:15 AM    <DIR>          gamcache
+03/03/2017  10:15 AM                 0 oauth2.txt.lock
+               2 File(s)         15,769 bytes
+               3 Dir(s)  110,532,562,944 bytes free
+C:\>
+```
+
+### Create your project with local browser
+```
+C:\>gam create project
+WARNING: Config File: C:\GAMConfig\gam.cfg, Item: client_secrets_json, Value: C:\GAMConfig\client_secrets.json, Not Found
+WARNING: Config File: C:\GAMConfig\gam.cfg, Item: oauth2service_json, Value: C:\GAMConfig\oauth2service.json, Not Found
+
+Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) admin@domain.com
+
+Your browser has been opened to visit:
+
+    https://accounts.google.com/o/oaut...pe=code
+
+If your browser is on a different machine then press CTRL+C,
+set no_browser = true in gam.cfg and re-run this command.
+
+Authentication successful.
+Creating project "GAM Project"...
+Checking project status...
+Project: gam-project-abc-def-ghi, Enable 23 APIs
+  API: admin.googleapis.com, Enabled (1/23)
+  API: alertcenter.googleapis.com, Enabled (2/23)
+  API: appsactivity.googleapis.com, Enabled (3/23)
+  API: audit.googleapis.com, Enabled (4/23)
+  API: calendar-json.googleapis.com, Enabled (5/23)
+  API: chat.googleapis.com, Enabled (6/23)
+  API: classroom.googleapis.com, Enabled (7/23)
+  API: contacts.googleapis.com, Enabled (8/23)
+  API: drive.googleapis.com, Enabled (9/23)
+  API: driveactivity.googleapis.com, Enabled (10/23)
+  API: gmail.googleapis.com, Enabled (11/23)
+  API: groupsmigration.googleapis.com, Enabled (12/23)
+  API: groupssettings.googleapis.com, Enabled (13/23)
+  API: iam.googleapis.com, Enabled (14/23)
+  API: iap.googleapis.com, Enabled (15/23)
+  API: licensing.googleapis.com, Enabled (16/23)
+  API: people.googleapis.com, Enabled (17/23)
+  API: pubsub.googleapis.com, Enabled (18/23)
+  API: reseller.googleapis.com, Enabled (19/23)
+  API: sheets.googleapis.com, Enabled (20/23)
+  API: siteverification.googleapis.com, Enabled (21/23)
+  API: storage-api.googleapis.com, Enabled (22/23)
+  API: vault.googleapis.com, Enabled (23/23)
+Setting GAM project consent screen...
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Enabled
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Generating new private key
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Extracting public certificate
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Done generating private key and public certificate
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Service Account Key: SVCACCTKEY, Uploaded
+Service Account OAuth2 File: C:\GAMConfig\oauth2service.json, Service Account Key: SVCACCTKEY, Updated
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Has rights to rotate own private key
+Please go to:
+
+https://console.cloud.google.com/apis/credentials/oauthclient?project=gam-project-abc-def-ghi
+
+1. Choose "Desktop App" or "Other" for "Application type".
+2. Enter "GAM" or another desired value for "Name".
+3. Click the blue "Create" button.
+4. Copy your "client ID" value that shows on the next page.
+
+Enter your Client ID: CLIENTID
+
+5. Go back to your browser and copy your "client secret" value.
+Enter your Client Secret: CLIENTSECRET
+6. Go back to your browser and click OK to close the "OAuth client" popup if it's still open.
+That's it! Your GAM Project is created and ready to use.
+
+C:\>
+```
+### Create your project without local browser (headless server for instance)
+```
+C:\>gam config no_browser true save
+C:\>gam create project
+WARNING: Config File: C:\GAMConfig\gam.cfg, Item: client_secrets_json, Value: C:\GAMConfig\client_secrets.json, Not Found
+WARNING: Config File: C:\GAMConfig\gam.cfg, Item: oauth2service_json, Value: C:\GAMConfig\oauth2service.json, Not Found
+
+Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) admin@domain.com
+
+Go to the following link in a browser on other computer:
+
+    https://accounts.google.com/o/oauth2/v2/auth?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&response_type=code&client_id=...
+
+Enter verification code: abc...xyz
+
+Authentication successful.
+Creating project "GAM Project"...
+Checking project status...
+Project: gam-project-abc-def-ghi, Enable 23 APIs
+  API: admin.googleapis.com, Enabled (1/23)
+  API: alertcenter.googleapis.com, Enabled (2/23)
+  API: appsactivity.googleapis.com, Enabled (3/23)
+  API: audit.googleapis.com, Enabled (4/23)
+  API: calendar-json.googleapis.com, Enabled (5/23)
+  API: chat.googleapis.com, Enabled (6/23)
+  API: classroom.googleapis.com, Enabled (7/23)
+  API: contacts.googleapis.com, Enabled (8/23)
+  API: drive.googleapis.com, Enabled (9/23)
+  API: driveactivity.googleapis.com, Enabled (10/23)
+  API: gmail.googleapis.com, Enabled (11/23)
+  API: groupsmigration.googleapis.com, Enabled (12/23)
+  API: groupssettings.googleapis.com, Enabled (13/23)
+  API: iam.googleapis.com, Enabled (14/23)
+  API: iap.googleapis.com, Enabled (15/23)
+  API: licensing.googleapis.com, Enabled (16/23)
+  API: people.googleapis.com, Enabled (17/23)
+  API: pubsub.googleapis.com, Enabled (18/23)
+  API: reseller.googleapis.com, Enabled (19/23)
+  API: sheets.googleapis.com, Enabled (20/23)
+  API: siteverification.googleapis.com, Enabled (21/23)
+  API: storage-api.googleapis.com, Enabled (22/23)
+  API: vault.googleapis.com, Enabled (23/23)
+Setting GAM project consent screen...
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Enabled
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Generating new private key
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Extracting public certificate
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Done generating private key and public certificate
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Service Account Key: SVCACCTKEY, Uploaded
+Service Account OAuth2 File: C:\GAMConfig\oauth2service.json, Service Account Key: SVCACCTKEY, Updated
+Project: gam-project-abc-def-ghi, Service Account: gam-project-abc-def-ghi@gam-project-abc-def-ghi.iam.gserviceaccount.com, Has rights to rotate own private key
+Please go to:
+
+https://console.cloud.google.com/apis/credentials/oauthclient?project=gam-project-abc-def-ghi
+
+1. Choose "Desktop App" or "Other" for "Application type".
+2. Enter "GAM" or another desired value for "Name".
+3. Click the blue "Create" button.
+4. Copy your "client ID" value that shows on the next page.
+
+Enter your Client ID: CLIENTID
+
+5. Go back to your browser and copy your "client secret" value.
+Enter your Client Secret: CLIENTSECRET
+6. Go back to your browser and click OK to close the "OAuth client" popup if it's still open.
+That's it! Your GAM Project is created and ready to use.
+
+C:\>
+```
+### Enable GAM7 client access
+
+You select a list of scopes, GAM uses a browser to get final authorization from Google for these scopes and
+writes the credentials into the file oauth2.txt.
+
+```
+C:\>gam oauth create
+
+[*]  0)  Calendar API (supports readonly)
+[*]  1)  Chrome Browser Cloud Management API (supports readonly)
+[*]  2)  Chrome Management API - AppDetails read only
+[*]  3)  Chrome Management API - Telemetry read only
+[*]  4)  Chrome Management API - read only
+[*]  5)  Chrome Policy API (supports readonly)
+[*]  6)  Chrome Printer Management API (supports readonly)
+[*]  7)  Chrome Version History API
+[*]  8)  Classroom API - Course Announcements (supports readonly)
+[*]  9)  Classroom API - Course Topics (supports readonly)
+[*] 10)  Classroom API - Course Work/Materials (supports readonly)
+[*] 11)  Classroom API - Course Work/Submissions (supports readonly)
+[*] 12)  Classroom API - Courses (supports readonly)
+[*] 13)  Classroom API - Profile Emails
+[*] 14)  Classroom API - Profile Photos
+[*] 15)  Classroom API - Rosters (supports readonly)
+[*] 16)  Classroom API - Student Guardians (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
+[*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
+[*] 19)  Cloud Identity Groups API (supports readonly)
+[*] 20)  Cloud Identity OrgUnits API (supports readonly)
+[*] 21)  Cloud Identity User Invitations API (supports readonly)
+[ ] 22)  Cloud Storage API (Read Only, Vault/Takeout Download, Cloud Storage)
+[ ] 23)  Cloud Storage API (Read/Write, Vault/Takeout Copy/Download, Cloud Storage)
+[*] 24)  Contact Delegation API (supports readonly)
+[*] 25)  Contacts API - Domain Shared Contacts and GAL
+[*] 26)  Data Transfer API (supports readonly)
+[*] 27)  Directory API - Chrome OS Devices (supports readonly)
+[*] 28)  Directory API - Customers (supports readonly)
+[*] 29)  Directory API - Domains (supports readonly)
+[*] 30)  Directory API - Groups (supports readonly)
+[*] 31)  Directory API - Mobile Devices Directory (supports readonly and action)
+[*] 32)  Directory API - Organizational Units (supports readonly)
+[*] 33)  Directory API - Resource Calendars (supports readonly)
+[*] 34)  Directory API - Roles (supports readonly)
+[*] 35)  Directory API - User Schemas (supports readonly)
+[*] 36)  Directory API - User Security
+[*] 37)  Directory API - Users (supports readonly)
+[ ] 38)  Email Audit API
+[*] 39)  Groups Migration API
+[*] 40)  Groups Settings API
+[*] 41)  License Manager API
+[*] 42)  People API (supports readonly)
+[*] 43)  People Directory API - read only
+[ ] 44)  Pub / Sub API
+[*] 45)  Reports API - Audit Reports
+[*] 46)  Reports API - Usage Reports
+[ ] 47)  Reseller API
+[*] 48)  Site Verification API
+[ ] 49)  Sites API
+[*] 50)  Vault API (supports readonly)
+
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
+Please enter 0-50[a|r] or s|u|e|c: c
+
+Enter your Google Workspace admin email address? admin@domain.com
+
+Go to the following link in a browser on this computer or on another computer:
+
+    https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=423565144751-10lsdt2lgnsch9jmdhl35uq4617u1ifp&redirect_uri=http%3A%2F%2F127.0.0.1%3A8080%2F&scope=...
+
+If you use a browser on another computer, you will get a browser error that the site can't be reached AFTER you
+click the Allow button, paste "Unable to connect" URL from other computer (only URL data up to &scope required):
+
+Enter verification code or paste "Unable to connect" URL from other computer (only URL data up to &scope required):
+
+The authentication flow has completed.
+Client OAuth2 File: C:\GAMConfig\oauth2.txt, Created
+
+C:\>
+```
+### Enable GAM7 service account access.
+```
+C:\>gam user admin@domain.com check serviceaccount
+System time status
+  Your system time differs from www.googleapis.com by less than 1 second    PASS
+Service Account Private Key Authentication
+  Authentication                                                            PASS
+Service Account Private Key age; Google recommends rotating keys on a routine basis
+  Service Account Private Key age: 0 days                                   PASS
+Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
+  https://mail.google.com/                                                  PASS (1/34)
+  https://sites.google.com/feeds                                            PASS (2/34)
+  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
+  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
+  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
+  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
+  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
+  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
+  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
+  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
+  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
+  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
+  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
+  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
+  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
+  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
+  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
+  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
+  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
+  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
+  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
+  https://www.googleapis.com/auth/documents                                 PASS (22/34)
+  https://www.googleapis.com/auth/drive                                     PASS (23/34)
+  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
+  https://www.googleapis.com/auth/drive.admin.labels                        FAIL (25/34)
+  https://www.googleapis.com/auth/drive.labels                              FAIL (26/34)
+  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
+  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
+  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
+  https://www.googleapis.com/auth/keep                                      PASS (30/34)
+  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
+  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
+  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
+  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
+Some scopes FAILED!
+To authorize them, please go to:
+
+    https://admin.google.com/ac/owl/domainwide...thuser=admin@domain.com
+
+You will be directed to the Google Workspace admin console Security/API Controls/Domain-wide Delegation page
+The "Add a new Client ID" box will open
+Make sure that "Overwrite existing client ID" is checked
+Click AUTHORIZE
+When the box closes you're done
+After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.
+
+C:\>
+```
+The link shown in the error message should take you directly to the authorization screen.
+If not, make sure that you are logged in as a domain admin, then re-enter the link.
+
+### Verify GAM7 service account access.
+
+Wait a moment and then perform the following command; it it still fails, wait a bit longer, it can sometimes take serveral minutes
+for the authorization to complete.
+```
+C:\>gam user admin@domain.com check serviceaccount
+System time status:
+  Your system time differs from www.googleapis.com by less than 1 second    PASS
+Service Account Private Key Authentication:
+  Authentication                                                            PASS
+Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
+  https://mail.google.com/                                                  PASS (1/34)
+  https://sites.google.com/feeds                                            PASS (2/34)
+  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
+  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
+  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
+  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
+  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
+  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
+  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
+  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
+  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
+  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
+  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
+  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
+  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
+  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
+  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
+  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
+  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
+  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
+  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
+  https://www.googleapis.com/auth/documents                                 PASS (22/34)
+  https://www.googleapis.com/auth/drive                                     PASS (23/34)
+  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
+  https://www.googleapis.com/auth/drive.admin.labels                        PASS (25/34)
+  https://www.googleapis.com/auth/drive.labels                              PASS (26/34)
+  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
+  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
+  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
+  https://www.googleapis.com/auth/keep                                      PASS (30/34)
+  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
+  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
+  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
+  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
+All scopes PASSED!
+
+Service Account Client name: SVCACCTID is fully authorized.
+
+C:\>
+```
+### Update gam.cfg with some basic values
+* `customer_id` - Having this data keeps Gam from having to make extra API calls
+* `domain` - This allows you to omit the domain portion of email addresses
+* `timezone local` - Gam will convert all UTC times to your local timezone
+```
+C:\>gam info domain
+Customer ID: C01234567
+Primary Domain: domain.com
+Customer Creation Time: 2007-06-06T15:47:55.444Z
+Primary Domain Verified: True
+Default Language: en
+...
+
+C:\>gam config customer_id C01234567 domain domain.com timezone local save verify
+Config File: C:\GAMConfig\gam.cfg, Saved
+Section: DEFAULT
+  ...
+  customer_id = C01234567
+  ...
+  domain = domain.com
+  ...
+  timezone = local
+  ...
+
+C:\>
+```
--- a/docs/How-to-Uninstall-GAM7.md
+++ b/docs/How-to-Uninstall-GAM7.md
@@ -0,0 +1,127 @@
+# Uninstalling GAM7
+
+- [Get Project Info](#get-project-info)
+- [Remove Client API access](#remove-client-api-access)
+- [Remove Service Account API access](#remove-service-account-api-access)
+- [Delete GAM Project](#delete-gam-project)
+- [Linux and MacOS and Google Cloud Shell](#linux-and-mac-os-and-google-cloud-shell)
+- [Windows](#windows)
+
+## Get Project Info
+```
+gam version
+```
+
+Note the `Config File:` path to `gam.cfg`. In that folder will be a file `oauth2service.json`; look at its contents.
+You want these two lines:
+```
+"client_id": "123691089974044844789"
+"project_id": "gam-project-123-456-789"
+```
+
+## Remove Client API access
+```
+gam oauth delete
+```
+
+## Remove Service Account API access
+In a browser, go to `https://admin.google.com`, login and go to the Security/API Controls/Domain-wide Delegation page.
+Find the `Client ID` that matches the `client_id` value from `oauth2service.json`, hover over it and click `Delete`.	
+
+## Delete GAM Project
+In a browser, go to `https://console.cloud.google.com/cloud-resource-manager`, login. Find the `ID` that matches
+the `project_id` value from `oauth2service.json`; click the three dots at the right end of the line and click `Delete`.
+In the box that pops up, put the `project_id` value in ther `Project ID*` field and click `SHUT DOWN`
+
+## Linux and MacOS and Google Cloud Shell
+
+In these examples, the user home folder is shown as /Users/admin; adjust according to your
+specific situation; e.g., /home/administrator.
+
+This example assumes that GAM7 has been installed in /Users/admin/bin/gam7.
+If you've installed GAM7 in another directory, substitute that value in the directions.
+
+### Delete executable directory
+
+```
+rm -fr /Users/admin/bin/gam7
+```
+
+### Delete configuration directory
+
+The default GAM configuration directory is /Users/admin/.gam; for more flexibility you
+probably want to select a non-hidden location. This example assumes that the GAM
+configuration directory will be /Users/admin/GAMConfig; If you've chosen another directory,
+substitute that value in the directions.
+```
+rm -fr /Users/admin/GAMConfig
+```
+
+### Delete  working directory
+
+This example assumes that the GAM working directory is be /Users/admin/GAMWork; If you've chosen
+another directory, substitute that value in the directions.
+```
+rm -fr /Users/admin/GAMConfig
+```
+
+### Remove executable alias and GAM configuration export
+
+Remove the following line:
+```
+alias gam="/Users/admin/bin/gam7/gam"
+export GAMCFGDIR="/Users/admin/GAMConfig"
+```
+from these files based on your shell:
+```
+~/.bash_profile
+~/.bashrc
+~/.zshrc
+~/.profile
+```
+
+## Windows
+
+This example assumes that GAM7 has been installed in C:\GAM7; if you've installed
+GAM7 in another directory, substitute that value in the directions.
+
+### Delete executable directory
+
+In File Explorer, delete the `C:\GAM7` folder.
+
+### Delete configuration directory
+
+The default GAM configuration directory is C:\Users\<UserName>\.gam; for more flexibility you
+probably want to select a non user-specific location. This example assumes that the GAM
+configuration directory will be C:\GAMConfig; If you've chosen another directory,
+substitute that value in the directions.
+
+In File Explorer, delete the `C:\GAMConfig` folder.
+
+### Delete working directory
+
+This example assumes that the GAM working directory will be C:\GAMWork; If you've chosen
+another directory, substitute that value in the directions.
+
+In File Explorer, delete the `C:\GAMWork` folder.
+
+### Reset system path and GAM configuration directory
+```
+Start Control Panel
+Click System
+Click Advanced system settings
+Click Environment Variables...
+Click Path under System variables
+Click Edit...
+If C:\GAM7 is not on the Path, click Cancel and skip the next three steps
+  Click C:\GAM7
+  Click Delete
+  Click OK
+If GAMCFGDIR is not in System variables, skip the next two steps
+  Click GAMCFGDIR
+  Click Delete
+Click OK
+Click OK
+Exit Control Panel
+```
+
--- a/docs/How-to-Update-Advanced-GAM-to-GAM7.md
+++ b/docs/How-to-Update-Advanced-GAM-to-GAM7.md
@@ -0,0 +1,120 @@
+# Installation - Update Advanced GAM to GAM7
+
+- [Downloads-Installs-GAM7](Downloads-Installs-GAM7)
+- [Linux and MacOS and Google Cloud Shell](#linux-and-mac-os-and-google-cloud-shell)
+- [Windows](#windows)
+
+## Linux and MacOS and Google Cloud Shell
+
+This example assumes that GAMADV-XTD3 was installed in /Users/admin/bin/gamadv-xtd3.
+If GAMADV-XTD3 was installed in another directory, substitute that value in the directions.
+
+Rename install directory.
+```
+mv /Users/admin/bin/gamadv-xtd3 /Users/admin/bin/gam7
+```
+
+See: [Downloads-Installs-GAM7](Downloads-Installs-GAM7)
+
+You can download and install the current GAM7 release from the [GitHub Releases](https://github.com/GAM-team/GAM/releases/latest) page. Choose one of the following:
+
+* Executable Archive, Automatic, Linux/Mac OS/Google Cloud Shell/Raspberry Pi/ChromeOS
+  - Start a terminal session and execute one of the following commands:
+  - Update to latest version, do not create project or authorizations, default path `$HOME/bin`
+    - `bash <(curl -s -S -L https://git.io/gam-install) -l`
+  - Update to latest version, do not create project or authorizations, specify a path
+    - `bash <(curl -s -S -L https://git.io/gam-install) -l -d <Path>`
+
+In these examples, the user home folder is shown as /Users/admin; adjust according to your
+specific situation; e.g., /home/administrator.
+
+### Update gam  alias
+You should set an alias to point to /Users/admin/bin/gam/gam so you can operate from the /Users/admin/GAMWork directory.
+Aliases aren't available in scripts, so you may want to set a symlink instead, see below.
+
+Change the following line:
+```
+alias gam="/Users/admin/bin/gamadv-xtd3/gam"
+```
+to
+```
+alias gam="/Users/admin/bin/gam7/gam"
+```
+in one of these files based on your shell:
+```
+~/.bash_aliases
+~/.bash_profile
+~/.bashrc
+~/.zshrc
+~/.profile
+```
+
+Issue the following command replacing `<Filename>` with the name of the file you edited:
+```
+source <Filename>
+```
+
+### Set a symlink if desired
+Set a symlink in `/usr/local/bin` (or some other location on $PATH) to point to GAM. 
+```
+ln -s "/Users/admin/bin/gam7/gam" /usr/local/bin/gam
+```
+
+### Test
+```
+gam version
+```
+
+## Windows
+
+You can download and install the current GAM7 release from the [GitHub Releases](https://github.com/GAM-team/GAM/releases/latest) page.
+
+This example assumes that GAMADV-XTD3 was installed in C:\GAMADV-XTD3.
+If GAMADV-XTD3 was installed in another directory, substitute that value in the directions.
+
+These steps assume Command Prompt, adjust if you're using PowerShell.
+
+Rename install directory.
+```
+ren C:\GAMADV-STD3 C:\GAM7
+```
+
+See: [Downloads-Installs-GAM7](Downloads-Installs-GAM7)
+
+* Executable Archive, Manual, Windows 64 bit
+  - `gam-7.wx.yz-windows-x86_64.zip`
+  - Download the archive, extract the contents into C:\GAM7.
+  - Start a Command Prompt/PowerShell session.
+
+* Executable Installer, Manual, Windows 64 bit
+  - `gam-7.wx.yz-windows-x86_64.msi`
+  - Download the installer and run it.
+  - Start a Command Prompt/PowerShell session.
+
+### Update system path
+You should set the system path to point to C:\GAM7 so you can operate from the C:\GAMWork directory.
+```
+Start Control Panel
+Click System
+Click Advanced system settings
+Click Environment Variables...
+Click Path under System variables
+Click Edit...
+If you have an existing entry referencing GAMADV-XTD3:
+  Click that entry
+  Click Delete
+If C:\GAM7 is already on the Path, skip the next three steps
+  Click New
+  Enter C:\GAM7
+  Click OK
+Click OK
+Click OK
+Exit Control Panel
+```
+
+At this point, you should restart Command Prompt so that it has the updated path and environment variables.
+
+### Test
+```
+gam version
+```
--- a/docs/How-to-Update-GAM7.md
+++ b/docs/How-to-Update-GAM7.md
@@ -0,0 +1,581 @@
+# Updating GAM7
+Use these steps to update your version of GAM7.
+
+- [Downloads-Installs](Downloads-Installs)
+- [Linux and MacOS and Google Cloud Shell](#linux-and-mac-os-and-google-cloud-shell)
+- [Windows](#windows)
+- [GAM Configuration](gam.cfg)
+
+## Linux and MacOS and Google Cloud Shell
+
+### Download the latest version
+
+This example assumes that GAM7 has been installed in /Users/admin/bin/gam7.
+If you've installed GAM7 in another directory, substitute that value in the directions when downloading.
+
+See: [Downloads-Installs](Downloads-Installs)
+
+In these examples, your Google Super admin is shown as admin@domain.com; replace with the
+actual email adddress.
+
+In these examples, the user home folder is shown as /Users/admin; adjust according to your
+specific situation; e.g., /home/administrator.
+
+### Update your project with local browser to include the additional APIs that GAM7 uses.
+This step may be omitted if you are updating from a recent version.
+```
+admin@server:/Users/admin/bin/gam7 gam update project
+
+Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s): gam-project-abc-123-xyz? admin@domain.com
+
+Your browser has been opened to visit:
+
+    https://accounts.google.com/o/oauth2/v2/auth?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&response_type=code&client_id=...
+
+If your browser is on a different machine then press CTRL+C,
+set no_browser = true in gam.cfg and re-run this command.
+
+Authentication successful.
+API: admin.googleapis.com, already enabled...
+API: appsactivity.googleapis.com, already enabled...
+API: calendar-json.googleapis.com, already enabled...
+API: classroom.googleapis.com, already enabled...
+API: contacts.googleapis.com, already enabled...
+API: drive.googleapis.com, already enabled...
+API: gmail.googleapis.com, already enabled...
+API: groupssettings.googleapis.com, already enabled...
+API: licensing.googleapis.com, already enabled...
+API: plus.googleapis.com, already enabled...
+API: reseller.googleapis.com, already enabled...
+API: siteverification.googleapis.com, already enabled...
+API: vault.googleapis.com, already enabled...
+Enable 3 APIs
+  API: audit.googleapis.com, Enabled (1/3)
+  API: groupsmigration.googleapis.com, Enabled (2/3)
+  API: sheets.googleapis.com, Enabled (3/3)
+
+admin@server:/Users/admin/bin/gam7
+```
+### Update your project without local browser (Google Cloud Shell for instance) to include the additional APIs that GAM7 uses
+This step may be omitted if you are updating from a recent version.
+```
+admin@server:/Users/admin/bin/gam7 gam config no_browser true save
+admin@server:/Users/admin/bin/gam7 gam update project
+
+Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s): gam-project-abc-123-xyz? admin@domain.com
+
+Go to the following link in a browser on other computer:
+
+    https://accounts.google.com/o/oauth2/v2/auth?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&response_type=code&client_id=...
+
+Enter verification code: abc...xyz
+
+Authentication successful.
+API: admin.googleapis.com, already enabled...
+API: appsactivity.googleapis.com, already enabled...
+API: calendar-json.googleapis.com, already enabled...
+API: classroom.googleapis.com, already enabled...
+API: contacts.googleapis.com, already enabled...
+API: drive.googleapis.com, already enabled...
+API: gmail.googleapis.com, already enabled...
+API: groupssettings.googleapis.com, already enabled...
+API: licensing.googleapis.com, already enabled...
+API: plus.googleapis.com, already enabled...
+API: reseller.googleapis.com, already enabled...
+API: siteverification.googleapis.com, already enabled...
+API: vault.googleapis.com, already enabled...
+Enable 3 APIs
+  API: audit.googleapis.com, Enabled (1/3)
+  API: groupsmigration.googleapis.com, Enabled (2/3)
+  API: sheets.googleapis.com, Enabled (3/3)
+
+admin@server:/Users/admin/bin/ga7
+```
+### Update GAM7 client access
+
+You select a list of scopes, GAM7 uses a browser to get final authorization from Google for these scopes and
+writes the credentials into the file oauth2.txt.
+
+```
+admin@server:/Users/admin/bin/gam7 ./gam oauth create
+
+[*]  0)  Calendar API (supports readonly)
+[*]  1)  Chrome Browser Cloud Management API (supports readonly)
+[*]  2)  Chrome Management API - AppDetails read only
+[*]  3)  Chrome Management API - Telemetry read only
+[*]  4)  Chrome Management API - read only
+[*]  5)  Chrome Policy API (supports readonly)
+[*]  6)  Chrome Printer Management API (supports readonly)
+[*]  7)  Chrome Version History API
+[*]  8)  Classroom API - Course Announcements (supports readonly)
+[*]  9)  Classroom API - Course Topics (supports readonly)
+[*] 10)  Classroom API - Course Work/Materials (supports readonly)
+[*] 11)  Classroom API - Course Work/Submissions (supports readonly)
+[*] 12)  Classroom API - Courses (supports readonly)
+[*] 13)  Classroom API - Profile Emails
+[*] 14)  Classroom API - Profile Photos
+[*] 15)  Classroom API - Rosters (supports readonly)
+[*] 16)  Classroom API - Student Guardians (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
+[*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
+[*] 19)  Cloud Identity Groups API (supports readonly)
+[*] 20)  Cloud Identity OrgUnits API (supports readonly)
+[*] 21)  Cloud Identity User Invitations API (supports readonly)
+[ ] 22)  Cloud Storage API (Read Only, Vault/Takeout Download, Cloud Storage)
+[ ] 23)  Cloud Storage API (Read/Write, Vault/Takeout Copy/Download, Cloud Storage)
+[*] 24)  Contact Delegation API (supports readonly)
+[*] 25)  Contacts API - Domain Shared Contacts and GAL
+[*] 26)  Data Transfer API (supports readonly)
+[*] 27)  Directory API - Chrome OS Devices (supports readonly)
+[*] 28)  Directory API - Customers (supports readonly)
+[*] 29)  Directory API - Domains (supports readonly)
+[*] 30)  Directory API - Groups (supports readonly)
+[*] 31)  Directory API - Mobile Devices Directory (supports readonly and action)
+[*] 32)  Directory API - Organizational Units (supports readonly)
+[*] 33)  Directory API - Resource Calendars (supports readonly)
+[*] 34)  Directory API - Roles (supports readonly)
+[*] 35)  Directory API - User Schemas (supports readonly)
+[*] 36)  Directory API - User Security
+[*] 37)  Directory API - Users (supports readonly)
+[ ] 38)  Email Audit API
+[*] 39)  Groups Migration API
+[*] 40)  Groups Settings API
+[*] 41)  License Manager API
+[*] 42)  People API (supports readonly)
+[*] 43)  People Directory API - read only
+[ ] 44)  Pub / Sub API
+[*] 45)  Reports API - Audit Reports
+[*] 46)  Reports API - Usage Reports
+[ ] 47)  Reseller API
+[*] 48)  Site Verification API
+[ ] 49)  Sites API
+[*] 50)  Vault API (supports readonly)
+
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
+Please enter 0-50[a|r] or s|u|e|c: c
+
+Enter your Google Workspace admin email address? admin@domain.com
+
+Go to the following link in a browser on this computer or on another computer:
+
+    https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=423565144751-10lsdt2lgnsch9jmdhl35uq4617u1ifp&redirect_uri=http%3A%2F%2F127.0.0.1%3A8080%2F&scope=...
+
+If you use a browser on another computer, you will get a browser error that the site can't be reached AFTER you
+click the Allow button, paste "Unable to connect" URL from other computer (only URL data up to &scope required):
+
+Enter verification code or paste "Unable to connect" URL from other computer (only URL data up to &scope required):
+
+The authentication flow has completed.
+Client OAuth2 File: /Users/admin/GAMConfig/oauth2.txt, Created
+
+admin@server:/Users/admin/bin/gam7 
+```
+### Update GAM7 service account access.
+```
+admin@server:/Users/admin/bin/gam7 ./gam user admin@domain.com check serviceaccount
+$ gam user admin@domain.com check serviceaccount
+System time status
+  Your system time differs from www.googleapis.com by less than 1 second    PASS
+Service Account Private Key Authentication
+  Authentication                                                            PASS
+Service Account Private Key age; Google recommends rotating keys on a routine basis
+  Service Account Private Key age: 0 days                                   PASS
+Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
+  https://mail.google.com/                                                  PASS (1/34)
+  https://sites.google.com/feeds                                            PASS (2/34)
+  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
+  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
+  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
+  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
+  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
+  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
+  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
+  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
+  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
+  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
+  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
+  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
+  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
+  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
+  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
+  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
+  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
+  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
+  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
+  https://www.googleapis.com/auth/documents                                 PASS (22/34)
+  https://www.googleapis.com/auth/drive                                     PASS (23/34)
+  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
+  https://www.googleapis.com/auth/drive.admin.labels                        FAIL (25/34)
+  https://www.googleapis.com/auth/drive.labels                              FAIL (26/34)
+  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
+  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
+  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
+  https://www.googleapis.com/auth/keep                                      PASS (30/34)
+  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
+  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
+  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
+  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
+Some scopes FAILED!
+To authorize them, please go to:
+
+    https://admin.google.com/ac/owl/domainwidedelegation?clientScopeToAdd=https://mail.google.com/,https://sites.google.com/feeds,https://www.googleapis.com/auth/apps.alerts,https://www.googleapis.com/auth/calendar,https://www.googleapis.com/auth/classroom.announcements,https://www.googleapis.com/auth/classroom.coursework.students,https://www.googleapis.com/auth/classroom.courseworkmaterials,https://www.googleapis.com/auth/classroom.profile.emails,https://www.googleapis.com/auth/classroom.rosters,https://www.googleapis.com/auth/classroom.topics,https://www.googleapis.com/auth/cloud-identity,https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/contacts,https://www.googleapis.com/auth/contacts.other.readonly,https://www.googleapis.com/auth/datastudio,https://www.googleapis.com/auth/directory.readonly,https://www.googleapis.com/auth/documents,https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/drive.activity,https://www.googleapis.com/auth/gmail.modify,https://www.googleapis.com/auth/gmail.settings.basic,https://www.googleapis.com/auth/gmail.settings.sharing,https://www.googleapis.com/auth/keep,https://www.googleapis.com/auth/spreadsheets,https://www.googleapis.com/auth/tasks,https://www.googleapis.com/auth/userinfo.profile,https://www.googleapis.com/auth/userinfo.email&clientIdToAdd=SVCACCTID&overwriteClientId=true&dn=domain.com&authuser=admin@domain.com
+
+You will be directed to the Google Workspace admin console Security/API Controls/Domain-wide Delegation page
+The "Add a new Client ID" box will open
+Make sure that "Overwrite existing client ID" is checked
+Click AUTHORIZE
+When the box closes you're done
+After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.
+
+admin@server:/Users/admin/bin/gam7
+```
+The link shown in the error message should take you directly to the authorization screen.
+If not, make sure that you are logged in as a domain admin, then re-enter the link.
+
+### Verify GAM7 service account access.
+
+Wait a moment and then perform the following command; it it still fails, wait a bit longer, it can sometimes take serveral minutes
+for the authorization to complete.
+```
+admin@server:/Users/admin/bin/gam7 ./gam user admin@domain.com check serviceaccount
+System time status:
+  Your system time differs from www.googleapis.com by less than 1 second    PASS
+Service Account Private Key Authentication:
+  Authentication                                                            PASS
+Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
+  https://mail.google.com/                                                  PASS (1/34)
+  https://sites.google.com/feeds                                            PASS (2/34)
+  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
+  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
+  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
+  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
+  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
+  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
+  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
+  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
+  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
+  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
+  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
+  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
+  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
+  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
+  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
+  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
+  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
+  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
+  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
+  https://www.googleapis.com/auth/documents                                 PASS (22/34)
+  https://www.googleapis.com/auth/drive                                     PASS (23/34)
+  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
+  https://www.googleapis.com/auth/drive.admin.labels                        PASS (25/34)
+  https://www.googleapis.com/auth/drive.labels                              PASS (26/34)
+  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
+  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
+  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
+  https://www.googleapis.com/auth/keep                                      PASS (30/34)
+  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
+  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
+  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
+  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
+All scopes PASSED!
+
+Service Account Client name: SVCACCTID is fully authorized.
+
+admin@server:/Users/admin/bin/gam7 
+```
+
+## Windows
+
+### Download the latest version
+
+This example assumes that GAM7 has been installed in C:\GAM7.
+If you've installed GAM7 in another directory, substitute that value in the directions when downloading.
+
+See: [Downloads-Installs](Downloads-Installs)
+
+In these examples, your Google Super admin is shown as admin@domain.com; replace with the
+actual email adddress.
+
+This example assumes that GAM7 has been installed in C:\GAM7; if you've installed
+GAM7 in another directory, substitute that value in the directions.
+
+These steps assume Command Prompt, adjust if you're using PowerShell.
+
+### Update your project with local browser to include the additional APIs that GAM7 uses.
+This step may be omitted if you are updating from a recent version.
+```
+C:\GAM7>gam update project
+
+Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) gam-project-abc-123-xyz? admin@domain.com
+
+Your browser has been opened to visit:
+
+    https://accounts.google.com/o/oauth2/v2/auth?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&response_type=code&client_id=...
+
+Authentication successful.
+API: admin.googleapis.com, already enabled...
+API: appsactivity.googleapis.com, already enabled...
+API: calendar-json.googleapis.com, already enabled...
+API: classroom.googleapis.com, already enabled...
+API: contacts.googleapis.com, already enabled...
+API: drive.googleapis.com, already enabled...
+API: gmail.googleapis.com, already enabled...
+API: groupssettings.googleapis.com, already enabled...
+API: licensing.googleapis.com, already enabled...
+API: plus.googleapis.com, already enabled...
+API: reseller.googleapis.com, already enabled...
+API: siteverification.googleapis.com, already enabled...
+API: vault.googleapis.com, already enabled...
+Enable 3 APIs
+  API: audit.googleapis.com, Enabled (1/3)
+  API: groupsmigration.googleapis.com, Enabled (2/3)
+  API: sheets.googleapis.com, Enabled (3/3)
+
+C:\GAM7>
+```
+### Update your project without local browser (headless server for instance) to include the additional APIs that GAM7 uses
+This step may be omitted if you are updating from a recent version.
+```
+C:\GAM7>gam config no_browser true save
+C:\GAM7>gam update project
+
+Enter your Google Workspace admin or GCP project manager email address authorized to manage project(s) gam-project-abc-123-xyz? admin@domain.com
+
+Go to the following link in a browser on other computer:
+
+    https://accounts.google.com/o/oauth2/v2/auth?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&response_type=code&client_id=...
+
+Enter verification code: abc...xyz
+
+Authentication successful.
+API: admin.googleapis.com, already enabled...
+API: appsactivity.googleapis.com, already enabled...
+API: calendar-json.googleapis.com, already enabled...
+API: classroom.googleapis.com, already enabled...
+API: contacts.googleapis.com, already enabled...
+API: drive.googleapis.com, already enabled...
+API: gmail.googleapis.com, already enabled...
+API: groupssettings.googleapis.com, already enabled...
+API: licensing.googleapis.com, already enabled...
+API: plus.googleapis.com, already enabled...
+API: reseller.googleapis.com, already enabled...
+API: siteverification.googleapis.com, already enabled...
+API: vault.googleapis.com, already enabled...
+Enable 3 APIs
+  API: audit.googleapis.com, Enabled (1/3)
+  API: groupsmigration.googleapis.com, Enabled (2/3)
+  API: sheets.googleapis.com, Enabled (3/3)
+
+C:\GAM7>
+```
+### Update GAM7 client access
+
+You select a list of scopes, GAM uses a browser to get final authorization from Google for these scopes and
+writes the credentials into the file oauth2.txt.
+
+```
+C:\GAM7>gam oauth create
+
+[*]  0)  Calendar API (supports readonly)
+[*]  1)  Chrome Browser Cloud Management API (supports readonly)
+[*]  2)  Chrome Management API - AppDetails read only
+[*]  3)  Chrome Management API - Telemetry read only
+[*]  4)  Chrome Management API - read only
+[*]  5)  Chrome Policy API (supports readonly)
+[*]  6)  Chrome Printer Management API (supports readonly)
+[*]  7)  Chrome Version History API
+[*]  8)  Classroom API - Course Announcements (supports readonly)
+[*]  9)  Classroom API - Course Topics (supports readonly)
+[*] 10)  Classroom API - Course Work/Materials (supports readonly)
+[*] 11)  Classroom API - Course Work/Submissions (supports readonly)
+[*] 12)  Classroom API - Courses (supports readonly)
+[*] 13)  Classroom API - Profile Emails
+[*] 14)  Classroom API - Profile Photos
+[*] 15)  Classroom API - Rosters (supports readonly)
+[*] 16)  Classroom API - Student Guardians (supports readonly)
+[ ] 17)  Cloud Channel API (supports readonly)
+[*] 18)  Cloud Identity - Inbound SSO Settings (supports readonly)
+[*] 19)  Cloud Identity Groups API (supports readonly)
+[*] 20)  Cloud Identity OrgUnits API (supports readonly)
+[*] 21)  Cloud Identity User Invitations API (supports readonly)
+[ ] 22)  Cloud Storage API (Read Only, Vault/Takeout Download, Cloud Storage)
+[ ] 23)  Cloud Storage API (Read/Write, Vault/Takeout Copy/Download, Cloud Storage)
+[*] 24)  Contact Delegation API (supports readonly)
+[*] 25)  Contacts API - Domain Shared Contacts and GAL
+[*] 26)  Data Transfer API (supports readonly)
+[*] 27)  Directory API - Chrome OS Devices (supports readonly)
+[*] 28)  Directory API - Customers (supports readonly)
+[*] 29)  Directory API - Domains (supports readonly)
+[*] 30)  Directory API - Groups (supports readonly)
+[*] 31)  Directory API - Mobile Devices Directory (supports readonly and action)
+[*] 32)  Directory API - Organizational Units (supports readonly)
+[*] 33)  Directory API - Resource Calendars (supports readonly)
+[*] 34)  Directory API - Roles (supports readonly)
+[*] 35)  Directory API - User Schemas (supports readonly)
+[*] 36)  Directory API - User Security
+[*] 37)  Directory API - Users (supports readonly)
+[ ] 38)  Email Audit API
+[*] 39)  Groups Migration API
+[*] 40)  Groups Settings API
+[*] 41)  License Manager API
+[*] 42)  People API (supports readonly)
+[*] 43)  People Directory API - read only
+[ ] 44)  Pub / Sub API
+[*] 45)  Reports API - Audit Reports
+[*] 46)  Reports API - Usage Reports
+[ ] 47)  Reseller API
+[*] 48)  Site Verification API
+[ ] 49)  Sites API
+[*] 50)  Vault API (supports readonly)
+
+Select an unselected scope [ ] by entering a number; yields [*]
+For scopes that support readonly, enter a number and an 'r' to grant read-only access; yields [R]
+For scopes that support action, enter a number and an 'a' to grant action-only access; yields [A]
+Clear read-only access [R] or action-only access [A] from a scope by entering a number; yields [*]
+Unselect a selected scope [*] by entering a number; yields [ ]
+Select all default scopes by entering an 's'; yields [*] for default scopes, [ ] for others
+Unselect all scopes by entering a 'u'; yields [ ] for all scopes
+Exit without changes/authorization by entering an 'e'
+Continue to authorization by entering a 'c'
+  Note, if all scopes are selected, Google will probably generate an authorization error
+
+Please enter 0-50[a|r] or s|u|e|c: c
+
+Enter your Google Workspace admin email address? admin@domain.com
+
+Go to the following link in a browser on this computer or on another computer:
+
+    https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=423565144751-10lsdt2lgnsch9jmdhl35uq4617u1ifp&redirect_uri=http%3A%2F%2F127.0.0.1%3A8080%2F&scope=...
+
+If you use a browser on another computer, you will get a browser error that the site can't be reached AFTER you
+click the Allow button, paste "Unable to connect" URL from other computer (only URL data up to &scope required):
+
+Enter verification code or paste "Unable to connect" URL from other computer (only URL data up to &scope required):
+
+The authentication flow has completed.
+Client OAuth2 File: C:\GAMConfig\oauth2.txt, Created
+
+C:\GAM7>
+```
+### Update GAM7 service account access.
+```
+C:\GAM7>gam user admin@domain.com check serviceaccount
+System time status
+  Your system time differs from www.googleapis.com by less than 1 second    PASS
+Service Account Private Key Authentication
+  Authentication                                                            PASS
+Service Account Private Key age; Google recommends rotating keys on a routine basis
+  Service Account Private Key age: 0 days                                   PASS
+Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
+  https://mail.google.com/                                                  PASS (1/34)
+  https://sites.google.com/feeds                                            PASS (2/34)
+  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
+  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
+  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
+  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
+  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
+  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
+  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
+  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
+  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
+  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
+  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
+  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
+  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
+  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
+  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
+  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
+  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
+  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
+  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
+  https://www.googleapis.com/auth/documents                                 PASS (22/34)
+  https://www.googleapis.com/auth/drive                                     PASS (23/34)
+  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
+  https://www.googleapis.com/auth/drive.admin.labels                        FAIL (25/34)
+  https://www.googleapis.com/auth/drive.labels                              FAIL (26/34)
+  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
+  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
+  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
+  https://www.googleapis.com/auth/keep                                      PASS (30/34)
+  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
+  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
+  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
+  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
+Some scopes FAILED!
+To authorize them, please go to:
+
+    https://admin.google.com/ac/owl/domainwidedelegation?clientScopeToAdd=https://mail.google.com/,https://sites.google.com/feeds,https://www.googleapis.com/auth/apps.alerts,https://www.googleapis.com/auth/calendar,https://www.googleapis.com/auth/classroom.announcements,https://www.googleapis.com/auth/classroom.coursework.students,https://www.googleapis.com/auth/classroom.courseworkmaterials,https://www.googleapis.com/auth/classroom.profile.emails,https://www.googleapis.com/auth/classroom.rosters,https://www.googleapis.com/auth/classroom.topics,https://www.googleapis.com/auth/cloud-identity,https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/contacts,https://www.googleapis.com/auth/contacts.other.readonly,https://www.googleapis.com/auth/datastudio,https://www.googleapis.com/auth/directory.readonly,https://www.googleapis.com/auth/documents,https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/drive.activity,https://www.googleapis.com/auth/gmail.modify,https://www.googleapis.com/auth/gmail.settings.basic,https://www.googleapis.com/auth/gmail.settings.sharing,https://www.googleapis.com/auth/keep,https://www.googleapis.com/auth/spreadsheets,https://www.googleapis.com/auth/tasks,https://www.googleapis.com/auth/userinfo.profile,https://www.googleapis.com/auth/userinfo.email&clientIdToAdd=SVCACCTID&overwriteClientId=true&dn=domain.com&authuser=admin@domain.com
+
+You will be directed to the Google Workspace admin console Security/API Controls/Domain-wide Delegation page
+The "Add a new Client ID" box will open
+Make sure that "Overwrite existing client ID" is checked
+Click AUTHORIZE
+When the box closes you're done
+After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.
+
+C:\GAM7>
+```
+The link shown in the error message should take you directly to the authorization screen.
+If not, make sure that you are logged in as a domain admin, then re-enter the link.
+
+### Verify GAM7 service account access.
+
+Wait a moment and then perform the following command; it it still fails, wait a bit longer, it can sometimes take serveral minutes
+for the authorization to complete.
+```
+C:\GAM7>gam user admin@domain.com check serviceaccount
+System time status:
+  Your system time differs from www.googleapis.com by less than 1 second    PASS
+Service Account Private Key Authentication:
+  Authentication                                                            PASS
+Domain-wide Delegation authentication:, User: admin@domain.com, Scopes: 34
+  https://mail.google.com/                                                  PASS (1/34)
+  https://sites.google.com/feeds                                            PASS (2/34)
+  https://www.googleapis.com/auth/analytics.readonly                        PASS (3/34)
+  https://www.googleapis.com/auth/apps.alerts                               PASS (4/34)
+  https://www.googleapis.com/auth/calendar                                  PASS (5/34)
+  https://www.googleapis.com/auth/chat.delete                               PASS (6/34)
+  https://www.googleapis.com/auth/chat.memberships                          PASS (7/34)
+  https://www.googleapis.com/auth/chat.messages                             PASS (8/34)
+  https://www.googleapis.com/auth/chat.spaces                               PASS (9/34)
+  https://www.googleapis.com/auth/classroom.announcements                   PASS (10/34)
+  https://www.googleapis.com/auth/classroom.coursework.students             PASS (11/34)
+  https://www.googleapis.com/auth/classroom.courseworkmaterials             PASS (12/34)
+  https://www.googleapis.com/auth/classroom.profile.emails                  PASS (13/34)
+  https://www.googleapis.com/auth/classroom.rosters                         PASS (14/34)
+  https://www.googleapis.com/auth/classroom.topics                          PASS (15/34)
+  https://www.googleapis.com/auth/cloud-identity                            PASS (16/34)
+  https://www.googleapis.com/auth/cloud-platform                            PASS (17/34)
+  https://www.googleapis.com/auth/contacts                                  PASS (18/34)
+  https://www.googleapis.com/auth/contacts.other.readonly                   PASS (19/34)
+  https://www.googleapis.com/auth/datastudio                                PASS (20/34)
+  https://www.googleapis.com/auth/directory.readonly                        PASS (21/34)
+  https://www.googleapis.com/auth/documents                                 PASS (22/34)
+  https://www.googleapis.com/auth/drive                                     PASS (23/34)
+  https://www.googleapis.com/auth/drive.activity                            PASS (24/34)
+  https://www.googleapis.com/auth/drive.admin.labels                        PASS (25/34)
+  https://www.googleapis.com/auth/drive.labels                              PASS (26/34)
+  https://www.googleapis.com/auth/gmail.modify                              PASS (27/34)
+  https://www.googleapis.com/auth/gmail.settings.basic                      PASS (28/34)
+  https://www.googleapis.com/auth/gmail.settings.sharing                    PASS (29/34)
+  https://www.googleapis.com/auth/keep                                      PASS (30/34)
+  https://www.googleapis.com/auth/spreadsheets                              PASS (31/34)
+  https://www.googleapis.com/auth/tasks                                     PASS (32/34)
+  https://www.googleapis.com/auth/userinfo.profile                          PASS (33/34)
+  https://www.googleapis.com/auth/youtube.readonly                          PASS (34/34)
+All scopes PASSED!
+
+Service Account Client name: SVCACCTID is fully authorized.
+
+C:\GAM7>
+```
--- a/docs/How-to-Upgrade-from-Legacy-GAM.md
+++ b/docs/How-to-Upgrade-from-Legacy-GAM.md
--- a/docs/How-to-Upgrade-from-Standard-GAM.md
+++ b/docs/How-to-Upgrade-from-Standard-GAM.md
@@ -251,9 +251,9 @@ writes the credentials into the file oauth2.txt.
 admin@server:/Users/admin$ rm -f /Users/admin/GAMConfig/oauth2.txt
 admin@server:/Users/admin$ gam version
 WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: /Users/admin/GAMConfig/oauth2.txt, Not Found
-GAMADV-XTD3 6.79.03 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
+GAMADV-XTD3 7.00.02 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
 Ross Scroggs <ross.scroggs@gmail.com>
-Python 3.12.4 64-bit final
+Python 3.12.5 64-bit final
 MacOS Sonoma 14.5 x86_64
 Path: /Users/admin/bin/gamadv-xtd3
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
@@ -923,9 +923,9 @@ writes the credentials into the file oauth2.txt.
 C:\>del C:\GAMConfig\oauth2.txt
 C:\>gam version
 WARNING: Config File: C:\GAMConfig\gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: C:\GAMConfig\oauth2.txt, Not Found
-GAMADV-XTD3 6.79.03 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
+GAMADV-XTD3 7.00.02 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
 Ross Scroggs <ross.scroggs@gmail.com>
-Python 3.12.4 64-bit final
+Python 3.12.5 64-bit final
 Windows-10-10.0.17134 AMD64
 Path: C:\GAMADV-XTD3
 Config File: C:\GAMConfig\gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
--- a/docs/Inbound-SSO.md
+++ b/docs/Inbound-SSO.md
@@ -53,6 +53,8 @@ use the `returnnameonly` option to have GAM display just the profile name of the
 This will be useful in scripts that create|update a profile and then want to perform subsequent GAM commands that
 reference the profile.

+If `returnnameonly is specified, `inProgress` is returned if the API does not return a complete result.
+
 ```
 gam delete inboundssoprofile <SSOProfileItem>
 ```
--- a/docs/List.md
+++ b/docs/List.md
@@ -1,6 +1,6 @@
 # List

-The list command is used to verify collections of objects. See GamDataSelection.txt/
+The list command is used to verify collections of objects.

 ## Commands
 ```
@@ -8,3 +8,42 @@ gam list [todrive <ToDriveAttribute>*] <EntityList> [data <CrOSTypeEntity>|<User
 gam <CrOSTypeEntity>|<UserTypeEntity> list [todrive <ToDriveAttribute>*] [data <EntityList> [delimiter <Character>]]
 ```

+Allow mapping of keyfield value in csvkmd selectors.
+    <CSVkmdSelector> ::= csvkmd <FileName> [charset <Charset>]
+        keyfield <FieldName> [keypattern <RegularExpression>] [keyvalue <String>] [delimiter <String>]
+        (matchfield <FieldName> <RegularExpression>)*
+        [datafield <FieldName>(:<FieldName)* [delimiter <String>]]
+
+You want to update the membership of a collection of parent groups at your school, the data is coming from a database in a fixed format.
+Example 1, CSV File GroupP1P2.csv, exactly the data you want, keypattern and keyvalue are not required
+Group,P1Email,P2Email
+2017-parents@domain.com,g1member11@domain.com,g1member12@domain.com
+2017-parents@domain.com,g1member21@domain.com,g1member22@domain.com
+2018-parents@domain.com,g2member11@domain.com,g2member11@domain.com
+2018-parents@domain.com,g2member21@domain.com,g2member22@domain.com
+...
+For each row, the value from the Group column is used as the group name.
+Verify data selection: gam list csvkmd GroupP1P2.csv keyfield Group datafield P1Email:P2Email data csvdata P1Email:P2Email
+Execute: gam update groups csvkmd GroupP1P2.csv keyfield Group datafield P1Email:P2Email sync member csvdata P1Email:P2Email
+
+Example 2, CSV File GradYearP1P2.csv, you have to convert GradYear to group name GradYear-parents@domain.com, keyvalue is required
+GradYear,P1Email,P2Email
+2017,g1member11@domain.com,g1member12@domain.com
+2017,g1member21@domain.com,g1member22@domain.com
+2018,g2member11@domain.com,g2member11@domain.com
+2018,g2member21@domain.com,g2member22@domain.com
+...
+For each row, the value from the GradYear column replaces the keyField name in the keyvalue argument and that value is used as the group name.
+Verify data selection: gam list csvkmd GradYearP1P2.csv keyfield GradYear keyvalue GradYear-parents@domain.com datafield P1Email:P2Email data csvdata P1Email:P2Email
+Execute: gam update groups csvkmd GradYearP1P2.csv keyfield GradYear keyvalue GradYear-parents@domain.com datafield P1Email:P2Email sync member csvdata P1Email:P2Email
+
+Example 3, CSV File GradYearP1P2.csv, you have to convert GradYear to group name 'LastTwoDigitsOfGradYear-parents@domain.com', keypattern and keyvalue are required.
+GradYear,P1Email,P2Email
+2017,g1member11@domain.com,g1member12@domain.com
+2017,g1member21@domain.com,g1member22@domain.com
+2018,g2member11@domain.com,g2member11@domain.com
+2018,g2member21@domain.com,g2member22@domain.com
+...
+For each row, the value from the GradYear column is matched against the keypattern, the matched segments are substituted into the keyvalue argument and that value is used as the group name.
+Verify data selection: gam list csvkmd GradYearP1P2.csv keyfield GradYear keypattern '20(..)' keyvalue '\1-parents@domain.com' datafield P1Email:P2Email data csvdata P1Email:P2Email
+Execute: gam update groups csvkmd GradYearP1P2.csv keyfield GradYear keypattern '20(..)' keyvalue '\1-parents@domain.com' datafield P1Email:P2Email sync member csvdata P1Email:P2Email
--- a/docs/Organizational-Units.md
+++ b/docs/Organizational-Units.md
@@ -16,6 +16,7 @@
 - [Display organizational unit counts](#display-organizational-unit-counts)
 - [Display indented organizational unit tree](#display-indented-organizational-unit-tree)
 - [Check organizational unit for contained items](#check-organizational-unit-for-contained-items)
+- [Delete Empty OUs](#delete-empty-ous)
 - [Special case handling for large number of organizational units](#special-case-handling-for-large-number-of-organizational-units)

 ## API documentation
@@ -295,6 +296,7 @@ Only items directly within the OU are counted, items in sub-OUs are not counted.

 gam check org|ou <OrgUnitItem> [todrive <ToDriveAttribute>*]
        [<OrgUnitCheckName>*|(fields <OrgUnitCheckNameList>)]
+        [filename <FileName>] [movetoou <OrgUnitItem>]
        [formatjson [quotechar <Character>]]
 ```
 By default, GAM checks each of the five items; you can select specfic fields
@@ -309,6 +311,28 @@ When using the `formatjson` option, double quotes are used extensively in the da
 The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
 `quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.

+If `movetoou <OrgUnitItem>` is specified, GAM will create a batch file of GAM commands that will move any remaining items
+in `ou <OrgUnitItem>` to `movetoou <OrgUnitItem>`.
+
+By default, the batch file will be named `CleanOuBatch.txt` and will be created in `gam.cfg/drive_dir`.
+This can be overridden with `filename <FileName>`.
+
+You can inspect the file and execute it if desired; substitute actual filenames as desired.
+```
+gam redirect stdout CleanOuLog.txt multiproces redirect stderr stdout batch CleanOuBatch.txt
+```
+
+### Delete Empty OUs
+```
+# Get list of OUs
+gam redirect csv ./OUs.csv print ous 
+# Check status of each OU
+gam redirect csv ./CheckOUs.csv multiprocess redirect stderr - multiprocess csv OUs.csv gam check ou "~orgUnitId"
+# Delete empty OUs
+gam config csv_input_row_filter "empty:boolean:true" redirect stdout ./DeleteEmptyOUs.txt multiprocess redirect stderr stdout csv CheckOUs.csv gam delete ou "~orgUnitId"
+```
+Repeat the steps until no empty OUs remain.
+
 ## Special case handling for large number of organizational units

 By default, the `print orgs` and `show orgtree`  commands issue a single API call to get the
--- a/docs/Other-Resources.md
+++ b/docs/Other-Resources.md
@@ -1,6 +1,6 @@
 # Other Resources

-The following are links to contributions of others in support of GAMADV-XTD3.
+The following are links to contributions of others in support of GAM7.

 Thank you.

@@ -12,8 +12,8 @@ Thank you.
 * James Seymour - https://sites.google.com/view/gam--commands/
 * Kevin Melillo - https://github.com/KevinMelilloIEEE/gam-script
 * Korey Rideout - https://chatgpt.com/g/g-PTxxnVPMG-gam-assist - A helpful tool to assist with, GAM (+Advance) and GYB commands to assist with syntax for Google Workspace Administrators.
-* Paul Ogier (Taming.Tech) - GAMADV-XTD3 Course on Udemy https://taming.tech/GAMCourse
-* Paul Ogier (Taming.Tech) - GAMADV-XTD3 Tutorials https://www.youtube.com/watch?v=g9LDeyXQNLI&list=PL_dLiK09pJVhKJxZHNk9CHK0q5hkZ856w
+* Paul Ogier (Taming.Tech) - GAM7 Course on Udemy https://taming.tech/GAMCourse
+* Paul Ogier (Taming.Tech) - GAM7 Tutorials https://www.youtube.com/watch?v=g9LDeyXQNLI&list=PL_dLiK09pJVhKJxZHNk9CHK0q5hkZ856w
 * Paul Ogier (Taming.Tech) - https://taming.tech/taming-gam-a-practical-guide-to-gam-and-gamadv-xtd3/
 * Steve Larsen - https://docs.google.com/spreadsheets/d/1MzzA-u-cmoQcJnQOovCnZcEKMjvOyFhfkdFdf10X_GI/edit
 * Workspace Admins YouTube Channel - https://youtube.com/@googleworkspaceadmins
--- a/docs/Rclone.md
+++ b/docs/Rclone.md
@@ -1,10 +1,10 @@
 # Rclone

-GAMADV-XTD3 has the capability to upload and download single files between your local computer and Google Drive;
+GAM7 has the capability to upload and download single files between your local computer and Google Drive;
 it has no capability for uploading and dowloading folders. For this you can use Rclone: https://rclone.org/

 ## Authorization
-Rclone uses client and service account access to perform its operations; you can use your existing GAMADV-XTD3
+Rclone uses client and service account access to perform its operations; you can use your existing GAM7
 authorization for Rclone, you don't need to create a new project or service account within your project.

 You can use your Client ID and Client Secret from `client_secrets.json` and you can use your `oauth2service.json` file with rclone.
--- a/docs/Reports.md
+++ b/docs/Reports.md
@@ -2,6 +2,7 @@
 - [API documentation](#api-documentation)
 - [Collections of Users](Collections-of-Users)
 - [Definitions](#definitions)
+- [Special quoting](#special-quoting)
 - [Activity reports](#activity-reports)
  - [Find Shared Drives with no activity](#find-shared-drives-with-no-activity)
 - [Customer and user reports parameters](#customer-and-user-reports-parameters)
@@ -24,6 +25,17 @@
        never|
        now|today
 ```
+## Special quoting
+If you are going to use `config csv_output_row_filter` when printing reports,
+you'll need special quoting in the filter because of the `:` characters in the parameter names.
+
+See: https://github.com/taers232c/GAMADV-XTD3/wiki/CSV-Output-Filtering#quoting-rules
+
+For example:
+```
+config csv_output_row_filter "'\"accounts:used_quota_in_mb\":count>15000'"
+```
+
 ## Activity reports
 ```
 <ActivityApplicationName> ::=
--- a/docs/Running-GAM7-securely-on-a-Google-Compute-Engine.md
+++ b/docs/Running-GAM7-securely-on-a-Google-Compute-Engine.md
@@ -0,0 +1,76 @@
+# Running GAM7 securely on a Google Compute Engine
+- [thanks](#thanks)
+- [Introduction](#introduction)
+- [Setup Steps](#setup-steps)
+
+## Thanks
+
+Thanks to Jay Lee for the original version of this document.
+
+## Introduction
+GAM7 can run on a Linux or Windows Google Compute Engine (GCE) VM and use the attached service account to access Google Workspace APIs. The advantage of this configuration is that no service account private key is accessible to GAM7 directly and there is no risk of the key being stolen/lost.
+
+GAM7 version 6.50.00 or higher is required.
+
+## Setup Steps
+1. Create a [GCP project](https://cloud.google.com/resource-manager/docs/creating-managing-projects).
+
+2. Create [a service account](https://cloud.google.com/iam/docs/creating-managing-service-accounts) which will be used by GAM7.
+   * Enter a value in `Service account name`
+   * Enter text in `Service account description`
+   * Click `Create` and `Continue`
+   * Click `Continue` under `Grant this service account access to project`
+   * Click `Done` under `Grant users access to this service account`
+ 
+3. Grant the service account rights to generate authentication tokens.
+   * Go to [console.cloud.google.com](https://console.cloud.google.com).
+   * Go to `IAM & Admin` > `Service accounts`
+   * Click on the service account you created (not the default service account).
+   * Copy the email address of your service account to the clipboard.
+   * Click on the `Permissions` tab.
+   * Click `Grant Access`.
+   * In the `New principals` text box, paste the service account email you copied.
+   * Give your service account the `Service Account Token Creator` and `View Service Accounts` roles.
+   * Click `Save`
+
+4. [Create a Windows or Linux virtual machine](https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances).
+   * Scroll down and start at Create a VM and attach the service account
+   * Click `Go to VM instances`
+   * Click `Create Instance`
+   * Enter a value for `Name`
+   * Configure `Manage Tags and Labels`
+   * You can choose a region physically close to you though you may be limited in your choices if you want to use the free tier.
+   * GAM7 can run on the minimal `e2-micro` [free tier VM](https://cloud.google.com/free/docs/free-cloud-features#compute) though performance may suffer. If you are performing batch operations, raising the CPU count will help performance. If you have a very large and busy Workspace instance downloading reports or Drive file lists may require more RAM.
+   * Set `Service account` under `Identity and API access/API and identity management`; choose the service account you created above.
+   * Select `Set access for each API`
+   * Enable `Cloud Platform`
+   * GAM7 does not use a significant amount of storage, unless you have specific storage needs the default disk size should suffice.
+   * Leave other VM instance settings at their defaults unless you know what you are doing.
+   * Click `Create`
+
+5. Install GAM7 on the VM
+   * See: https://github.com/taers232c/GAMADV-XTD3/wiki/How-to-Install-GAM7
+
+6. Logout and log back in to the VM, you should now be able to run GAM7 commands like:
+```
+gam version
+```
+
+7. Create the special `oauth2service.json` file GAM7 will use:
+```
+gam create gcpserviceaccount
+```
+If you'd like, take a look at the generated ```oauth2service.json``` file;
+you'll notice that while the file has some fields similar to a normal service account file, there is no `private_key` attribute containing an RSA private key.
+
+8. Enable the Google APIs GAM7 will use:
+```
+gam enable apis
+```
+You are given the option to enable them automatically or manually. Automatic enablement will ask you to authenticate to GAM7. You should authenticate as a user with rights to manage project APIs, probably a project owner. If you are not the project owner you can choose manual enablement and GAM7 will provide two or more URLs which you can send to the project owner. When the owner opens these URLs, they'll be prompted to enable all the APIs GAM7 needs.
+
+9. Perform admin actions (manage users, groups, orgunits, Chrome devices, etc)
+   * [Configure delegated admin service account (DASA)](https://github.com/taers232c/GAMADV-XTD3/wiki/Using-GAMADV-XTD3-with-a-delegated-admin-service-account); start at step 4.
+
+10. Manage user data
+   * Run ```gam user user@domain.com check serviceaccount``` and follow the instructions to perform domain-wide delegation.
--- a/docs/Running-GAMADV-XTD3-securely-on-a-Google-Compute-Engine.md
+++ b/docs/Running-GAMADV-XTD3-securely-on-a-Google-Compute-Engine.md
@@ -15,24 +15,38 @@ GAMADV-XTD3 version 6.50.00 or higher is required.
 ## Setup Steps
 1. Create a [GCP project](https://cloud.google.com/resource-manager/docs/creating-managing-projects).

-2. Create [a service account](https://cloud.google.com/iam/docs/creating-managing-service-accounts) which will be used by GAMADV-XTD3. Continue steps 2 and 3 without granting the new service account any special access to the project and without granting users access to the service account.
+2. Create [a service account](https://cloud.google.com/iam/docs/creating-managing-service-accounts) which will be used by GAMADV-XTD3.
+   * Enter a value in `Service account name`
+   * Enter text in `Service account description`
+   * Click `Create` and `Continue`
+   * Click `Continue` under `Grant this service account access to project`
+   * Click `Done` under `Grant users access to this service account`
 
 3. Grant the service account rights to generate authentication tokens.
-   * go to [console.cloud.google.com](https://console.cloud.google.com).
-   * go to "IAM & Admin" > Service accounts
-   * click on the service account you created (not the default service account).
-   * copy the email address of your service account to the clipboard.
-   * click on the Permissions tab.
-   * click "Grant Access".
-   * In the "New principals text box, paste the service account email you copied.
-   * Give your service account the "Service Account Key Admin", "Service Account Token Creator" and "View Service Accounts" roles.
+   * Go to [console.cloud.google.com](https://console.cloud.google.com).
+   * Go to `IAM & Admin` > `Service accounts`
+   * Click on the service account you created (not the default service account).
+   * Copy the email address of your service account to the clipboard.
+   * Click on the `Permissions` tab.
+   * Click `Grant Access`.
+   * In the `New principals` text box, paste the service account email you copied.
+   * Give your service account the `Service Account Token Creator` and `View Service Accounts` roles.
+   * Click `Save`

-4. [Create a Windows or Linux virtual machine](https://cloud.google.com/compute/docs/instances/create-start-instance).
+4. [Create a Windows or Linux virtual machine](https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances).
+   * Scroll down and start at Create a VM and attach the service account
+   * Click `Go to VM instances`
+   * Click `Create Instance`
+   * Enter a value for `Name`
+   * Configure `Manage Tags and Labels`
   * You can choose a region physically close to you though you may be limited in your choices if you want to use the free tier.
   * GAMADV-XTD3 can run on the minimal `e2-micro` [free tier VM](https://cloud.google.com/free/docs/free-cloud-features#compute) though performance may suffer. If you are performing batch operations, raising the CPU count will help performance. If you have a very large and busy Workspace instance downloading reports or Drive file lists may require more RAM.
-   * [DO NOT use the default service account](https://cloud.google.com/iam/docs/best-practices-service-accounts#single-purpose). Choose the service account you created above instead.
+   * Set `Service account` under `Identity and API access/API and identity management`; choose the service account you created above.
+   * Select `Set access for each API`
+   * Enable `Cloud Platform`
   * GAMADV-XTD3 does not use a significant amount of storage, unless you have specific storage needs the default disk size should suffice.
-   * leave other VM instance settings at their defaults unless you know what you are doing.
+   * Leave other VM instance settings at their defaults unless you know what you are doing.
+   * Click `Create`

 5. Install GAMADV-XTD3 on the VM
   * See: https://github.com/taers232c/GAMADV-XTD3/wiki/How-to-Install-Advanced-GAM
--- a/docs/Scripts.md
+++ b/docs/Scripts.md
@@ -1,7 +1,7 @@
 # Scripts

 These scripts can be used to enhance GAM's capabilities; all are supported with Advanced GAM,
-many are supported with Standard GAM. They require that Python 3 be installed on you computer.
+many are supported with Legacy GAM. They require that Python 3 be installed on you computer.

 * https://github.com/taers232c/GAM-Scripts3
 * https://www.python.org/
--- a/docs/Shared-Drives.md
+++ b/docs/Shared-Drives.md
@@ -12,7 +12,11 @@
  - [Delete a Shared Drive](#delete-a-shared-drive)
  - [Change Shared Drive visibility](#change-shared-drive-visibility)
 - [Display Shared Drives](#display-shared-drives)
+- [Display List of Shared Drives in an Organizational Unit other than /](#display-list-of-shared-drives-in-an-organizational-unit-other-than-)
 - [Display List of Shared Drives in an Organizational Unit](#display-list-of-shared-drives-in-an-organizational-unit)
+- [Display all Shared Drives with no organizers](#display-all-shared-drives-with-no-organizers)
+- [Display all Shared Drives with a specific organizer](#display-all-shared-drives-with-a-specific-organizer)
+- [Display all Shared Drives without a specific organizer](#display-all-shared-drives-without-a-specific-organizer)
 - [Manage Shared Drive access](#manage-shared-drive-access)
 - [Transfer Shared Drive access](#transfer-shared-drive-access)
 - [Display Shared Drive access](#display-shared-drive-access)
@@ -72,6 +76,22 @@
 <OrgUnitPath> ::= /|(/<String>)+
 <OrgUnitItem> ::= <OrgUnitID>|<OrgUnitPath>

+<DriveFileOrderByFieldName> ::=
+        createddate|createdtime|
+        folder|
+        lastviewedbyme|lastviewedbymedate|lastviewedbymetime|lastviewedbyuser|
+        modifiedbyme|modifiedbymedate|modifiedbymetime|modifiedbyuser|
+        modifieddate|modifiedtime|
+        name|
+        name_natural|
+        quotabytesused|quotaused|
+        recency|
+        sharedwithmedate|sharedwithmetime|
+        starred|
+        title|
+        title_natural|
+        viewedbymedate|viewedbymetime
+
 <DriveFileACLRole> ::=
        manager|organizer|owner|
        contentmanager|fileorganizer|
@@ -371,45 +391,42 @@ Print information about all Shared Drives in the organization.
 gam print teamdrives
 gam user admin@domain.com print teamdrives adminaccess
 ```
-Print information about all Shared Drives in the organization with no organizers.
-```
-gam print teamdrives query "organizerCount = 0"
-gam user admin@domain.com print teamdrives adminaccess teamdriveadminquery "organizerCount = 0"
-```
 Print information about Shared Drives that have admin@domain.com as a member.
 ```
 gam user admin@domain.com print teamdrives
 ```
+## Display all Shared Drives with no organizers
+```
+gam print teamdrives query "organizerCount = 0"
+```
+
+## Display all Shared Drives with a specific organizer
+Substitute actual email address for `organizer@domain.com`.
+```
+gam config csv_output_header_filter "id,name" print teamdriveacls pm emailaddress organizer@domain.com role organizer em pma process pmselect
+```
+
+## Display all Shared Drives without a specific organizer
+Substitute actual email address for `organizer@domain.com`.
+```
+gam config csv_output_header_filter "id,name" print teamdriveacls pm emailaddress organizer@domain.com role organizer em pma skip pmselect
+```
+
+## Display List of Shared Drives in an Organizational Unit other than /
+Get the orgUnitID of OU / and use it (without the id:) in the print|show command. Adjust fields as desired.
+```
+gam info ou / nousers
+gam show teamdrives query "orgUnitId!='00gjdgxs2p9cxyz'" fields id,name,orgunit,createdtime
+gam print teamdrives query "orgUnitId!='00gjdgxs2p9cxyz'" fields id,name,orgunit,createdtime
+```
+
 ## Display List of Shared Drives in an Organizational Unit
-To use this command you must add the `Cloud Identity API` to your project and authorize
-the appropriate scope: `Cloud Identity OrgUnits API`.
-
-You'll have to do `gam update project` and `gam oauth create` to enable this command.
-
+Get the orgUnitID of the desired OU and use it (without the id:) in the print|show command. Adjust fields as desired.
 ```
-gam show oushareddrives
-        [ou|org|orgunit <OrgUnitPath>]                                                                                                                                                                                                                                             
-        [formatjson]
+gam info ou <OrgUnitPath> nousers
+gam show teamdrives query "orgUnitId='03ph8a2z21rexy'" fields id,name,orgunit,createdtime
+gam print teamdrives query "orgUnitId='03ph8a2z21rexy'" fields id,name,orgunit,createdtime
 ```
-If `ou|org|orgunit <OrgUnitPath>` is not specified, `/` is used.
-
-By default, Gam displays the information as an indented list of keys and values.
-* `formatjson` - Display the fields in JSON format.
-```
-gam print oushareddrives [todrive <ToDriveAttribute>*]
-        [ou|org|orgunit <OrgUnitPath>]
-        [formatjson [quotechar <Character>]]
-```
-If `ou|org|orgunit <OrgUnitPath>` is not specified, `/` is used.
-
-By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
-* `formatjson` - Display the fields in JSON format.
-
-By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
-the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
-When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
-The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
-`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.

 ## Manage Shared Drive access
 These commands are used to manage the ACLs on Shared Drives themselves, not the files/folders on the Shared Drives.
@@ -580,10 +597,12 @@ Print ACLs for all Shared Drives in the organization created after November 1, 2
 ```
 gam print teamdriveacls teamdriveadminquery "createdTime > '2017-11-01T00:00:00'"
 ```
+
 Print ACLs for all Shared Drives in the organization with foo@bar.com as an organizer.
 ```
 gam print teamdriveacls user foo@bar.com role organizer
 ```
+
 Print ACLs for all Shared Drives in the organization with foo@bar.com or groups that contain foo@bar.com as a reader.
 ```
 gam print teamdriveacls user foo@bar.com role reader checkgroups
--- a/docs/Todrive.md
+++ b/docs/Todrive.md
@@ -191,6 +191,7 @@ direct the uploaded file to a particular user and location and add a timestamp t
        (tdnotify [<Boolean>])|
        (tdparent (id:<DriveFolderID>)|<DriveFolderName>)|
        (tdretaintitle [<Boolean>])|
+        (tdreturnidonly [<Boolean>])|
        (tdshare <EmailAddress> commenter|reader|writer)*|
        (tdsheet (id:<Number>)|<String>)|
        (tdsheettimestamp [<Boolean>] [tdsheettimeformat <String>])
@@ -238,6 +239,11 @@ If `tdfileid <DriveFileID>` is not specified, a new file is created.
 * `tdcellwrap clip|overflow|wrap` - The Spreadsheet cell wrapping strategy.
 * `tdcellnumberformat text|number` - The Spreadsheet number format.

+## Report action, capture file ID
+* `tdreturnidonly` - If False, a message is written to stdout with the uploaded file URL; if True, only the uploaded file ID is written to stdout
+
+The ID can be captured and used in subsequent commands, `tdfileid <DriveFileID>` that will update the same file.
+
 ## Open browser and send email
 * `tdnobrowser` - If False, a browser is opened to view the file uploaded to Google Drive; if not specified, the `todrive_nobrowser` value from gam.cfg is used. If True, no browser is opened.
 * `tdnoemail` - If False, an email is sent to `tduser` informing them of name and URL of the uploaded file; if not specified, the `todrive_noemail` value from gam.cfg is used. If True, no email is sent to `tduser`.
--- a/docs/Upgrade-Benefits.md
+++ b/docs/Upgrade-Benefits.md
@@ -29,7 +29,7 @@

 ## Configuration

-GAMADV-XTD3 uses a configuration file, gam.cfg, to store the values of the various environment variables
+GAM7 uses a configuration file, gam.cfg, to store the values of the various environment variables
 and signal files used by earlier versions of GAM. Configuration files client_secrets.json, oauth2.txt, oauth2service.json and extra_args.txt
 are moved to a version independent location. This should simplify upgrading GAM versions in the future.
 Additionally, if you support multiple clients/domains or have multiple users running GAM,
@@ -39,7 +39,7 @@ See: [gam.cfg](gam.cfg)

 ## Syntax Checking

-GAMADV-XTD3 produces better error messages when syntax errors are found on the command line.
+GAM7 produces better error messages when syntax errors are found on the command line.

 ## API error checking

@@ -48,14 +48,14 @@ was an operation on multiple items, the items after the failing item are not pro
 you produce a CSV file containing the items you want to process; as each item is an independent excution, API failures for some items
 do not affect other items. Capturing meaningful output from the CSV execution is hard and you have to create the CSV file as a separate step.

-In GAMADV-XTD3, every API call is made with error handling; if an API call fails, a message is output and execution continues with additional items if possible.
+In GAM7, every API call is made with error handling; if an API call fails, a message is output and execution continues with additional items if possible.

 ## Batch files

 GAM uses multiprocessing for processing batch files and CSV files; this offers better performance than using threads. Unfortunately, one
 multiprocess subprocess can not create another subprocess; this prevents using gam csv commands inside GAM batch files.

-GAMADV-XTD3 supports two commands for processing batch files, batch and tbatch. gam batch uses multiprocessing and gam tbatch uses threads.
+GAM7 supports two commands for processing batch files, batch and tbatch. gam batch uses multiprocessing and gam tbatch uses threads.
 If you have a batch file that contains gam csv commands, gam tbatch can successfuly process the batch file.

 See: [Bulk Processing](Bulk-Processing)
@@ -69,13 +69,13 @@ gam csv File.csv gam <Command> > File.out 2>&1
 ```
 Multiple processes are writing to File.out(.err) simultaneously resulting in interleaved output that can be hard to read.

-With GAMADV-XTD3, you can capture the output from the multiple processes such that all of the output from each process is contiguous.
+With GAM7, you can capture the output from the multiple processes such that all of the output from each process is contiguous.
 ```
 gam redirect stdout ./File.out multiprocess redirect stderr ./File.err multiprocess csv File.csv gam <Command>
 gam redirect stdout ./File.out multiprocess redirect stderr stderr csv File.csv gam <Command>
 ```

-You can choose to have GAMADV-XTD3 bracket the output from each process with lines that show the command being executed.
+You can choose to have GAM7 bracket the output from each process with lines that show the command being executed.
 ```
 gam config show_multiprocess_info true redirect stdout ./File.out multiprocess redirect stderr ./File.err multiprocess csv File.csv gam <Command>
 gam config show_multiprocess_info true redirect stdout ./File.out multiprocess redirect stderr stderr csv File.csv gam <Command>
@@ -85,7 +85,7 @@ See: [Meta Commands and File Redirection](Meta-Commands-and-File-Redirection)

 ## Data selection

-GAMADV-XTD3 has many more ways to specify collections of ChromeOS devices, Users and other items.
+GAM7 has many more ways to specify collections of ChromeOS devices, Users and other items.

 See: [Collections of ChromeOS Devices](Collections-of-ChromeOS-Devices)

@@ -97,7 +97,7 @@ See: [Collections of Items](Collections-of-Items)

 GAM specifies drive files in different ways based on the command.

-GAMADV-XTD3 has a consistent way of specifying Google Drive files for all commands.
+GAM7 has a consistent way of specifying Google Drive files for all commands.

 See: [Drive File Selection](Drive-File-Selection)

@@ -106,17 +106,17 @@ See: [Drive File Selection](Drive-File-Selection)
 GAM allows no options when you use the todrive option with a gam print command; the file is always uploaded with a fixed name to the root folder of
 Google Drive for the Google Admin user named in oauth2.txt.

-GAMADV-XTD3 allows you to specify the name, location and user for files uploaded with todrive; you can also save a local copy of the file.
+GAM7 allows you to specify the name, location and user for files uploaded with todrive; you can also save a local copy of the file.

 See: [Todrive](Todrive)

 ## Calendars

-GAM can manage the list of calendars a user can view; GAMADV-XTD3 can also create, modify and remove calendars.
+GAM can manage the list of calendars a user can view; GAM7 can also create, modify and remove calendars.

-GAM can add and delete events; GAMADV-XTD3 can also update, move, show and print events.
+GAM can add and delete events; GAM7 can also update, move, show and print events.

-GAM can add, update, delete and show calendar ACLs; GAMADV-XTD3 can also get ACLs for a single calendar and print a CSV file of calendar ACLs.
+GAM can add, update, delete and show calendar ACLs; GAM7 can also get ACLs for a single calendar and print a CSV file of calendar ACLs.

 See: [Calendars - Access](Calendars-Access), [Calendars - Events](Calendars-Events)

@@ -130,7 +130,7 @@ See: [Users - Calendars - Transfer](Users-Calendars-Transfer)

 ## Contacts

-GAMADV-XTD3 supports domain shared contacts and user contacts.
+GAM7 supports domain shared contacts and user contacts.

 See: [Domain Shared Contacts](Contacts)

@@ -138,48 +138,48 @@ See: [Users - People - Contacts & Profiles](Users-People-Contacts-Profiles)

 ## Courses

-When updating a course, GAM can only add/delete a single alias; GAMADV-XTD3 can add/delete multiple aliases.
+When updating a course, GAM can only add/delete a single alias; GAM7 can add/delete multiple aliases.

-When updating a course's membership, GAM can only add/delete a single student/teacher; GAMADV-XTD3 can
+When updating a course's membership, GAM can only add/delete a single student/teacher; GAM7 can
 add/delete multiple students/teachers.

-When creating/updating courses, GAMADV-XTD3 can copy settings from another course.
+When creating/updating courses, GAM7 can copy settings from another course.

 See: [Courses](Courses)

 ## Data Studio

-GAMADV-XTD3 supports commands to display Data Studio assets and display/manage Data Studio permissions
+GAM7 supports commands to display Data Studio assets and display/manage Data Studio permissions

 See: [Users - Data Studio](Users-DataStudio)

 ## Drive File Copy and Move

-GAMADV-XTD3 supports advanced file/folder copying/moving
+GAM7 supports advanced file/folder copying/moving

 See: [Users - Drive - Copy/Move](Users-Drive-Copy-Move)

 ## Drive File Orphans

-GAMADV-XTD3 allows collecting a user's orphaned files.
+GAM7 allows collecting a user's orphaned files.

 See: [Users - Drive - Orphans](Users-Drive-Orphans)

 ## Drive File Ownership

-GAMADV-XTD3 allows transferring ownership of selected folders of a source user to a target user.
+GAM7 allows transferring ownership of selected folders of a source user to a target user.

-GAMADV-XTD3 allows claiming ownership of of selected folders to which the user has access.
+GAM7 allows claiming ownership of of selected folders to which the user has access.

 See: [Users - Drive - Ownership](Users-Drive-Ownership)

 ## Drive File Revisions

-GAMADV-XTD3 can manage drive file revisions.
+GAM7 can manage drive file revisions.

 ## Drive File Transfer

-GAMADV-XTD3 has more capabilites for transferring the Google Drive of a source user to a target user.
+GAM7 has more capabilites for transferring the Google Drive of a source user to a target user.

 See: [Users - Drive - Transfer](Users-Drive-Transfer)

@@ -187,63 +187,63 @@ See: [Users - Drive - Revisions](Users-Drive-Revisions)

 ## Send email messages

-GAMADV-XTD3 can send email messages.
+GAM7 can send email messages.

 See: [Send Email](Send-Email)

 ## Forms

-GAMADV-XTD3 supports commands to manage and display Google Forms.
+GAM7 supports commands to manage and display Google Forms.

 See: [Users - Forms](Users-Forms)

 ## Gmail

-GAMADV-XTD3 has commands for displaying Gmail messages.
+GAM7 has commands for displaying Gmail messages.

-GAMADV-XTD3 has commands for forwarding Gmail messages.
+GAM7 has commands for forwarding Gmail messages.

 See: [Users - Gmail - Messages/Threads](Users-Gmail-Messages-Threads)

 ## Groups

-GAMADV-XTD3 allows selecting fields with `info group`. The output is much easier to read.
+GAM7 allows selecting fields with `info group`. The output is much easier to read.

-When creating/updating groups, GAMADV-XTD3 can copy settings from another group.
+When creating/updating groups, GAM7 can copy settings from another group.

 See: [Groups](Groups)

-GAMADV-XTD3 has a more powerful `print group-members` command.
+GAM7 has a more powerful `print group-members` command.

-GAMADV-XTD3 has a more powerful ways of specifying changes to group membership.
+GAM7 has a more powerful ways of specifying changes to group membership.

 See: [Groups Membership](Groups-Membership)

-GAMADV-XTD3 has commands to display/manage a user's group membership.
+GAM7 has commands to display/manage a user's group membership.

 See: [Users - Group Membership](Users-Group-Membership)

 ## Keep

-GAMADV-XTD3 supports commands to manage and display Google Keep notes.
+GAM7 supports commands to manage and display Google Keep notes.

 See: [Users - Keep](Users-Keep)

 ## Organizational Units

-GAMADV-XTD3 supports updating multiple org units in a single command.
+GAM7 supports updating multiple org units in a single command.

 See: [Organizational Units](Organizational-Units)

 ## Resource Calendars

-GAMADV-XTD3 supports managing resource calendar ACLs.
+GAM7 supports managing resource calendar ACLs.

 See: [Resource Calendars](Resource-Calendars)

 ## Shared Drives

-GAMADV-XTD3 has more powerful commands for managing Shared Drives.
+GAM7 has more powerful commands for managing Shared Drives.

 See: [Shared Drives](Shared-Drives)

@@ -251,12 +251,12 @@ See: [Users - Shared Drives](Users-Shared-Drives)

 ## Spreadsheets

-GAMADV-XTD3 can manipulate Google Sheets.
+GAM7 can manipulate Google Sheets.

 See: [Users - Spreadsheets](Users-Spreadsheets)

 ## Tasks

-GAMADV-XTD3 supports commands to manage and display Google Tasks.
+GAM7 supports commands to manage and display Google Tasks.

 See: [Users - Tasks](Users-Tasks)
--- a/docs/Users-Calendars-Events.md
+++ b/docs/Users-Calendars-Events.md
@@ -26,6 +26,7 @@
 * https://developers.google.com/calendar/v3/reference/events
 * https://developers.google.com/calendar/v3/reference/events/import
 * https://developers.google.com/calendar/api/guides/working-hours-and-location
+* https://developers.google.com/calendar/api/guides/event-types#birthday

 ## Definitions
 * [`<UserTypeEntity>`](Collections-of-Users)
@@ -241,6 +242,7 @@
 ```
 ```
 <EventType> ::=
+        birthday|
        default|
        focustime|
        fromgmail|
@@ -306,6 +308,7 @@
        (attendee <EmailAddress>)|
        (attendeestatus [<AttendeeAttendance>] [<AttendeeStatus>] <EmailAddress>)|
        available|
+        (birthday <Date>)|
        (color <EventColorName>)|
        (colorindex|colorid <EventColorIndex>)|
        (description <String>)|
@@ -326,7 +329,7 @@
        (privateproperty <PropertyKey> <PropertyValue>)|
        (range <Date> <Date>)|
        (recurrence <RRULE, EXRULE, RDATE and EXDATE line>)|
-        (reminder <Number> email|popup))|
+        (reminder <Number> email|popup)|
        (selectattendees [<AttendeeAttendance>] [<AttendeeStatus>] <UserTypeEntity>)|
        (sequence <Integer>)|
        (sharedproperty <PropertyKey> <PropertyValue>)|
@@ -461,6 +464,7 @@ and must have the specified values.
 * `matchfield location <RegularExpression>` - The location must match `<RegularExpression>`
 * `matchfield organizeremail <RegularExpression>` - The organizer email address must match `<RegularExpression>`
 * `matchfield organizername <RegularExpression>` - The orgainzer name must match `<RegularExpression>`
+* `matchfield organizerself <Boolean>` - The user must be/not be the organizer of the event
 * `matchfield status <RegularExpression>` - The summary must match `<RegularExpression>`. The API documented values are:
    * `confirmed`
    * `tentative`
--- a/docs/Users-Chat.md
+++ b/docs/Users-Chat.md
@@ -1,9 +1,9 @@
 # Users - Chat
 - [API documentation](#api-documentation)
 - [Introduction](#introduction)
- [Developer Preview Admin Access](#developer-preview-admin-access)
 - [Set up a Chat Bot](#set-up-a-chat-bot)
 - [Definitions](#definitions)
+- [Chat Space Permissions](#chat-space-permissions)
 - [Manage Chat Spaces](#manage-chat-spaces)
 - [Display Chat Spaces](#display-chat-spaces)
 - [Manage Chat Members](#manage-chat-members)
@@ -20,7 +20,9 @@
 * https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces.messages/list
 * https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces.spaceEvents/list
 * https://support.google.com/chat/answer/7655820
+* https://support.google.com/a/answer/13369245
 * https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces/search
+* https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces#Space.FIELDS.predefined_permission_settings

 ## Introduction
 These features were added in version 6.60.00.
@@ -30,36 +32,11 @@ To use these commands you must update your service account authorization.
 gam user user@domain.com update serviceaccount

 [*]  4)  Chat API - Memberships (supports readonly)
+[*]  5)  Chat API - Memberships Admin (supports readonly)
 [*]  6)  Chat API - Messages (supports readonly)
 [*]  7)  Chat API - Spaces (supports readonly)
-[*]  9)  Chat API - Spaces Delete
-
-```
-
-## Developer Preview Admin Access
-The Chat API Developer Preview allows an admin to perform certain actions
-on all Chat Spaces. These commands were added in version 6.77.00.
-
-You must be enrolled in the Developer Preview program for the CHAT API to use these commands.
-
-```
-gam <UserItem> delete chatspace asadmin
-gam <UserItem> update chatspace asadmin
-gam <UserItem> info chatspace asadmin
-gam <UserItem> print|show chatspaces asadmin
-gam <UserItem> create chatmember asadmin
-gam <UserItem> delete|remove chatmember asadmin
-gam <UserItem> update|modify chatmember asadmin
-gam <UserItem> sync chatmembers asadmin
-gam <UserItem> info chatmember asadmin
-gam <UserItem> print|show chatmembers|asadmin
-```
-To use these commands you must update your service account authorization.
-```
-gam user user@domain.com update serviceaccount
-
-[*]  5)  Chat API - Memberships Admin (supports readonly)
 [*]  8)  Chat API - Spaces Admin (supports readonly)
+[*]  9)  Chat API - Spaces Delete
 [*] 10)  Chat API - Spaces Delete Admin
 ```

@@ -71,15 +48,6 @@ Added `use_chat_admin_access` Boolean variable to `gam.cfg`.
 * Default: False
 ```

-If your account is not enrolled in the Chat API Developer Preview, you will see errors like this:
-```
-$ gam user admin@domain.com show chatspaces asadmin
-Getting all Chat Spaces that match query (customer = "customers/my_customer" AND spaceType = "SPACE") for admin@domain.com(asadmin)
-Chat Admin: admin@domain.com(asadmin), Show Failed: Method not found.
-```
-
-To enroll in the Developer Preview program, see: https://developers.google.com/workspace/preview
-
 Google requires that you have a Chat Bot configured in order to use the Chat API; set up a Chat Bot as described in the next section.

 ## Set up a Chat Bot
@@ -139,6 +107,7 @@ Google requires that you have a Chat Bot configured in order to use the Chat API
        lastactivetime|
        membershipcount|
        name|
+        permissionsettings|
        singleuserbotdm|
        spacedetails|
        spacehistorystate|
@@ -188,11 +157,36 @@ Google requires that you have a Chat Bot configured in order to use the Chat API

 ```

+## Chat Space Permissions
+### Announcement
+| Keyword | Description | Allowed | Default |
+|---------|-------------|---------|---------|
+| manageapps | Manage apps | managers-immutable | managers |
+| managemembersandgroups | Manage members and groups | managers/members | managers |
+| managewebhooks | Manage web hooks | managers-immutable | managers |
+| modifyspacedetails | Modify space details | managers/members | managers |
+| postmessages | Post messages | managers-immutable | managers |
+| replymessages | Reply messages | members/managers | members |
+| togglehistory | Turn history on and off | managers/members | managers |
+| useatmentionall | Use @all | managers-immutable | managers |
+
+### Collaboration
+| Keyword | Description | Allowed | Default |
+|---------|-------------|---------|---------|
+| manageapps | Manage apps | members-immutable | members |
+| managemembersandgroups | Manage members and groups | managers/members | members |
+| managewebhooks | Manage web hooks | managers/members | members |
+| modifyspacedetails | Modify space details | managers/members | members |
+| postmessages | Post messages | members-immutable | members |
+| replymessages | Reply messages | members-immutable | members |
+| togglehistory | Turn history on and off | managers/members | members |
+| useatmentionall | Use @all | managers/members | members |
+
 ## Manage Chat Spaces
 ### Create a chat space
 ```
 gam <UserTypeEntity> create chatspace
-        [type <ChatSpaceType>]
+        [type <ChatSpaceType>] [announcement|collaboration]
        [restricted|(audience <String>)]
        [externalusersallowed <Boolean>]
        [members <UserTypeEntity>]
@@ -208,6 +202,7 @@ For `type space`, the following apply:
 * `description <String>` - Optional
 * `guidelines <String>` - Optional
 * `history <Boolean>` - Optional
+* `announcement|collaboration` - Initial permission settings; default is `collaboration`; this is in Developer Preview

 For `type groupchat`, the following apply:
 * `members <UserTypeEntity>` - Required, must specify between 2 and 20 users
@@ -229,8 +224,6 @@ By default, Gam displays the information about the created chatspace as an inden

 Use the `<ChatContent>` option to send an initial message to the created chatspace.

-The `restricted|audience` options are in Developer Preview and will not be generally available.
-
 By default, details about the chatmessage are displayed.
 * `returnidonly` - Display the chatmessage name only

@@ -242,12 +235,29 @@ gam <UserTypeEntity> update chatspace <ChatSpace>
         [type space]
         [description <String>] [guidelines|rules <String>]
         [history <Boolean>])
+        [managemembersandgroups managers|members]
+        [modifyspacedetails managers|members]
+        [togglehistory managers|members]
+        [useatmentionall managers|members]
+        [manageapps managers|members]
+        [managewebhooks managers|members]
+        [replymessages managers|members]
        [formatjson]
 ```
 A groupchat space can be upgraded to a space by specifying `type space` and `displayname <String>`.

 The `restricted|audience` options can not be combined with options `displayname,type,description,guidelines,history`.
-They are in Developer Preview and will not be generally available.
+
+You can manage permissions for chat spaces with the following options that are available with Developer Preview.
+        [managemembersandgroups managers|members]
+        [modifyspacedetails managers|members]
+        [togglehistory managers|members]
+        [useatmentionall managers|members]
+        [manageapps managers|members]
+        [managewebhooks managers|members]
+        [postmessages managers|members]
+        [replymessages managers|members]
+

 By default, Gam displays the information about the created chatspace as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
@@ -265,7 +275,6 @@ gam <UserItem> update chatspace asadmin <ChatSpace>
 A groupchat space can be upgraded to a space by specifying `type space` and `displayname <String>`.

 The `restricted|audience` options can not be combined with options `displayname,type,description,guidelines,history`.
-They are in Developer Preview and will not be generally available.

 By default, Gam displays the information about the created chatspace as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
@@ -398,7 +407,6 @@ When using the `formatjson` option, double quotes are used extensively in the da
 The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
 `quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.

-
 ## Manage Chat Members
 ### Add members to a user's chat space
 ```
--- a/docs/Users-Drive-Activity-Settings.md
+++ b/docs/Users-Drive-Activity-Settings.md
@@ -70,7 +70,7 @@ Google has introduced Drive Activity API v2; it adds time and action filtering a
 Drive Activity API v1 has been deprecated.
 * https://developers.google.com/drive/activity/v2/migrating
 ```
-gam <UserTypeEntity> print|show driveactivity [v2] [todrive <ToDriveAttributes>*]
+gam <UserTypeEntity> print driveactivity [v2] [todrive <ToDriveAttributes>*]
        [(fileid <DriveFileID>)|(folderid <DriveFolderID>)|
         (drivefilename <DriveFileName>)|(drivefoldername <DriveFolderName>)|
         (query <QueryDriveFile>)]
@@ -79,7 +79,7 @@ gam <UserTypeEntity> print|show driveactivity [v2] [todrive <ToDriveAttributes>*
        [action|actions [not] <DriveActivityActionList>]
        [consolidationstrategy legacy|none]
        [idmapfile <FileName>|(gsheet <UserGoogleSheet>) [charset <String>] [columndelimiter <Character>] [noescapechar <Boolean>]  [quotechar <Character>]]
-        [formatjson [quotechar <Character>]]
+        [stripcrsfromname] [formatjson [quotechar <Character>]]
 ```
 By default, Drive Activity API v2 is used; the `v2` option is ignored.

@@ -128,6 +128,9 @@ must be present in the file; the column `name.fullName` will be used if present.

 If you don't use the `idmapfile` option, Gam makes an additional API call per user to get the name and email address.

+The `stripcrsfromname` option strips nulls, carriage returns and linefeeds from drive file names.
+Use this option if you discover filenames containing these special characters; it is not common.
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.

--- a/docs/Users-Drive-Files-Display.md
+++ b/docs/Users-Drive-Files-Display.md
@@ -31,6 +31,7 @@
  - [File selection with or without a particular drive label](#file-selection-with-or-without-a-particular-drive-label)
  - [Handle empty file lists](#handle-empty-file-lists)
 - [Display disk usage](#display-disk-usage)
+- [Display files published to the web](#display-files-published-to-the-web)

 ## API documentation
 * https://developers.google.com/drive/api/v3/reference/files
@@ -55,6 +56,16 @@
        never|
        now|today

+<SharedDriveID> ::= <String>
+<SharedDriveName> ::= <String>
+<SharedDriveIDEntity> ::= (teamdriveid <SharedDriveID>) | (teamdriveid:<SharedDriveID>)
+<SharedDriveNameEntity> ::= (teamdrive <SharedDriveName>) | (teamdrive:<SharedDriveName>)
+<SharedDriveFileNameEntity> ::= (teamdrivefilename <DriveFileName>) | (teamdrivefilename:<DriveFileName>)
+
+<SharedDriveEntity> ::=
+        <SharedDriveIDEntity> |
+        <SharedDriveNameEntity>
+
 <MimeTypeShortcut> ::=
        gdoc|gdocument|
        gdrawing|
@@ -77,65 +88,67 @@
 ```
 ```
 <DriveCapabilitiesSubfieldName> ::=
-        canacceptownership|
-        canaddchildren|
-        canaddfolderfromanotherdrive|
-        canaddmydriveparent|
-        canchangecopyrequireswriterpermission|
-        canchangecopyrequireswriterpermissionrestriction|
-        canchangedomainusersonlyrestriction|
-        canchangedrivebackground|
-        canchangedrivemembersonlyrestriction|
-        canchangesecurityupdateenabled|
-        canchangesharingfoldersrequiresorganizerpermissionrestriction|
-        canchangeviewerscancopycontent|
-        cancomment|
-        cancopy|
-        candelete|
-        candeletechildren|
-        candeletedrive|
-        candownload|
-        canedit|
-        canlistchildren|
-        canmanagemembers|
-        canmodifycontent|
-        canmodifycontentrestriction|
-        canmodifyeditorcontentrestriction|
-        canmodifylabels|
-        canmodifyownercontentrestriction|
-        canmovechildrenoutofdrive|
-        canmovechildrenoutofteamdrive|
-        canmovechildrenwithindrive|
-        canmovechildrenwithinteamdrive|
-        canmoveitemintodrive|
-        canmoveitemintoteamdrive|
-        canmoveitemoutofdrive|
-        canmoveitemoutofteamdrive|
-        canmoveitemwithindrive|
-        canmoveitemwithinteamdrive|
-        canmoveteamdriveitem|
-        canreaddrive|
-        canreadlabels|
-        canreadrevisions|
-        canreadteamdrive|
-        canremovechildren|
-        canremovecontentrestriction|
-        canremovemydriveparent|
-        canrename|
-        canrenamedrive|
-        canresetdriverestrictions|
-        canshare|
-        cantrash|
-        cantrashchildren|
-        canuntrash
+        capabilities.canacceptownership|
+        capabilities.canaddchildren|
+        capabilities.canaddfolderfromanotherdrive|
+        capabilities.canaddmydriveparent|
+        capabilities.canchangecopyrequireswriterpermission|
+        capabilities.canchangecopyrequireswriterpermissionrestriction|
+        capabilities.canchangedomainusersonlyrestriction|
+        capabilities.canchangedrivebackground|
+        capabilities.canchangedrivemembersonlyrestriction|
+        capabilities.canchangesecurityupdateenabled|
+        capabilities.canchangesharingfoldersrequiresorganizerpermissionrestriction|
+        capabilities.canchangeviewerscancopycontent|
+        capabilities.cancomment|
+        capabilities.cancopy|
+        capabilities.candelete|
+        capabilities.candeletechildren|
+        capabilities.candeletedrive|
+        capabilities.candisableinheritedpermissions|
+        capabilities.candownload|
+        capabilities.canedit|
+        capabilities.canenableinheritedpermissions|
+        capabilities.canlistchildren|
+        capabilities.canmanagemembers|
+        capabilities.canmodifycontent|
+        capabilities.canmodifycontentrestriction|
+        capabilities.canmodifyeditorcontentrestriction|
+        capabilities.canmodifylabels|
+        capabilities.canmodifyownercontentrestriction|
+        capabilities.canmovechildrenoutofdrive|
+        capabilities.canmovechildrenoutofteamdrive|
+        capabilities.canmovechildrenwithindrive|
+        capabilities.canmovechildrenwithinteamdrive|
+        capabilities.canmoveitemintodrive|
+        capabilities.canmoveitemintoteamdrive|
+        capabilities.canmoveitemoutofdrive|
+        capabilities.canmoveitemoutofteamdrive|
+        capabilities.canmoveitemwithindrive|
+        capabilities.canmoveitemwithinteamdrive|
+        capabilities.canmoveteamdriveitem|
+        capabilities.canreaddrive|
+        capabilities.canreadlabels|
+        capabilities.canreadrevisions|
+        capabilities.canreadteamdrive|
+        capabilities.canremovechildren|
+        capabilities.canremovecontentrestriction|
+        capabilities.canremovemydriveparent|
+        capabilities.canrename|
+        capabilities.canrenamedrive|
+        capabilities.canresetdriverestrictions|
+        capabilities.canshare|
+        capabilities.cantrash|
+        capabilities.cantrashchildren|
+        capabilities.canuntrash

 <DriveContentRestrictionsSubfieldName> ::=
-        ownerrestricted|
-        readonly|
-        reason|
-        restrictinguser|
-        restrictiontime|
-        type
+        contentrestrictions.ownerrestricted|
+        contentrestrictions.readonly|
+        contentrestrictions.reason|
+        contentrestrictions.restrictinguser|
+        contentrestrictions.restrictiontime|
+        contentrestrictions.type

 <DriveLabelInfoSubfieldName> ::=
        labels.id|              # modifiedByMe
@@ -246,6 +259,7 @@
        iconlink|
        id|
        imagemediametadata|
+        inheritedpermissionsdisabled|
        isappauthorized|
        labelinfo|
        <DriveLabelInfoSubfieldName>|
@@ -283,6 +297,8 @@
        <DriveSharingUserSubfieldName>|
        shortcutdetails|
        <DriveShortcutDetailsSubfieldName>|
+        sha1checksum|
+        sha256checksum|
        size|
        spaces|
        starred|
@@ -401,7 +417,7 @@ gam <UserTypeEntity> show fileinfo <DriveFileEntity>
        (orderby <DriveFileOrderByFieldName> [ascending|descending])*
        [showdrivename] [showshareddrivepermissions]
        [(showlabels details|ids)|(includelabels <DriveLabelIDList>)]
-        [showparentsidsaslist]
+        [showparentsidsaslist] [followshortcuts [<Boolean>]]
        [stripcrsfromname]
        [formatjson]
 gam <UserTypeEntity> info drivefile <DriveFileEntity>
@@ -411,7 +427,7 @@ gam <UserTypeEntity> info drivefile <DriveFileEntity>
        (orderby <DriveFileOrderByFieldName> [ascending|descending])*
        [showdrivename] [showshareddrivepermissions]
        [(showlabels details|ids)|(includelabels <DriveLabelIDList>)]
-        [showparentsidsaslist]
+        [showparentsidsaslist] [followshortcuts [<Boolean>]]
        [stripcrsfromname]
        [formatjson]
 ```
@@ -475,6 +491,9 @@ gam user user@domain.com show fileinfo <DriveFileEntity> fields id,name,mimetype
 The `stripcrsfromname` option strips nulls, carriage returns and linefeeds from drive file names.
 Use this option if you discover filenames containing these special characters; it is not common.

+Starting in version 6.80.10, the option `followshortcuts [<Boolean>]` that when true and `<DriveFileEntity` is a shortcut,
+causes GAM to display information about the target of the shortcut rather than the shortcut itself.
+
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.

@@ -485,10 +504,12 @@ gam <UserTypeEntity> show filepath <DriveFileEntity>
        (orderby <DriveFileOrderByFieldName> [ascending|descending])*
        [stripcrsfromname]
        [folderpathonly [<Boolean>]] [fullpath] [pathdelimiter <Character>]
+        [followshortcuts [<Boolean>]]
 gam <UserTypeEntity> print filepath <DriveFileEntity> [todrive <ToDriveAttribute>*]
        (orderby <DriveFileOrderByFieldName> [ascending|descending])*
        [stripcrsfromname] [oneitemperrow]
        [fullpath] [folderpathonly [<Boolean>]] [pathdelimiter <Character>]
+        [followshortcuts [<Boolean>]]
 ```
 Use `returnpathonly` to display just the file path of the files in `<DriveFileEntity>`.

@@ -506,6 +527,9 @@ Use this option if you discover filenames containing these special characters; i
 By default, when printing file paths, all paths for a file are displayed on the same row; use `oneitemperrow` to
 have each file path displayed on a separate row.

+Starting in version 6.80.10, the option `followshortcuts [<Boolean>]` that when true and `<DriveFileEntity` is a shortcut,
+causes GAM to display path information for the target of the shortcut rather than the shortcut itself.
+
 ## Select files for Display file counts, list, tree
 Most GAM commands that deal with files require a `<DriveFileEntity>` to be specified; the command
 then processes those files. The `filecounts`, `filelist` and `filetree` commands don't process files, they just list them.
@@ -531,15 +555,19 @@ See: [Drive File Selection](Drive-File-Selection) for details of `<DriveFileName
        all_shortcuts |
        all_3p_shortcuts |
        all_items |
+        my_docs |
        my_files |
        my_folders |
        my_forms |
        my_google_files |
        my_non_google_files |
+        my_presentations |
+        my_publishable_items |
+        my_sheets |
        my_shortcuts |
+        my_slides |
        my_3p_shortcuts |
        my_items |
-        my_forms |
        my_top_files |
        my_top_folders |
        my_top_items |
@@ -661,6 +689,7 @@ Print or show file counts by MIME type and/or file name.
 gam <UserTypeEntity> print filecounts [todrive <ToDriveAttribute>*]
        [((query <QueryDriveFile>) | (fullquery <QueryDriveFile>) | <DriveFileQueryShortcut>)
            (querytime<String> <Time>)*]
+        [continueoninvalidquery [<Boolean>]]
        [corpora <CorporaAttribute>]
        [select <SharedDriveEntity>]
        [anyowner|(showownedby any|me|others)]
@@ -669,11 +698,13 @@ gam <UserTypeEntity> print filecounts [todrive <ToDriveAttribute>*]
        [filenamematchpattern <RegularExpression>]
        <PermissionMatch>* [<PermissionMatchMode>] [<PermissionMatchAction>]
        [excludetrashed]
-        [showsize] [showmimetypesize]
+        [showsize] [showmimetypesize] [showlastmodification]
+        (addcsvdata <FieldName> <String>)*
        [summary none|only|plus] [summaryuser <String>]
 gam <UserTypeEntity> show filecounts
        [((query <QueryDriveFile>) | (fullquery <QueryDriveFile>) | <DriveFileQueryShortcut>)
            (querytime<String> <Time>)*]
+        [continueoninvalidquery [<Boolean>]]
        [corpora <CorporaAttribute>]
        [select <SharedDriveEntity>]
        [anyowner|(showownedby any|me|others)]
@@ -682,15 +713,28 @@ gam <UserTypeEntity> show filecounts
        [filenamematchpattern <RegularExpression>]
        <PermissionMatch>* [<PermissionMatchMode>] [<PermissionMatchAction>]
        [excludetrashed]
-        [showsize] [showmimetypesize]
+        [showsize] [showmimetypesize] [showlastmodification]
        [summary none|only|plus] [summaryuser <String>]
 ```

 By default, print filecounts displays counts of all files owned by the specified [`<UserTypeEntity>`](Collections-of-Users).

+The option `continueoninvalidquery [<Boolean>] can be used in special cases where a query of the form
+`query "'labels/mRoha85IbwCRl490E00xGLvBsSbkwIiuZ6PRNNEbwxyz' in labels" causes Google to issue an error
+saying that the query is invalid when, in fact, it is but the user does not have a license that suppprts drive file labels.
+When `continueoninvalidquery` is true, GAM prints an error message and proceeds to the next user rather that terminating
+as it does now. Of course, if the query really is invalid, you will get the message for every user.
+
 The `showsize` option displays the total size (in bytes) of the files counted.

-The showmimetypesize' displays the total size (in bytes) of each MIME type counted.
+The `showmimetypesize` option displays the total size (in bytes) of each MIME type counted.
+
+The option `showlastmodification` displays the following fields:
+`lastModifiedFileId,lastModifiedFileName,lastModifyingUser,lastModifiedTime`;
+these are for the most recently modified file.
+
+For print filecouts, add additional columns of data from the command line to the output:
+* `addcsvdata <FieldName> <String>` - Add additional columns of data from the command line to the output

 See [Select files for Display file counts, list, tree](#select-files-for-display-file-counts-list-tree)

@@ -1009,6 +1053,7 @@ Display a list of file/folder details in CSV format.
 gam <UserTypeEntity> print|show filelist [todrive <ToDriveAttribute>*]
        [((query <QueryDriveFile>) | (fullquery <QueryDriveFile>) | <DriveFileQueryShortcut>)
            (querytime<String> <Time>)*]
+        [continueoninvalidquery [<Boolean>]]
        [choose <DriveFileNameEntity>|<DriveFileEntityShortcut>]
        [corpora <CorporaAttribute>]
        [select <DriveFileEntity> [selectsubquery <QueryDriveFile>]
@@ -1035,6 +1080,12 @@ gam <UserTypeEntity> print|show filelist [todrive <ToDriveAttribute>*]
 ```
 By default, `print filelist` displays all files owned by the specified [`<UserTypeEntity>`](https://github.com/taers232c/GAMADV-XTD3/wiki/Collections-of-Users)

+The option `continueoninvalidquery [<Boolean>] can be used in special cases where a query  of the form
+`query "'labels/mRoha85IbwCRl490E00xGLvBsSbkwIiuZ6PRNNEbwxyz' in labels" causes Google to issue an error
+saying that the query is invalid when, in fact, it is but the user does not have a license that suppprts drive file labels.
+When `continueoninvalidquery` is true, GAM prints an error message and proceeds to the next user rather that terminating
+as it does now. Of course, if the query really is invalid, you will get the message for every user.
+
 When `allfields` is specified (or no fields are specified), use `showshareddrivepermissions` to display permissions
 when shared drives are queried/selected. In this case, the Drive API returns the permission IDs
 but not the permissions themselves so GAM makes an additional API call per file to get the permissions.
@@ -1620,40 +1671,67 @@ Use the `show` option to control the display of data:

 ### Examples
 ```
-$ gam redirect csv ./MyDriveUsage.csv user testsimple@domain.com print diskusage mydrive 
-User: testsimple@domain.com, Print 1 Drive Disk Usage
+$ gam redirect csv ./MyDriveUsage.csv user user@domain.com print diskusage mydrive 
+User: user@domain.com, Print 1 Drive Disk Usage
 $ more MyDriveUsage.csv
 User,Owner,id,name,ownedByMe,trashed,explicitlyTrashed,directFileCount,directFileSize,directFolderCount,totalFileCount,totalFileSize,totalFolderCount,depth,path
-testsimple@domain.com,testsimple@domain.com,012YenC8f12ALUk9PVA,My Drive,,False,False,100,138212,24,167,189598,79,-1,My Drive
-testsimple@domain.com,testsimple@domain.com,456YenC8f12ALfndaQ1NHc0RtUG92Y1BIUUl4bjVBRmNkWG5oakNqVVFDcXJWOHNmdFlwZmc,Classroom,True,False,False,0,0,15,9,6840,17,0,My Drive/Classroom
-testsimple@domain.com,testsimple@domain.com,0B3YenC8f12ALfmRuX3I4WFlqaTRnMGhXNkVvWV9UUG1zRDQwY1BwVkJhUGx5WHVIcjJKZUU,TestUpdate,True,False,False,2,3420,0,2,3420,0,1,My Drive/Classroom/TestUpdate
-testsimple@domain.com,testsimple@domain.com,1MT5xJ897oYa0Q2OuzBDfLHvig6k_b0EKaovVA2imGYcnrmqZu5hjlJkEPMH-rHKj4qDyy9_j,TS Course,True,False,False,0,0,0,0,0,0,1,My Drive/Classroom/TS Course
-testsimple@domain.com,testsimple@domain.com,1gsbqsbhhwBx9hCF0sqtE213tpUn6Ebj2klLFhHb4xkzBKIdEFkvvwCVtZpYWPgOA796fIPEN,TS Course 2,True,False,False,0,0,0,0,0,0,1,My Drive/Classroom/TS Course 2
+user@domain.com,user@domain.com,012YenC8f12ALUk9PVA,My Drive,,False,False,100,138212,24,167,189598,79,-1,My Drive
+user@domain.com,user@domain.com,456YenC8f12ALfndaQ1NHc0RtUG92Y1BIUUl4bjVBRmNkWG5oakNqVVFDcXJWOHNmdFlwZmc,Classroom,True,False,False,0,0,15,9,6840,17,0,My Drive/Classroom
+user@domain.com,user@domain.com,0B3YenC8f12ALfmRuX3I4WFlqaTRnMGhXNkVvWV9UUG1zRDQwY1BwVkJhUGx5WHVIcjJKZUU,TestUpdate,True,False,False,2,3420,0,2,3420,0,1,My Drive/Classroom/TestUpdate
+user@domain.com,user@domain.com,1MT5xJ897oYa0Q2OuzBDfLHvig6k_b0EKaovVA2imGYcnrmqZu5hjlJkEPMH-rHKj4qDyy9_j,TS Course,True,False,False,0,0,0,0,0,0,1,My Drive/Classroom/TS Course
+user@domain.com,user@domain.com,1gsbqsbhhwBx9hCF0sqtE213tpUn6Ebj2klLFhHb4xkzBKIdEFkvvwCVtZpYWPgOA796fIPEN,TS Course 2,True,False,False,0,0,0,0,0,0,1,My Drive/Classroom/TS Course 2
 ...
-testsimple@domain.com,testsimple@domain.com,1bHS_Tp77W3KSGRNSs_jP1RhAJhIGRCaI,XferFolder,True,False,False,1,1024,0,1,1024,0,0,My Drive/XferFolder
-testsimple@domain.com,testsimple@domain.com,Trash,Trash,,True,True,0,0,1,3,3072,9,-1,Trash
+user@domain.com,user@domain.com,1bHS_Tp77W3KSGRNSs_jP1RhAJhIGRCaI,XferFolder,True,False,False,1,1024,0,1,1024,0,0,My Drive/XferFolder
+user@domain.com,user@domain.com,Trash,Trash,,True,True,0,0,1,3,3072,9,-1,Trash

-$ gam config csv_output_row_filter "depth:count<1" redirect csv ./MyDriveUsage.csv user testsimple@domain.com print diskusage mydrive 
-User: testsimple@domain.com, Print 1 Drive Disk Usage
+$ gam config csv_output_row_filter "depth:count<1" redirect csv ./MyDriveUsage.csv user user@domain.com print diskusage mydrive 
+User: user@domain.com, Print 1 Drive Disk Usage
 $ more MyDriveUsage.csv
 User,Owner,id,name,ownedByMe,trashed,explicitlyTrashed,directFileCount,directFileSize,directFolderCount,totalFileCount,totalFileSize,totalFolderCount,depth,path
-testsimple@domain.com,testsimple@domain.com,012YenC8f12ALUk9PVA,My Drive,,False,False,100,138212,24,167,189598,79,-1,My Drive
-testsimple@domain.com,testsimple@domain.com,456YenC8f12ALfndaQ1NHc0RtUG92Y1BIUUl4bjVBRmNkWG5oakNqVVFDcXJWOHNmdFlwZmc,Classroom,True,False,False,0,0,15,9,6840,17,0,My Drive/Classroom
+user@domain.com,user@domain.com,012YenC8f12ALUk9PVA,My Drive,,False,False,100,138212,24,167,189598,79,-1,My Drive
+user@domain.com,user@domain.com,456YenC8f12ALfndaQ1NHc0RtUG92Y1BIUUl4bjVBRmNkWG5oakNqVVFDcXJWOHNmdFlwZmc,Classroom,True,False,False,0,0,15,9,6840,17,0,My Drive/Classroom
 ...
-testsimple@domain.com,testsimple@domain.com,1bHS_Tp77W3KSGRNSs_jP1RhAJhIGRCaI,XferFolder,True,False,False,1,1024,0,1,1024,0,0,My Drive/XferFolder
-testsimple@domain.com,testsimple@domain.com,Trash,Trash,,True,True,0,0,1,3,3072,9,-1,Trash
+user@domain.com,user@domain.com,1bHS_Tp77W3KSGRNSs_jP1RhAJhIGRCaI,XferFolder,True,False,False,1,1024,0,1,1024,0,0,My Drive/XferFolder
+user@domain.com,user@domain.com,Trash,Trash,,True,True,0,0,1,3,3072,9,-1,Trash

-$ gam redirect csv ./MyDriveUsage.csv user testsimple@domain.com print diskusage mydrive show summaryandtrash
-User: testsimple@domain.com, Print 1 Drive Disk Usage
+$ gam redirect csv ./MyDriveUsage.csv user user@domain.com print diskusage mydrive show summaryandtrash
+User: user@domain.com, Print 1 Drive Disk Usage
 $ more MyDriveUsage.csv 
 User,Owner,id,name,ownedByMe,trashed,explicitlyTrashed,directFileCount,directFileSize,directFolderCount,totalFileCount,totalFileSize,totalFolderCount,depth,path
-testsimple@domain.com,testsimple@domain.com,012YenC8f12ALUk9PVA,My Drive,,False,False,100,138212,24,167,189598,79,-1,My Drive
-testsimple@domain.com,testsimple@domain.com,Trash,Trash,,True,True,0,0,1,3,3072,9,-1,Trash
+user@domain.com,user@domain.com,012YenC8f12ALUk9PVA,My Drive,,False,False,100,138212,24,167,189598,79,-1,My Drive
+user@domain.com,user@domain.com,Trash,Trash,,True,True,0,0,1,3,3072,9,-1,Trash

-$ gam redirect csv ./MyDriveUsage.csv user testsimple@domain.com print diskusage shareddriveid 0AL5LiIe4dqxZUk9PVA  show summaryandtrash
-User: testsimple@domain.com, Print 1 Drive Disk Usage
+$ gam redirect csv ./MyDriveUsage.csv user user@domain.com print diskusage shareddriveid 0AL5LiIe4dqxZUk9PVA  show summaryandtrash
+User: user@domain.com, Print 1 Drive Disk Usage
 $ more MyDriveUsage.csv 
 User,id,name,trashed,explicitlyTrashed,directFileCount,directFileSize,directFolderCount,totalFileCount,totalFileSize,totalFolderCount,depth,path
-testsimple@domain.com,0125LiIe4dqxZUk9PVA,TS Shared Drive 1,False,False,16,6144,7,42,73799,25,-1,SharedDrives/TS Shared Drive 1
-testsimple@domain.com,Trash,Trash,True,True,1,1024,0,1,1024,0,-1,Trash
+user@domain.com,0125LiIe4dqxZUk9PVA,TS Shared Drive 1,False,False,16,6144,7,42,73799,25,-1,SharedDrives/TS Shared Drive 1
+user@domain.com,Trash,Trash,True,True,1,1024,0,1,1024,0,-1,Trash
+```
+
+## Display files published to the web
+Ths requires version 6.80.13 or later.
+
+You can display files published to the web.
+```
+# Get the published files
+gam config csv_output_header_filter "Owner,id,revisions.0.published,revisions.0.publishedOutsideDomain" csv_output_row_filter "revisions.0.published:boolean:true" auto_batch_min 1 num_threads 20 redirect csv ./PublishedDocs.csv multiprocess redirect stderr - multiprocess <UserTypeEntity> print filerevisions my_publishable_items select last 1
+# Get the files name, MIMEtype and path
+gam redirect csv ./PublishedDocsWithName.csv multiprocess redirect stderr - multiprocess csv ./PublishedDocs.csv gam user "~Owner" print filelist select "~id" fields id,name,mimetype fullpath addcsvdata published "~revisions.0.published" addcsvdata publishedOutsideDomain "~revisions.0.publishedOutsideDomain" 
+```
+
+You can display files published to the web internally for your domain only.
+```
+# Get the internally only published files
+gam config csv_output_header_filter "Owner,id,revisions.0.published,revisions.0.publishedOutsideDomain" csv_output_row_filter "revisions.0.published:boolean:true,revisions.0.publishedOutsideDomain:boolean:false" auto_batch_min 1 num_threads 20 redirect csv ./PublishedDocs.csv multiprocess redirect stderr - multiprocess <UserTypeEntity> print filerevisions my_publishable_items select last 1
+# Get the files name, MIMEtype and path
+gam redirect csv ./PublishedDocsWithName.csv multiprocess redirect stderr - multiprocess csv ./PublishedDocs.csv gam user "~Owner" print filelist select "~id" fields id,name,mimetype fullpath addcsvdata published "~revisions.0.published" addcsvdata publishedOutsideDomain "~revisions.0.publishedOutsideDomain" 
+```
+
+You can display files published to the web externally outside of your domain.
+```
+# Get the externally published files
+gam config csv_output_header_filter "Owner,id,revisions.0.published,revisions.0.publishedOutsideDomain" csv_output_row_filter "revisions.0.published:boolean:true,revisions.0.publishedOutsideDomain:boolean:true" auto_batch_min 1 num_threads 20 redirect csv ./PublishedDocs.csv multiprocess redirect stderr - multiprocess <UserTypeEntity> print filerevisions my_publishable_items select last 1
+# Get the files name, MIMEtype and path
+gam redirect csv ./PublishedDocsWithName.csv multiprocess redirect stderr - multiprocess csv ./PublishedDocs.csv gam user "~Owner" print filelist select "~id" fields id,name,mimetype fullpath addcsvdata published "~revisions.0.published" addcsvdata publishedOutsideDomain "~revisions.0.publishedOutsideDomain" 
 ```
--- a/docs/Users-Drive-Files-Manage.md
+++ b/docs/Users-Drive-Files-Manage.md
@@ -117,6 +117,7 @@
        (description <String>)|
        (folderColorRgb <ColorValue>)|
        (indexabletext <String>)|
+        (inheritedpermissionsdisabled [<Boolean>])|
        (keeprevisionforever|pinned)|
        (lastviewedbyme <Time>)|
        (mimetype <MimeType>)|
@@ -127,10 +128,10 @@
        (property <PropertyKey> <PropertyValue> [private|public])|
        (restricted|restrict [<Boolean>])|
        (securityupdate [<Boolean>])|
+        (shortcut <DriveFileID>)|
        (starred|star [<Boolean>])|
        (trashed|trash [<Boolean>])|
        (viewed|view [<Boolean>])|
-        (shortcut <DriveFileID>)|
        (viewerscancopycontent [<Boolean>])|
        (writerscanshare|writerscantshare [<Boolean>])

@@ -208,7 +209,7 @@ If `noduplicate` is specfied, GAM will issue a warning and not perform the creat
 exists in the parent folder.

 By default, when files are uploaded from local content, they are created with `binary` format, i.e., the data is uploaded
-without any conversion. Standard GAM had an option `convert` that was passed to the Drive API v2 that it used.
+without any conversion. Legacy GAM had an option `convert` that was passed to the Drive API v2 that it used.
 * convert - Whether to convert this file to the corresponding Docs Editors format

 Advanced GAM uses Drive API v3 that doesn't support the `convert` option; it uses the `mimetype` argument to cause conversions.
@@ -635,24 +636,33 @@ gam user user@domain.com get drivefile drivefilename UserSheet csvsheet NewUsers
 ## Trash files
 Move a file or folder to the trash. If a folder is moved to the trash, all of its child files and folders are moved to the trash.
 ```
-gam <UserTypeEntity> trash drivefile <DriveFileEntity>
-gam <UserTypeEntity> delete|del drivefile <DriveFileEntity> trash
+gam <UserTypeEntity> trash drivefile <DriveFileEntity> [shortcutandtarget [<Boolean>]]
+gam <UserTypeEntity> delete|del drivefile <DriveFileEntity> trash [shortcutandtarget [<Boolean>]]
 ```

+Starting in version 6.80.10, the  option `shortcutandtarget [<Boolean>]` that when true and `<DriveFileEntity` is a shortcut,
+causes GAM to process the shortcut and the target of the shortcut.
+
 ## Untrash files
 Remove a file or folder from the trash. If a folder is removed from the trash, all of its child files and folders are removed from the trash.
 ```
-gam <UserTypeEntity> untrash drivefile <DriveFileEntity>
-gam <UserTypeEntity> delete|del drivefile <DriveFileEntity> untrash
+gam <UserTypeEntity> untrash drivefile <DriveFileEntity> [shortcutandtarget [<Boolean>]]
+gam <UserTypeEntity> delete|del drivefile <DriveFileEntity> untrash [shortcutandtarget [<Boolean>]]
 ```

+Starting in version 6.80.10, the  option `shortcutandtarget [<Boolean>]` that when true and `<DriveFileEntity` is a shortcut,
+causes GAM to process the shortcut and the target of the shortcut.
+
 ## Purge files
 Purging a file permanently deletes it; it can not be recovered. If a folder is purged, all of its child files and folders are purged.
 ```
-gam <UserTypeEntity> purge drivefile <DriveFileEntity>
-gam <UserTypeEntity> delete|del drivefile <DriveFileEntity> purge
+gam <UserTypeEntity> purge drivefile <DriveFileEntity> [shortcutandtarget [<Boolean>]]
+gam <UserTypeEntity> delete|del drivefile <DriveFileEntity> purge [shortcutandtarget [<Boolean>]]
 ```

+Starting in version 6.80.10, the  option `shortcutandtarget [<Boolean>]` that when true and `<DriveFileEntity` is a shortcut,
+causes GAM to process the shortcut and the target of the shortcut.
+
 ## Download Google Documents as JSON
 ```
 gam <UserTypeEntity> get document <DriveFileEntity>
--- a/docs/Users-Drive-Ownership.md
+++ b/docs/Users-Drive-Ownership.md
@@ -63,6 +63,10 @@ gam <UserTypeEntity> transfer ownership <DriveFileEntity> <UserItem>
        (orderby <DriveOrderByFieldName> [ascending|descending])*
        [preview] [filepath] [pathdelimiter <Character>] [buildtree] [todrive <ToDriveAttribute>*]
 ```
+`<DriveFileEntity>` specifies a file/folder owned by the source user `<UserTypeEntity>`.
+
+The target user is specified by `<UserItem>`.
+
 By default, there is no change of parents for the transferred files/folders, they remain in their current location.
 * `<DriveFileParentAttribute>` - Specify a parent folder in the My Drive of the target user `<UserItem>`.

--- a/docs/Users-Drive-Permissions.md
+++ b/docs/Users-Drive-Permissions.md
@@ -25,6 +25,22 @@
 <UniqueID> ::= id:<String>
 <UserItem> ::= <EmailAddress>|<UniqueID>|<String>

+<DriveFileOrderByFieldName> ::=
+        createddate|createdtime|
+        folder|
+        lastviewedbyme|lastviewedbymedate|lastviewedbymetime|lastviewedbyuser|
+        modifiedbyme|modifiedbymedate|modifiedbymetime|modifiedbyuser|
+        modifieddate|modifiedtime|
+        name|
+        name_natural|
+        quotabytesused|quotaused|
+        recency|
+        sharedwithmedate|sharedwithmetime|
+        starred|
+        title|
+        title_natural|
+        viewedbymedate|viewedbymetime
+
 <DrivePermissionsFieldName> ::=
        additionalroles|
        allowfilediscovery|
--- a/docs/Users-Drive-Revisions.md
+++ b/docs/Users-Drive-Revisions.md
@@ -85,6 +85,8 @@ gam <UserTypeEntity> update filerevisions <DriveFileEntity> select <DriveFileRev
 ```
 When `select <DriveFileRevisionIDEntity>` is omitted, all revisions are updated. 

+* `keepforever true` - Keep revision forever, even if it is no longer the head revision
+* `keepforever false` - Do not keep revision forever
 * `published true` - Publish these revision to the web
 * `published false` - Do not publish these revision to the web
 * `publishauto true` - Automaticaly publish subsequent revisions to the web
--- a/docs/Users-Drive-Transfer.md
+++ b/docs/Users-Drive-Transfer.md
@@ -19,6 +19,22 @@
 <EmailAddress> ::= <String>@<DomainName>
 <UniqueID> ::= id:<String>
 <UserItem> ::= <EmailAddress>|<UniqueID>|<String>
+
+<DriveFileOrderByFieldName> ::=
+        createddate|createdtime|
+        folder|
+        lastviewedbyme|lastviewedbymedate|lastviewedbymetime|lastviewedbyuser|
+        modifiedbyme|modifiedbymedate|modifiedbymetime|modifiedbyuser|
+        modifieddate|modifiedtime|
+        name|
+        name_natural|
+        quotabytesused|quotaused|
+        recency|
+        sharedwithmedate|sharedwithmetime|
+        starred|
+        title|
+        title_natural|
+        viewedbymedate|viewedbymetime
 ```
 ## GAM Data Transfers
 ```
--- a/docs/Users-Gmail-Messages-Threads.md
+++ b/docs/Users-Gmail-Messages-Threads.md
@@ -440,7 +440,7 @@ gam <UserTypeEntity> delete messages|threads
 gam <UserTypeEntity> modify messages|threads
        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
         [quick|notquick] [doit] [max_to_modify <Number>])|(ids <MessageIDEntity>)
-        (addlabel <LabelName>)* (removelabel <LabelName>)*
+        ((addlabel <LabelName>)|(removelabel <LabelName>))+
        [csv [todrive <ToDriveAttribute>*]]
 gam <UserTypeEntity> spam messages|threads
        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
@@ -583,7 +583,7 @@ By default, the Message ID and these SMTP headers are displayed: `Date, Subject,
 Use these options to customize the display.

 By default, the `<SMTPDateHeader>` values are displayed in RFC2822 format; the `dateheaderformat iso|rfc2822|<String>` option allows reformatting it:
-* `iso` - Format is `%Y-%m-%dT%H:%M:%S%z`
+* `iso` - Format is `%Y-%m-%dT%H:%M:%S%:z`
 * `rfc2822` - Format is `%a, %d %b %Y %H:%M:%S %z`
 * `<String>` - Format according to: https://docs.python.org/3/library/datetime.html#strftime-strptime-behavior
 If the `Date` header value can't be parsed as RFC2822, it is left unchanged.
--- a/docs/Users-Gmail-Send-As-Signature-Vacation.md
+++ b/docs/Users-Gmail-Send-As-Signature-Vacation.md
@@ -210,11 +210,13 @@ gam config csv_output_row_filter "signature:boolean:false"

 ## Manage vacation
 ```
-gam <UserTypeEntity> vacation <Boolean> subject <String>
+gam <UserTypeEntity> vacation [<Boolean>] [subject <String>]
        [<VacationMessageContent> (replace <Tag> <UserReplacement>)*]
        [html [<Boolean>]] [contactsonly [<Boolean>]] [domainonly [<Boolean>]]
        [start|startdate <Date>|Started] [end|enddate <Date>|NotSpecified]
 ```
+The initial `<Boolean>` can be omitted to allow updates to other fields without affecting the current responder state.
+
 `<VacationMessageContent>` is the vacation message, there are four ways to specify it:
 * `message|textmessage|htmlmessage <String>` - Use `<String>` as the vacation message
 * `file|htmlfile <FileName> [charset <Charset>]` - Read the vacation message from `<FileName>`
--- a/docs/Users-Group-Membership.md
+++ b/docs/Users-Group-Membership.md
@@ -14,6 +14,8 @@
  - [Display group details in CSV format](#display-group-details-in-csv-format)
  - [Display group counts as an indented list](#display-group-counts-as-an-indented-list)
  - [Display group counts in CSV format](#display-group-counts-in-csv-format)
+  - [Display total group counts as an indented list](#display-total-group-counts-as-an-indented-list)
+  - [Display total group counts in CSV format](#display-total-group-counts-in-csv-format)
  - [Display group addresses in CSV format](#display-group-addresses-in-csv-format)
  - [Display groups and their parents](#display-groups-and-their-parents)
 - [Add a target user to the same groups as a source user](#add-a-target-user-to-the-same-groups-as-a-source-user)
@@ -461,6 +463,10 @@ gam <UserTypeEntity> show groups
        [(domain <DomainName>)|(customerid <CustomerID>)]
        [roles <GroupRoleList>] countsonly
 ```
+By default, all groups to which a member belongs are displayed, these options allow selection of subsets of groups:
+* `domain <DomainName>` - Limit display to groups in the domain `<DomainName>` of which they are a member
+* `customerid <CustomerID>` - For resellers, display all groups in a resold workspace of which they are a member
+* `roles <GroupRoleList>` - Limit display to those groups for which the user has a specific role

 ### Display group counts in CSV format
 There is one row per user displaying the number of groups, by role, to which a user belongs.
@@ -476,6 +482,33 @@ By default, all groups to which a member belongs are displayed, these options al
 * `customerid <CustomerID>` - For resellers, display all groups in a resold workspace of which they are a member
 * `roles <GroupRoleList>` - Limit display to those groups for which the user has a specific role

+### Display total group counts as an indented list
+There is one row per user displaying the number of groups to which a user belongs.
+
+There is one API call per user to get the total group count.
+```
+gam <UserTypeEntity> show groups
+        [(domain <DomainName>)|(customerid <CustomerID>)]
+        totalonly
+```
+By default, all groups to which a member belongs are displayed, these options allow selection of subsets of groups:
+* `domain <DomainName>` - Limit display to groups in the domain `<DomainName>` of which they are a member
+* `customerid <CustomerID>` - For resellers, display all groups in a resold workspace of which they are a member
+
+
+### Display total group counts in CSV format
+There is one row per user displaying the total number of groups to which a user belongs.
+
+There is one API call per user to get the total group count.
+```
+gam <UserTypeEntity> print groups [todrive <ToDriveAttribute>*]
+        [(domain <DomainName>)|(customerid <CustomerID>)]
+        totalonly
+```
+By default, all groups to which a member belongs are displayed, these options allow selection of subsets of groups:
+* `domain <DomainName>` - Limit display to groups in the domain `<DomainName>` of which they are a member
+* `customerid <CustomerID>` - For resellers, display all groups in a resold workspace of which they are a member
+
 ### Display group addresses in CSV format
 There is one row per user showing the number and list of groups to which a user directly belongs.
 ```
--- a/docs/Users-Looker-Studio.md
+++ b/docs/Users-Looker-Studio.md
@@ -17,6 +17,8 @@ To use these commands you must add the 'Looker Studio API' to your project and u
 ```
 gam update project
 gam user user@domain.com check serviceaccount
+...
+[*] 35)  Looker Studio API (supports readonly)
 ```
 ## Definitions
 * [`<UserTypeEntity>`](Collections-of-Users)
--- a/docs/Users-Meet.md
+++ b/docs/Users-Meet.md
@@ -0,0 +1,174 @@
+# Users - Meet
+- [API documentation](#api-documentation)
+- [Query documentation](#query-documentation)
+- [Introduction](#introduction)
+- [Definitions](#definitions)
+- [Manage Meet Spaces](#manage-meet-spaces)
+- [Display Meet Conferences](#display-meet-conferences)
+- [Display Meet Participants](#display-meet-participants)
+- [Display Meet Recordings](#display-meet-recordings)
+- [Display Meet Transcripts](#display-meet-transcripts)
+
+## API documentation
+* https://developers.google.com/meet/api/reference/rest/v2
+* https://developers.google.com/meet/api/reference/rest/v2/spaces
+* https://developers.google.com/meet/api/reference/rest/v2/conferenceRecords
+* https://developers.google.com/meet/api/reference/rest/v2/conferenceRecords.participants
+* https://developers.google.com/meet/api/reference/rest/v2/conferenceRecords.recordings
+* https://developers.google.com/meet/api/reference/rest/v2/conferenceRecords.transcripts
+
+## Query documentation
+* https://developers.google.com/meet/api/reference/rest/v2/conferenceRecords/list
+* https://developers.google.com/meet/api/reference/rest/v2/conferenceRecords.participants/list
+
+## Introduction
+These features were added in version 6.81.00.
+
+To use these commands you must add the 'Meet API' to your project and update your service account authorization.
+```
+gam update project
+gam user user@domain.com update serviceaccount
+...
+[*] 36)  Meet API (supports readonly)
+
+```
+## Definitions
+* [`<UserTypeEntity>`](Collections-of-Users)
+```
+<MeetConferenceName> ::= conferenceRecords/<String>
+<MeetSpaceName> ::= spaces/<String> | <String>
+<MeetSpaceOptions> ::=
+        accesstype open|trusted|restricted |
+        entrypointaccess all|creatorapponly
+```
+
+## Manage Meet Spaces
+### Create a meet space
+```
+gam <UserTypeEntity> create meetspace
+        <MeetSpaceOptions>*
+        [formatjson|returnidonly]
+```
+By default, Gam displays the information about the created meetspace as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+* `returnidonly` - Display the meetspace name only
+
+### Update a meet space
+```
+gam <UserTypeEntity> update meetspace <MeetSpaceName>
+        <MeetSpaceOptions>*
+        [formatjson]
+```
+By default, Gam displays the information about the created meetspace as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
+### Display information about a specific meet space for a user
+```
+gam <UserTypeEntity> info meetspace <MeetSpaceName>
+        [formatjson]
+```
+By default, Gam displays the information as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+
+### End a meet space conference
+```
+gam <UserTypeEntity> end meetconference <MeetSpaceName>
+```
+
+## Display Meet Conferences
+```
+gam <UserItem> show meetconferences
+        [space <MeetSpaceName>] [code <String>]
+        [andquery|orquery <String>] [querytime<String> <Time>]
+        [formatjson]
+```
+By default, conferences are shown for all of a user's meet spaces. To limit the display use:
+  * `space <MeetSpaceName>` - Display conferences for a specifc space by giving its name
+  * `code <String>` - Display conferences for a specifc space by giving its code
+  
+By default, Gam displays the information about the meet conferences as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+```
+gam <UserItem> print meetconferences [todrive <ToDriveAttribute>*]
+        [space <MeetSpaceName>] [code <String>]
+        [andquery|orquery <String>] [querytime<String> <Time>]
+        [formatjson [quotechar <Character>]]
+```
+By default, conferences are shown for all of a user's meet spaces. To limit the display use:
+  * `space <MeetSpaceName>` - Display conferences for a specifc space by giving its name
+  * `code <String>` - Display conferences for a specifc space by giving its code
+  
+By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
+
+## Display Meet Participants
+```
+gam <UserItem> show meetparticipants <MeetConferenceName>
+        [query <String>] [querytime<String> <Time>]
+        [formatjson]
+```
+By default, Gam displays the information about the meet participants as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+```
+gam <UserItem> print meetparticipants <MeetConferenceName> [todrive <ToDriveAttribute>*]
+        [query <String>] [querytime<String> <Time>]
+        [formatjson [quotechar <Character>]]
+```
+By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
+
+## Display Meet Recordings
+```
+gam <UserItem> show meetrecordings <MeetConferenceName>
+        [formatjson]
+```
+By default, Gam displays the information about the meet recordings as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+```
+gam <UserItem> print meetrecordings <MeetConferenceName> [todrive <ToDriveAttribute>*]
+        [formatjson [quotechar <Character>]]
+```
+By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
+
+## Display Meet Transcripts
+```
+gam <UserItem> show meettranscripts <MeetConferenceName>
+        [formatjson]
+```
+By default, Gam displays the information about the meet transcripts as an indented list of keys and values.
+* `formatjson` - Display the fields in JSON format.
+```
+gam <UserItem> print meettranscripts <MeetConferenceName> [todrive <ToDriveAttribute>*]
+        [formatjson [quotechar <Character>]]
+```
+By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
+* `formatjson` - Display the fields in JSON format.
+
+By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
+the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
+When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
+The `quotechar <Character>` option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
+`quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.
+
--- a/docs/Users-People-Contacts-Profiles.md
+++ b/docs/Users-People-Contacts-Profiles.md
@@ -59,6 +59,7 @@ gam user user@domain.com check serviceaccount

 ```
 <JSONData> ::= (json [charset <Charset>] <String>) | (json file <FileName> [charset <Charset>]) |
+<QueryContact> ::= <String>

 <PeopleResourceName> ::= people/<String>
 <PeopleResourceNameList> ::= "<PeopleResourceName>(,<PeopleResourceName>)*"
@@ -124,8 +125,15 @@ gam user user@domain.com check serviceaccount
        (subject <String>)|
        (suffix <String>)|
        (userdefinedfield clear|(<String> <String>))|
-        (website clear|(app_install_page|blog|ftp|home|home_page|other|profile|reservations|work|<String> <URL> notprimary|primary))
+        (url|website clear|(app_install_page|blog|ftp|home|home_page|other|profile|reservations|work|<String> <URL> notprimary|primary))

+For address, email, phone and url, the type <String> can be empty.
+address "" formatted "My Address" primary
+email "" user@gmail.com primary
+phone "" "510-555-1212" primary
+url "" "https://www.domain.com" primary
+```
+```
 <PeopleFieldName> ::=
        addresses|
        ageranges|
--- a/docs/Users-Shared-Drives.md
+++ b/docs/Users-Shared-Drives.md
@@ -15,7 +15,8 @@
 - [Display Shared Drive access](#display-shared-drive-access)
  - [Display Shared Drive access for specific Shared Drives](#display-shared-drive-access-for-specific-shared-drives)
  - [Display Shared Drive access for selected Shared Drives](#display-shared-drive-access-for-selected-shared-drives)
- [Change User1 Shared Drive access to User2](#change-user1-shared-drive-access-to-user2)
+- [Change single User1 Shared Drive access to User2](#change-single-user1-shared-drive-access-to-user2)
+- [Bulk change User1 Shared Drive access to User2](#bulk-change-user1-shared-drive-access-to-user2)
 - [Display empty folders on a Shared Drive](#display-empty-folders-on-a-shared-drive)
 - [Delete empty folders on a Shared Drive](#delete-empty-folders-on-a-shared-drive)
 - [Empty the trash on a Shared Drive](#empty-the-trash-on-a-shared-drive)
@@ -73,6 +74,22 @@
 <OrgUnitPath> ::= /|(/<String>)+
 <OrgUnitItem> ::= <OrgUnitID>|<OrgUnitPath>

+<DriveFileOrderByFieldName> ::=
+        createddate|createdtime|
+        folder|
+        lastviewedbyme|lastviewedbymedate|lastviewedbymetime|lastviewedbyuser|
+        modifiedbyme|modifiedbymedate|modifiedbymetime|modifiedbyuser|
+        modifieddate|modifiedtime|
+        name|
+        name_natural|
+        quotabytesused|quotaused|
+        recency|
+        sharedwithmedate|sharedwithmetime|
+        starred|
+        title|
+        title_natural|
+        viewedbymedate|viewedbymetime
+
 <DriveFileACLRole> ::=
        manager|organizer|owner|
        contentmanager|fileorganizer|
@@ -375,7 +392,6 @@ When deleting permissions from JSON data, permissions with role `owner` true are
 These commands are used to display the ACLs on Shared Drives themselves, not the files/folders on the Shared Drives.

 ## Display Shared Drive access for specific Shared Drives
-These commands must be issued by a user with Shared Drive permission role organizer.
 ```
 gam <UserTypeEntity> show drivefileacls <DriveFileEntity>
        <PermissionMatch>* [<PermissionMatchAction>] [pmselect]
@@ -404,7 +420,6 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 `quotechar` defaults to `gam.cfg/csv_output_quote_char`. When uploading CSV files to Google, double quote `"` should be used.

 ## Display Shared Drive access for selected Shared Drives
-These commands must be issued by a user with Shared Drive permission role organizer.
 ```
 gam <UserTypeEntity> show teamdriveacls
        adminaccess [teamdriveadminquery|query <QueryTeamDrive>]
@@ -421,6 +436,10 @@ gam <UserTypeEntity> print teamdriveacls [todrive <ToDriveAttribute>*]
        [oneitemperrow] [<DrivePermissionsFieldName>*|(fields <DrivePermissionsFieldNameList>)]
        [formatjson [quotechar <Character>]]
 ```
+By default,only Shared Drives with `<UserTypeEntity>` as a member are displayed. To display all
+Shared Drives in the workspace, `<UserTypeEntity>` should specify a super admin and the `adminaccess`
+option shoud be used.
+
 By default, all Shared Drives are displayed; use the following options to select a subset of Shared Drives:
 * `teamdriveadminquery|query <QueryTeamDrive>` - Use a query to select Shared Drives
 * `matchname <RegularExpression>` - Retrieve Shared Drives with names that match a pattern.
@@ -448,14 +467,27 @@ gam <UserTypeEntity> print emptydrivefolders [todrive <ToDriveAttribute>*]
        select <SharedDriveEntity>
 ```

-## Change User1 Shared Drive access to User2
+## Change single User1 Shared Drive access to User2
 ```
 # Get Shared Drives for User1
 gam redirect csv ./U1SharedDrives.csv user user1@domain.com print shareddriveacls pm emailaddress user1@domain.com em oneitemperrow
 # For each of those Shared Drives, delete User1 access
-gam redirect stdout ./DeleteU1SharedDriveAccess.txt multiprocess redirect stderr stdout gam delete drivefileacl "~id" "~permission.emailAddress"
+gam redirect stdout ./DeleteU1SharedDriveAccess.txt multiprocess redirect stderr stdout csv ./U1SharedDrives.csv gam delete drivefileacl "~id" "~permission.emailAddress"
 # For each of those Shared Drives, add User2 with the same role that User1 had
-gam redirect stdout ./AddU2SharedDriveAccess.txt multiprocess redirect stderr stdout gam create drivefileacl "~id" user user2@domain.com role "~permission.role"
+gam redirect stdout ./AddU2SharedDriveAccess.txt multiprocess redirect stderr stdout csv ./U1SharedDrives.csv gam create drivefileacl "~id" user user2@domain.com role "~permission.role"
+```
+
+## Bulk change User1 Shared Drive access to User2
+This requires GAM version 6.79.09 or higher.
+
+Make a CSV file Users.csv with two email address columns: User,Replace
+```
+# Get Shared Drives for all Users in CSV file
+gam redirect csv ./U1SharedDrives.csv multiprocess csv Users.csv gam user "~User" print shareddriveacls pm emailaddress "~User" em oneitemperrow addscvdata Replace "~Replace"
+# For each of those Shared Drives, delete User access
+gam redirect stdout ./DeleteU1SharedDriveAccess.txt multiprocess redirect stderr stdout csv ./U1SharedDrives.csv gam delete drivefileacl "~id" "~permission.emailAddress"
+# For each of those Shared Drives, add Replace with the same role that User had
+gam redirect stdout ./AddU2SharedDriveAccess.txt multiprocess redirect stderr stdout csv ./U1SharedDrives.csv gam create drivefileacl "~id" user "~Replace" role "~permission.role"
 ```

 ## Delete empty folders on a Shared Drive
--- a/docs/Users-Signout-Turnoff2SV.md
+++ b/docs/Users-Signout-Turnoff2SV.md
@@ -21,6 +21,7 @@ gam <UserTypeEntity> signout
 Turn off 2-Step Verification for a user.
 If successful, this call will turn off 2-Step Verification and also remove all registered second steps on the user account.
 This call will fail if **any** of the following is true:
+* the user is suspended
 * the user is not enrolled in 2-Step Verification.
 * the user has 2-Step Verification enforced.
 * the user is enrolled in the Advanced Protection Program.
--- a/docs/Users-Spreadsheets.md
+++ b/docs/Users-Spreadsheets.md
@@ -231,18 +231,24 @@ gam user testuser@domain.com update sheet <DriveFileItem> json file Sheet.json
 gam <UserTypeEntity> info|show sheet <DriveFileEntity>
        [fields <SpreadsheetFieldList>] [sheetsfields <SpreadsheetSheetsFieldList>]
        (range <SpreadsheetRange>)* (rangelist <SpreadsheetRangeList>)*
-        [includegriddata [<Boolean>]]
+        [includegriddata [<Boolean>]] [shownames]
        [formatjson]
 ```
+By default, the Sheets API does not return the sheet file name, use the `shownames` option to have GAM
+make an additional API call to get and display the sheet file name.
+
 The output is formatted for human readability. Use the following option to produce JSON output for program parsing.
 * `formatjson` - Display output in JSON format.
 ```
 gam <UserTypeEntity> print sheet <DriveFileEntity> [todrive <ToDriveAttribute>*]
        [fields <SpreadsheetFieldList>] [sheetsfields <SpreadsheetSheetsFieldList>]
        (range <SpreadsheetRange>)* (rangelist <SpreadsheetRangeList>)*
-        [includegriddata [<Boolean>]]
+        [includegriddata [<Boolean>]] [shownames]
        [formatjson [quotechar <Character>]]
 ```
+By default, the Sheets API does not return the sheet file name, use the `shownames` option to have GAM
+make an additional API call to get and display the sheet file name.
+
 By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
 the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
 When using the `formatjson` option, double quotes are used extensively in the data resulting in hard to read/process output.
@@ -463,8 +469,6 @@ gam csv SheetData.csv quotechar "'" gam user "~User" update sheetrange "~spreads
 ```

 ## Repair an uneditable sheet within a spreadsheet
-This example requires GAMADV-XTD3 version 6.30.07.
-
 Identify uneditable sheet; there is no `editors` field.
 ```
 $ gam user owner@domain.com info sheet 1234-y9d0nbckO_cnb3xyZhsIh0Hxd9WaqpGPBwxyz fields sheets sheetsfields protectedranges
--- a/docs/Users.md
+++ b/docs/Users.md
@@ -1,7 +1,7 @@
 # Users
 - [API documentation](#api-documentation)
- [Name guidelines](#name-guidelines)
 - [Query documentation](#query-documentation)
+- [Name guidelines](#name-guidelines)
 - [Quoting rules](#quoting-rules)
 - [Python Regular Expressions](Python-Regular-Expressions) Match function and Search function
 - [Definitions](#definitions)
@@ -46,12 +46,12 @@
 * https://developers.google.com/admin-sdk/directory/reference/rest/v1/users
 * https://developers.google.com/admin-sdk/directory/reference/rest/v1/schemas

-## Name guidelines
-* https://support.google.com/a/answer/9193374
-
 ## Query documentation
 * https://developers.google.com/admin-sdk/directory/v1/guides/search-users

+## Name guidelines
+* https://support.google.com/a/answer/9193374
+
 ## Quoting rules
 Items in a list can be separated by commas or spaces; if an item itself contains a comma, a space or a single quote, special quoting must be used.
 Typically, you will enclose the entire list in double quotes and quote each item in the list as detailed below.
@@ -80,6 +80,22 @@ queries "`"orgUnitPath=\'/Students/Lower\ School/2027\'`",`"orgUnitPath=\'/Stude
 * [`<UserTypeEntity>`](Collections-of-Users)
 * [Command data from Google Docs/Sheets/Storage](Command-Data-From-Google-Docs-Sheets-Storage)
 ```
+<StorageBucketName> ::= <String>
+<StorageObjectName> ::= <String>
+<StorageBucketObjectName> ::=
+        https://storage.cloud.google.com/<StorageBucketName>/<StorageObjectName>|
+        https://storage.googleapis.com/<StorageBucketName>/<StorageObjectName>|
+        gs://<StorageBucketName>/<StorageObjectName>|
+        <StorageBucketName>/<StorageObjectName>
+
+<UserGoogleDoc> ::=
+        <EmailAddress> <DriveFileIDEntity>|<DriveFileNameEntity>|(<SharedDriveEntity> <SharedDriveFileNameEntity>)
+
+<SheetEntity> ::= <String>|id:<Number>
+<UserGoogleSheet> ::=
+        <EmailAddress> <DriveFileIDEntity>|<DriveFileNameEntity>|(<SharedDriveEntity> <SharedDriveFileNameEntity>) <SheetEntity>
+```
+```
 <DeliverySetting> ::=
        allmail|
        abridged|daily|
@@ -734,9 +750,9 @@ When updating a user's name, always update both the `firstname/givenname` and th
 ## Update a user's password
 When updating a user's password, you can send a message with the new password to an email address; this might be the user's secondary email address.

-In versions of GAMADV-XTD3 prior to 5.07.00, if you do `gam update users <UserTypeEntity>` or `gam <UserTypeEntity> update users` and
+In versions of GAM7 prior to 5.07.00, if you do `gam update users <UserTypeEntity>` or `gam <UserTypeEntity> update users` and
 specify `password random`, all of the users in `<UserTypeEntity>` are assigned the same random password;
-this is the same behavior as in Standard GAM. If you would like each of the users in `<UserTypeEntity>` to be
+this is the same behavior as in Legacy GAM. If you would like each of the users in `<UserTypeEntity>` to be
 assigned a unique random password, specify `password uniquerandom`.

 If you update a user with `password random|uniquerandom`, the `lograndompassword <FileName>` option causes GAM
--- a/docs/Using-GAM7-with-a-YubiKey.md
+++ b/docs/Using-GAM7-with-a-YubiKey.md
@@ -0,0 +1,72 @@
+# Using GAM7 with a YubiKey
+- [Thanks](#thanks)
+- [Yubikey ykman PIV Commands](https://docs.yubico.com/software/yubikey/tools/ykman/PIV_Commands.html)
+- [Introduction](#introduction)
+- [FAQs](#faqs)
+- [Setup Steps](#setup-steps)
+
+## Thanks
+
+Thanks to Jay Lee for the original version of this document.
+
+## Introduction
+GAM7 supports using a [YubiKey](https://www.yubico.com/products/yubikey-5-overview/) to generate and store the service account's private RSA key. Private keys generated by the YubiKey cannot be exported even to the computer running GAM7. When compared to the plain text oauth2service.json file with the private key stored in text, the YubiKey offers a more secure option that prevents digital theft and copying of the private key. Instead of reading the private key from the oauth2service.json file and signing requests itself, GAM7 will simply send signing requests to the YubiKey and get back the signature.
+
+GAM7 version 6.50.01 or higher is required. Best practice is to always use the [latest version of GAM7](https://github.com/taers232c/GAMADV-XTD3/wiki/How-to-Update-Advanced-GAM).
+
+## FAQs
+### Can I use a Google Titan or other brand security key?
+No, while Titan keys are great as security keys / U2F / 2SV, that is not the protocol being used by GAM7 here. GAM7 uses the PIV app of YubiKeys to work with service accounts. You need to use [a genuine Yubikey.](https://yubico.com/genuine/).
+
+### Does this protect the admin credentials GAM7 stores in oauth2.txt?
+No, the admin credentials GAM7 stores in oauth2.txt are not protected by the YubiKey as they are not using RSA private keys. Only the service account credentials normally stored in oauth2service.json are protected. The service account credentials are used for domain-wide delegation operations like managing Workspace user data in Drive, Gmail and Calendar. Note that GAM7 also has the ability to perform admin actions as a delegated admin service account (DASA). See [instructions for setting up DASA](https://github.com/taers232c/GAMADV-XTD3/wiki/Using-GAMADV-XTD3-with-a-delegated-admin-service-account.md). When DASA is setup, GAM7 will use the service account to authenticate which can be protected by the YubiKey.
+
+### What if someone physically steals the YubiKey?
+The YubiKey can be configured with a PIN that must be entered in order for it to sign data with the private key. GAM7 stores this PIN string in the oauth2service.json file so it can use it as needed. What this means is that an attacker would need to steal *both* the physical YubiKey and the PIN stored in oauth2service.json. The recommendation is to store oauth2service.json and the rest of the GAM directory on an encrypted partition. The YubiKey itself should also be kept in a secure location.
+
+### Can I require a physical touch of the YubiKey before the private key can be used?
+Yes but in practice this does not work very well with GAM7. The YubiKey will need to be touched every time there is a GAM7 command running which for batch or cron jobs may be constant. GAM7 can use a PIN configured on the YubiKey in order to offer an additional layer of protection.
+
+### If I use a YubiKey, do I need to rotate the private key regularly?
+No, because the YubiKey generated the private key it cannot be digitally exported from the YubiKey so there is no chance for it to be copied and stolen. Instead you should physically secure the YubiKey from theft.
+
+### What data does the service account private key have access to?
+When using domain-wide delegation with GAM7, the service account and anyone possessing the service account private key oauth2service.json file has access to the Gmail, Drive and Calendar data of ALL Workspace users in your domain. For this reason, whether using a YubiKey or not, you should take strong measures to protect the service account private key.
+
+## Setup Steps
+1. Upgrade to at least GAM7 6.50.01.
+2. **If you are using a new YubiKey or don't care about the PIV app data on the YubiKey**
+    1. Tell GAM7 to reset and configure the PIV app data on the YubiKey. This wipes all existing keys and configuration and then configures a private key and PIN for GAM7.
+      * Single YubiKey - `gam yubikey reset_piv`
+      * Multiple YubiKeys - `gam yubikey reset_piv yubikeyserialnumber <Number>`
+    2. During the PIV reset, GAM7 will print out a PIN for the private key, record this key.
+4. **If you are already using the YubiKey and wish to preserve the PIV app data and keys**
+    1. You need to configure one of the PIV slots for a private key GAM7 can use.
+      * [ykman piv keys generate](https://docs.yubico.com/software/yubikey/tools/ykman/PIV_Commands.html#ykman-piv-keys-options-command-args)
+        `ykman piv keys generate -P <Text> --pin-policy ALWAYS --touch-policy NEVER --algorithm RSA2048 9a new_pubkey.txt`
+      * Use `9a` for the `AUTHENTICATION` slot, `9c` for the `SIGNATURE` slot
+    2. You need to generate a certificate for that slot.
+      * [ykman piv certificates generate](https://docs.yubico.com/software/yubikey/tools/ykman/PIV_Commands.html#ykman-piv-certificates-generate-options-slot-public-key)
+        `ykman piv certificates generate -P <Text> --subject "GAM Service Account" -d 36500 9a new_pubkey.txt`
+      * Use `9a` for the `AUTHENTICATION` slot, `9c` for the `SIGNATURE` slot
+
+5. Now that you have a private key on your YubiKey, tell GAM7 to use that instead of the private_key stored in oauth2service.json. We can do that by rotating the key:
+```
+copy oauth2service.json to oauth2service.save
+gam create sakey yubikey yubikey_pin yubikey_slot AUTHENTICATION|SIGNATURE
+```
+The yubikey argument tells GAM7 to use a private key on a plugged in YubiKey. The yubikey_pin argument tells GAM7 to prompt you to input the PIN that was set in the previous step. The yubikey_slot argument tells GAM7 which PIV slot to use on the YubiKey.
+
+If there are problems, you can go back to the original oauth2service.json.
+```
+copy oauth2service.json to oauth2service.yk
+copy oauth2service.save to oauth2service.json
+```
+
+6. Now you should be able to run GAM7 commands like:
+```
+gam user admin@example.com check serviceaccount
+```
+and see the YubiKey lights flash as the YubiKey interacts with GAM7 to sign the GAM7 authentication requests. If you look at the oauth2service.json file, you'll see it contains some new fields like yubikey_serial and yubikey_pin but no longer contains the private_key field where GAM7 would normally store the private key data.
+
+7. As a last step, since YubiKey-stored private keys do not need to be and should not be rotated, you can remove the service account's permissions to change it's own key. Navigate to the [Cloud Console](https://console.cloud.google.com/iam-admin/serviceaccounts) select the correct project and service account and on the Permissions tab, edit and remove the "Service Account Key Admin" permission that the service account has to itself.
--- a/docs/Using-GAM7-with-a-delegated-admin-service-account.md
+++ b/docs/Using-GAM7-with-a-delegated-admin-service-account.md
@@ -0,0 +1,61 @@
+# Using GAM7 with a delegated admin service account
+- [Thanks](#thanks)
+- [Introduction](#introduction)
+- [Advantages](#advantages)
+- [Disadvantages](#disadvantages)
+- [Setup Steps](#setup-steps)
+
+## Thanks
+
+Thanks to Jay Lee for the original version of this document.
+
+## Introduction
+Delegated admin service accounts (DASA) are regular [GCP service accounts](https://cloud.google.com/iam/docs/service-accounts#what_are_service_accounts) that are granted a Workspace [delegated admin role](https://support.google.com/a/answer/33325). Service accounts have an email address like `gam-project-xuw-sp1-c4b@gam-project-xuw-sp1-c4b.iam.gserviceaccount.com` and are not part of a Workspace or Cloud Identity domain even if they are owned by a project in the domain’s organization. Service accounts cannot login to Google web services interactively, they are only able to call Google APIs.
+
+GAM7 version 6.50.00 or higher is required.
+
+## Advantages
+* DASA accounts don’t require a Workspace or Cloud Identity license.
+* DASA accounts don’t have a password login that can be phished or captured, they use [RSA private keys](https://en.wikipedia.org/wiki/RSA_(cryptosystem)) to sign authentication requests which makes them very secure. You should however [rotate the key](https://jaylee.us/qwm) on a regular basis and keep it safe and secured!
+* When a DASA account makes admin changes, the Admin audit log properly shows that the DASA account made the change. This is not the case when using domain-wide delegation.
+* DASA accounts are granted [Google admin roles and permissions](https://support.google.com/a/answer/1219251) so that they are only able to perform the actions they are given permissions to perform. This is a simpler model than using both API scopes and admin roles to determine if GAM7 can perform an action.
+* When using a DASA account, GAM7 does not need to worry about OAuth, scopes, token refresh, consent screens, etc. DASA accounts can [simply generate a JWT token signed by their private key](https://developers.google.com/identity/protocols/oauth2/service-account#jwt-auth) and use the JWT as the authorization header on Google API calls. This method is both faster and less complex than regular OAuth.
+
+## Disadvantages
+* DASA accounts can only be delegated admins. [If a task requires super admin rights to perform](https://support.google.com/a/answer/2405986#:~:text=Only%20super%20administrators%20can...), DASA accounts won’t be able to do it.
+Not all Google Admin APIs work with DASA right now. For example, Google Vault API calls will fail with a DASA account.
+* DASA is a delegated admin and can make Workspace / Cloud Identity admin API calls, it does not replace domain-wide delegation (DwD) when using GAM7 commands that interact with Gmail, Drive and Calendar user data.
+* GAM7 support for DASA is still experimental and some things may fail. Please report your findings to the [GAM group](https://groups.google.com/g/google-apps-manager).
+
+## Setup Steps
+1. Upgrade to at least GAM7 6.50.00. Best practice is to always use the [latest version of GAM7](https://github.com/taers232c/GAMADV-XTD3/wiki/How-to-Update-Advanced-GAM).
+
+2. Follow the steps in `gam create project` up to the point where you are presented with a URL to the Cloud console to create a Client ID and secret. You don’t need to enter anything those, just press CTRL+C to quit the project creation.
+
+3. GAM will have created a Google Cloud project for you and a service account. The service account is stored in oauth2service.json. If you look at the contents of this file you’ll see a couple important things:
+   * client_email is the email address of your service account. Copy this address, we’ll use it to grant the service account delegated admin rights in your Workspace domain thus making it a DASA.
+   * private_key is the cryptographic key which is used to sign authorization requests. Google has a copy of the public key and uses it to validate that the API call is being made by the DASA account. Keep oauth2service.json safe and private! It’s the only file needed to use the DASA account!
+
+4. Now grant the service account delegated permissions. Head to [admin.google.com](https://admin.google.com/) > Account > Admin roles. If you don’t already have a delegated admin role created with the permissions you want the DASA account to have you can [use a system role or create your own](https://support.google.com/a/answer/33325).
+
+**Pro tip** GAM now has the ability to create an admin role that has all delegate permissions (Super delegate which is not the same as a super admin) as well as an admin role that has all permissions that can be scoped to an OrgUnit (Super OU delegate). With a regular GAM setup, try running:
+```
+gam create adminrole "Super Delegate" privileges all
+```
+or to create an admin role with all privileges that can be scoped to an OrgUnit:
+```
+gam create adminrole "Super OU Delegate" privileges all_ou
+```
+
+5. Now assign your service account the delegated admin role. You’ll need the service account email address from  step 3. With the role opened in the admin console, click "Assign service accounts" and enter the email address.
+
+6. Still in the admin console, head to Account > Account settings > Profile and record the Customer ID value. You’ll need this in the next steps.
+
+7. Now we need to tell GAM which Workspace / Cloud Identity domain to use. Remember, the DASA account in oauth2service.json is not a member of your domain. We can tell GAM7 which domain to use with gam.cfg variables:
+The following variables in `gam.cfg` must be set when `enable_dasa` is True: `admin_email`, `customer_id` and `domain`,
+`customer_id` may not be set to `my_customer`.
+
+
+```
+gam config enable_dasa true admin_email admin@domain.com customer_id <Customer ID from step 6> domain domain.com save
+```
--- a/docs/Version-and-Help.md
+++ b/docs/Version-and-Help.md
@@ -1,13 +1,13 @@
-\# Version and Help
+# Version and Help

 Print the current version of Gam with details
 ```
 gam version
-GAMADV-XTD3 6.79.03 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
-Ross Scroggs <ross.scroggs@gmail.com>
-Python 3.12.4 64-bit final
+GAM 7.00.13 - https://github.com/GAM-team/GAM - pyinstaller
+GAM Team <google-apps-manager@googlegroups.com>
+Python 3.12.7 64-bit final
 MacOS Sonoma 14.5 x86_64
-Path: /Users/Admin/bin/gamadv-xtd3
+Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 Time: 2023-06-02T21:10:00-07:00
 ```
@@ -15,11 +15,11 @@ Time: 2023-06-02T21:10:00-07:00
 Print the current version of Gam with details and time offset information
 ```
 gam version timeoffset
-GAMADV-XTD3 6.79.03 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
-Ross Scroggs <ross.scroggs@gmail.com>
-Python 3.12.4 64-bit final
+GAM 7.00.13 - https://github.com/GAM-team/GAM - pyinstaller
+GAM Team <google-apps-manager@googlegroups.com>
+Python 3.12.7 64-bit final
 MacOS Sonoma 14.5 x86_64
-Path: /Users/Admin/bin/gamadv-xtd3
+Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 Your system time differs from www.googleapis.com by less than 1 second
 ```
@@ -27,17 +27,17 @@ Your system time differs from www.googleapis.com by less than 1 second
 Print the current version of Gam with extended details and SSL information
 ```
 gam version extended
-GAMADV-XTD3 6.79.03 - https://github.com/taers232c/GAMADV-XTD3 - pythonsource
-Ross Scroggs <ross.scroggs@gmail.com>
-Python 3.12.4 64-bit final
+GAM 7.00.13 - https://github.com/GAM-team/GAM - pyinstaller
+GAM Team <google-apps-manager@googlegroups.com>
+Python 3.12.7 64-bit final
 MacOS Sonoma 14.5 x86_64
-Path: /Users/Admin/bin/gamadv-xtd3
+Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 Time: 2023-06-02T21:10:00-07:00
 Your system time differs from admin.googleapis.com by less than 1 second
 OpenSSL 3.1.1 30 May 2023
 cryptography 41.0.1
-filelock 3.12.4
+filelock 3.12.7
 google-api-python-client 2.88.0
 google-auth-httplib2 0.1.0
 google-auth-oauthlib 1.0.0
@@ -55,7 +55,7 @@ Print the current and latest versions of Gam and:
 ```
 gam version checkrc
 GAM 5.35.08 - https://github.com/taers232c/GAMADV-XTD3
-Ross Scroggs <ross.scroggs@gmail.com>
+GAM Team <google-apps-manager@googlegroups.com>
 Python 3.8.1 64-bit final
 google-api-python-client 2.77.0
 httplib2 0.16.0
@@ -64,7 +64,7 @@ MacOS High Sierra 10.13.6 x86_64
 Path: /Users/Admin/bin/gamadv-xtd3
 Version Check:
  Current: 5.35.08
-   Latest: 6.79.03
+   Latest: 7.00.12
 echo $?
 1
 ```
@@ -72,7 +72,7 @@ echo $?
 Print the current version number without details
 ```
 gam version simple
-6.79.03
+7.00.13
 ```
 In Linux/MacOS you can do:
 ```
@@ -82,11 +82,11 @@ echo $VER
 Print the current version of Gam and address of this Wiki
 ```
 gam help
-GAM 6.79.03 - https://github.com/taers232c/GAMADV-XTD3
-Ross Scroggs <ross.scroggs@gmail.com>
-Python 3.12.4 64-bit final
+GAM 7.00.13 - https://github.com/GAM-team/GAM
+GAM Team <google-apps-manager@googlegroups.com>
+Python 3.12.7 64-bit final
 MacOS Sonoma 14.5 x86_64
-Path: /Users/Admin/bin/gamadv-xtd3
+Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
 Time: 2023-06-02T21:10:00-07:00
 Help: Syntax in file /Users/Admin/bin/gamadv-xtd3/GamCommands.txt
--- a/docs/_Sidebar.md
+++ b/docs/_Sidebar.md
@@ -2,25 +2,25 @@ Update History
 * [GAM Updates](GamUpdates)

 Installation
-* [How to Install Advanced GAM](How-to-Install-Advanced-GAM)
-* [How to Update Advanced GAM](How-to-Update-Advanced-GAM)
-* [How to Upgrade from Standard GAM](How-to-Upgrade-from-Standard-GAM)
-* [How to Upgrade from GAMADV-X or GAMADV-XTD](How-to-Upgrade-from-GAMADV-X-or-GAMADV-XTD)
+* [How to Install GAM7](How-to-Install-GAM7)
+* [How to Update Advanced GAM to GAM7](How-to-Update-Advanced-GAM-to-GAM7)
+* [How to Update GAM7](How-to-Update-GAM7)
+* [How to Upgrade from Legacy GAM](How-to-Upgrade-from-Legacy-GAM)
 * [Install GAM as Python Library](Install-GAM-as-Python-Library)
-* [GAMADV-XTD3 on Chrome OS Devices](GAMADV-XTD3-on-Chrome-OS-Devices)
-* [GAMADV-XTD3 on Android Devices](GAMADV-XTD3-on-Android-Devices)
+* [GAM7 on Chrome OS Devices](GAM7-on-Chrome-OS-Devices)
+* [GAM7 on Android Devices](GAM7-on-Android-Devices)
 * [Google Network Addresses](Google-Network-Addresses)
 * [HTTPS Proxy](HTTPS-Proxy)
 * [SSL Root CA Certificates](SSL-Root-CA-Certificates)
-* [How to Uninstall Advanced GAM](How-to-Uninstall-Advanced-GAM)
+* [How to Uninstall GAM7](How-to-Uninstall-GAM7)

 Configuration
 * [Authorization](Authorization)
 * [GAM Configuration](gam.cfg)
  * [Multiple Customers and Domains](https://github.com/taers232c/GAMADV-XTD3/wiki/gam.cfg#multiple-customers-and-domains)
-* [Running GAMADV-XTD3 securely on a Google Compute Engine](Running-GAMADV-XTD3-securely-on-a-Google-Compute-Engine)
-* [Using GAMADV-XTD3 with a delegated admin service account](Using-GAMADV-XTD3-with-a-delegated-admin-service-account)
-* [Using GAMADV-XTD3 with a YubiKey](Using-GAMADV-XTD3-with-a-YubiKey)
+* [Running GAM7 securely on a Google Compute Engine](Running-GAM7-securely-on-a-Google-Compute-Engine)
+* [Using GAM7 with a delegated admin service account](Using-GAM7-with-a-delegated-admin-service-account)
+* [Using GAM7 with a YubiKey](Using-GAM7-with-a-YubiKey)

 Notes and Information
 * [Upgrade Benefits](Upgrade-Benefits)
@@ -155,6 +155,8 @@ Service Account Access
 * [Users - Group Membership](Users-Group-Membership)
 * [Users - Keep](Users-Keep)
 * [Users - Looker Studio](Users-Looker-Studio)
+* [Users - Meet](Users-Meet)
+* [Users - Classroom - Profile](Users-Classroom-Profile)
 * [Users - People - Contacts & Profiles](Users-People-Contacts-Profiles)
 * [Users - Photo](Users-Photo)
 * [Users - Profile Sharing](Users-Profile-Sharing)
--- a/docs/gam.cfg.md
+++ b/docs/gam.cfg.md
@@ -7,7 +7,7 @@

 ## Introduction
 GAM uses a configuration file, gam.cfg, to store the values of the various environment variables
-and signal files used by Basic GAM. Configuration files client_secrets.json, oauth2.txt, oauth2service.json and extra_args.txt
+and signal files used by Legacy GAM. Configuration files client_secrets.json, oauth2.txt, oauth2service.json and extra_args.txt
 are moved to a version independent location. This should simplify upgrading GAM versions in the future.
 Additionally, if you support multiple clients/domains or have multiple users running GAM,
 gam.cfg lets you easily manage your configuration.
@@ -34,7 +34,7 @@ Every once in a while, you edit gam.cfg to set some desired values and then you
 gam.cfg must be a plain text file, you can edit it with your favorite text editor (emacs, vi, TextWrangler,
 TextEdit, Notepad, Wordpad) as long as you wind up with a plain text file.

-If you are upgrading from Basic GAM, set the environment variable OLDGAMPATH to OldGamPath. This is a one-time setting
+If you are upgrading from Legacy GAM, set the environment variable OLDGAMPATH to OldGamPath. This is a one-time setting
 to allow GAM to find your old signal files and to copy client_secrets.json, oauth2.txt, oauth2service.json, extra_args.txt
 from OldGamPath to GamConfigDir. To generate the initial gam.cfg, execute the command: gam select default verify.
 Once gam.cfg is created, no signal files are read and the only environment variable used is GAMCFGDIR.
@@ -65,7 +65,7 @@ api_calls_tries_limit
        Limit the number of tries for Google API calls that return an error
        that indicates a retry should be performed
        Default: 10
-        Range: 3-10
+        Range: 3-30
 auto_batch_min
        Automatically generate gam batch command if number of users
        specified in gam users xxx command exceeds this number
@@ -944,11 +944,11 @@ domain = goo.com
 customer_id = my_customer
 config_dir = goo
 ```
-### Existing clients that have been accessed with Standard GAM.
+### Existing clients that have been accessed with Legacy GAM.
 You have two clients: foo and goo.
 Make sub-directories foo and goo in the same folder/directory as gam.cfg.
-For each client, copy the client_secrets.json and oauth2service.json files from their Standard GAM location
-to the appropriate sub-directory. If the Standard Gam files do not have these names,
+For each client, copy the client_secrets.json and oauth2service.json files from their Legacy GAM location
+to the appropriate sub-directory. If the Legacy Gam files do not have these names,
 rename them after copying them to the sub-directory.

 Perform the following commands for each client (replace xxx with foo and goo).
--- a/src/GamCommands.txt
+++ b/src/GamCommands.txt
@@ -627,6 +627,7 @@ If an item contains spaces, it should be surrounded by ".
        (tdnotify [<Boolean>])|
        (tdparent (id:<DriveFolderID>)|<DriveFolderName>)|
        (tdretaintitle [<Boolean>])|
+        (tdreturnidonly [<Boolean>])|
        (tdshare <EmailAddress> commenter|reader|writer)*|
        (tdsheet (id:<Number>)|<String>)|
        (tdsheettimestamp [<Boolean>] [tdsheettimeformat <String>])
@@ -1053,12 +1054,17 @@ Specify a collection of items by directly specifying them; the item type is dete
        all_shortcuts |
        all_3p_shortcuts |
        all_items |
+        my_docs |
        my_files |
        my_folders |
        my_forms |
        my_google_files |
        my_non_google_files |
+        my_presentations |
+        my_publishable_items |
+        my_sheets |
        my_shortcuts |
+        my_slides |
        my_3p_shortcuts |
        my_items |
        my_top_files |
@@ -1588,6 +1594,7 @@ gam calendar <CalendarEntity> printacl [todrive <ToDriveAttribute>*]
 <AttendeeStatus> ::= accepted|declined|needsaction|tentative

 <EventType> ::=
+        birthday|
        default|
        focustime|
        fromgmail|
@@ -1994,6 +2001,7 @@ gam revoke browsertoken <BrowserTokenPermanentID>
        org|
        orgunit|
        orgunitpath|
+        ou|
        revoketime|
        revokerid|
        state|
@@ -2040,6 +2048,7 @@ gam setup chat
        lastactivetime|
        membershipcount|
        name|
+        permissionsettings|
        singleuserbotdm|
        spacedetails|
        spacehistorystate|
@@ -2592,19 +2601,21 @@ gam create chromepolicyimage <ChromePolicyImageSchemaName> <FileName>

 gam update chromepolicy [convertcrnl]
        (<SchemaName> ((<Field> <Value>)+ | <JSONData>))+
-        ou|org|orgunit <OrgUnitItem> [(printerid <PrinterID>)|(appid <AppID>)]
+        ((ou|orgunit <OrgUnitItem>)|(cigroup <GroupItem>))
+        [(printerid <PrinterID>)|(appid <AppID>)]
 gam delete chromepolicy
        (<SchemaName> [<JSONData>])+
-        ou|org|orgunit <OrgUnitItem> [(printerid <PrinterID>)|(appid <AppID>)]
+        ((ou|orgunit <OrgUnitItem>)|(cigroup <GroupItem>))
+        [(printerid <PrinterID>)|(appid <AppID>)]
 gam show chromepolicies
-        ou|org|orgunit <OrgUnitItem> [(printerid <PrinterID>)|(appid <AppID>)]
-        [filter <String>] [namespace <NamespaceList>]
-        [show all|direct|inherited]
+        ((ou|orgunit <OrgUnitItem> [show all|direct|inherited])|(cigroup <GroupItem>))
+        [(printerid <PrinterID>)|(appid <AppID>)]
+        (filter <StringList>)* (namespace <NamespaceList>)*
        [formatjson]
 gam print chromepolicies [todrive <ToDriveAttribute>*]
-        ou|org|orgunit <OrgUnitItem> [(printerid <PrinterID>)|(appid <AppID>)]
-        [filter <String>] [namespace <NamespaceList>]
-        [show all|direct|inherited]
+        ((ou|orgunit <OrgUnitItem> [show all|direct|inherited])|(cigroup <GroupItem>))
+        [(printerid <PrinterID>)|(appid <AppID>)]
+        (filter <StringList>)* (namespace <NamespaceList>)*
        [[formatjson [quotechar <Character>]]

 <ChromePolicySchemaFieldName> ::=
@@ -2938,44 +2949,58 @@ gam <UserTypeEntity> show contactdelegates [shownames] [csv]
 gam create|add course [id|alias <CourseAlias>] <CourseAttribute>*
        [copyfrom <CourseID>
            [announcementstates <CourseAnnouncementStateList>]
+                [individualstudentannouncements copy|delete|maptoall]
            [materialstates <CourseMaterialStateList>]
+                [individualstudentmaterials copy|delete|maptoall]
            [workstates <CourseWorkStateList>]
-                [individualstudentassignments copy|delete|maptoall]
+                [individualstudentcoursework copy|delete|maptoall]
                [removeduedate [<Boolean>]]
                [mapsharemodestudentcopy edit|none|view]
+            [individualstudentassignments copy|delete|maptoall]
            [copymaterialsfiles [<Boolean>]]
            [copytopics [<Boolean>]]
+            [markdraftaspublished [<Boolean>]]
            [markpublishedasdraft [<Boolean>]]
            [members none|all|students|teachers]]
            [logdrivefileids [<Boolean>]]
+
 gam update course <CourseID> <CourseAttribute>+
        [copyfrom <CourseID>
            [announcementstates <CourseAnnouncementStateList>]
+                [individualstudentannouncements copy|delete|maptoall]
            [materialstates <CourseMaterialStateList>]
+                [individualstudentmaterials copy|delete|maptoall]
            [workstates <CourseWorkStateList>]
-                [individualstudentassignments copy|delete|maptoall]
+                [individualstudentcoursework copy|delete|maptoall]
                [removeduedate [<Boolean>]]
                [mapsharemodestudentcopy edit|none|view]
+            [individualstudentassignments copy|delete|maptoall]
            [copymaterialsfiles [<Boolean>]]
            [copytopics [<Boolean>]]
+            [markdraftaspublished [<Boolean>]]
            [markpublishedasdraft [<Boolean>]]
            [members none|all|students|teachers]]
            [logdrivefileids [<Boolean>]]
-gam delete course <CourseID> [archive|archived]

 gam update courses <CourseEntity> <CourseAttribute>+
        [copyfrom <CourseID>
            [announcementstates <CourseAnnouncementStateList>]
+                [individualstudentannouncements copy|delete|maptoall]
            [materialstates <CourseMaterialStateList>]
+                [individualstudentmaterials copy|delete|maptoall]
            [workstates <CourseWorkStateList>]
-                [individualstudentassignments copy|delete|maptoall]
+                [individualstudentcoursework copy|delete|maptoall]
                [removeduedate [<Boolean>]]
                [mapsharemodestudentcopy edit|none|view]
+            [individualstudentassignments copy|delete|maptoall]
            [copymaterialsfiles [<Boolean>]]
            [copytopics [<Boolean>]]
+            [markdraftaspublished [<Boolean>]]
            [markpublishedasdraft [<Boolean>]]
            [members none|all|students|teachers]]
            [logdrivefileids [<Boolean>]]
+
+gam delete course <CourseID> [archive|archived]
 gam delete courses <CourseEntity> [archive|archived]

 gam course <CourseID> create|add alias <CourseAlias>
@@ -3036,6 +3061,7 @@ gam print course-participants [todrive <ToDriveAttribute>*]
        creationtime|
        creator|creatoruserid|
        id|
+        individualstudentsoptions|
        materials|
        scheduledtime|
        state|
@@ -3056,6 +3082,7 @@ gam print course-participants [todrive <ToDriveAttribute>*]
        creator|creatoruserid|
        description|
        id|
+        individualstudentsoptions|
        materials|
        scheduledtime|
        state|
@@ -3098,6 +3125,7 @@ gam print course-participants [todrive <ToDriveAttribute>*]
        duedate|
        duetime|
        id|
+        individualstudentsoptions|
        materials|
        maxpoints|
        scheduledtime|
@@ -3120,35 +3148,36 @@ gam print course-announcements [todrive <ToDriveAttribute>*]
        (announcementids <CourseAnnouncementIDEntity>)|((announcementstates <CourseAnnouncementStateList>)*
        (orderby <CourseAnnouncementOrderByFieldName> [ascending|descending])*)
        [showcreatoremails|creatoremail] [fields <CourseAnnouncementFieldNameList>]
-        [formatjson [quotechar <Character>]]
        [timefilter creationtime|updatetime|scheduledtime] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
+        [countsonly] [formatjson [quotechar <Character>]]
 gam print course-materials [todrive <ToDriveAttribute>*]
        (course|class <CourseEntity>)*|([teacher <UserItem>] [student <UserItem>] states <CourseStateList>])
        (materialids <CourseMaterialIDEntity>)|((materialstates <CourseMaterialStateList>)*
        (orderby <CourseMaterialOrderByFieldName> [ascending|descending])*)
        [showcreatoremails|creatoremail] [showtopicnames] [fields <CourseMaterialFieldNameList>]
-        [formatjson [quotechar <Character>]]
        [timefilter creationtime|updatetime|scheduledtime] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
+        [countsonly] [formatjson [quotechar <Character>]]
 gam print course-submissions [todrive <ToDriveAttribute>*]
        (course|class <CourseEntity>)*|([teacher <UserItem>] [student <UserItem>] states <CourseStateList>])
        (workids <CourseWorkIDEntity>)|((workstates <CourseWorkStateList>)*
        (orderby <CourseWorkOrderByFieldName> [ascending|descending])*)
        (submissionids <CourseSubmissionIDEntity>)|((submissionstates <CourseSubmissionStateList>)*) [late|notlate]
        [fields <CourseSubmissionFieldNameList>]
-        [formatjson [quotechar <Character>]] [showuserprofile]
        [timefilter creationtime|updatetime] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
+        [countsonly] [formatjson [quotechar <Character>]]
 gam print course-topics [todrive <ToDriveAttribute>*]
        (course|class <CourseEntity>)*|([teacher <UserItem>] [student <UserItem>] states <CourseStateList>])
        [topicids <CourseTopicIDEntity>]
-        [formatjson [quotechar <Character>]]
        [timefilter updatetime] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
+        [countsonly] [formatjson [quotechar <Character>]]
 gam print course-works [todrive <ToDriveAttribute>*]
        (course|class <CourseEntity>)*|([teacher <UserItem>] [student <UserItem>] states <CourseStateList>])
        (workids <CourseWorkIDEntity>)|((workstates <CourseWorkStateList>)*
        (orderby <CourseWorkOrderByFieldName> [ascending|descending])*)
        [showcreatoremails|creatoremail] [showtopicnames] [fields <CourseWorkFieldNameList>]
-        [formatjson [quotechar <Character>]]
+        [showstudentsaslist [<Boolean>]] [delimiter <Character>]
        [timefilter creationtime|updatetime|scheduledtime] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
+        [countsonly] [formatjson [quotechar <Character>]]

 # Classroom - Invitations

@@ -3514,11 +3543,11 @@ gam [<UserTypeEntity>] show drivelabels
        [formatjson] [adminaccess|asadmin]
 `
 gam [<UserTypeEntity>] create drivelabelpermission <DriveLabelNameEntity>
-        (user <UserItem>) | (group <GroupItem) | (audience <String>)
+        (user <UserItem>) | (group <GroupItem>) | (audience <String>)
        role applier|editor|organizer|reader
        [formatjson] [adminaccess|asadmin]
 gam [<UserTypeEntity>] delete drivelabelpermission <DriveLabelNameEntity>
-        (user <UserItem>) | (group <GroupItem) | (audience <String>)
+        (user <UserItem>) | (group <GroupItem>) | (audience <String>)
        [adminaccess|asadmin]
 gam [<UserTypeEntity>] remove drivelabelpermission <DriveLabelPermissionNameEntity>
        [adminaccess|asadmin]
@@ -3793,6 +3822,7 @@ gam print group-members [todrive <ToDriveAttribute>*]
        [types <GroupTypeList>]
        [memberemaildisplaypattern|memberemailskippattern <RegularExpression>]
        [userfields <UserFieldNameList>]
+        [allschemas|(schemas|custom|customschemas <SchemaNameList>)]
        [(recursive [noduplicates])|includederivedmembership] [nogroupemail]
        [peoplelookup|(peoplelookupuser <EmailAddress>)]
        [unknownname <String>] [cachememberinfo [Boolean]]
@@ -4225,8 +4255,9 @@ gam show orgtree [fromparent <OrgUnitItem>] [batchsuborgs [<Boolean>]]
        users
 <OrgUnitCheckNameList> ::= "<OrgUnitCheckName>(,<OrgUnitCheckName>)*"

-gam check org|ou <OrgUnitItem> [todrive <ToDriveAttribute>*]
+gam check ou|org <OrgUnitItem> [todrive <ToDriveAttribute>*]
        [<OrgUnitCheckName>*|(fields <OrgUnitCheckNameList>)]
+        [filename <FileName>] [movetoou <OrgUnitItem>]
        [formatjson [quotechar <Character>]]

 # Printers
@@ -4926,6 +4957,7 @@ gam print teamdriveacls [todrive <ToDriveAttribute>*]
        [user|group <EmailAddress> [checkgroups]] (role|roles <SharedDriveACLRoleList>)*
        <PermissionMatch>* [<PermissionMatchAction>] [pmselect]
        [oneitemperrow] [<DrivePermissionsFieldName>*|(fields <DrivePermissionsFieldNameList>)]
+        (addcsvdata <FieldName> <String>)*
        [formatjson [quotechar <Character>]]
 gam show teamdriveacls
        [teamdriveadminquery|query <QueryTeamDrive>]
@@ -4955,6 +4987,7 @@ gam <UserTypeEntity> print teamdriveacls [todrive <ToDriveAttribute>*]
        <PermissionMatch>* [<PermissionMatchAction>] [pmselect]
        [oneitemperrow] [<DrivePermissionsFieldName>*|(fields <DrivePermissionsFieldNameList>)]
        [shownopermissionsdrives false|true|only]
+        (addcsvdata <FieldName> <String>)*
        [formatjson [quotechar <Character>]]
 gam <UserTypeEntity> show teamdriveacls
        [adminaccess|asadmin] [teamdriveadminquery|query <QueryTeamDrive>]
@@ -5355,7 +5388,7 @@ gam download storagefile <StorageBucketObjectName>
        (note clear|([text_html|text_plain] <String>|
                                            (file|htmlfile <FileName> [charset <Charset>])|
                                            (gdoc|ghtml <UserGoogleDoc>)))|
-        (org|ou|orgunitpath <OrgUnitPath>|<OrgUnitID>)
+        (ou|org|orgunitpath <OrgUnitPath>|<OrgUnitID>)
        (password (random [<Integer>])|(uniquerandom [<Integer>])|blocklogin|<Password>)|
        (recoveryemail <EmailAddress>)|
        (recoveryphone <string>)|
@@ -5816,6 +5849,7 @@ gam <UserTypeEntity> transfer calendars|seccals <UserItem> [<UserCalendarEntity>
 <AttendeeStatus> ::= accepted|declined|needsaction|tentative

 <EventType> ::=
+        birthday|
        default|
        focustime|
        outofoffice|
@@ -5865,13 +5899,15 @@ gam <UserTypeEntity> transfer calendars|seccals <UserItem> [<UserCalendarEntity>
 <AttendeeStatus> ::= accepted|declined|needsaction|tentative

 <EventAttribute> ::=
+        (allday <Date>)|
        (anyonecanaddself [<Boolean>])|
        (attachment <String> <URL>)|
        (attendee <EmailAddress>)|
        (attendeestatus [<AttendeeAttendance>] [<AttendeeStatus>] <EmailAddress>)|
        available|
+        (birthday <Date>)|
        (color <EventColorName>)|
-        (colorindex|colorid <EventColorIndex>))|
+        (colorindex|colorid <EventColorIndex>)|
        (description <String>)|
        (end|endtime (allday <Date>)|<Time>)|
        (guestscaninviteothers <Boolean>)|
@@ -5881,14 +5917,16 @@ gam <UserTypeEntity> transfer calendars|seccals <UserItem> [<UserCalendarEntity>
        guestscantseeotherguests|
        hangoutsmeet|
        <JSONData>|
-        (jsonattendees [charset <Charset>] <String>)|(jsonattendees file <FileName> [charset <Charset>])|
+        (jsonattendees [charset <Charset>] <String>)|
+        (jsonattendees file <FileName> [charset <Charset>])|
        (location <String>)|
        (noreminders|(reminder email|popup <Number>))|
        (optionalattendee <EmailAddress>)|
        (originalstart|originalstarttime (allday <Date>)|<Time>)|
        (privateproperty <PropertyKey> <PropertyValue>)|
+        (range <Date> <Date>)|
        (recurrence <RRULE, EXRULE, RDATE and EXDATE line>)|
-        (reminder <Number> email|popup))|
+        (reminder <Number> email|popup)|
        (selectattendees [<AttendeeAttendance>] [<AttendeeStatus>] <UserTypeEntity>)|
        (sequence <Integer>)|
        (sharedproperty <PropertyKey> <PropertyValue>)|
@@ -5897,6 +5935,7 @@ gam <UserTypeEntity> transfer calendars|seccals <UserItem> [<UserCalendarEntity>
        (status confirmed|tentative|cancelled)|
        (summary <String>)|
        tentative|
+        (timerange <Time> <Time>)|
        (timezone <TimeZone>)|
        (transparency opaque|transparent)|
        (visibility default|public|private)
@@ -6033,7 +6072,7 @@ gam <UserTypeEntity> print focustime|outofoffice|workinglocation
        [showdayofweek]
        [formatjson [quotechar <Character>]] [todrive <ToDriveAttribute>*]

-# Users Chat
+# Users - Chat

 <ChatContent> ::=
        ((text <String>)|
@@ -6055,7 +6094,7 @@ gam <UserTypeEntity> print focustime|outofoffice|workinglocation
        <String> must contain only lowercase letters, numbers, and hyphens up to 56 characters in length.

 gam <UserTypeEntity> create chatspace
-        [type <ChatSpaceType>]
+        [type <ChatSpaceType>] [announcement|collaboration]
        [restricted|(audience <String>)]
        [externalusersrallowed <Boolean>]
        [members <UserTypeEntity>]
@@ -6070,6 +6109,13 @@ gam <UserTypeEntity> update chatspace <ChatSpace>
         [type space]
         [description <String>] [guidelines|rules <String>]
         [history <Boolean>])
+        [managemembersandgroups managers|members]
+        [modifyspacedetails managers|members]
+        [togglehistory managers|members]
+        [useatmentionall managers|members]
+        [manageapps managers|members]
+        [managewebhooks managers|members]
+        [replymessages managers|members]
        [formatjson]
 gam <UserTypeEntity> delete chatspace <ChatSpace>

@@ -6329,6 +6375,7 @@ gam <UserTypeEntity> print chatevents [todrive <ToDriveAttribute>*]
        (description <String>)|
        (folderColorRgb <ColorValue>)|
        (indexabletext <String>)|
+        (inheritedpermissionsdisabled [<Boolean>])|
        (keeprevisionforever|pinned)|
        (lastviewedbyme <Time>)|
        (mimetype <MimeType>)|
@@ -6353,9 +6400,6 @@ gam <UserTypeEntity> print chatevents [todrive <ToDriveAttribute>*]
        (teamdriveparentid <DriveFolderID>)|
        (teamdriveparent <SharedDriveName>)|
        (teamdriveparentid <SharedDriveID> teamdriveparentname <DriveFolderName>)|
-        (teamdriveparent <SharedDriveName> teamdriveparentname <DriveFolderName>))|
-        (teamdriveparentid <DriveFolderID>)|(teamdriveparent <SharedDriveName>)|
-        (teamdriveparentid <SharedDriveID> teamdriveparentname <DriveFolderName>)|
        (teamdriveparent <SharedDriveName> teamdriveparentname <DriveFolderName>)

 <DriveFileCreateAttribute> ::=
@@ -6489,10 +6533,10 @@ gam <UserTypeEntity> get drivefile <DriveFileEntity> [revision <DriveFileRevisio
        [donotfollowshortcuts [<Boolean>]] [overwrite [<Boolean>]] [showprogress [<Boolean>]]
        [acknowledgeabuse [<Boolean>]]

-gam <UserTypeEntity> delete drivefile <DriveFileEntity> [purge|untrash|trash]
-gam <UserTypeEntity> purge drivefile <DriveFileEntity>
-gam <UserTypeEntity> trash drivefile <DriveFileEntity>
-gam <UserTypeEntity> untrash drivefile <DriveFileEntity>
+gam <UserTypeEntity> delete drivefile <DriveFileEntity> [purge|untrash|trash] [shortcutandtarget [<Boolean>]]
+gam <UserTypeEntity> purge drivefile <DriveFileEntity> [shortcutandtarget [<Boolean>]]
+gam <UserTypeEntity> trash drivefile <DriveFileEntity> [shortcutandtarget [<Boolean>]]
+gam <UserTypeEntity> untrash drivefile <DriveFileEntity> [shortcutandtarget [<Boolean>]]

 gam <UserTypeEntity> info drivefile <DriveFileEntity>
        [returnidonly]
@@ -6501,7 +6545,7 @@ gam <UserTypeEntity> info drivefile <DriveFileEntity>
        (orderby <DriveFileOrderByFieldName> [ascending|descending])*
        [showdrivename] [showshareddrivepermissions]
        [(showlabels details|ids)|(includelabels <DriveLabelIDList>)]
-        [showparentsidsaslist]
+        [showparentsidsaslist] [followshortcuts [<Boolean>]]
        [stripcrsfromname]
        [formatjson]

@@ -6747,65 +6791,67 @@ gam <UserTypeEntity> collect orphans
        [preview [todrive <ToDriveAttribute>*]]

 <DriveCapabilitiesSubfieldName> ::=
-        canacceptownership|
-        canaddchildren|
-        canaddfolderfromanotherdrive|
-        canaddmydriveparent|
-        canchangecopyrequireswriterpermission|
-        canchangecopyrequireswriterpermissionrestriction|
-        canchangedomainusersonlyrestriction|
-        canchangedrivebackground|
-        canchangedrivemembersonlyrestriction|
-        canchangesecurityupdateenabled|
-        canchangesharingfoldersrequiresorganizerpermissionrestriction|
-        canchangeviewerscancopycontent|
-        cancomment|
-        cancopy|
-        candelete|
-        candeletechildren|
-        candeletedrive|
-        candownload|
-        canedit|
-        canlistchildren|
-        canmanagemembers|
-        canmodifycontent|
-        canmodifycontentrestriction|
-        canmodifyeditorcontentrestriction|
-        canmodifylabels|
-        canmodifyownercontentrestriction|
-        canmovechildrenoutofdrive|
-        canmovechildrenoutofteamdrive|
-        canmovechildrenwithindrive|
-        canmovechildrenwithinteamdrive|
-        canmoveitemintodrive|
-        canmoveitemintoteamdrive|
-        canmoveitemoutofdrive|
-        canmoveitemoutofteamdrive|
-        canmoveitemwithindrive|
-        canmoveitemwithinteamdrive|
-        canmoveteamdriveitem|
-        canreaddrive|
-        canreadlabels|
-        canreadrevisions|
-        canreadteamdrive|
-        canremovechildren|
-        canremovecontentrestriction|
-        canremovemydriveparent|
-        canrename|
-        canrenamedrive|
-        canresetdriverestrictions|
-        canshare|
-        cantrash|
-        cantrashchildren|
-        canuntrash
+        capabilities.canacceptownership|
+        capabilities.canaddchildren|
+        capabilities.canaddfolderfromanotherdrive|
+        capabilities.canaddmydriveparent|
+        capabilities.canchangecopyrequireswriterpermission|
+        capabilities.canchangecopyrequireswriterpermissionrestriction|
+        capabilities.canchangedomainusersonlyrestriction|
+        capabilities.canchangedrivebackground|
+        capabilities.canchangedrivemembersonlyrestriction|
+        capabilities.canchangesecurityupdateenabled|
+        capabilities.canchangesharingfoldersrequiresorganizerpermissionrestriction|
+        capabilities.canchangeviewerscancopycontent|
+        capabilities.cancomment|
+        capabilities.cancopy|
+        capabilities.candelete|
+        capabilities.candeletechildren|
+        capabilities.candeletedrive|
+        capabilities.candisableinheritedpermissions|
+        capabilities.candownload|
+        capabilities.canedit|
+        capabilities.canenableinheritedpermissions|
+        capabilities.canlistchildren|
+        capabilities.canmanagemembers|
+        capabilities.canmodifycontent|
+        capabilities.canmodifycontentrestriction|
+        capabilities.canmodifyeditorcontentrestriction|
+        capabilities.canmodifylabels|
+        capabilities.canmodifyownercontentrestriction|
+        capabilities.canmovechildrenoutofdrive|
+        capabilities.canmovechildrenoutofteamdrive|
+        capabilities.canmovechildrenwithindrive|
+        capabilities.canmovechildrenwithinteamdrive|
+        capabilities.canmoveitemintodrive|
+        capabilities.canmoveitemintoteamdrive|
+        capabilities.canmoveitemoutofdrive|
+        capabilities.canmoveitemoutofteamdrive|
+        capabilities.canmoveitemwithindrive|
+        capabilities.canmoveitemwithinteamdrive|
+        capabilities.canmoveteamdriveitem|
+        capabilities.canreaddrive|
+        capabilities.canreadlabels|
+        capabilities.canreadrevisions|
+        capabilities.canreadteamdrive|
+        capabilities.canremovechildren|
+        capabilities.canremovecontentrestriction|
+        capabilities.canremovemydriveparent|
+        capabilities.canrename|
+        capabilities.canrenamedrive|
+        capabilities.canresetdriverestrictions|
+        capabilities.canshare|
+        capabilities.cantrash|
+        capabilities.cantrashchildren|
+        capabilities.canuntrash

 <DriveContentRestrictionsSubfieldName> ::=
-        ownerrestricted|
-        readonly|
-        reason|
-        restrictinguser|
-        restrictiontime|
-        type
+        contentrestrictions.ownerrestricted|
+        contentrestrictions.readonly|
+        contentrestrictions.reason|
+        contentrestrictions.restrictinguser|
+        contentrestrictions.restrictiontime|
+        contentrestrictions.type

 <DriveLabelInfoSubfieldName> ::=
        labels.id|              # modifiedByMe
@@ -6915,6 +6961,7 @@ gam <UserTypeEntity> collect orphans
        iconlink|
        id|
        imagemediametadata|
+        inheritedpermissionsdisabled|
        isappauthorized|
        labelinfo|
        <DriveLabelInfoSubfieldName>|
@@ -6952,8 +6999,8 @@ gam <UserTypeEntity> collect orphans
        <DriveSharingUserSubfieldName>|
        shortcutdetails|
        <DriveShortcutDetailsSubfieldName>|
-        sha1Checksum|
-        sha256Checksum|
+        sha1checksum|
+        sha256checksum|
        size|
        spaces|
        starred|
@@ -6984,7 +7031,7 @@ gam <UserTypeEntity> show fileinfo <DriveFileEntity>
        (orderby <DriveFileOrderByFieldName> [ascending|descending])*
        [showdrivename] [showshareddrivepermissions]
        [(showlabels details|ids)|(includelabels <DriveLabelIDList>)]
-        [showparentsidsaslist]
+        [showparentsidsaslist] [followshortcuts [<Boolean>]]
        [stripcrsfromname]
        [formatjson]

@@ -6993,14 +7040,17 @@ gam <UserTypeEntity> show filepath <DriveFileEntity>
        (orderby <DriveFileOrderByFieldName> [ascending|descending])*
        [stripcrsfromname]
        [fullpath] [folderpathonly [<Boolean>]] [pathdelimiter <Character>]
+        [followshortcuts [<Boolean>]]
 gam <UserTypeEntity> print filepath <DriveFileEntity> [todrive <ToDriveAttribute>*]
        (orderby <DriveFileOrderByFieldName> [ascending|descending])*
        [stripcrsfromname] [oneitemperrow]
        [fullpath] [folderpathonly [<Boolean>]] [pathdelimiter <Character>]
+        [followshortcuts [<Boolean>]]

 gam <UserTypeEntity> print filecounts [todrive <ToDriveAttribute>*]
        [((query <QueryDriveFile>) | (fullquery <QueryDriveFile>) | <DriveFileQueryShortcut>)
            (querytime<String> <Time>)*]
+        [continueoninvalidquery [<Boolean>]]
        [corpora <CorporaAttribute>]
        [select <SharedDriveEntity>]
        [anyowner|(showownedby any|me|others)]
@@ -7009,20 +7059,22 @@ gam <UserTypeEntity> print filecounts [todrive <ToDriveAttribute>*]
        [filenamematchpattern <RegularExpression>]
        <PermissionMatch>* [<PermissionMatchMode>] [<PermissionMatchAction>]
        [excludetrashed]
-        [showsize] [showmimetypesize]
+        [showsize] [showmimetypesize] [showlastmodification]
+        (addcsvdata <FieldName> <String>)*
        [summary none|only|plus] [summaryuser <String>]
 gam <UserTypeEntity> show filecounts
        [((query <QueryDriveFile>) | (fullquery <QueryDriveFile>) | <DriveFileQueryShortcut>)
            (querytime<String> <Time>)*]
+        [continueoninvalidquery [<Boolean>]]
        [corpora <CorporaAttribute>]
        [select <SharedDriveEntity>]
        [anyowner|(showownedby any|me|others)]
-        [showmimetype [not] <MimeTypeList>] [`<showmimetype category <MimeTypeNameList>]
+        [showmimetype [not] <MimeTypeList>] [showmimetype category <MimeTypeNameList>]
        [sizefield quotabytesused|size] [minimumfilesize <Integer>] [maximumfilesize <Integer>]
        [filenamematchpattern <RegularExpression>]
        <PermissionMatch>* [<PermissionMatchMode>] [<PermissionMatchAction>]
        [excludetrashed]
-        [showsize] [showmimetypesize]
+        [showsize] [showmimetypesize] [showlastmodification]
        [summary none|only|plus] [summaryuser <String>]

 gam <UserTypeEntity> print filesharecounts [todrive <ToDriveAttribute>*]
@@ -7076,6 +7128,7 @@ gam <UserTypeEntity> print fileparenttree <DriveFileEntity> [todrive <ToDriveAtt
 gam <UserTypeEntity> print filelist [todrive <ToDriveAttribute>*]
        [((query <QueryDriveFile>) | (fullquery <QueryDriveFile>) | <DriveFileQueryShortcut>)
            (querytime<String> <Time>)*]
+        [continueoninvalidquery [<Boolean>]]
        [choose <DriveFileNameEntity>|<DriveFileEntityShortcut>]
        [corpora <CorporaAttribute>]
        [select <DriveFileEntity> [selectsubquery <QueryDriveFile>]
@@ -7123,7 +7176,7 @@ gam <UserTypeEntity> print diskusage <DriveFileEntity> [todrive <ToDriveAttribut
        upload
 <DriveActivityActionList> ::= "<DriveActivityAction>(,<DriveActivityAction>)*"

-gam <UserTypeEntity> print|show driveactivity [todrive <ToDriveAttribute>*]
+gam <UserTypeEntity> print driveactivity [todrive <ToDriveAttribute>*]
        [(fileid <DriveFileID>) | (folderid <DriveFolderID>) |
         (drivefilename <DriveFileName>) | (drivefoldername <DriveFolderName>) | (query <QueryDriveFile>)]
        [([start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>])|(range <Date>|<Time> <Date>)|<Time>|
@@ -7131,7 +7184,7 @@ gam <UserTypeEntity> print|show driveactivity [todrive <ToDriveAttribute>*]
        [action|actions [not] <DriveActivityActionList>]
        [consolidationstrategy legacy|none]
        [idmapfile <CSVFileInput> endcsv]
-        [formatjson [quotechar <Character>]]
+        [stripcrsfromname] [formatjson [quotechar <Character>]]

 <DriveSettingsFieldName> ::=
        appinstalled|
@@ -7424,7 +7477,7 @@ gam <UserTypeEntity> delete messages|threads
 gam <UserTypeEntity> modify messages|threads
        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
         [quick|notquick] [doit] [max_to_modify <Number>])|(ids <MessageIDEntity>)
-        (addlabel <LabelName>)* (removelabel <LabelName>)*
+        ((addlabel <LabelName>)|(removelabel <LabelName>))+
        [csv [todrive <ToDriveAttribute>*]]
 gam <UserTypeEntity> spam messages|threads
        (((query <QueryGmail> [querytime<String> <Date>]*) (matchlabel <LabelName>) [or|and])+
@@ -7511,7 +7564,7 @@ gam <UserTypeEntity> show signature|sig [compact|format|html]
 gam <UserTypeEntity> print signature [compact]
        [primary|default] [verifyonly] [todrive <ToDriveAttribute>*]

-gam <UserTypeEntity> vacation <Boolean> subject <String>
+gam <UserTypeEntity> vacation [<Boolean>] [subject <String>]
        [<VacationMessageContent> (replace <Tag> <UserReplacement>)*]
        [html [<Boolean>]] [contactsonly [<Boolean>]] [domainonly [<Boolean>]]
        [start|startdate <Date>|Started] [end|enddate <Date>|NotSpecified]
@@ -7602,10 +7655,10 @@ gam <UserTypeEntity> check group|groups
        [roles <GroupRoleList>] [includederivedmembership] [csv] <GroupEntity>
 gam <UserTypeEntity> print groups [todrive <ToDriveAttribute>*]
        [(domain <DomainName>)|(customerid <CustomerID>)]
-        [roles <GroupRoleList>] [countsonly|nodetails]
+        [roles <GroupRoleList>] [countsonly|totalonly|nodetails]
 gam <UserTypeEntity> show groups
        [(domain <DomainName>)|(customerid <CustomerID>)]
-        [roles <GroupRoleList>] [countsonly|nodetails]
+        [roles <GroupRoleList>] [countsonly|totalonly|nodetails]
 gam <UserTypeEntity> print grouptree [todrive <ToDriveAttribute>*]
        [(domain <DomainName>)|(customerid <CustomerID>)]
        [roles <GroupRoleList>]
@@ -7760,6 +7813,52 @@ gam <UserTypeEntity> show lookerstudiopermissions
        [role editor|owner|viewer]
        [formatjson]

+# Users - Meet
+
+<MeetConferenceName> ::= conferenceRecords/<String>
+<MeetSpaceName> ::= spaces/<String> | <String>
+<MeetSpaceOptions> ::=
+        accesstype open|trusted|restricted |
+        entrypointaccess all|creatorapponly
+
+gam <UserTypeEntity> create meetspace
+        <MeetSpaceOptions>*
+        [formatjson]
+
+gam <UserTypeEntity> update meetspace <MeetSpaceName>
+        <MeetSpaceOptions>*
+        [formatjson]
+
+gam <UserTypeEntity> info meetspace <MeetSpaceName>
+        [formatjson]
+
+gam <UserTypeEntity> end meetconference <MeetSpaceName>
+
+gam <UserItem> show meetconferences
+        [space <MeetSpaceName>] [code <String>]
+        [andquery|orquery <String>] [querytime<String> <Time>]
+        [formatjson]
+gam <UserItem> print meetconferences [todrive <ToDriveAttribute>*]
+        [andquery|orquery <String>] [querytime<String> <Time>]
+        [formatjson [quotechar <Character>]]
+
+gam <UserItem> show meetparticipants <MeetConferenceName>
+        [query <String>] [querytime<String> <Time>]
+        [formatjson]
+gam <UserItem> print meetparticipants <MeetConferenceName> [todrive <ToDriveAttribute>*]
+        [query <String>] [querytime<String> <Time>]
+        [formatjson [quotechar <Character>]]
+
+gam <UserItem> show meetrecordings <MeetConferenceName>
+        [formatjson]
+gam <UserItem> print meetrecordings <MeetConferenceName> [todrive <ToDriveAttribute>*]
+        [formatjson [quotechar <Character>]]
+
+gam <UserItem> show meettranscripts <MeetConferenceName>
+        [formatjson]
+gam <UserItem> print meettranscripts <MeetConferenceName> [todrive <ToDriveAttribute>*]
+        [formatjson [quotechar <Character>]]
+
 # Users - Contacts and Profiles

 <PeopleContactAttribute> ::=
@@ -7804,7 +7903,7 @@ gam <UserTypeEntity> show lookerstudiopermissions
        (subject <String>)|
        (suffix <String>)|
        (userdefinedfield clear|(<String> <String>))|
-        (website clear|(app_install_page|blog|ftp|home|home_page|other|profile|reservations|work|<String> <URL> notprimary|primary))
+        (url|website clear|(app_install_page|blog|ftp|home|home_page|other|profile|reservations|work|<String> <URL> notprimary|primary))

 <PeopleUserContactSelection> ::=
        [(selectcontactgroup <PeopleContactGroupItem>)|
@@ -8162,12 +8261,12 @@ gam <UserTypeEntity> update sheet <DriveFileEntity>
 gam <UserTypeEntity> info|show sheet <DriveFileEntity>
        [fields <SpreadsheetFieldList>] [sheetsfields <SpreadsheetSheetsFieldList>]
        (range <SpreadsheetRange>)* (rangelist <SpreadsheetRangeList>)*
-        [includegriddata [<Boolean>]]
+        [includegriddata [<Boolean>]] [shownames]
        [formatjson]
 gam <UserTypeEntity> print sheet <DriveFileEntity> [todrive <ToDriveAttribute>*]
        [fields <SpreadsheetFieldList>] [sheetsfields <SpreadsheetSheetsFieldList>]
        (range <SpreadsheetRange>)* (rangelist <SpreadsheetRangeList>)*
-        [includegriddata [<Boolean>]]
+        [includegriddata [<Boolean>]] [shownames]
        [formatjson [quotechar <Character>]]

 See: https://developers.google.com/sheets/api/reference/rest/v4/spreadsheets.values#ValueRange
--- a/src/GamUpdate.txt
+++ b/src/GamUpdate.txt
@@ -1,7 +1,342 @@
+7.00.13
+
+Version bump in order to confirm MSI installs are operating properly
+
+7.00.12
+
+Updated option `showlastmodification` to `gam <UserTypeEntity> print|show filecounts` to handle
+the case where all users owning files are suspended. In this case the `lastModifyingUser` column
+will show the user's display name as the API doesn't return the user's email address.
+
+Updated support for `Folders with limited access`; this is a work in progress.
+
+Windows builds now use PyInstaller's onedir config for improved performance. You may notice a lib
+folder now exists underneath the GAM install path. GAM commands should start significantly faster.
+
+7.00.11
+
+Updated to Python 3.12.7 where possible.
+
+7.00.10
+
+Handled the following error that occurs when `gam create user` is immediateley followed by `gam update user`.
+```
+ERROR: 412: conditionNotMet - User creation is not complete.
+```
+
+Updated support for `Folders with limited access`; this is a work in progress.
+
+7.00.09
+
+Added initial support for `Folders with limited access`; you must be enrolled in the Beta preview.
+
+Updated `api_call_tries_limit` variable to `gam.cfg` that limits the number of tries
+for Google API calls that return an error that indicates a retry should be performed.
+The default value is 10 and the range of allowable values is 3-30.
+
+7.00.08
+
+Fixed bug in `gam <UserTypeEntity> delete groups` that caused the command to fail when `enable_dasa = true` in `gam.cfg`.
+
+7.00.07
+
+Updated `<PeopleContactAttribute>` fields `address,email,phone,url` to allow an empty type field.
+```
+address "" formatted "My Address" primary
+email "" user@gmail.com primary
+phone "" "510-555-1212" primary
+url "" "https://www.domain.com" primary
+```
+
+7.00.06
+
+Updated `gam <UserTypeEntity> create|update chatspace` to support the new permissions settings
+for Chat spaces that are in Developer Preview.
+
+* See: https://developers.google.com/workspace/chat/api/reference/rest/v1/spaces#Space.FIELDS.predefined_permission_settings
+
+7.00.05
+
+Fixed bug that caused an error when creating a calendar birthday event.
+
+7.00.04
+
+Improved performance of `gam report users orgunit <OrgUnitPath>` when `showorgunit` is not specified.
+
+Added option `birthday <Date>` to `gam <UserTypeEntity> create event <UserCalendarEntity>` that adds
+an annual recurring event to the calendar.
+
+Added `birthday` to `<EventType>` for use in various calendar event commands.
+
+7.00.03
+
+Updated `gam delete ou` and `gam print admins` to handle the following error:
+```
+ERROR: 503: serviceNotAvailable - The service is currently unavailable.
+```
+
+7.00.02
+
+Added option `showlastmodification` to `gam <UserTypeEntity> print|show filecounts` that adds
+the following fields to the output: `lastModifiedFileId,lastModifiedFileName,lastModifyingUser,lastModifiedTime`;
+these are for the most recently modified file.
+
+Added option `keepforever [<Boolean>]` to `gam <UserTypeEntity> update filerevisions` that allows setting
+`Keep forever` in revisions.
+
+Upgraded to Python 3.12.6 where possible.
+
+7.00.01
+
+Added option `shownames` to `gam <UserTypeEntity> print|show sheet` that causes GAM
+to make an additional API call to get and display the sheet file name that is not supplied by the Sheets API.
+
 7.00.00

 Merged GAM-Team version

+6.81.02
+
+Updated `gam update group postmaster@domain.com` to handle the error that is generated.
+
+6.81.01
+
+Fixed bug in `gam <UserTypeEntity> create meetspace` that caused errors
+due to Developer Preview options being included.
+
+6.81.00
+
+Added support for groups when defining Chrome policies.
+
+Added support for the Meet API.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Users-Meet
+
+Added option `countsonly` to the following course commands that displays
+the number of items in a course but not the details of the items.
+```
+gam print course-announcements
+gam print course-materials
+gam print course-submissions
+gam print course-topics
+gam print course-work
+```
+
+6.80.21
+
+Updated `gam <UserTypeEntity> archive messages` to handle the following error:
+```
+googleapiclient.errors.MediaUploadSizeError: Media larger than: 26214400
+```
+
+6.80.20
+
+Updated `gam report usage user` and `gam report users` to handle the following error:
+```
+ERROR: 503: serviceNotAvailable - The service is currently unavailable.
+```
+
+6.80.19
+
+Fixed bug in `gam create inboundssoprofile` that caused a trap due to
+an unexpected API result.
+
+Updated `gam create inboundssoprofile ... returnnameonly` to return `inProgress` if the API
+does not return a complete result.
+
+Upgraded to OpenSSL 3.3.2 where possible.
+
+6.80.18
+
+Updated `gam print|show admins` to handle the following error:
+```
+ERROR: 503: serviceNotAvailable - The service is currently unavailable.
+```
+
+6.80.17
+
+Updated `gam <UserTypeEntity> modify messages` to improve error handling.
+
+6.80.16
+
+Fixed bug in `gam print vaultcounts` that caused a trap.
+
+6.80.15
+
+Fixed bug in `gam <UserTypeEntity> print filelist ... countsrowfilter` that caused a trap.
+
+Added option `continueoninvalidquery [<Boolean>]` to `gam <UserTypeEntity> print filelist|filecounts` that can be used
+in special cases where a query  of the form `query "'labels/mRoha85IbwCRl490E00xGLvBsSbkwIiuZ6PRNNEbwxyz' in labels"
+causes Google to issue an error saying that the query is invalid when, in fact, it is but the user does not have a
+license that suppprts drive file labels. When `continueoninvalidquery` is true, GAM prints an error message and
+proceeds to the next user rather that terminating as it does now. Of course, if the query really is invalid, you will
+get the message for every user.
+
+6.80.14
+
+Updated `gam <UserTypeEntity> print messages|threads` to display all default headers
+even if no messages are to be displayed. This eliminates error messages of the following form
+that occurred because only the headers `User,threadId,id` were displayed.
+```
+WARNING: csv_output_row_filter column "^Date$" does not match any output columns
+```
+
+6.80.13
+
+Added `my_publishable_items` to `<DriveFileQueryShortcut>` that can be used in
+`gam <UserTypeEntity> print filerevisions` to select only those items that can be
+published to the web: documents, forms, presentations(slides), spreadsheets. With row filtering,
+this allows identification of files that have been published outside your domain.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Users-Drive-Files-Display#display-files-published-to-the-web
+
+6.80.12
+
+Updated `gam print vaultcounts` to correctly display accounts with errors.
+
+6.80.11
+
+Updated `gam <UserTypeEntity> delete|purge|trash|untrash <DriveFileEntity> shortcutandtarget`
+that when `<DriveFileEntity` is a shortcut, to have GAM validate that the shortcut and target can be
+successfully processed before proceeding.
+
+6.80.10
+
+Added option `followshortcuts [<Boolean>]` to `gam <UserTypeEntity> print|show fileinfo|filepath <DriveFileEntity>`
+that when true and `<DriveFileEntity` is a shortcut, causes GAM to display information about the target of the shortcut rather than the shortcut itself.
+
+Added option `shortcutandtarget [<Boolean>]` to `gam <UserTypeEntity> delete|purge|trash|untrash <DriveFileEntity>`
+that when true and `<DriveFileEntity` is a shortcut, causes GAM to process the shortcut and the target of the shortcut.
+
+6.80.09
+
+Added options `allschemas|(schemas|custom|customschemas <SchemaNameList>)` to `gam print group-members`
+that display any custom schema values for the group members.
+
+6.80.08
+
+Updated `gam print|show oushareddrives` to display the Shared Drive ID, name and orgUnitPath as
+individual, separate entities in the output.
+
+6.80.07
+
+Updated `dateheaderformat iso` in `gam <UserTypeEntity> info|print|show messages` to include a colon
+between the hours and minutes in the timezone portion of the string as in all other time strings.
+
+6.80.06
+
+Added option `tdreturnidonly [<Boolean>]` to `<ToDriveAttribute>` that when true (the default), causes GAM to display
+only the uploaded file ID to stdout. This can be captured and used in subsequent commands, `tdfileid <DriveFileID>` that will update the same file.
+
+6.80.05
+
+Added  option `individualstudentcoursework copy|delete|maptoall` to `gam create|update course ... copyfrom`
+that controls how individual student coursework in the `copyfrom` course is processed.
+* `individualstudentcoursework copy` - Copy individual student coursework; this is the default. You will get an error if a student is not a member of the course
+* `individualstudentcoursework delete` - Delete individual student coursework
+* `individualstudentcoursework maptoall` - Map individual student coursework to all student coursework
+
+For convenience, setting `individualstudentassignments` sets all of the following to the same value:
+*`individualstudentannouncements`
+*`individualstudentmaterials`
+*`individualstudentcoursework`
+
+6.80.04
+
+Cleaned up progress messages in `gam create|update course ... copyfrom`.
+
+6.80.03
+
+Added option `stripcrsfromname` to `gam <UserTypeEntity> print driveactivity` that causes carriage returns,
+linefeeds and nulls to be stripped from file names.
+
+6.80.02
+
+Added option `addcsvdata <FieldName> <String>` to `gam <UserTypeEntity> print filecounts` that adds
+additional columns of data to the CSV file output.
+
+Added  options `individualstudentannouncements copy|delete|maptoall` and `individualstudentmaterials copy|delete|maptoall`
+to `gam create|update course ... copyfrom` that controls how individual student announcements and materials in the `copyfrom` course are processed.
+* `individualstudentannouncements copy` - Copy individual student announcements; this is the default. You will get an error if a student is not a member of the course
+* `individualstudentannouncements delete` - Delete individual student announcements
+* `individualstudentannouncements maptoall` - Map individual student announcements to all student announcements
+* `individualstudentmaterials copy` - Copy individual student materials; this is the default. You will get an error if a student is not a member of the course
+* `individualstudentmaterials delete` - Delete individual student materials
+* `individualstudentmaterials maptoall` - Map individual student materials to all student materials
+
+6.80.01
+
+Added options `showstudentsaslist [<Boolean>]` and `delimiter <Character>` to `gam print course-work`.
+By default, when course work is assigned to individual students, the student IDs are displayed in multiple indexed columns.
+Use these options to display the student IDs in a single column as a delimited list.
+
+Updated `gam <UserTypeEntity> vacation [<Boolean>]` to make `<Boolean>` optional; this allows changes
+to other fields without affecting the current responder state.
+
+Updated `gam <UserTypeEntity> print|show vacation` to avoid a trap when invalid start or end dates
+have been entered in the Gmail user interface. Invalid dates are represented as `1970-01-01`.
+
+6.80.00
+
+Fixed bug in `gam <UserTypeEntity> print users ... license ... formatjson` that caused a trap.
+
+Upgraded to Python 3.12.5 where possible.
+
+6.79.12
+
+Fixed bug in `gam user admin@domain.com print chatspaces asadmin` that caused the following error:
+```
+Chat Admin: admin@domain.com(asadmin), Print Failed: This method doesn't support non-admin user authentication. Authenticate with an admin account.
+```
+
+6.79.11
+
+Fixed bug in `gam <UserItem> print|show chatmembers` where the `filter <String>` was not applied.
+
+6.79.10
+
+Updated commands to handle a trap that occurs when oauth2service.json specifies a YubiKey but the YubiKey is not inserted.
+
+6.79.09
+
+Added option `addcsvdata <FieldName> <String>` to `gam <UserTypeEntity> print teamdriveacls` that adds
+additional columns of data to the CSV file output. This can be used when ACLs for selected users are to be
+replaced with a different user email address.
+
+* See: https://github.com/taers232c/GAMADV-XTD3/wiki/Users-Shared-Drives#bulk-change-user1-shared-drive-access-to-user2
+
+6.79.08
+
+Clarified action to perform messages when creating/deleting/updating licenses.
+
+6.79.07
+
+Added option `totalonly` to `gam <UserTypeEntity> print|show groups` that displays
+the user email address and the total number of groups to which it belongs. This is in
+contrast to `countsonly` that has to make an additional API call per group per user to get the user's role.
+When `countsonly` is specified, an additional column `Total` is displayed that is the sum
+of the role counts.
+
+6.79.06
+
+Fixed bug in `gam calendars <CalendarEntity> update event ... removeattendee <EmailAddress>` that caused a trap
+if the event had no attendees.
+
+6.79.05
+
+Updated `gam <UserTypeEntity> empty drivetrash <SharedDriveEntity>` to handle this error that
+occurs when the user is not a Manager of the Shared Drive.
+```
+ERROR: 403: insufficientFilePermissions - The user does not have sufficient permissions for this file.
+```
+
+6.79.04
+
+Added options `filename <FileName>` and `movetoou <OrgUnitItem>` to `gam check ou <OrgUnitItem>`
+that causes GAM to create a batch file of GAM commands that will move any remaining items
+in `ou <OrgUnitItem>` to `movetoou <OrgUnitItem>`; executing the batch file will then allow
+`ou <OrgUnitItem>` to be deleted if desired.
+
 6.79.03

 Added column|field `assignedToUnknown` to `gam print|show admins` that will be True when
@@ -147,7 +482,7 @@ Thanks to Jay, added option `nokey` to `gam create project` that creates a proje

 Added option `individualstudentassignments copy|delete|maptoall` to `gam create|update course ... copyfrom`
 that controls how individual student assignments in the `copyfrom` course are processed.
-* `individualstudentassignments copy` - Copy individual student assignments; this is the default. You will get an error if the student is not a member of the course.
+* `individualstudentassignments copy` - Copy individual student assignments; this is the default. You will get an error if a student is not a member of the course
 * `individualstudentassignments delete` - Delete individual student assignments
 * `individualstudentassignments maptoall` - Map individual student assignments to all student assignments

@@ -253,7 +588,7 @@ and was `Waiting for N running processes to finish before terminating`.

 Fixed bug in `gam <UserTypeEntity> print messages ... positivecountsonly` where message counts with value 0 were deiplayed.

-Added option `addcsvdata <FieldName> <String>` to `gam <UserTypeEntity> print|messages` that adds
+Added option `addcsvdata <FieldName> <String>` to `gam <UserTypeEntity> print messages` that adds
 additional columns of data to the CSV file output.

 Added option `showusagebytes` to `gam <UserTypeEntity> print|show drivesettings` that displays
@@ -18160,4 +18495,3 @@ This isn't elegant but it's a start; you can say:
    with open(GAM_STDOUT, 'rU') as f:
        for line in f:
            sys.stdout.write(line)
-
--- a/src/chat-v1.json
+++ b/src/chat-v1.json
--- a/src/gam-install.sh
+++ b/src/gam-install.sh
@@ -16,12 +16,12 @@ OPTIONS:
   -u      Admin user email address to use with GAM. Default is to prompt.
   -r      Regular user email address. Used to test service account access to user data. Default is to prompt.
   -v      Version to install (latest, prerelease, draft, 3.8, etc). Default is latest.
-   -s      Strip gam7 component from extracted files, files will be downloaded directly to $target_dir
+   -s      Strip gam component from extracted files, files will be downloaded directly to $target_dir
 EOF
 }

 target_dir="$HOME/bin"
-target_gam="gam/gam"
+target_gam="gam7/gam"
 gamarch=$(uname -m)
 gamos=$(uname -s)
 osversion=""
@@ -30,7 +30,7 @@ upgrade_only=false
 gamversion="latest"
 adminuser=""
 regularuser=""
-gam_x86_64_glibc_vers="2.31"
+gam_x86_64_glibc_vers="2.35 2.31"
 gam_arm64_glibc_vers="2.31"
 strip_gam="--strip-components 0"

@@ -141,7 +141,28 @@ case $gamos in
    ;;
  [Mm]ac[Oo][sS]|[Dd]arwin)
    gamos="macos"
-    gamfile="macos-universal2.tar.xz"
+    fullversion=$(sw_vers -productVersion)
+    osversion=${fullversion:0:2}
+    case $gamarch in
+      x86_64)
+        gamfile="macos-x86_64.tar.xz"
+	minimum_version=13
+        ;;
+      arm|arm64|aarch64)
+        gamfile="macos-aarch64.tar.xz"
+	minimum_version=14
+        ;;
+      *)
+        echo_red "ERROR: this installer currently only supports x86_64 and arm64 MacOS. Looks like you're running on $gamarch. Exiting."
+        exit
+	;;
+    esac
+    if [[ "$osversion" -ge "$minimum_version" ]]; then
+      echo_green "You are running MacOS ${fullversion}, good. Using GAM with ${gamfile}."
+    else
+      echo_red "Sorry, you are running MacOS ${fullversion} but GAM on ${gamarch} requires MacOS ${minimum_version}. Exiting."
+      exit
+    fi
    ;;
  MINGW64_NT*)
    gamos="windows"
@@ -154,7 +175,9 @@ case $gamos in
    ;;
 esac

-if [ "$gamversion" == "latest" -o "$gamversion" == "prerelease" -o "$gamversion" == "draft" ]; then
+if [ "$gamversion" == "latest" ]; then
+  release_url="https://api.github.com/repos/GAM-team/GAM/releases/latest"
+elif [ "$gamversion" == "prerelease" -o "$gamversion" == "draft" ]; then
  release_url="https://api.github.com/repos/GAM-team/GAM/releases"
 else
  release_url="https://api.github.com/repos/GAM-team/GAM/releases/tags/v$gamversion"
--- a/src/gam.spec
+++ b/src/gam.spec
@@ -12,15 +12,15 @@ for pkg in GAM_VER_LIBS:
    datas += copy_metadata(pkg, recursive=True)
 datas += [('admin-directory_v1.1beta1.json', '.')]
 datas += [('cbcm-v1.1beta1.json', '.')]
-datas += [('chat-v1.json', '.')]
 datas += [('contactdelegation-v1.json', '.')]
 datas += [('datastudio-v1.json', '.')]
 datas += [('serviceaccountlookup-v1.json', '.')]
 datas += [('cacerts.pem', '.')]
 hiddenimports = [
-     'gam.auth.yubikey',
+     'gam.gamlib.yubikey',
     ]

+runtime_hooks = []
 a = Analysis(
    ['gam/__main__.py'],
    pathex=[],
@@ -29,28 +29,35 @@ a = Analysis(
    hiddenimports=hiddenimports,
    hookspath=[],
    hooksconfig={},
-    runtime_hooks=[],
+    runtime_hooks=runtime_hooks,
    excludes=[],
    win_no_prefer_redirects=False,
    win_private_assemblies=False,
    cipher=None,
    noarchive=False,
-)
+    )
+#print(f"datas from analysis:\n{a.datas}")
 for d in a.datas:
    if 'pyconfig' in d[0]:
        a.datas.remove(d)
        break
+#print(f"datas after pyconfig cleanup:\n{a.datas}")
 pyz = PYZ(a.pure,
          a.zipped_data,
          cipher=None)
 # requires Python 3.10+ but no one should be compiling
 # GAM with older versions anyway
+target_arch = None
+codesign_identity = None
+entitlements_file = None
 match platform:
    case "darwin":
        if getenv('arch') == 'universal2':
            target_arch = "universal2"
-        else:
-            target_arch = None
+
+        codesign_identity = getenv('codesign_identity')
+        if codesign_identity:
+            entitlements_file = '../.github/actions/entitlements.plist'
        strip = True
    case "win32":
        target_arch = None
@@ -65,9 +72,38 @@ upx = False
 console = True
 disable_windowed_traceback = False
 argv_emulation = False
-codesign_identity = None
-entitlements_file = None
-if not getenv('PYINSTALLER_BUILD_ONEDIR') == 'yes':
+if getenv('PYINSTALLER_BUILD_ONEDIR') == 'yes':
+    # Build one directory
+    exe = EXE(
+              pyz,
+              a.scripts,
+              [],
+              exclude_binaries=True,
+              name=name,
+              debug=debug,
+              bootloader_ignore_signals=bootloader_ignore_signals,
+              strip=strip,
+              upx=upx,
+              console=console,
+              # put most everyting under a lib/ subfolder
+              contents_directory='lib',
+              disable_windowed_traceback=disable_windowed_traceback,
+              argv_emulation=argv_emulation,
+              target_arch=target_arch,
+              codesign_identity=codesign_identity,
+              entitlements_file=entitlements_file,
+              )
+    coll = COLLECT(
+        exe,
+        a.binaries,
+        a.zipfiles,
+        a.datas,
+        strip=strip,
+        upx=upx,
+        upx_exclude=[],
+        name=name,
+        )
+else:
    # Build one file
    exe = EXE(
              pyz,
@@ -88,33 +124,4 @@ if not getenv('PYINSTALLER_BUILD_ONEDIR') == 'yes':
              codesign_identity=codesign_identity,
              entitlements_file=entitlements_file,
              )
-else:
-    # Build one folder
-    exe = EXE(
-              pyz,
-              a.scripts,
-              [],
-              exclude_binaries=True,
-              name=name,
-              debug=debug,
-              bootloader_ignore_signals=bootloader_ignore_signals,
-              strip=strip,
-              upx=upx,
-              console=console,
-              disable_windowed_traceback=disable_windowed_traceback,
-              argv_emulation=argv_emulation,
-              target_arch=target_arch,
-              codesign_identity=codesign_identity,
-              entitlements_file=entitlements_file,
-              )
-    coll = COLLECT(
-        exe,
-        a.binaries,
-        a.zipfiles,
-        a.datas,
-        strip=strip,
-        upx=upx,
-        upx_exclude=[],
-        name=name,
-        )

--- a/src/gam.wxs
+++ b/src/gam.wxs
@@ -32,8 +32,11 @@
    <SetDirectory Id="WINDOWSVOLUME" Value="[WindowsVolume]"/>
    <Directory Id="TARGETDIR" Name="SourceDir">
      <Directory Id="WINDOWSVOLUME">
-          <Directory Id="INSTALLFOLDER" Name="GAM7" />
-        </Directory>
+        <Directory Id="INSTALLFOLDER" Name="GAM7">
+          <Directory Id="lib" Name="lib">
+	  </Directory>
+	</Directory>
+      </Directory>
    </Directory>
  </Fragment>

@@ -42,7 +45,7 @@
    <ComponentGroup
        Id="ProductComponents"
        Directory="INSTALLFOLDER"
-        Source="dist/gam">
+	Source="dist/gam/gam7">
      <Component Id="gam_exe" Guid="d046ea24-c9f8-40ca-84db-70b0119933ff">
        <File Name="gam.exe" KeyPath="yes" />
        <Environment Id="PATH" Name="PATH" Value="[INSTALLFOLDER]" Permanent="yes" Part="last" Action="set" System="yes" />
@@ -62,6 +65,7 @@
      <Component Id="cacerts_pem" Guid="61fe2b2d-1646-4bed-b844-193965e97727">
        <File Name="cacerts.pem" KeyPath="yes" />
      </Component>
+      <ComponentGroupRef Id="Lib" />
    </ComponentGroup>
  </Fragment>

--- a/src/gam/init.py
+++ b/src/gam/init.py
--- a/src/gam/chat-v1.json
+++ b/src/gam/chat-v1.json
--- a/src/gam/gamlib/glaction.py
+++ b/src/gam/gamlib/glaction.py
@@ -56,6 +56,7 @@ class GamAction():
  DRAFT = 'draf'
  EMPTY = 'empt'
  ENABLE = 'enbl'
+  END = 'end '
  EXISTS = 'exis'
  EXPORT = 'expo'
  EXTRACT = 'extr'
@@ -174,6 +175,7 @@ class GamAction():
    DRAFT: ['Drafted', 'Draft'],
    EMPTY: ['Emptied', 'Empty'],
    ENABLE: ['Enabled', 'Enable'],
+    END: ['Ended', 'End'],
    EXISTS: ['Exists', 'Exists'],
    EXPORT: ['Exported', 'Export'],
    EXTRACT: ['Extracted', 'Extract'],
--- a/src/gam/gamlib/glapi.py
+++ b/src/gam/gamlib/glapi.py
@@ -74,6 +74,7 @@ IAP = 'iap'
 KEEP = 'keep'
 LICENSING = 'licensing'
 LOOKERSTUDIO = 'datastudio'
+MEET = 'meet'
 OAUTH2 = 'oauth2'
 ORGPOLICY = 'orgpolicy'
 PEOPLE = 'people'
@@ -186,6 +187,7 @@ PROJECT_APIS = [
  'iap.googleapis.com',
  'keep.googleapis.com',
  'licensing.googleapis.com',
+  'meet.googleapis.com',
  'people.googleapis.com',
  'pubsub.googleapis.com',
  'reseller.googleapis.com',
@@ -204,15 +206,15 @@ _INFO = {
  ANALYTICS_ADMIN: {'name': 'Analytics Admin API', 'version': 'v1beta', 'v2discovery': True},
  CALENDAR: {'name': 'Calendar API', 'version': 'v3', 'v2discovery': True, 'mappedAPI': 'calendar-json'},
  CBCM: {'name': 'Chrome Browser Cloud Management API', 'version': 'v1.1beta1', 'v2discovery': True, 'localjson': True},
-  CHAT: {'name': 'Chat API', 'version': 'v1', 'v2discovery': True, 'localjson': True},
-  CHAT_EVENTS: {'name': 'Chat API - Events', 'version': 'v1', 'v2discovery': True, 'localjson': True, 'mappedAPI': CHAT},
-  CHAT_MEMBERSHIPS: {'name': 'Chat API - Memberships', 'version': 'v1', 'v2discovery': True, 'localjson': True, 'mappedAPI': CHAT},
-  CHAT_MEMBERSHIPS_ADMIN: {'name': 'Chat API - Memberships Admin', 'version': 'v1', 'v2discovery': True, 'localjson': True, 'mappedAPI': CHAT},
-  CHAT_MESSAGES: {'name': 'Chat API - Messages', 'version': 'v1', 'v2discovery': True, 'localjson': True, 'mappedAPI': CHAT},
-  CHAT_SPACES: {'name': 'Chat API - Spaces', 'version': 'v1', 'v2discovery': True, 'localjson': True, 'mappedAPI': CHAT},
-  CHAT_SPACES_ADMIN: {'name': 'Chat API - Spaces Admin', 'version': 'v1', 'v2discovery': True, 'localjson': True, 'mappedAPI': CHAT},
-  CHAT_SPACES_DELETE: {'name': 'Chat API - Spaces Delete', 'version': 'v1', 'v2discovery': True, 'localjson': True, 'mappedAPI': CHAT},
-  CHAT_SPACES_DELETE_ADMIN: {'name': 'Chat API - Spaces Delete Admin', 'version': 'v1', 'v2discovery': True, 'localjson': True, 'mappedAPI': CHAT},
+  CHAT: {'name': 'Chat API', 'version': 'v1', 'v2discovery': True},
+  CHAT_EVENTS: {'name': 'Chat API - Events', 'version': 'v1', 'v2discovery': True, 'mappedAPI': CHAT},
+  CHAT_MEMBERSHIPS: {'name': 'Chat API - Memberships', 'version': 'v1', 'v2discovery': True, 'mappedAPI': CHAT},
+  CHAT_MEMBERSHIPS_ADMIN: {'name': 'Chat API - Memberships Admin', 'version': 'v1', 'v2discovery': True, 'mappedAPI': CHAT},
+  CHAT_MESSAGES: {'name': 'Chat API - Messages', 'version': 'v1', 'v2discovery': True, 'mappedAPI': CHAT},
+  CHAT_SPACES: {'name': 'Chat API - Spaces', 'version': 'v1', 'v2discovery': True, 'mappedAPI': CHAT},
+  CHAT_SPACES_ADMIN: {'name': 'Chat API - Spaces Admin', 'version': 'v1', 'v2discovery': True, 'mappedAPI': CHAT},
+  CHAT_SPACES_DELETE: {'name': 'Chat API - Spaces Delete', 'version': 'v1', 'v2discovery': True, 'mappedAPI': CHAT},
+  CHAT_SPACES_DELETE_ADMIN: {'name': 'Chat API - Spaces Delete Admin', 'version': 'v1', 'v2discovery': True, 'mappedAPI': CHAT},
  CLASSROOM: {'name': 'Classroom API', 'version': 'v1', 'v2discovery': True},
  CHROMEMANAGEMENT: {'name': 'Chrome Management API', 'version': 'v1', 'v2discovery': True},
  CHROMEMANAGEMENT_APPDETAILS: {'name': 'Chrome Management API - AppDetails', 'version': 'v1', 'v2discovery': True, 'mappedAPI': CHROMEMANAGEMENT},
@@ -250,6 +252,7 @@ _INFO = {
  KEEP: {'name': 'Keep API', 'version': 'v1', 'v2discovery': True},
  LICENSING: {'name': 'License Manager API', 'version': 'v1', 'v2discovery': True},
  LOOKERSTUDIO: {'name': 'Looker Studio API', 'version': 'v1', 'v2discovery': True, 'localjson': True},
+  MEET: {'name': 'Meet API', 'version': 'v2', 'v2discovery': True},
  OAUTH2: {'name': 'OAuth2 API', 'version': 'v2', 'v2discovery': False},
  ORGPOLICY: {'name': 'Organization Policy API', 'version': 'v2', 'v2discovery': True},
  PEOPLE: {'name': 'People API', 'version': 'v1', 'v2discovery': True},
@@ -259,7 +262,7 @@ _INFO = {
  PUBSUB: {'name': 'Pub / Sub API', 'version': 'v1', 'v2discovery': True},
  REPORTS: {'name': 'Reports API', 'version': 'reports_v1', 'v2discovery': True, 'mappedAPI': 'admin'},
  RESELLER: {'name': 'Reseller API', 'version': 'v1', 'v2discovery': True},
-  SERVICEACCOUNTLOOKUP: {'name': 'Service Account Lookup psuedo-API', 'version': 'v1', 'v2discovery': True, 'localjson': True},
+  SERVICEACCOUNTLOOKUP: {'name': 'Service Account Lookup pseudo-API', 'version': 'v1', 'v2discovery': True, 'localjson': True},
  SERVICEMANAGEMENT: {'name': 'Service Management API', 'version': 'v1', 'v2discovery': True},
  SERVICEUSAGE: {'name': 'Service Usage API', 'version': 'v1', 'v2discovery': True},
  SHEETS: {'name': 'Sheets API', 'version': 'v4', 'v2discovery': True},
@@ -475,7 +478,7 @@ _CLIENT_SCOPES = [
   'subscopes': [],
   'offByDefault': True,
   'scope': 'https://www.googleapis.com/auth/apps.order'},
-  {'name': 'Service Account Lookup psuedo-API',
+  {'name': 'Service Account Lookup pseudo-API',
   'api': SERVICEACCOUNTLOOKUP,
   'subscopes': [],
   'scope': ''},
@@ -499,6 +502,10 @@ _TODRIVE_CLIENT_SCOPES = [
   'api': DRIVE3,
   'subscopes': [],
   'scope': DRIVE_SCOPE},
+  {'name': 'Drive File API - todrive_clientaccess',
+   'api': DRIVE3,
+   'subscopes': [],
+   'scope': 'https://www.googleapis.com/auth/drive.file'},
  {'name': 'Gmail API - todrive_clientaccess',
   'api': GMAIL,
   'subscopes': [],
@@ -648,6 +655,10 @@ _SVCACCT_SCOPES = [
   'api': LOOKERSTUDIO,
   'subscopes': READONLY,
   'scope': 'https://www.googleapis.com/auth/datastudio'},
+  {'name': 'Meet API',
+   'api': MEET,
+   'subscopes': READONLY,
+   'scope': 'https://www.googleapis.com/auth/meetings.space.created'},
  {'name': 'OAuth2 API',
   'api': OAUTH2,
   'subscopes': [],
--- a/src/gam/gamlib/glcfg.py
+++ b/src/gam/gamlib/glcfg.py
@@ -151,6 +151,8 @@ DOMAIN = 'domain'
 DRIVE_DIR = 'drive_dir'
 # When retrieving lists of Drive files/folders from API, how many should be retrieved in each chunk
 DRIVE_MAX_RESULTS = 'drive_max_results'
+# Use Drive V3 beta
+DRIVE_V3_BETA = 'drive_v3_beta'
 # Use Drive V3 ntive names
 DRIVE_V3_NATIVE_NAMES = 'drive_v3_native_names'
 # When processing email messages in batches, how many should be processed in each batch
@@ -366,6 +368,7 @@ Defaults = {
  DOMAIN: '',
  DRIVE_DIR: '',
  DRIVE_MAX_RESULTS: '1000',
+  DRIVE_V3_BETA: FALSE,
  DRIVE_V3_NATIVE_NAMES: TRUE,
  EMAIL_BATCH_SIZE: '50',
  ENABLE_DASA: FALSE,
@@ -479,7 +482,7 @@ VAR_INFO = {
  ADMIN_EMAIL: {VAR_TYPE: TYPE_STRING, VAR_ENVVAR: 'GA_ADMIN_EMAIL', VAR_LIMITS: (0, None)},
  API_CALLS_RATE_CHECK: {VAR_TYPE: TYPE_BOOLEAN},
  API_CALLS_RATE_LIMIT: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (50, None)},
-  API_CALLS_TRIES_LIMIT: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (3, 10)},
+  API_CALLS_TRIES_LIMIT: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (3, 30)},
  AUTO_BATCH_MIN: {VAR_TYPE: TYPE_INTEGER, VAR_ENVVAR: 'GAM_AUTOBATCH', VAR_LIMITS: (0, 100)},
  BAIL_ON_INTERNAL_ERROR_TRIES: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 10)},
  BATCH_SIZE: {VAR_TYPE: TYPE_INTEGER, VAR_ENVVAR: 'GAM_BATCH_SIZE', VAR_LIMITS: (1, 1000)},
@@ -528,6 +531,7 @@ VAR_INFO = {
  DOMAIN: {VAR_TYPE: TYPE_STRING, VAR_ENVVAR: 'GA_DOMAIN', VAR_LIMITS: (0, None)},
  DRIVE_DIR: {VAR_TYPE: TYPE_DIRECTORY, VAR_ENVVAR: 'GAMDRIVEDIR'},
  DRIVE_MAX_RESULTS: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 1000)},
+  DRIVE_V3_BETA: {VAR_TYPE: TYPE_BOOLEAN},
  DRIVE_V3_NATIVE_NAMES: {VAR_TYPE: TYPE_BOOLEAN},
  EMAIL_BATCH_SIZE: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 100)},
  ENABLE_DASA: {VAR_TYPE: TYPE_BOOLEAN, VAR_SIGFILE: 'enabledasa.txt', VAR_SFFT: (FALSE, TRUE)},
--- a/src/gam/gamlib/glclargs.py
+++ b/src/gam/gamlib/glclargs.py
@@ -651,6 +651,16 @@ class GamCLArgs():
  ARG_LICENSES = 'licenses'
  ARG_MATTER = 'matter'
  ARG_MATTERS = 'matters'
+  ARG_MEETSPACE = 'meetspace'
+  ARG_MEETSPACES = 'meetspaces'
+  ARG_MEETCONFERENCE = 'meetconference'
+  ARG_MEETCONFERENCES = 'meetconferences'
+  ARG_MEETPARTICIPANT = 'meetparticipant'
+  ARG_MEETPARTICIPANTS = 'meetparticipants'
+  ARG_MEETRECORDING = 'meetrecording'
+  ARG_MEETRECORDINGS = 'meetrecordings'
+  ARG_MEETTRANSCRIPT = 'meettranscript'
+  ARG_MEETTRANSCRIPTS = 'meettranscripts'
  ARG_MEMBER = 'member'
  ARG_MEMBERS = 'members'
  ARG_MESSAGE = 'message'
@@ -672,6 +682,8 @@ class GamCLArgs():
  ARG_ORG = 'org'
  ARG_ORGS = 'orgs'
  ARG_ORGTREE = 'orgtree'
+  ARG_ORGUNIT = 'orgunit'
+  ARG_ORGUNITS = 'orgunits'
  ARG_ORGUNITSHAREDDRIVE = 'orgunitshareddrive'
  ARG_ORGUNITSHAREDDRIVES = 'orgunitshareddrives'
  ARG_ORPHANS = 'orphans'
@@ -934,6 +946,7 @@ class GamCLArgs():
  OB_LOOKERSTUDIO_PERMISSION_ENTITY = 'LookerStudioPermissionEntity'
  OB_MATTER_ITEM = 'MatterItem'
  OB_MATTER_ITEM_LIST = 'MatterItemList'
+  OB_MEET_CONFERENCE_NAME = 'MeetConferenceName'
  OB_MESSAGE_ID = 'MessageID'
  OB_MIMETYPE = 'MimeType'
  OB_MIMETYPE_LIST = 'MimeTypeList'
--- a/src/gam/gamlib/glentity.py
+++ b/src/gam/gamlib/glentity.py
@@ -133,10 +133,12 @@ class GamEntity():
  COPYFROM_GROUP = 'cfgr'
  COURSE = 'cour'
  COURSE_ALIAS = 'coal'
+  COURSE_ANNOUNCEMENT = 'cann'
  COURSE_ANNOUNCEMENT_ID = 'caid'
  COURSE_ANNOUNCEMENT_STATE = 'cast'
  COURSE_MATERIAL_DRIVEFILE = 'comd'
  COURSE_MATERIAL_FORM = 'comf'
+  COURSE_MATERIAL = 'cmtl'
  COURSE_MATERIAL_ID = 'cmid'
  COURSE_MATERIAL_STATE = 'cmst'
  COURSE_NAME = 'cona'
@@ -204,6 +206,7 @@ class GamEntity():
  DRIVE_PATH = 'drvp'
  DRIVE_SETTINGS = 'drvs'
  DRIVE_SHORTCUT = 'drsc'
+  DRIVE_SHORTCUT_ID = 'dsci'
  DRIVE_3PSHORTCUT = 'dr3s'
  DRIVE_TRASH = 'drvt'
  EMAIL = 'emai'
@@ -212,6 +215,7 @@ class GamEntity():
  END_TIME = 'endt'
  ENTITY = 'enti'
  EVENT = 'evnt'
+  EVENT_BIRTHDAY = 'evbd'
  EVENT_FOCUSTIME = 'evft'
  EVENT_OUTOFOFFICE = 'evoo'
  EVENT_WORKINGLOCATION = 'evwl'
@@ -257,6 +261,11 @@ class GamEntity():
  LOOKERSTUDIO_ASSET_REPORT = 'lsar'
  LOOKERSTUDIO_PERMISSION = 'lspe'
  MD5HASH = 'md5h'
+  MEET_SPACE = 'mesp'
+  MEET_CONFERENCE = 'msco'
+  MEET_PARTICIPANT = 'msps'
+  MEET_RECORDING = 'msre'
+  MEET_TRANSCRIPT = 'mstr'
  MEMBER = 'memb'
  MEMBER_NOT_ARCHIVED = 'mena'
  MEMBER_ARCHIVED = 'mear'
@@ -475,10 +484,12 @@ class GamEntity():
    COPYFROM_GROUP: ['Copy From Groups', 'CopyFrom Group'],
    COURSE: ['Courses', 'Course'],
    COURSE_ALIAS: ['Course Aliases', 'Course Alias'],
+    COURSE_ANNOUNCEMENT: ['Course Announcements', 'Course Announcement'],
    COURSE_ANNOUNCEMENT_ID: ['Course Announcement IDs', 'Course Announcement ID'],
    COURSE_ANNOUNCEMENT_STATE: ['Course Announcement States', 'Course Announcement State'],
    COURSE_MATERIAL_DRIVEFILE: ['Course Material Drive Files', 'Course Material Drive File'],
    COURSE_MATERIAL_FORM: ['Course Material Forms', 'Course Material Form'],
+    COURSE_MATERIAL: ['Course Materials', 'Course Material'],
    COURSE_MATERIAL_ID: ['Course Material IDs', 'Course Material ID'],
    COURSE_MATERIAL_STATE: ['Course Material States', 'Course Material State'],
    COURSE_NAME: ['Course Names', 'Course Name'],
@@ -546,6 +557,7 @@ class GamEntity():
    DRIVE_PATH: ['Drive Paths', 'Drive Path'],
    DRIVE_SETTINGS: ['Drive Settings', 'Drive Settings'],
    DRIVE_SHORTCUT: ['Drive Shortcuts', 'Drive Shortcut'],
+    DRIVE_SHORTCUT_ID: ['Drive Shortcut IDs', 'Drive Shortcut ID'],
    DRIVE_3PSHORTCUT: ['Drive 3rd Party Shortcuts', 'Drive 3rd Party Shortcut'],
    DRIVE_TRASH: ['Drive Trash', 'Drive Trash'],
    EMAIL: ['Email Addresses', 'Email Address'],
@@ -554,6 +566,7 @@ class GamEntity():
    END_TIME: ['End Times', 'End Time'],
    ENTITY: ['Entities', 'Entity'],
    EVENT: ['Events', 'Event'],
+    EVENT_BIRTHDAY: ['Borthday Events', 'Birthday Event'],
    EVENT_FOCUSTIME: ['Focus Time Events', 'Focus Time Event'],
    EVENT_OUTOFOFFICE: ['Out of Office Events', 'Out of Office Event'],
    EVENT_WORKINGLOCATION: ['Working Location Events', 'Working Location Event'],
@@ -599,6 +612,11 @@ class GamEntity():
    LOOKERSTUDIO_ASSET_REPORT: ['Looker Studio REPORT Assets', 'Looker Studio REPORT Asset'],
    LOOKERSTUDIO_PERMISSION: ['Looker Studio Permissions', 'Looker Studio Permission'],
    MD5HASH: ['MD5 hash', 'MD5 Hash'],
+    MEET_SPACE: ['Meet Spaces', 'Meet Space'],
+    MEET_CONFERENCE: ['Meet Conferences', 'Meet Conference'],
+    MEET_PARTICIPANT: ['Meet Participants', 'Meet Participant'],
+    MEET_RECORDING: ['Meet Recordings', 'Meet Recording'],
+    MEET_TRANSCRIPT: ['Meet Transcripts', 'Meet Transcript'],
    MEMBER: ['Members', 'Member'],
    MEMBER_NOT_ARCHIVED: ['Members (Not Archived)', 'Member (Not Archived)'],
    MEMBER_ARCHIVED: ['Members (Archived)', 'Member (Archived)'],
--- a/src/gam/gamlib/glmsgs.py
+++ b/src/gam/gamlib/glmsgs.py
@@ -78,7 +78,7 @@ Please go to:

  https://admin.google.com/ac/owl/list?tab=configuredApps

-1. Click on: Add app > OAuth App Name Or Client ID.
+1. Click on: Configure new app > OAuth App Name Or Client ID.
 2. Enter the following Client ID value:

  {1}
@@ -257,7 +257,9 @@ FORBIDDEN = 'Forbidden'
 FORMAT_NOT_AVAILABLE = 'Format ({0}) not available'
 FORMAT_NOT_DOWNLOADABLE = 'Format not downloadable'
 FROM = 'From'
+FROM_LC = 'from'
 FULL_PATH_MUST_START_WITH_DRIVE = 'fullpath must start with {0} or {1}'
+GAM_BATCH_FILE_WRITTEN = 'GAM batch file {0} written\n'
 GAM_LATEST_VERSION_NOT_AVAILABLE = 'GAM Latest Version information not available'
 GAM_OUT_OF_MEMORY = 'GAM has run out of memory. If this is a large Google Workspace instance, you should use a 64-bit version of GAM on Windows or a 64-bit version of Python on other systems.'
 GENERATING_NEW_PRIVATE_KEY = 'Generating new private key'
@@ -318,6 +320,7 @@ IS_NOT_UNIQUE = 'Is not unique, {0}: {1}'
 IS_REQD_TO_CHG_PWD_NO_DELEGATION = 'Is required to change password at next login. You must change password or clear changepassword flag for delegation.'
 IS_SUSPENDED_NO_BACKUPCODES = 'User is suspended. You must unsuspend to process backupcodes'
 IS_SUSPENDED_NO_DELEGATION = 'Is suspended. You must unsuspend for delegation.'
+IS_YUBIKEY_INSERTED = 'Is YubiKey inserted?'
 JSON_ERROR = 'JSON error "{0}" in file {1}'
 JSON_KEY_NOT_FOUND = 'JSON key "{0}" not found in file {1}'
 KIOSK_MODE_REQUIRED = ' This command ({0}) requires that the ChromeOS device be in Kiosk mode.'
@@ -393,6 +396,7 @@ NO_ENTITIES_MATCHED = 'No {0} matched'
 NO_FILTER_ACTIONS = 'No {0} actions specified'
 NO_FILTER_CRITERIA = 'No {0} criteria specified'
 NO_LABELS_MATCH = 'No Labels match'
+NO_LABELS_TO_PROCESS = 'No Labels to process'
 NO_MESSAGES_WITH_LABEL = 'No Messages with Label'
 NO_PARENTS_TO_CONVERT_TO_SHORTCUTS = 'No parents to convert to shortcuts'
 NO_REPORT_AVAILABLE = 'No {0} report available.'
@@ -420,6 +424,8 @@ ONLY_ONE_DEVICE_SELECTION_ALLOWED = 'Only one device selection allowed, filter =
 ONLY_ONE_JSON_RANGE_ALLOWED = 'Only one range/json allowed'
 ONLY_ONE_OWNER_ALLOWED = 'Only one owner allowed'
 OR = 'or'
+OU_AND_MOVETOOU_CANNOT_BE_IDENTICAL = 'ou {0} can not be be identical to movetoou {1}'
+OU_SUBOUS_CANNOT_BE_MOVED_TO_MOVETOOU = 'ou {0} sub OUs can not be be moved to movetoou {1}'
 PERMISSION_DENIED = 'The caller does not have permission'
 PLEASE_CORRECT_YOUR_SYSTEM_TIME = 'Please correct your system time.'
 PLEASE_ENTER_A_OR_M = 'Please enter a or m ...\n'
@@ -451,6 +457,7 @@ SCHEMA_WOULD_HAVE_NO_FIELDS = '{0} would have no {1}'
 SELECTED = 'Selected'
 SERVICE_NOT_APPLICABLE = 'Service not applicable/Does not exist'
 SERVICE_NOT_APPLICABLE_THIS_ADDRESS = 'Service not applicable for this address: {0}'
+SHORTCUT_TARGET_CAPABILITY_IS_FALSE = '{0} capability {1} is False'
 STARTING_THREAD = 'Starting thread'
 STATISTICS_COPY_FILE = 'Total: {0}, Copied: {1}, Shortcut created {2}, Shortcut exists {3}, Duplicate: {4}, Copy Failed: {5}, Not copyable: {6}, In skipids: {7}, Permissions Failed: {8}, Protected Ranges Failed: {9}'
 STATISTICS_COPY_FOLDER = 'Total: {0}, Copied: {1}, Shortcut created {2}, Shortcut exists {3}, Duplicate: {4}, Merged: {5}, Copy Failed: {6}, Not writable: {7}, Permissions Failed: {8}'
@@ -465,6 +472,8 @@ TASKLIST_TITLE_NOT_FOUND = 'Task list title not found'
 THREAD = 'thread'
 THREADS = 'threads'
 TO = 'To'
+TO_LC = 'to'
+TO_MAXIMUM_OF = 'to maximum of'
 TO_SET_UP_GOOGLE_CHAT = """
 To set up Google Chat for your API project, please go to:

@@ -501,8 +510,7 @@ USING_N_PROCESSES = '{0},0/{1},Using {2} {3}...\n'
 VALUES_ARE_NOT_CONSISTENT = 'Values are not consistent'
 VERSION_UPDATE_AVAILABLE = 'Version update available'
 WAITING_FOR_DATA_TRANSFER_TO_COMPLETE_SLEEPING = 'Waiting for Data Transfer to complete. Sleeping {0} seconds\n'
-WAITING_FOR_SERVICE_ACCOUNT_CREATION_TO_COMPLETE_SLEEPING = 'Waiting for Service Account creation to complete. Sleeping {0} seconds\n'
-WAITING_FOR_SHARED_DRIVE_CREATION_TO_COMPLETE_SLEEPING = 'Waiting for Shared Drive creation to complete. Sleeping {0} seconds\n'
+WAITING_FOR_ITEM_CREATION_TO_COMPLETE_SLEEPING = 'Waiting for {0} creation to complete. Sleeping {1} seconds\n'
 WHAT_IS_YOUR_PROJECT_ID = '\nWhat is your project ID? '
 WILL_RERUN_WITH_NO_BROWSER_TRUE = 'Will re-run command with no_browser true\n'
 WITH = 'with'
--- a/src/gam/gamlib/yubikey.py
+++ b/src/gam/gamlib/yubikey.py
@@ -112,6 +112,8 @@ class YubiKey():
      return publicKeyData
    except ValueError as err:
      systemErrorExit(YUBIKEY_VALUE_ERROR_RC, f'YubiKey - {err}')
+    except TypeError as err:
+      systemErrorExit(YUBIKEY_NOT_FOUND_RC, f'YubiKey - {err} - {Msg.IS_YUBIKEY_INSERTED}')

  def get_serial_number(self):
    try:
@@ -168,6 +170,8 @@ class YubiKey():
        piv.put_object(OBJECT_ID.CHUID, generate_chuid())
    except ValueError as err:
      systemErrorExit(YUBIKEY_VALUE_ERROR_RC, f'YubiKey - {err}')
+    except TypeError as err:
+      systemErrorExit(YUBIKEY_NOT_FOUND_RC, f'YubiKey - {err} - {Msg.IS_YUBIKEY_INSERTED}')

  def sign(self, message):
    if mplock is not None:
@@ -191,6 +195,8 @@ class YubiKey():
          systemErrorExit(YUBIKEY_APDU_ERROR_RC, f'YubiKey - {err}')
    except ValueError as err:
      systemErrorExit(YUBIKEY_VALUE_ERROR_RC, f'YubiKey - {err}')
+    except TypeError as err:
+      systemErrorExit(YUBIKEY_NOT_FOUND_RC, f'YubiKey - {err} - {Msg.IS_YUBIKEY_INSERTED}')
    if mplock is not None:
      mplock.release()
    return signed
--- a/src/gam/googleapiclient/discovery.py
+++ b/src/gam/googleapiclient/discovery.py
@@ -1170,9 +1170,11 @@ def createMethod(methodName, methodDesc, rootDesc, schema):
        elif "response" not in methodDesc:
            model = RawModel()

+        api_version = methodDesc.get("apiVersion", None)
+
        headers = {}
        headers, params, query, body = model.request(
-            headers, actual_path_params, actual_query_params, body_value
+            headers, actual_path_params, actual_query_params, body_value, api_version
        )

        expanded_url = uritemplate.expand(pathUrl, params)
--- a/src/gam/googleapiclient/model.py
+++ b/src/gam/googleapiclient/model.py
@@ -27,10 +27,18 @@ import json
 import logging
 import platform
 import urllib
+import warnings

 from googleapiclient import version as googleapiclient_version
 from googleapiclient.errors import HttpError

+try:
+    from google.api_core.version_header import API_VERSION_METADATA_KEY
+
+    HAS_API_VERSION = True
+except ImportError:
+    HAS_API_VERSION = False
+
 _LIBRARY_VERSION = googleapiclient_version.__version__
 _PY_VERSION = platform.python_version()

@@ -121,7 +129,7 @@ class BaseModel(Model):
            LOGGER.info("query: %s", query)
            LOGGER.info("--request-end--")

-    def request(self, headers, path_params, query_params, body_value):
+    def request(self, headers, path_params, query_params, body_value, api_version=None):
        """Updates outgoing requests with a serialized body.

        Args:
@@ -129,7 +137,10 @@ class BaseModel(Model):
          path_params: dict, parameters that appear in the request path
          query_params: dict, parameters that appear in the query
          body_value: object, the request body as a Python object, which must be
-                      serializable by json.
+              serializable by json.
+          api_version: str, The precise API version represented by this request,
+              which will result in an API Version header being sent along with the
+              HTTP request.
        Returns:
          A tuple of (headers, path_params, query, body)

@@ -155,6 +166,15 @@ class BaseModel(Model):
            _PY_VERSION,
        )

+        if api_version and HAS_API_VERSION:
+            headers[API_VERSION_METADATA_KEY] = api_version
+        elif api_version:
+            warnings.warn(
+                "The `api_version` argument is ignored as a newer version of "
+                "`google-api-core` is required to use this feature."
+                "Please upgrade `google-api-core` to 2.19.0 or newer."
+            )
+
        if body_value is not None:
            headers["content-type"] = self.content_type
            body_value = self.serialize(body_value)
--- a/src/gam/googleapiclient/version.py
+++ b/src/gam/googleapiclient/version.py
@@ -12,4 +12,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-__version__ = "2.124.0"
+__version__ = "2.146.0"
--- a/src/gam/serviceaccountlookup-v1.json
+++ b/src/gam/serviceaccountlookup-v1.json
@@ -2,7 +2,7 @@
  "basePath": "",
  "baseUrl": "https://www.googleapis.com/service_accounts/v1",
  "canonicalName": "serviceaccountlookup",
-  "description": "Psuedo-API to lookup public certificates for a service account anonymously",
+  "description": "Pseudo-API to lookup public certificates for a service account anonymously",
  "discoveryVersion": "v1",
  "documentationLink": "https://example.com/",
  "fullyEncodeReservedExpansion": true,
@@ -135,7 +135,7 @@
    }
  },
  "servicePath": "",
-  "title": "Service Account Lookup Psuedo-API",
+  "title": "Service Account Lookup Pseudo-API",
  "version": "v1",
  "version_module": true
 }
--- a/src/new-gam-install-script.sh
+++ b/src/new-gam-install-script.sh
@@ -0,0 +1,441 @@
+#!/usr/bin/env bash
+
+usage()
+{
+cat << EOF
+GAM installation script.
+
+OPTIONS:
+   -h      show help.
+   -d      Directory where gam folder will be installed. Default is \$HOME/bin/
+   -a      Architecture to install (i386, x86_64, x86_64_legacy, arm, arm64). Default is to detect your arch with "uname -m".
+   -o      OS we are running (linux, macos). Default is to detect your OS with "uname -s".
+   -b      OS version. Default is to detect on MacOS and Linux.
+   -l      Just upgrade GAM to latest version. Skips project creation and auth.
+   -p      Profile update (true, false). Should script add gam command to environment. Default is true.
+   -u      Admin user email address to use with GAM. Default is to prompt.
+   -r      Regular user email address. Used to test service account access to user data. Default is to prompt.
+   -v      Version to install (latest, prerelease, draft, 3.8, etc). Default is latest.
+   -s      Strip gam component from extracted files, files will be downloaded directly to $target_dir
+EOF
+}
+
+target_dir="$HOME/bin"
+target_gam="gam7/gam"
+gamarch=$(uname -m)
+gamos=$(uname -s)
+osversion=""
+update_profile=true
+upgrade_only=false
+gamversion="latest"
+adminuser=""
+regularuser=""
+strip_gam="--strip-components 0"
+
+while getopts "hd:a:o:b:lp:u:r:v:s" OPTION
+do
+     case $OPTION in
+         h) usage; exit;;
+         d) target_dir="$OPTARG";;
+         a) gamarch="$OPTARG";;
+         o) gamos="$OPTARG";;
+         b) osversion="$OPTARG";;
+         l) upgrade_only=true;;
+         p) update_profile="$OPTARG";;
+         u) adminuser="$OPTARG";;
+         r) regularuser="$OPTARG";;
+         v) gamversion="$OPTARG";;
+         s) strip_gam="--strip-components 1"; target_gam="gam";;
+         ?) usage; exit;;
+     esac
+done
+
+# remove possible / from end of target_dir
+target_dir=${target_dir%/}
+
+update_profile() {
+        [ "$2" -eq 1 ] || [ -f "$1" ] || return 1
+
+        grep -F "$alias_line" "$1" > /dev/null 2>&1
+        if [ $? -ne 0 ]; then
+                echo_yellow "Adding gam alias to profile file $1."
+                echo -e "\n$alias_line" >> "$1"
+        else
+          echo_yellow "gam alias already exists in profile file $1. Skipping add."
+        fi
+}
+
+echo_red()
+{
+echo -e "\x1B[1;31m$1"
+echo -e '\x1B[0m'
+}
+
+echo_green()
+{
+echo -e "\x1B[1;32m$1"
+echo -e '\x1B[0m'
+}
+
+echo_yellow()
+{
+echo -e "\x1B[1;33m$1"
+echo -e '\x1B[0m'
+}
+
+version_gt()
+{
+# MacOS < 10.13 doesn't support sort -V
+echo "" | sort -V > /dev/null 2>&1
+vsort_failed=$?
+if [ "${1}" = "${2}" ]; then
+  true
+elif (( $vsort_failed != 0 )); then
+  false
+else
+  test "$(printf '%s\n' "$@" | sort -V | head -n 1)" != "$1"
+fi
+}
+
+if [ "$gamversion" == "latest" ]; then
+  release_url="https://api.github.com/repos/GAM-team/GAM/releases/latest"
+elif [ "$gamversion" == "prerelease" -o "$gamversion" == "draft" ]; then
+  release_url="https://api.github.com/repos/GAM-team/GAM/releases"
+else
+  release_url="https://api.github.com/repos/GAM-team/GAM/releases/tags/v$gamversion"
+fi
+
+if [ -z ${GHCLIENT+x} ]; then
+  check_type="unauthenticated"
+  curl_opts=( )
+else
+  check_type="authenticated"
+  curl_opts=( "$GHCLIENT" )
+fi
+echo_yellow "Checking GitHub URL $release_url for $gamversion GAM release ($check_type)..."
+release_json=$(curl \
+	--silent \
+	"${curl_opts[@]}" \
+	-H "Accept: application/vnd.github+json" \
+	-H "X-GitHub-Api-Version: 2022-11-28" \
+	"$release_url" \
+	2>&1 /dev/null)
+
+echo_yellow "Getting file and download URL..."
+# Python is sadly the nearest to universal way to safely handle JSON with Bash
+# At least this code should be compatible with just about any Python version ever
+# unlike GAM itself. If some users don't have Python we can try grep / sed / etc
+# but that gets really ugly
+pycode="import json
+import sys
+
+attrib = sys.argv[1]
+gamversion = sys.argv[2]
+
+release = json.load(sys.stdin)
+if type(release) is list:
+  for a_release in release:
+    if a_release['prerelease'] and gamversion != 'prerelease':
+      continue
+    elif a_release['draft'] and gamversion != 'draft':
+      continue
+    release = a_release
+    break
+try:
+  for asset in release['assets']:
+    print(asset[attrib])
+  #else:
+  #  print('ERROR: Attribute: {0} for version {1} not found'.format(attrib, gamversion))
+except KeyError:
+  print('ERROR: assets value not found in JSON value of:\n\n%s' % release)"
+
+pycmd="python3"
+$pycmd -V >/dev/null 2>&1
+rc=$?
+if (( $rc != 0 )); then
+  pycmd="python"
+fi
+$pycmd -V >/dev/null 2>&1
+rc=$?
+if (( $rc != 0 )); then
+  pycmd="/usr/bin/python3"
+fi
+$pycmd -V >/dev/null 2>&1
+rc=$?
+if (( $rc != 0 )); then
+  pycmd="python2"
+fi
+$pycmd -V >/dev/null 2>&1
+rc=$?
+if (( $rc != 0 )); then
+  echo_red "ERROR: No version of python installed."
+  exit
+fi
+download_urls=$(echo "$release_json" | $pycmd -c "$pycode" browser_download_url "$gamversion")
+if [[ ${download_urls:0:5} = "ERROR" ]]; then
+  echo_red "${download_urls}"
+  exit
+fi
+
+case $gamos in
+  [lL]inux)
+    gamos="linux"
+    download_urls=$(echo -e "$download_urls" | grep "\-linux-")
+    if [ "$osversion" == "" ]; then
+      this_glibc_ver=$(ldd --version | awk '/ldd/{print $NF}')
+    else
+      this_glibc_ver=$osversion
+    fi
+    echo "This Linux distribution uses glibc $this_glibc_ver"
+    case $gamarch in
+      x86_64)
+	download_urls=$(echo -e "$download_urls" | grep "\-x86_64-")
+	gam_x86_64_glibc_vers=$(echo -e "$download_urls" | \
+		grep --only-matching 'glibc[0-9\.]*\.tar\.xz$' \
+	        | cut -c 6-9 )
+	useglibc="legacy"
+        for gam_glibc_ver in $gam_x86_64_glibc_vers; do
+          if version_gt $this_glibc_ver $gam_glibc_ver; then
+            useglibc="glibc$gam_glibc_ver"
+            echo_green "Using GAM compiled against $useglibc"
+            break
+          fi
+        done
+        download_url=$(echo -e "$download_urls" | grep "$useglibc")
+	;;
+      arm|arm64|aarch64)
+        download_urls=$(echo -e "$download_urls" | grep "\-aarch64-")
+        gam_arm64_glibc_vers=$(echo -e "$download_urls" | \
+                grep --only-matching 'glibc[0-9\.]*\.tar\.xz$' \
+                | cut -c 6-9 )
+        useglibc="legacy"
+        for gam_glibc_ver in $gam_arm64_glibc_vers; do
+          if version_gt $this_glibc_ver $gam_glibc_ver; then
+            useglibc="glibc$gam_glibc_ver"
+            echo_green "Using GAM compiled against $useglibc"
+            break
+          fi
+        done
+        download_url=$(echo -e "$download_urls" | grep "$useglibc")
+	;;
+      *)
+        echo_red "ERROR: this installer currently only supports x86_64 and arm64 Linux. Looks like you're running on $gamarch. Exiting."
+        exit
+    esac
+    ;;
+  [Mm]ac[Oo][sS]|[Dd]arwin)
+    gamos="macos"
+    fullversion=$(sw_vers -productVersion)
+    # override osversion only if it wasn't set by cli arguments
+    osversion=${osversion:-$fullversion:0:2}
+    download_urls=$(echo -e "$download_urls" | grep "\-macos-")
+    case $gamarch in
+      x86_64)
+        download_url=$(echo -e "$download_urls" | grep "\-x86_64")
+	minimum_version=13
+        ;;
+      arm|arm64|aarch64)
+        download_url=$(echo -e "$download_urls" | grep "\-aarch64")
+	minimum_version=14
+        ;;
+      *)
+        echo_red "ERROR: this installer currently only supports x86_64 and arm64 MacOS. Looks like you're running on ${gamarch}. Exiting."
+        exit
+	;;
+    esac
+    if [[ "$osversion" -ge "$minimum_version" ]]; then
+      echo_green "You are running MacOS ${fullversion}, good. Using GAM with ${download_url}."
+    else
+      echo_red "Sorry, you are running MacOS ${fullversion} but GAM on ${gamarch} requires MacOS ${minimum_version}. Exiting."
+      exit
+    fi
+    ;;
+  MINGW64_NT*)
+    gamos="windows"
+    echo "You are running Windows"
+    download_url=$(echo -e "$download_urls" | grep "\-windows-" | grep ".zip")
+    ;;
+  *)
+    echo_red "Sorry, this installer currently only supports Linux and MacOS. Looks like you're running on ${gamos}. Exiting."
+    exit
+    ;;
+esac
+
+# Temp dir for archive
+temp_archive_dir=$(mktemp -d 2>/dev/null || mktemp -d -t 'mytmpdir')
+
+# Clean up after ourselves even if we are killed with CTRL-C
+trap "rm -rf $temp_archive_dir" EXIT
+
+# hack to grab the end of the URL which should be the filename.
+name=$(echo -e "$download_url" | rev | cut -f1 -d "/" | rev)
+
+echo_yellow "Downloading ${download_url} to $temp_archive_dir ($check_type)..."
+# Save archive to temp w/o losing our path
+(cd "$temp_archive_dir" && curl -O -L -s "${curl_opts[@]}" "$download_url")
+
+mkdir -p "$target_dir"
+
+echo_yellow "Extracting archive to $target_dir"
+if [[ "$name" =~ tar.xz|tar.gz|tar ]]; then
+  tar $strip_gam -xf "$temp_archive_dir"/"$name" -C "$target_dir"
+elif [[ "$name" == *.zip ]]; then
+  unzip -o "${temp_archive_dir}/${name}" -d "${target_dir}"
+else
+  echo "I don't know what to do with files like ${name}. Giving up."
+  exit 1
+fi
+rc=$?
+if (( $rc != 0 )); then
+  echo_red "ERROR: extracting the GAM archive with tar failed with error $rc. Exiting."
+  exit
+else
+  echo_green "Finished extracting GAM archive."
+fi
+
+# Update profile to add gam command
+if [ "$update_profile" = true ]; then
+  alias_line="alias gam=\"${target_dir// /\\ }/$target_gam\""
+  if [ "$gamos" == "linux" ]; then
+    update_profile "$HOME/.bash_aliases" 0 || update_profile "$HOME/.bash_profile" 0 || update_profile "$HOME/.bashrc" 0
+    update_profile "$HOME/.zshrc" 0
+  elif [ "$gamos" == "macos" ]; then
+    update_profile "$HOME/.bash_aliases" 0 || update_profile "$HOME/.bash_profile" 0 || update_profile "$HOME/.bashrc" 0 || update_profile "$HOME/.profile" 1
+    update_profile "$HOME/.zshrc" 1
+  fi
+else
+  echo_yellow "skipping profile update."
+fi
+
+if [ "$upgrade_only" = true ]; then
+  echo_green "Here's information about your GAM upgrade:"
+  "$target_dir/$target_gam" version extended
+  rc=$?
+  if (( $rc != 0 )); then
+    echo_red "ERROR: Failed running GAM for the first time with return code $rc. Please report this error to GAM mailing list. Exiting."
+    exit
+  fi
+
+  echo_green "GAM upgrade complete!"
+  exit
+fi
+
+# Set config command
+#config_cmd="config no_browser false"
+
+while true; do
+  read -p "Can you run a full browser on this machine? (usually Y for MacOS, N for Linux if you SSH into this machine) " yn
+  case $yn in
+    [Yy]*)
+      break
+      ;;
+    [Nn]*)
+#      config_cmd="config no_browser true"
+      touch "$target_dir/gam/nobrowser.txt" > /dev/null 2>&1
+      break
+      ;;
+    *)
+      echo_red "Please answer yes or no."
+      ;;
+  esac
+done
+echo
+
+project_created=false
+while true; do
+  read -p "GAM is now installed. Are you ready to set up a Google API project for GAM? (yes or no) " yn
+  case $yn in
+    [Yy]*)
+      if [ "$adminuser" == "" ]; then
+        read -p "Please enter your Google Workspace admin email address: " adminuser
+      fi
+#      "$target_dir/$target_gam" $config_cmd create project $adminuser
+      "$target_dir/$target_gam" create project $adminuser
+      rc=$?
+      if (( $rc == 0 )); then
+        echo_green "Project creation complete."
+        project_created=true
+        break
+      else
+        echo_red "Project creation failed. Trying again. Say N to skip project creation."
+      fi
+      ;;
+    [Nn]*)
+      echo -e "\nYou can create an API project later by running:\n\ngam create project\n"
+      break
+      ;;
+    *)
+      echo_red "Please answer yes or no."
+      ;;
+  esac
+done
+
+admin_authorized=false
+while $project_created; do
+  read -p "Are you ready to authorize GAM to perform Google Workspace management operations as your admin account? (yes or no) " yn
+  case $yn in
+    [Yy]*)
+#      "$target_dir/$target_gam" $config_cmd oauth create $adminuser
+      "$target_dir/$target_gam" oauth create $adminuser
+      rc=$?
+      if (( $rc == 0 )); then
+        echo_green "Admin authorization complete."
+        admin_authorized=true
+        break
+      else
+        echo_red "Admin authorization failed. Trying again. Say N to skip admin authorization."
+      fi
+      ;;
+     [Nn]*)
+       echo -e "\nYou can authorize an admin later by running:\n\ngam oauth create\n"
+       break
+       ;;
+     *)
+       echo_red "Please answer yes or no."
+       ;;
+  esac
+done
+
+service_account_authorized=false
+while $admin_authorized; do
+  read -p "Are you ready to authorize GAM to manage Google Workspace user data and settings? (yes or no) " yn
+  case $yn in
+    [Yy]*)
+      if [ "$regularuser" == "" ]; then
+        read -p "Please enter the email address of a regular Google Workspace user: " regularuser
+      fi
+      echo_yellow "Great! Checking service account scopes.This will fail the first time. Follow the steps to authorize and retry. It can take a few minutes for scopes to PASS after they've been authorized in the admin console."
+#      "$target_dir/$target_gam" $config_cmd user $regularuser check serviceaccount
+      "$target_dir/$target_gam" user $regularuser check serviceaccount
+      rc=$?
+      if (( $rc == 0 )); then
+        echo_green "Service account authorization complete."
+        service_account_authorized=true
+        break
+      else
+        echo_red "Service account authorization failed. Confirm you entered the scopes correctly in the admin console. It can take a few minutes for scopes to PASS after they are entered in the admin console so if you're sure you entered them correctly, go grab a coffee and then hit Y to try again. Say N to skip admin authorization."
+      fi
+      ;;
+     [Nn]*)
+       echo -e "\nYou can authorize a service account later by running:\n\ngam user $adminuser check serviceaccount\n"
+       break
+       ;;
+     *)
+       echo_red "Please answer yes or no."
+       ;;
+  esac
+done
+
+echo_green "Here's information about your new GAM installation:"
+#"$target_dir/$target_gam" $config_cmd save version extended
+"$target_dir/$target_gam" version extended
+rc=$?
+if (( $rc != 0 )); then
+  echo_red "ERROR: Failed running GAM for the first time with $rc. Please report this error to GAM mailing list. Exiting."
+  exit
+fi
+
+echo_green "GAM installation and setup complete!"
+if [ "$update_profile" = true ]; then
+  echo_green "Please restart your terminal shell or to get started right away run:\n\n$alias_line"
+fi
--- a/src/serviceaccountlookup-v1.json
+++ b/src/serviceaccountlookup-v1.json
@@ -2,7 +2,7 @@
  "basePath": "",
  "baseUrl": "https://www.googleapis.com/service_accounts/v1",
  "canonicalName": "serviceaccountlookup",
-  "description": "Psuedo-API to lookup public certificates for a service account anonymously",
+  "description": "Pseudo-API to lookup public certificates for a service account anonymously",
  "discoveryVersion": "v1",
  "documentationLink": "https://example.com/",
  "fullyEncodeReservedExpansion": true,
@@ -135,7 +135,7 @@
    }
  },
  "servicePath": "",
-  "title": "Service Account Lookup Psuedo-API",
+  "title": "Service Account Lookup Pseudo-API",
  "version": "v1",
  "version_module": true
 }
--- a/src/setup.cfg
+++ b/src/setup.cfg
@@ -13,10 +13,10 @@ keywords = google, oauth2, gsuite, google-apps, google-admin-sdk, google-drive,
 classifiers =
    Programming Language :: Python :: 3
    Programming Language :: Python :: 3 :: Only
-    Programming Language :: Python :: 3.8
    Programming Language :: Python :: 3.9
    Programming Language :: Python :: 3.10
    Programming Language :: Python :: 3.11
+    Programming Language :: Python :: 3.12
    License :: OSI Approved :: Apache License

 [options]
--- a/src/tools/gen-wix-xml-filelist.py
+++ b/src/tools/gen-wix-xml-filelist.py
@@ -0,0 +1,58 @@
+import os
+import sys
+import uuid
+
+source_dir = sys.argv[1]
+template_file = sys.argv[2]
+target_file = sys.argv[3]
+
+existing_components = {
+    'gam.exe': '''      <Component Id="gam_exe" Guid="d046ea24-c9f8-40ca-84db-70b0119933ff">
+        <File Name="gam.exe" KeyPath="yes" />
+        <Environment Id="PATH" Name="PATH" Value="[INSTALLFOLDER]" Permanent="yes" Part="last" Action="set" System="yes" />
+      </Component>
+''',
+    'LICENSE': '''      <Component Id="license" Guid="c76864c5-d005-44d5-bb7c-a27e5923792d">
+        <File Name="LICENSE" KeyPath="yes" />
+      </Component>
+''',
+    'gam-setup.bat': '''      <Component Id="gam_setup_bat" Guid="5e6bbacb-d86f-4d80-a10b-89b81ee63fcb">
+        <File Name="gam-setup.bat" KeyPath="yes" />
+      </Component>
+''',
+    'GamCommands.txt': '''      <Component Id="GamCommands_txt" Guid="a2dca862-b222-469e-a637-95ea2a1c53e7">
+        <File Name="GamCommands.txt" KeyPath="yes" />
+      </Component>
+''',
+    'GamUpdate.txt': '''      <Component Id="GamUpdate_txt" Guid="1b7cdd48-0fff-4943-a219-102fcd14c755">
+        <File Name="GamUpdate.txt" KeyPath="yes" />
+      </Component>
+''',
+    'cacerts.pem': '''      <Component Id="cacerts_pem" Guid="61fe2b2d-1646-4bed-b844-193965e97727">
+        <File Name="cacerts.pem" KeyPath="yes" />
+      </Component>
+''',
+}
+
+component_xml = ''
+all_files = []
+for root, dirs, files in os.walk(source_dir):
+    for filename in files:
+        relpath = os.path.relpath(root, source_dir)
+        if relpath == '.':
+            all_files.append(filename)
+        else:
+            all_files.append(os.path.join(relpath, filename))
+all_files.sort()
+for filename in all_files:
+    component_xml += existing_components.get(filename,
+                                             f'      <Component>\n        <File Name="{filename}" KeyPath="yes"/>\n      </Component>\n')
+
+with open(template_file, 'r') as f:
+    template = f.read()
+
+full_xml = template.replace('REPLACE_ME_WITH_FILE_COMPONENTS', component_xml)
+
+with open(target_file, 'w') as f:
+    f.write(full_xml)
+