Bug fixes: whatis, print shareddriveorganizers

.github/workflows/build.yml

@@ -126,7 +126,7 @@ jobs:
         with:
           path: |
             cache.tar.xz
-          key: gam-${{ matrix.jid }}-20250422
+          key: gam-${{ matrix.jid }}-20250611
 
       - name: Untar Cache archive
         if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit == 'true'

src/GamCommands.txt

@@ -1383,7 +1383,7 @@ gam show projects [[admin] <EmailAddress>] [all|<ProjectIDEntity>]
         [states all|active|deleterequested] [showiampolicies 0|1|3]
 gam print projects [[admin] <EmailAddress>] [all|<ProjectIDEntity>] [todrive <ToDriveAttribute>*]
         [states all|active|deleterequested] [showiampolicies 0|1|3 [onememberperrow]]
-        [delimiter <Character>]] [[formatjson [quotechar <Character>]]
+        [delimiter <Character>] [[formatjson [quotechar <Character>]]
 gam info currentprojectid
 
 gam create|add svcacct [[admin] <EmailAddress>] [<ProjectIDEntity>]
@@ -2396,12 +2396,14 @@ gam <CrOSTypeEntity> update <CrOSAttribute>+ [quickcrosmove [<Boolean>]] [nobatc
         autoupdatethrough|
         backlightinfo|
         bootmode|
+        chromeostype|
         cpuinfo|
         cpustatusreports|
         deprovisionreason|
         devicefiles|
         deviceid|
         devicelicensetype|
+        diskspaceusage|
         diskvolumereports|
         dockmacaddress|
         ethernetmacaddress|
@@ -2409,6 +2411,7 @@ gam <CrOSTypeEntity> update <CrOSAttribute>+ [quickcrosmove [<Boolean>]] [nobatc
         extendedsupporteligible|
         extendedsupportstart|
         extendedsupportenabled|
+        faninfo|
         firmwareversion|
         firstenrollmenttime|
         lastdeprovisiontimestamp|
@@ -2722,6 +2725,7 @@ gam print chromschemas [todrive <ToDriveAttribute>*]
         <ChromePolicySchemaFieldName>* [fields <ChromePolicySchemaFieldNameList>]
         [[formatjson [quotechar <Character>]]
 
+gam info chromeschema std <SchemaName>
 gam show chromeschemas std
         [filter <String>]
 
@@ -4116,7 +4120,7 @@ gam print devices [todrive <ToDriveAttribute>*]
         <DeviceFieldName>* [fields <DeviceFieldNameList>] [userfields <DeviceUserFieldNameList>]
         [orderby <DeviceOrderByFieldName> [ascending|descending]]
         [all|company|personal|nocompanydevices|nopersonaldevices]
-        [nodeviceusers]
+        [nodeviceusers|oneuserperrow]
         [formatjson [quotechar <Character>]]
         [showitemcountonly]
 
@@ -4816,6 +4820,17 @@ gam show shareddrives
         [fields <SharedDriveFieldNameList>] [noorgunits [<Boolean>]]
         [formatjson] [noorgunits [<Boolean>]]
 
+gam print shareddriveorganizers [todrive <ToDriveAttribute>*]
+        [(shareddriveadminquery|query <QuerySharedDrive>) |
+         (shareddrives|teamdrives (<SharedDriveIDList>|(select <FileSelector>|<CSVFileSelector>)))]
+        [orgunit|org|ou <OrgUnitPath>]
+        [matchname <REMatchPattern>]
+        [domainlist <DomainList>]
+        [includetypes <OrganizerTypeList>]
+        [oneorganizer [<Boolean>]]
+        [shownorganizerdrives [false|true|only]]
+        [includefileorganizers [<Boolean>]]
+        [delimiter <Character>]
 gam print oushareddrives [todrive <ToDriveAttribute>*]
         [ou|org|orgunit <OrgUnitPath>]
         [formatjson [quotechar <Character>]]
@@ -8323,6 +8338,19 @@ gam <UserTypeEntity> show shareddrives
         [fields <SharedDriveFieldNameList>] [noorgunits [<Boolean>]]
         [formatjson]
 
+gam <UserTypeEntity> print shareddriveorganizers [todrive <ToDriveAttribute>*]
+        [adminaccess|asadmin]
+        [(shareddriveadminquery|query <QuerySharedDrive>) |
+         (shareddrives|teamdrives (<SharedDriveIDList>|(select <FileSelector>|<CSVFileSelector>)))]
+        [orgunit|org|ou <OrgUnitPath>]
+        [matchname <REMatchPattern>]
+        [domainlist <DomainList>]
+        [includetypes <OrganizerTypeList>]
+        [oneorganizer [<Boolean>]]
+        [shownorganizerdrives [false|true|only]]
+        [includefileorganizers [<Boolean>]]
+        [delimiter <Character>]
+	
 # Users - Force Signout and Turn Off 2-Step Verification
 
 gam <UserTypeEntity> signout

src/GamUpdate.txt

@@ -1,8 +1,130 @@
+7.09.04
+
+Fixed bug in `gam whatis <EmailItem>` where the check for an invitable user always failed.
+
+Fixed bug in `gam print shareddriveorganizers` where no organizers were displayed when `domain` in `gam.cfg` was blank.
+
+Updated to Python 3.13.5
+
+7.09.03
+
+Updated `gam <UserTypeEntity> create focustime|outofoffice ... timerange <Time> <Time>` to check
+that the first `<Time>` is less than the second `Time`; previously the event was not created.
+
+For new installs the `enforce_expansive_access` Boolean variable in `gam.cfg` now defaults to True.
+For existing installations, if `enforce_expansive_access` has not been added to `gam.cfg`,
+a default value of True will be used.
+
+7.09.02
+
+Added command `gam info chromeschema std <SchemaName>` to display a Chrome policy schema in the same format as Legacy GAM.
+
+Improved output of `gam show chromeschemas [std]` and `gam info chromeschema [std]` to more accurately display the schemas.
+
+7.09.01
+
+Fixed bug in `gam <UserTypeEntity> print diskusage` where the `ownedByMe` column was
+blank for the top folder.
+
+Fixed bug in `gam update chromepolicy` where the following error was generated
+when updating policies with simple numerical values.
+```
+ERROR: Missing argument: Expected <value>"
+```
+
+7.09.00
+
+Removed the overly broad service account `IAM and Access Management API` scope `https://www.googleapis.com/auth/cloud-platform`
+from DWD. The `gam <UserTypeEntity> check|Update serviceaccount` commands issue an error message if this scope
+is enabled prompting you to update your service account authorization so that the scope can be removed.
+
+GAM commands that need IAM access now use the more limited scope `https://www.googleapis.com/auth/iam` in a non-DWD manner.
+
+Added `enforce_expansive_access` Boolean variable to `gam.cfg` that provides the default value
+for option `enforceexpansiveaccess` in all commands that delete or update drive file ACLs/permissions.
+It's default value is False.
+```
+gam <UserTypeEntity> delete permissions
+gam <UserTypeEntity> delete drivefileacl
+gam <UserTypeEntity> update drivefileacl
+gam <UserTypeEntity> copy drivefile
+gam <UserTypeEntity> move drivefile
+gam <UserTypeEntity> transfer ownership
+gam <UserTypeEntity> claim ownership
+gam <UserTypeEntity> transfer drive
+```
+
+Fixed bug in `gam print shareddriveorganizers` that caused a trap when an organizer was a deleted user.
+
+Updated to Python 3.13.4
+
+7.08.02
+
+Updated the defaults in `gam print shareddriveorganizers` to match the most common use case, not the script.
+
+* `domainlist` - The workspace primary domain
+* `includetypes` - user
+* `oneorganizer` - True
+* `shownoorganizerdrives` - True
+* `includefileorganizers` - False
+
+To select organizers from any domain, use: `domainlist ""`
+
+These commands produce the same result.
+```
+gam redirect csv ./TeamDriveOrganizers.csv print shareddriveorganizers domainlist mydomain.com includetypes user oneorganizer shownoorganizerdrives
+gam redirect csv ./TeamDriveOrganizers.csv print shareddriveorganizers
+```
+
+7.08.01
+
+Added option `shareddrives (<SharedDriveIDList>|(select <FileSelector>|<CSVFileSelector>))` to
+`gam print shareddriveorganizers` that displays organizers for a specific list of Shared Drive IDs.
+
+7.08.00
+
+Added the following command that can be used instead of the `GetTeamDriveOrganizers.py` script.
+
+```
+gam [<UserTypeEntity>] print shareddriveorganizers [todrive <ToDriveAttribute>*]
+        [adminaccess|asadmin] [shareddriveadminquery|query <QuerySharedDrive>]
+        [orgunit|org|ou <OrgUnitPath>]
+        [matchname <REMatchPattern>]
+        [domainlist <DomainList>]
+        [includetypes <OrganizerTypeList>]
+        [oneorganizer [<Boolean>]]
+        [shownorganizerdrives [false|true|only]]
+        [includefileorganizers [<Boolean>]]
+        [delimiter <Character>]
+```
+The command defaults match the script defaults:
+* `domainlist` - All domains
+* `includetypes` - user,group
+* `oneorganizer` - False
+* `shownoorganizerdrives` - True
+* `includefileorganizers` - False
+
+For example, to get a single organizer from your domain for all Shared Drives including no organizer drives:
+```
+gam redirect csv ./TeamDriveOrganizers.csv print shareddriveorganizers domainlist mydomain.com includetypes user oneorganizer shownoorganizerdrives
+```
+
+7.07.17
+
+Added option `oneuserperrow` to `gam print devices` to have each of a
+device's users displayed on a separate row with all of the other device fields.
+
+7.07.16
+
+Added `chromeostype`, `diskspaceusage` and `faninfo` to `<CrOSFieldName>` for use in `gam info|print cros`.
+
+Fixed bugs/cleaned output in  `gam info|print cros`.
+
 7.07.15
 
 Added option `shareddrivesoption included|included_if_account_is_not_a_member|not_included` to `gam create vaultexport`.
 
-The previous option 'includeshareddrives <Boolean>` is mapped as follows:
+The previous option `includeshareddrives <Boolean>` is mapped as follows:
 * `includeshareddrives false` - `shareddrivesoption included_if_account_is_not_a_member`
 * `includeshareddrives true` - `shareddrivesoption included`
 

src/callgam.py

@@ -11,7 +11,7 @@ if __name__ == '__main__':
 # One time initialization
   if platform.system() != 'Linux':
     multiprocessing.freeze_support()
-    multiprocessing.set_start_method('spawn')
+    multiprocessing.set_start_method('spawn', force=True)
   initializeLogging()
 #
   CallGAMCommand(['gam', 'version'])

src/gam.py

@@ -11,5 +11,5 @@ from gam.__main__ import main
 if __name__ == '__main__':
   if platform.system() != 'Linux':
     multiprocessing.freeze_support()
-    multiprocessing.set_start_method('spawn')
+    multiprocessing.set_start_method('spawn', force=True)
   main()

src/gam/__init__.py

@@ -25,7 +25,7 @@ https://github.com/GAM-team/GAM/wiki
 """
 
 __author__ = 'GAM Team <google-apps-manager@googlegroups.com>'
-__version__ = '7.07.15'
+__version__ = '7.09.04'
 __license__ = 'Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0)'
 
 #pylint: disable=wrong-import-position
@@ -4785,8 +4785,9 @@ def defaultSvcAcctScopes():
   scopesList = API.getSvcAcctScopesList(GC.Values[GC.USER_SERVICE_ACCOUNT_ACCESS_ONLY], False)
   saScopes = {}
   for scope in scopesList:
-    saScopes.setdefault(scope['api'], [])
-    saScopes[scope['api']].append(scope['scope'])
+    if not scope.get('offByDefault'):
+      saScopes.setdefault(scope['api'], [])
+      saScopes[scope['api']].append(scope['scope'])
   saScopes[API.DRIVEACTIVITY].append(API.DRIVE_SCOPE)
   saScopes[API.DRIVE2] = saScopes[API.DRIVE3]
   saScopes[API.DRIVETD] = saScopes[API.DRIVE3]
@@ -12232,7 +12233,7 @@ def checkServiceAccount(users):
 
   def authorizeScopes(message):
     long_url = ('https://admin.google.com/ac/owl/domainwidedelegation'
-                f'?clientScopeToAdd={",".join(checkScopes)}'
+                f'?clientScopeToAdd={",".join(sorted(checkScopes))}'
                 f'&clientIdToAdd={service_account}&overwriteClientId=true')
     if GC.Values[GC.DOMAIN]:
       long_url += f'&dn={GC.Values[GC.DOMAIN]}'
@@ -12244,10 +12245,12 @@ def checkServiceAccount(users):
   allScopes = API.getSvcAcctScopes(GC.Values[GC.USER_SERVICE_ACCOUNT_ACCESS_ONLY], Act.Get() == Act.UPDATE)
   checkScopesSet = set()
   saScopes = {}
+  checkDeprecatedScopes = True
   useColor = False
   while Cmd.ArgumentsRemaining():
     myarg = getArgument()
     if myarg in {'scope', 'scopes'}:
+      checkDeprecatedScopes = False
       for scope in getString(Cmd.OB_API_SCOPE_URL_LIST).lower().replace(',', ' ').split():
         api = API.getSvcAcctScopeAPI(scope)
         if api is not None:
@@ -12264,10 +12267,12 @@ def checkServiceAccount(users):
     testPass = createGreenText('PASS')
     testFail = createRedText('FAIL')
     testWarn = createYellowText('WARN')
+    testDeprecated = createRedText('DEPRECATED')
   else:
     testPass = 'PASS'
     testFail = 'FAIL'
     testWarn = 'WARN'
+    testDeprecated = 'DEPRECATED'
   if Act.Get() == Act.CHECK:
     if not checkScopesSet:
       for scope in iter(GM.Globals[GM.SVCACCT_SCOPES].values()):
@@ -12275,7 +12280,7 @@ def checkServiceAccount(users):
   else:
     if not checkScopesSet:
       scopesList = API.getSvcAcctScopesList(GC.Values[GC.USER_SERVICE_ACCOUNT_ACCESS_ONLY], True)
-      selectedScopes = getScopesFromUser(scopesList, False, GM.Globals[GM.SVCACCT_SCOPES])
+      selectedScopes = getScopesFromUser(scopesList, False, GM.Globals[GM.SVCACCT_SCOPES] if GM.Globals[GM.SVCACCT_SCOPES_DEFINED] else None)
       if selectedScopes is None:
         return False
       i = 0
@@ -12337,8 +12342,8 @@ def checkServiceAccount(users):
   if saTokenStatus == testFail:
     invalidOauth2serviceJsonExit(f'Authentication{auth_error}')
   _getSvcAcctData() # needed to read in GM.OAUTH2SERVICE_JSON_DATA
-  if GM.Globals[GM.SVCACCT_SCOPES_DEFINED] and API.IAM not in GM.Globals[GM.SVCACCT_SCOPES]:
-    GM.Globals[GM.SVCACCT_SCOPES][API.IAM] = [API.CLOUD_PLATFORM_SCOPE]
+  if API.IAM not in GM.Globals[GM.SVCACCT_SCOPES]:
+    GM.Globals[GM.SVCACCT_SCOPES][API.IAM] = [API.IAM_SCOPE]
   key_type = GM.Globals[GM.OAUTH2SERVICE_JSON_DATA].get('key_type', 'default')
   if key_type == 'default':
     printMessage(Msg.SERVICE_ACCOUNT_CHECK_PRIVATE_KEY_AGE)
@@ -12399,6 +12404,38 @@ def checkServiceAccount(users):
         allScopesPass = False
       printPassFail(scope, f'{scopeStatus}{currentCount(j, jcount)}')
     Ind.Decrement()
+    if checkDeprecatedScopes:
+      deprecatedScopes = sorted(API.DEPRECATED_SCOPES)
+      jcount = len(deprecatedScopes)
+      printKeyValueListWithCount([Msg.DEPRECATED_SCOPES, '',
+                                  Ent.Singular(Ent.USER), user,
+                                  Ent.Choose(Ent.SCOPE, jcount), jcount],
+                                 i, count)
+      Ind.Increment()
+      j = 0
+      for scope in deprecatedScopes:
+        j += 1
+        # try with and without email scope
+        for scopes in [[scope, API.USERINFO_EMAIL_SCOPE], [scope]]:
+          try:
+            credentials = getSvcAcctCredentials(scopes, user)
+            credentials.refresh(request)
+            break
+          except (httplib2.HttpLib2Error, google.auth.exceptions.TransportError, RuntimeError) as e:
+            handleServerError(e)
+          except google.auth.exceptions.RefreshError:
+            continue
+        if credentials.token:
+          token_info = callGAPI(oa2, 'tokeninfo', access_token=credentials.token)
+          if scope in token_info.get('scope', '').split(' ') and user == token_info.get('email', user).lower():
+            scopeStatus = testDeprecated
+            allScopesPass = False
+          else:
+            scopeStatus = testPass
+        else:
+          scopeStatus = testPass
+        printPassFail(scope, f'{scopeStatus}{currentCount(j, jcount)}')
+      Ind.Decrement()
     service_account = GM.Globals[GM.OAUTH2SERVICE_JSON_DATA]['client_id']
     if allScopesPass:
       if Act.Get() == Act.CHECK:
@@ -13101,7 +13138,7 @@ def doWhatIs():
     entityUnknownWarning(Ent.EMAIL, email)
     setSysExitRC(ENTITY_IS_UKNOWN_RC)
     return
-  if not invitableCheck or not getSvcAcctCredentials(API.CLOUDIDENTITY_USERINVITATIONS, _getAdminEmail(), softErrors=True):
+  if not invitableCheck:
     isInvitableUser = False
   else:
     isInvitableUser, ci = _getIsInvitableUser(None, email)
@@ -17102,11 +17139,11 @@ DATA_TRANSFER_SORT_TITLES = ['id', 'requestTime', 'oldOwnerUserEmail', 'newOwner
 
 # gam print datatransfers|transfers [todrive <ToDriveAttribute>*]
 #	[olduser|oldowner <UserItem>] [newuser|newowner <UserItem>]
-#	[status <String>] [delimiter <Character>]]
+#	[status <String>] [delimiter <Character>]
 #	(addcsvdata <FieldName> <String>)*
 # gam show datatransfers|transfers
 #	[olduser|oldowner <UserItem>] [newuser|newowner <UserItem>]
-#	[status <String>] [delimiter <Character>]]
+#	[status <String>] [delimiter <Character>]
 def doPrintShowDataTransfers():
   dt = buildGAPIObject(API.DATATRANSFER)
   apps = getTransferApplications(dt)
@@ -23759,12 +23796,14 @@ CROS_FIELDS_CHOICE_MAP = {
   'autoupdatethrough': 'autoUpdateThrough',
   'backlightinfo': 'backlightInfo',
   'bootmode': 'bootMode',
+  'chromeostype': 'chromeOsType',
   'cpuinfo': 'cpuInfo',
   'cpustatusreports': 'cpuStatusReports',
   'deprovisionreason': 'deprovisionReason',
   'devicefiles': ['deviceFiles.type', 'deviceFiles.createTime'],
   'deviceid': 'deviceId',
   'devicelicensetype': 'deviceLicenseType',
+  'diskspaceusage': 'diskSpaceUsage',
   'diskvolumereports': 'diskVolumeReports',
   'dockmacaddress': 'dockMacAddress',
   'ethernetmacaddress': 'ethernetMacAddress',
@@ -23772,6 +23811,7 @@ CROS_FIELDS_CHOICE_MAP = {
   'extendedsupporteligible': 'extendedSupportEligible',
   'extendedsupportstart': 'extendedSupportStart',
   'extendedsupportenabled': 'extendedSupportEnabled',
+  'faninfo': 'fanInfo',
   'firmwareversion': 'firmwareVersion',
   'firstenrollmenttime': 'firstEnrollmentTime',
   'lastdeprovisiontimestamp': 'lastDeprovisionTimestamp',
@@ -23819,6 +23859,7 @@ CROS_SCALAR_PROPERTY_PRINT_ORDER = [
   'notes',
   'serialNumber',
   'status',
+  'chromeOsType',
   'deviceLicenseType',
   'model',
   'firmwareVersion',
@@ -23839,6 +23880,7 @@ CROS_SCALAR_PROPERTY_PRINT_ORDER = [
   'manufactureDate',
   'supportEndDate',
   'autoUpdateExpiration',
+  'autoUpdateThrough',
   'willAutoRenew',
   ]
 
@@ -23863,8 +23905,11 @@ CROS_TIME_OBJECTS = {
   'lastDeprovisionTimestamp',
   'lastEnrollmentTime',
   'lastSync',
+  'rebootTime',
   'reportTime',
   'supportEndDate',
+  'updateTime',
+  'updateCheckTime',
   }
 CROS_FIELDS_WITH_CRS_NLS = {'notes'}
 CROS_START_ARGUMENTS = ['start', 'startdate', 'oldestdate']
@@ -23981,13 +24026,13 @@ def infoCrOSDevices(entityList):
             printKeyValueWithCRsNLs(up, cros[up])
         else:
           printKeyValueList([up, formatLocalTime(cros[up])])
-    up = 'tpmVersionInfo'
-    if up in cros:
-      printKeyValueList([up, ''])
-      Ind.Increment()
-      for key, value in sorted(iter(cros[up].items())):
-        printKeyValueList([key, value])
-      Ind.Decrement()
+    for up in ['diskSpaceUsage', 'osUpdateStatus', 'tpmVersionInfo']:
+      if up in cros:
+        printKeyValueList([up, ''])
+        Ind.Increment()
+        for key, value in sorted(iter(cros[up].items())):
+          printKeyValueList([key, value])
+        Ind.Decrement()
     if not noLists:
       activeTimeRanges = _filterActiveTimeRanges(cros, True, listLimit, startDate, endDate, activeTimeRangesOrder)
       if activeTimeRanges:
@@ -24041,6 +24086,9 @@ def infoCrOSDevices(entityList):
         entityActionNotPerformedWarning([Ent.CROS_DEVICE, deviceId, Ent.DEVICE_FILE, downloadfile],
                                         Msg.NO_ENTITIES_FOUND.format(Ent.Plural(Ent.DEVICE_FILE)), i, count)
         Act.Set(Act.INFO)
+      cpuInfo = _filterBasicList(cros, 'cpuInfo', True, listLimit)
+      if cpuInfo:
+        showJSON('cpuInfo', cpuInfo, dictObjectsKey={'cpuInfo': 'model'})
       cpuStatusReports = _filterCPUStatusReports(cros, True, listLimit, startTime, endTime)
       if cpuStatusReports:
         printKeyValueList(['cpuStatusReports'])
@@ -24058,6 +24106,12 @@ def infoCrOSDevices(entityList):
             printKeyValueList(['cpuUtilizationPercentageInfo', cpuStatusReport['cpuUtilizationPercentageInfo']])
           Ind.Decrement()
         Ind.Decrement()
+      backlightInfo = _filterBasicList(cros, 'backLightInfo', True, listLimit)
+      if backlightInfo:
+        showJSON('backlightInfo', backlightInfo, dictObjectsKey={'backlightInfo': 'path'})
+      fanInfo = _filterBasicList(cros, 'fanInfo', True, listLimit)
+      if fanInfo:
+        showJSON('fanInfo', fanInfo)
       diskVolumeReports = _filterBasicList(cros, 'diskVolumeReports', True, listLimit)
       if diskVolumeReports:
         printKeyValueList(['diskVolumeReports'])
@@ -24284,7 +24338,7 @@ CROS_ENTITIES_MAP = {
   }
 
 CROS_INDEXED_TITLES = ['activeTimeRanges', 'recentUsers', 'deviceFiles',
-                       'cpuStatusReports', 'diskVolumeReports', 'lastKnownNetwork', 'screenshotFiles', 'systemRamFreeReports']
+                       'cpuStatusReports', 'cpuInfo', 'backlightInfo', 'fanInfo', 'diskVolumeReports', 'lastKnownNetwork', 'screenshotFiles', 'systemRamFreeReports']
 
 # gam print cros [todrive <ToDriveAttribute>*]
 #	[(query <QueryCrOS>)|(queries <QueryCrOSList>) [querytime<String> <Time>]
@@ -24331,12 +24385,15 @@ def doPrintCrOSDevices(entityList=None):
     if not noLists and not selectedLists:
       csvPF.WriteRowTitles(flattenJSON(cros, listLimit=listLimit, timeObjects=CROS_TIME_OBJECTS))
       return
-    attrib = 'tpmVersionInfo'
-    if attrib in cros:
-      for key, value in sorted(iter(cros[attrib].items())):
-        attribKey = f'{attrib}{GC.Values[GC.CSV_OUTPUT_SUBFIELD_DELIMITER]}{key}'
-        cros[attribKey] = value
-      cros.pop(attrib)
+    for attrib in ['diskSpaceUsage', 'osUpdateStatus', 'tpmVersionInfo']:
+      if attrib in cros:
+        for key, value in sorted(iter(cros[attrib].items())):
+          attribKey = f'{attrib}{GC.Values[GC.CSV_OUTPUT_SUBFIELD_DELIMITER]}{key}'
+          if key not in CROS_TIME_OBJECTS:
+            cros[attribKey] = value
+          else:
+            cros[attribKey] = formatLocalTime(value)
+        cros.pop(attrib)
     activeTimeRanges = _filterActiveTimeRanges(cros, selectedLists.get('activeTimeRanges', False), listLimit, startDate, endDate, activeTimeRangesOrder)
     recentUsers = _filterRecentUsers(cros, selectedLists.get('recentUsers', False), listLimit)
     deviceFiles = _filterDeviceFiles(cros, selectedLists.get('deviceFiles', False), listLimit, startTime, endTime)
@@ -24350,8 +24407,10 @@ def doPrintCrOSDevices(entityList=None):
       return
     row = {}
     for attrib in cros:
-      if attrib not in {'kind', 'etag', 'tpmVersionInfo', 'recentUsers', 'activeTimeRanges',
-                        'deviceFiles', 'cpuStatusReports', 'diskVolumeReports', 'lastKnownNetwork', 'screenshotFiles', 'systemRamFreeReports'}:
+      if attrib in {'cpuInfo', 'backlightInfo', 'fanInfo'}:
+        flattenJSON({attrib: cros[attrib]}, flattened=row)
+      elif attrib not in {'kind', 'etag', 'diskSpaceUsage', 'osUpdateStatus', 'tpmVersionInfo', 'activeTimeRanges', 'recentUsers',
+                          'deviceFiles', 'cpuStatusReports', 'diskVolumeReports', 'lastKnownNetwork', 'screenshotFiles', 'systemRamFreeReports'}:
         if attrib not in CROS_TIME_OBJECTS:
           row[attrib] = cros[attrib]
         else:
@@ -25888,7 +25947,7 @@ def exitIfChatNotConfigured(chat, kvList, errMsg, i, count):
   if (('No bot associated with this project.' in errMsg) or
       ('Invalid project number.' in errMsg) or
       ('Google Chat app not found.' in errMsg)):
-    systemErrorExit(API_ACCESS_DENIED_RC, Msg.TO_SET_UP_GOOGLE_CHAT.format(setupChatURL(chat)))
+    systemErrorExit(API_ACCESS_DENIED_RC, Msg.TO_SET_UP_GOOGLE_CHAT.format(setupChatURL(chat), GM.Globals[GM.OAUTH2SERVICE_JSON_DATA]['project_id']))
   entityActionFailedWarning(kvList, errMsg, i, count)
 
 def _getChatAdminAccess(adminAPI, userAPI):
@@ -28059,7 +28118,10 @@ def simplifyChromeSchema(schema):
                  'settings': {}
                 }
   fieldDescriptions = schema['fieldDescriptions']
+  savedSettingName = ''
+  savedTypeName = ''
   for mtype in schema['definition']['messageType']:
+    numSettings = len(mtype['field'])
     for setting in mtype['field']:
       setting_name = setting['name']
       setting_dict = {'name': setting_name,
@@ -28067,6 +28129,9 @@ def simplifyChromeSchema(schema):
                       'descriptions':  [],
                       'type': setting['type'],
                      }
+      if mtype['name'] == savedTypeName and numSettings == 1:
+        setting_dict['name'] = savedSettingName
+        savedTypeName = ''
       if setting_dict['type'] == 'TYPE_STRING' and setting.get('label') == 'LABEL_REPEATED':
         setting_dict['type'] = 'TYPE_LIST'
       if setting_dict['type'] == 'TYPE_ENUM':
@@ -28088,6 +28153,8 @@ def simplifyChromeSchema(schema):
                   break
             break
       elif setting_dict['type'] == 'TYPE_MESSAGE':
+        savedSettingName = setting_name
+        savedTypeName = setting['typeName']
         continue
       else:
         setting_dict['enums'] = None
@@ -28193,14 +28260,11 @@ def doDeleteChromePolicy():
     entityActionFailedWarning(kvList, str(e))
 
 CHROME_SCHEMA_SPECIAL_CASES = {
+# duration
   'chrome.users.AutoUpdateCheckPeriodNewV2':
     {'autoupdatecheckperiodminutesnew':
        {'casedField': 'autoUpdateCheckPeriodMinutesNew',
         'type': 'duration', 'minVal': 1, 'maxVal': 720}},
-  'chrome.users.Avatar':
-    {'useravatarimage':
-       {'casedField': 'userAvatarImage',
-        'type': 'downloadUri'}},
   'chrome.users.BrowserSwitcherDelayDurationV2':
     {'browserswitcherdelayduration':
        {'casedField': 'browserSwitcherDelayDuration',
@@ -28242,10 +28306,6 @@ CHROME_SCHEMA_SPECIAL_CASES = {
     {'maxinvalidationfetchdelay':
        {'casedField': 'maxInvalidationFetchDelay',
         'type': 'duration', 'minVal': 1, 'maxVal': 30, 'default': 10}},
-  'chrome.users.PrintingMaxSheetsAllowed':
-    {'printingmaxsheetsallowednullable':
-       {'casedField': 'printingMaxSheetsAllowedNullable',
-        'type': 'value', 'minVal': 1, 'maxVal': None}},
   'chrome.users.PrintJobHistoryExpirationPeriodNewV2':
     {'printjobhistoryexpirationperioddaysnew':
        {'casedField': 'printJobHistoryExpirationPeriodDaysNew',
@@ -28253,7 +28313,16 @@ CHROME_SCHEMA_SPECIAL_CASES = {
   'chrome.users.RelaunchNotificationWithDurationV2':
     {'relaunchnotificationperiodduration':
        {'casedField': 'relaunchNotificationPeriodDuration',
-        'type': 'duration', 'minVal': -1, 'maxVal': None}},
+        'type': 'duration', 'minVal': 1, 'maxVal': 168},
+     'relaunchinitialquietperiodduration':
+       {'casedField': 'relaunchInitialQuietPeriodDuration',
+        'type': 'duration', 'minVal': 0, 'maxVal': None},
+     'relaunchwindowstarttime':
+       {'casedField': 'relaunchWindowStartTime',
+        'type': 'timeOfDay'},
+     'relaunchwindowdurationmin':
+       {'casedField': 'relaunchWindowDurationMin',
+        'type': 'duration', 'minVal': 1, 'maxVal': 1440}},
   'chrome.users.SecurityTokenSessionSettingsV2':
     {'securitytokensessionnotificationseconds':
        {'casedField': 'securityTokenSessionNotificationSeconds',
@@ -28269,10 +28338,6 @@ CHROME_SCHEMA_SPECIAL_CASES = {
      'updatessuppressedstarttime':
        {'casedField': 'updatesSuppressedStartTime',
         'type': 'timeOfDay'}},
-  'chrome.users.Wallpaper':
-    {'wallpaperimage':
-       {'casedField': 'wallpaperImage',
-        'type': 'downloadUri'}},
   'chrome.devices.EnableReportUploadFrequencyV2':
     {'reportdeviceuploadfrequency':
        {'casedField': 'reportDeviceUploadFrequency',
@@ -28281,10 +28346,6 @@ CHROME_SCHEMA_SPECIAL_CASES = {
     {'uptimelimitduration':
        {'casedField': 'uptimeLimitDuration',
         'type': 'duration', 'minVal': 1, 'maxVal': 365}},
-  'chrome.devices.SignInWallpaperImage':
-    {'devicewallpaperimage':
-       {'casedField': 'deviceWallpaperImage',
-        'type': 'downloadUri'}},
   'chrome.devices.kiosk.AcPowerSettingsV2':
     {'acidletimeout':
        {'casedField': 'acIdleTimeout',
@@ -28311,10 +28372,6 @@ CHROME_SCHEMA_SPECIAL_CASES = {
      'batteryscreenofftimeout':
        {'casedField': 'batteryScreenOffTimeout',
         'type': 'duration', 'minVal': 0, 'maxVal': 35000}},
-  'chrome.devices.managedguest.Avatar':
-    {'useravatarimage':
-       {'casedField': 'userAvatarImage',
-        'type': 'downloadUri'}},
   'chrome.devices.managedguest.BrowsingDataLifetimeV2':
     {'browsinghistoryttl':
        {'casedField': 'browsingHistoryTtl',
@@ -28356,6 +28413,56 @@ CHROME_SCHEMA_SPECIAL_CASES = {
     {'sessiondurationlimit':
        {'casedField': 'sessionDurationLimit',
         'type': 'duration', 'minVal': 1, 'maxVal': 1440}},
+# value
+  'chrome.users.GaiaLockScreenOfflineSigninTimeLimitDays':
+    {'gaialockscreenofflinesignintimelimitdays':
+       {'casedField': 'gaiaLockScreenOfflineSigninTimeLimitDays',
+        'type': 'value', 'minVal': 0, 'maxVal': 365}},
+  'chrome.users.GaiaOfflineSigninTimeLimitDays':
+    {'gaiaofflinesignintimelimitdays':
+       {'casedField': 'gaiaOfflineSigninTimeLimitDays',
+        'type': 'value', 'minVal': 0, 'maxVal': 365}},
+  'chrome.users.PrintingMaxSheetsAllowed':
+    {'printingmaxsheetsallowednullable':
+       {'casedField': 'printingMaxSheetsAllowedNullable',
+        'type': 'value', 'minVal': 1, 'maxVal': None}},
+  'chrome.users.RemoteAccessHostClipboardSizeBytes':
+    {'remoteaccesshostclipboardsizebytes':
+       {'casedField': 'remoteAccessHostClipboardSizeBytes',
+        'type': 'value', 'minVal': 0, 'maxVal': 2147483647}},
+  'chrome.users.SamlLockScreenOfflineSigninTimeLimitDays':
+    {'samllockscreenofflinesignintimelimitdays':
+       {'casedField': 'samlLockScreenOfflineSigninTimeLimitDays',
+        'type': 'value', 'minVal': 0, 'maxVal': 365}},
+  'chrome.devices.ExtensionCacheSize':
+    {'extensioncachesize':
+       {'casedField': 'extensionCacheSize',
+        'type': 'value', 'minVal': 1048576, 'maxVal': None, 'default': 268435456}},
+  'chrome.devices.managedguest.PrintingMaxSheetsAllowed':
+    {'printingmaxsheetsallowednullable':
+       {'casedField': 'printingMaxSheetsAllowedNullable',
+        'type': 'value', 'minVal': 1, 'maxVal': None}},
+  'chrome.devices.managedguest.RemoteAccessHostClipboardSizeBytes':
+    {'remoteaccesshostclipboardsizebytes':
+       {'casedField': 'remoteAccessHostClipboardSizeBytes',
+        'type': 'value', 'minVal': 0, 'maxVal': 2147483647}},
+# downloadUri
+  'chrome.users.Avatar':
+    {'useravatarimage':
+       {'casedField': 'userAvatarImage',
+        'type': 'downloadUri'}},
+  'chrome.users.Wallpaper':
+    {'wallpaperimage':
+       {'casedField': 'wallpaperImage',
+        'type': 'downloadUri'}},
+  'chrome.devices.SignInWallpaperImage':
+    {'devicewallpaperimage':
+       {'casedField': 'deviceWallpaperImage',
+        'type': 'downloadUri'}},
+  'chrome.devices.managedguest.Avatar':
+    {'useravatarimage':
+       {'casedField': 'userAvatarImage',
+        'type': 'downloadUri'}},
   'chrome.devices.managedguest.Wallpaper':
     {'wallpaperimage':
        {'casedField': 'wallpaperImage',
@@ -28377,7 +28484,7 @@ def doUpdateChromePolicy():
       return value
     #if vtype == timeOfDay:
     hours, minutes = value.split(':')
-    return {vtype: {'hours': hours, 'minutes': minutes}}
+    return {vtype: {'hours': int(hours), 'minutes': int(minutes)}}
 
   cp = buildGAPIObject(API.CHROMEPOLICY)
   cd = buildGAPIObject(API.DIRECTORY)
@@ -28833,7 +28940,7 @@ def _showChromePolicySchema(schema, FJQC, i=0, count=0):
     return
   printEntity([Ent.CHROME_POLICY_SCHEMA, schema['name']], i, count)
   Ind.Increment()
-  showJSON(None, schema)
+  showJSON(None, schema, dictObjectsKey={'messageType': 'name', 'field': 'name', 'fieldDescriptions': 'field'})
   Ind.Decrement()
 
 CHROME_POLICY_SCHEMA_FIELDS_CHOICE_MAP = {
@@ -28856,6 +28963,9 @@ CHROME_POLICY_SCHEMA_FIELDS_CHOICE_MAP = {
 #	[formatjson]
 def doInfoChromePolicySchemas():
   cp = buildGAPIObject(API.CHROMEPOLICY)
+  if checkArgumentPresent('std'):
+    doInfoChromePolicySchemasStd(cp)
+    return
   FJQC = FormatJSONQuoteChar()
   fieldsList = []
   name = _getChromePolicySchemaName()
@@ -28884,7 +28994,7 @@ def doInfoChromePolicySchemas():
 #	[filter <String>]
 #	<ChromePolicySchemaFieldName>* [fields <ChromePolicySchemaFieldNameList>]
 #	[[formatjson [quotechar <Character>]]
-def doPrintShowChromeSchemas():
+def doPrintShowChromePolicySchemas():
   def _printChromePolicySchema(schema):
     row = flattenJSON(schema)
     if not FJQC.formatJSON:
@@ -28898,10 +29008,12 @@ def doPrintShowChromeSchemas():
       row['JSON'] = json.dumps(cleanJSON(schema), ensure_ascii=False, sort_keys=True)
       csvPF.WriteRowNoFilter(row)
 
-  if checkArgumentPresent('std'):
-    doShowChromeSchemasStd()
-    return
   cp = buildGAPIObject(API.CHROMEPOLICY)
+  if checkArgumentPresent('std'):
+    if not Act.csvFormat():
+      doShowChromePolicySchemasStd(cp)
+      return
+    unknownArgumentExit()
   parent = _getCustomersCustomerIdWithC()
   csvPF = CSVPrintFile(['name', 'schemaName', 'policyDescription',
                         'policyApiLifecycle.policyApiLifecycleStage',
@@ -28961,9 +29073,51 @@ def doPrintShowChromeSchemas():
   if csvPF:
     csvPF.writeCSVfile('Chrome Policy Schemas')
 
+def _showChromePolicySchemaStd(schema):
+  printKeyValueList([f'{schema.get("name")}', f'{schema.get("description")}'])
+  Ind.Increment()
+  for val in schema['settings'].values():
+    vtype = val.get('type')
+    printKeyValueList([f'{val.get("name")}', f'{vtype}'])
+    Ind.Increment()
+    if vtype == 'TYPE_ENUM':
+      enums = val.get('enums', [])
+      descriptions = val.get('descriptions', [])
+      for i in range(len(val.get('enums', []))):
+        printKeyValueList([f'{enums[i]}', f'{descriptions[i]}'])
+    elif vtype == 'TYPE_BOOL':
+      pvs = val.get('descriptions')
+      for pvi in pvs:
+        if isinstance(pvi, dict):
+          pvalue = pvi.get('value')
+          pdescription = pvi.get('description')
+          printKeyValueList([f'{pvalue}', f'{pdescription}'])
+        elif isinstance(pvi, list):
+          printKeyValueList([f'{pvi[0]}'])
+    else:
+      description = val.get('descriptions')
+      if len(description) > 0:
+        printKeyValueList([f'{description[0]}'])
+    Ind.Decrement()
+  Ind.Decrement()
+
+# gam info chromeschema std <SchemaName>
+def doInfoChromePolicySchemasStd(cp):
+  name = _getChromePolicySchemaName()
+  checkForExtraneousArguments()
+  try:
+    schema = callGAPI(cp.customers().policySchemas(), 'get',
+                      throwReasons=[GAPI.NOT_FOUND, GAPI.BAD_REQUEST, GAPI.FORBIDDEN],
+                      name=name)
+    _, schema_dict = simplifyChromeSchema(schema)
+    _showChromePolicySchemaStd(schema_dict)
+  except GAPI.notFound:
+    entityUnknownWarning(Ent.CHROME_POLICY_SCHEMA, name)
+  except (GAPI.badRequest, GAPI.forbidden):
+    accessErrorExit(None)
+
 # gam show chromeschemas std [filter <String>]
-def doShowChromeSchemasStd():
-  cp = buildGAPIObject(API.CHROMEPOLICY)
+def doShowChromePolicySchemasStd(cp):
   sfilter = None
   while Cmd.ArgumentsRemaining():
     myarg = getArgument()
@@ -28979,33 +29133,8 @@ def doShowChromeSchemasStd():
   for schema in result:
     schema_name, schema_dict = simplifyChromeSchema(schema)
     schemas[schema_name.lower()] = schema_dict
-  for _, value in sorted(iter(schemas.items())):
-    printKeyValueList([f'{value.get("name")}', f'{value.get("description")}'])
-    Ind.Increment()
-    for val in value['settings'].values():
-      vtype = val.get('type')
-      printKeyValueList([f'{val.get("name")}', f'{vtype}'])
-      Ind.Increment()
-      if vtype == 'TYPE_ENUM':
-        enums = val.get('enums', [])
-        descriptions = val.get('descriptions', [])
-        for i in range(len(val.get('enums', []))):
-          printKeyValueList([f'{enums[i]}', f'{descriptions[i]}'])
-      elif vtype == 'TYPE_BOOL':
-        pvs = val.get('descriptions')
-        for pvi in pvs:
-          if isinstance(pvi, dict):
-            pvalue = pvi.get('value')
-            pdescription = pvi.get('description')
-            printKeyValueList([f'{pvalue}', f'{pdescription}'])
-          elif isinstance(pvi, list):
-            printKeyValueList([f'{pvi[0]}'])
-      else:
-        description = val.get('descriptions')
-        if len(description) > 0:
-          printKeyValueList([f'{description[0]}'])
-      Ind.Decrement()
-    Ind.Decrement()
+  for _, schema in sorted(iter(schemas.items())):
+    _showChromePolicySchemaStd(schema)
     printBlankLine()
 
 # gam create chromenetwork
@@ -29565,7 +29694,7 @@ DEVICE_ORDERBY_CHOICE_MAP = {
 #	<DeviceFieldName>* [fields <DeviceFieldNameList>] [userfields <DeviceUserFieldNameList>]
 #	[orderby <DeviceOrderByFieldName> [ascending|descending]]
 #	[all|company|personal|nocompanydevices|nopersonaldevices]
-#	[nodeviceusers]
+#	[nodeviceusers|oneuserperrow]
 #	[formatjson [quotechar <Character>]]
 # 	[showitemcountonly]
 def doPrintCIDevices():
@@ -29581,7 +29710,7 @@ def doPrintCIDevices():
   queries = [None]
   view, entityType = DEVICE_VIEW_CHOICE_MAP['all']
   getDeviceUsers = True
-  showItemCountOnly = False
+  oneUserPerRow = showItemCountOnly = False
   while Cmd.ArgumentsRemaining():
     myarg = getArgument()
     if csvPF and myarg == 'todrive':
@@ -29596,6 +29725,8 @@ def doPrintCIDevices():
       view, entityType = DEVICE_VIEW_CHOICE_MAP[myarg]
     elif myarg == 'nodeviceusers':
       getDeviceUsers = False
+    elif myarg in {'oneuserperrow', 'oneitemperrow'}:
+      getDeviceUsers = oneUserPerRow = True
     elif getFieldsList(myarg, DEVICE_FIELDS_CHOICE_MAP, fieldsList, initialField='name'):
       pass
     elif getFieldsList(myarg, DEVICEUSER_FIELDS_CHOICE_MAP, userFieldsList, initialField='name', fieldsArg='userfields'):
@@ -29609,6 +29740,8 @@ def doPrintCIDevices():
   fields = getItemFieldsFromFieldsList('devices', fieldsList)
   userFields = getItemFieldsFromFieldsList('deviceUsers', userFieldsList)
   substituteQueryTimes(queries, queryTimes)
+  if FJQC.formatJSON and oneUserPerRow:
+    csvPF.SetJSONTitles(['name', 'user.name', 'JSON'])
   itemCount = 0
   for query in queries:
     printGettingAllAccountEntities(entityType, query)
@@ -29650,13 +29783,26 @@ def doPrintCIDevices():
       except (GAPI.invalid, GAPI.invalidArgument, GAPI.permissionDenied) as e:
         entityActionFailedWarning([entityType, None], str(e))
     for device in devices:
-      row = flattenJSON(device, timeObjects=DEVICE_TIME_OBJECTS)
-      if not FJQC.formatJSON:
-        csvPF.WriteRowTitles(row)
-      elif csvPF.CheckRowTitles(row):
-        csvPF.WriteRowNoFilter({'name': device['name'],
-                                'JSON': json.dumps(cleanJSON(device, timeObjects=DEVICE_TIME_OBJECTS),
-                                                   ensure_ascii=False, sort_keys=True)})
+      if not oneUserPerRow or 'users' not in device:
+        row = flattenJSON(device, timeObjects=DEVICE_TIME_OBJECTS)
+        if not FJQC.formatJSON:
+          csvPF.WriteRowTitles(row)
+        elif csvPF.CheckRowTitles(row):
+          csvPF.WriteRowNoFilter({'name': device['name'],
+                                  'JSON': json.dumps(cleanJSON(device, timeObjects=DEVICE_TIME_OBJECTS),
+                                                     ensure_ascii=False, sort_keys=True)})
+      else:
+        deviceUsers = device.pop('users')
+        baserow = flattenJSON(device, timeObjects=DEVICE_TIME_OBJECTS)
+        for deviceUser in deviceUsers:
+          row = flattenJSON({'user': deviceUser}, flattened=baserow.copy(), timeObjects=DEVICE_TIME_OBJECTS)
+          if not FJQC.formatJSON:
+            csvPF.WriteRowTitles(row)
+          elif csvPF.CheckRowTitles(row):
+            device['user'] = deviceUser
+            csvPF.WriteRowNoFilter({'name': device['name'], 'user.name': deviceUser['name'],
+                                    'JSON': json.dumps(cleanJSON(device, timeObjects=DEVICE_TIME_OBJECTS),
+                                                       ensure_ascii=False, sort_keys=True)})
   if showItemCountOnly:
     writeStdout(f'{itemCount}\n')
     return
@@ -51449,6 +51595,9 @@ def getStatusEventDateTime(dateType, dateList):
   if dateType == 'timerange':
     startTime = getTimeOrDeltaFromNow(returnDateTime=True)[0]
     endTime = getTimeOrDeltaFromNow(returnDateTime=True)[0]
+    if startTime >= endTime:
+      Cmd.Backup()
+      usageErrorExit(Msg.INVALID_EVENT_TIMERANGE.format(dateType, startTime, endTime))
     recurrence = []
     while checkArgumentPresent(['recurrence']):
       recurrence.append(getString(Cmd.OB_RECURRENCE))
@@ -57220,6 +57369,7 @@ def printDiskUsage(users):
             topFolder['path'] = f'{SHARED_DRIVES}{pathDelimiter}{topFolder["name"]}'
           else:
             topFolder['path'] = topFolder['name']
+          topFolder.pop('ownedByMe', None)
         elif topFolder['name'] == MY_DRIVE and not topFolder.get('parents'):
           topFolder['path'] = MY_DRIVE
         else:
@@ -57230,7 +57380,6 @@ def printDiskUsage(users):
           if owners:
             topFolder['Owner'] = owners[0].get('emailAddress', 'Unknown')
             trashFolder['Owner'] = topFolder['Owner']
-        topFolder.pop('ownedByMe', None)
         topFolder.pop('parents', None)
         topFolder.update(zeroFolderInfo)
         topFolder.pop(sizeField, None)
@@ -58677,7 +58826,7 @@ def initCopyMoveOptions(copyCmd):
     'showPermissionMessages': False,
     'sendEmailIfRequired': False,
     'useDomainAdminAccess': False,
-    'enforceExpansiveAccess': False,
+    'enforceExpansiveAccess': GC.Values[GC.ENFORCE_EXPANSIVE_ACCESS],
     'copiedShortcutsPointToCopiedFiles': True,
     'createShortcutsForNonmovableFiles': False,
     'duplicateFiles': DUPLICATE_FILE_OVERWRITE_OLDER,
@@ -62057,7 +62206,8 @@ def transferDrive(users):
   targetUserFolderPattern = '#user# old files'
   targetUserOrphansFolderPattern = '#user# orphaned files'
   targetIds = [None, None]
-  createShortcutsForNonmovableFiles = enforceExpansiveAccess = False
+  createShortcutsForNonmovableFiles = False
+  enforceExpansiveAccess = GC.Values[GC.ENFORCE_EXPANSIVE_ACCESS]
   mergeWithTarget = False
   thirdPartyOwners = {}
   skipFileIdEntity = initDriveFileEntity()
@@ -62363,7 +62513,8 @@ def transferOwnership(users):
   body = {}
   newOwner = getEmailAddress()
   OBY = OrderBy(DRIVEFILE_ORDERBY_CHOICE_MAP)
-  changeParents = enforceExpansiveAccess = filepath = includeTrashed = noRecursion = False
+  changeParents = filepath = includeTrashed = noRecursion = False
+  enforceExpansiveAccess = GC.Values[GC.ENFORCE_EXPANSIVE_ACCESS]
   pathDelimiter = '/'
   csvPF = fileTree = None
   addParents = ''
@@ -62689,7 +62840,8 @@ def claimOwnership(users):
   onlyOwners = set()
   skipOwners = set()
   subdomains = []
-  enforceExpansiveAccess = filepath = includeTrashed = False
+  filepath = includeTrashed = False
+  enforceExpansiveAccess = GC.Values[GC.ENFORCE_EXPANSIVE_ACCESS]
   pathDelimiter = '/'
   addParents = ''
   parentBody = {}
@@ -63464,7 +63616,7 @@ def doCreateDriveFileACL():
 def updateDriveFileACLs(users, useDomainAdminAccess=False):
   fileIdEntity = getDriveFileEntity()
   isEmail, permissionId = getPermissionId()
-  enforceExpansiveAccess = None
+  enforceExpansiveAccess = GC.Values[GC.ENFORCE_EXPANSIVE_ACCESS]
   removeExpiration = showTitles = updateSheetProtectedRanges = False
   showDetails = True
   csvPF = None
@@ -63502,9 +63654,6 @@ def updateDriveFileACLs(users, useDomainAdminAccess=False):
   _checkFileIdEntityDomainAccess(fileIdEntity, useDomainAdminAccess)
   if 'role' not in body:
     missingArgumentExit(f'role {formatChoiceList(DRIVEFILE_ACL_ROLES_MAP)}')
-  updateKwargs = {'useDomainAdminAccess': useDomainAdminAccess}
-  if enforceExpansiveAccess is not None:
-    updateKwargs['enforceExpansiveAccess'] = enforceExpansiveAccess
   printKeys, timeObjects = _getDriveFileACLPrintKeysTimeObjects()
   if csvPF and showTitles:
     csvPF.AddTitles(fileNameTitle)
@@ -63542,7 +63691,7 @@ def updateDriveFileACLs(users, useDomainAdminAccess=False):
         permission = callGAPI(drive.permissions(), 'update',
                               bailOnInternalError=True,
                               throwReasons=GAPI.DRIVE_ACCESS_THROW_REASONS+GAPI.DRIVE3_UPDATE_ACL_THROW_REASONS+[GAPI.FILE_NEVER_WRITABLE],
-                              **updateKwargs,
+                              useDomainAdminAccess=useDomainAdminAccess, enforceExpansiveAccess=enforceExpansiveAccess,
                               fileId=fileId, permissionId=permissionId, removeExpiration=removeExpiration,
                               transferOwnership=body.get('role', '') == 'owner', body=body, fields='*', supportsAllDrives=True)
         if updateSheetProtectedRanges and mimeType == MIMETYPE_GA_SPREADSHEET:
@@ -63793,7 +63942,7 @@ def doCreatePermissions():
 def deleteDriveFileACLs(users, useDomainAdminAccess=False):
   fileIdEntity = getDriveFileEntity()
   isEmail, permissionId = getPermissionId()
-  enforceExpansiveAccess = None
+  enforceExpansiveAccess = GC.Values[GC.ENFORCE_EXPANSIVE_ACCESS]
   showTitles = updateSheetProtectedRanges = False
   while Cmd.ArgumentsRemaining():
     myarg = getArgument()
@@ -63808,9 +63957,6 @@ def deleteDriveFileACLs(users, useDomainAdminAccess=False):
     else:
       unknownArgumentExit()
   _checkFileIdEntityDomainAccess(fileIdEntity, useDomainAdminAccess)
-  deleteKwargs = {'useDomainAdminAccess': useDomainAdminAccess}
-  if enforceExpansiveAccess is not None:
-    deleteKwargs['enforceExpansiveAccess'] = enforceExpansiveAccess
   i, count, users = getEntityArgument(users)
   for user in users:
     i += 1
@@ -63843,7 +63989,7 @@ def deleteDriveFileACLs(users, useDomainAdminAccess=False):
                 break
         callGAPI(drive.permissions(), 'delete',
                  throwReasons=GAPI.DRIVE_ACCESS_THROW_REASONS+GAPI.DRIVE3_DELETE_ACL_THROW_REASONS+[GAPI.FILE_NEVER_WRITABLE],
-                 **deleteKwargs,
+                 useDomainAdminAccess=useDomainAdminAccess, enforceExpansiveAccess=enforceExpansiveAccess,
                  fileId=fileId, permissionId=permissionId, supportsAllDrives=True)
         entityActionPerformed([Ent.USER, user, entityType, fileName, Ent.PERMISSION_ID, permissionId], j, jcount)
         if updateSheetProtectedRanges and mimeType == MIMETYPE_GA_SPREADSHEET:
@@ -63922,7 +64068,7 @@ def deletePermissions(users, useDomainAdminAccess=False):
     jsonData = getJSON([])
     PM = PermissionMatch()
     PM.SetDefaultMatch(False, {'role': 'owner'})
-  enforceExpansiveAccess = False
+  enforceExpansiveAccess = GC.Values[GC.ENFORCE_EXPANSIVE_ACCESS]
   while Cmd.ArgumentsRemaining():
     myarg = getArgument()
     if myarg in ADMIN_ACCESS_OPTIONS:
@@ -66011,6 +66157,195 @@ def printShowSharedDriveACLs(users, useDomainAdminAccess=False):
 def doPrintShowSharedDriveACLs():
   printShowSharedDriveACLs([_getAdminEmail()], True)
 
+PRINT_ORGANIZER_TYPES = {'group', 'user'}
+
+# gam [<UserTypeEntity>] print shareddriveorganizers [todrive <ToDriveAttribute>*]
+#	[adminaccess|asadmin]
+#	[(shareddriveadminquery|query <QuerySharedDrive>) |
+#	 (shareddrives|teamdrives (<SharedDriveIDList>|(select <FileSelector>|<CSVFileSelector>)))]
+#	[matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
+#	[domainlist <DomainList>]
+#	[includetypes user|group]
+#	[oneorganizer [<Boolean>]]
+#	[shownorganizerdrives false|true|only]
+#	[includefileorganizers [<Boolean>]]
+#	[delimiter <Character>]
+def printSharedDriveOrganizers(users, useDomainAdminAccess=False):
+  csvPF = CSVPrintFile(['id', 'name', 'organizers', 'createdTime'], 'sortall')
+  delimiter = GC.Values[GC.CSV_OUTPUT_FIELD_DELIMITER]
+  roles = set(['organizer'])
+  includeTypes = set()
+  showNoOrganizerDrives = SHOW_NO_PERMISSIONS_DRIVES_CHOICE_MAP['false']
+  fieldsList = ['role', 'type', 'emailAddress']
+  cd = entityList = orgUnitId = query = matchPattern = None
+  domainList = set()
+  if GC.Values[GC.DOMAIN]:
+    domainList.add(GC.Values[GC.DOMAIN])
+  else:
+    domainList.add(GM.Globals[GM.DECODED_ID_TOKEN].get('hd', 'UNKNOWN').lower())
+  oneOrganizer = True
+  while Cmd.ArgumentsRemaining():
+    myarg = getArgument()
+    if csvPF and myarg == 'todrive':
+      csvPF.GetTodriveParameters()
+    elif myarg == 'delimiter':
+      delimiter = getCharacter()
+    elif myarg in {'shareddrive', 'shareddrives', 'teamdrive', 'teamdrives'}:
+      sharedDriveArg = myarg
+      itemList = getString(Cmd.OB_SHAREDDRIVE_ID_LIST)
+      if itemList != 'select':
+        entityList =  itemList.replace(',', ' ').split()
+      else:
+        entityList = getEntityList(Cmd.OB_SHAREDDRIVE_ID_LIST)
+    elif myarg in {'teamdriveadminquery', 'shareddriveadminquery', 'query'}:
+      queryArg = myarg
+      queryLocation = Cmd.Location()
+      query = getString(Cmd.OB_QUERY, minLen=0) or None
+      if query:
+        query = mapQueryRelativeTimes(query, ['createdTime'])
+    elif myarg == 'matchname':
+      matchPattern = getREPattern(re.IGNORECASE)
+    elif myarg in {'ou', 'org', 'orgunit'}:
+      orgLocation = Cmd.Location()
+      if cd is None:
+        cd = buildGAPIObject(API.DIRECTORY)
+      orgUnitPath, orgUnitId = getOrgUnitId(cd)
+      orgUnitId = orgUnitId[3:]
+      orgUnitInfo = {'orgUnit': orgUnitPath, 'orgUnitId': orgUnitId}
+    elif myarg in ADMIN_ACCESS_OPTIONS:
+      useDomainAdminAccess = True
+    elif myarg == 'domainlist':
+      domainList = set(getString(Cmd.OB_DOMAIN_NAME_LIST, minLen=0).replace(',', ' ').lower().split())
+    elif myarg == 'includetypes':
+      for itype in getString(Cmd.OB_ORGANIZER_TYPE_LIST).lower().replace(',', ' ').split():
+        if itype in PRINT_ORGANIZER_TYPES:
+          includeTypes.add(itype)
+        else:
+          invalidChoiceExit(itype, PRINT_ORGANIZER_TYPES, True)
+    elif myarg == 'oneorganizer':
+      oneOrganizer = getBoolean()
+    elif myarg == 'shownoorganizerdrives':
+      showNoOrganizerDrives = getChoice(SHOW_NO_PERMISSIONS_DRIVES_CHOICE_MAP, defaultChoice=1, mapChoice=True)
+    elif myarg in {'includefileorganizers', 'includecontentmanagers'}:
+      if getBoolean():
+        roles.add('fileOrganizer')
+    else:
+      unknownArgumentExit()
+  if query:
+    if not useDomainAdminAccess:
+      Cmd.SetLocation(queryLocation-1)
+      usageErrorExit(Msg.ONLY_ADMINISTRATORS_CAN_PERFORM_SHARED_DRIVE_QUERIES)
+    if entityList:
+      Cmd.SetLocation(queryLocation-1)
+      usageErrorExit(Msg.ARE_MUTUALLY_EXCLUSIVE.format(queryArg, sharedDriveArg))
+  if orgUnitId is not None:
+    if not useDomainAdminAccess:
+      Cmd.SetLocation(orgLocation-1)
+      usageErrorExit(Msg.ONLY_ADMINISTRATORS_CAN_SPECIFY_SHARED_DRIVE_ORGUNIT)
+    csvPF.AddTitles(['orgUnit', 'orgUnitId'])
+  if not includeTypes:
+    includeTypes = set(['user'])
+  fields = getItemFieldsFromFieldsList('permissions', fieldsList, True)
+  i, count, users = getEntityArgument(users)
+  for user in users:
+    i += 1
+    user, drive = buildGAPIServiceObject(API.DRIVE3, user, i, count)
+    if not drive:
+      continue
+    if entityList is None:
+      if useDomainAdminAccess:
+        printGettingAllAccountEntities(Ent.SHAREDDRIVE, query)
+        pageMessage = getPageMessage()
+      else:
+        printGettingAllEntityItemsForWhom(Ent.SHAREDDRIVE, user, i, count, query)
+        pageMessage = getPageMessageForWhom()
+      try:
+        feed = callGAPIpages(drive.drives(), 'list', 'drives',
+                             pageMessage=pageMessage,
+                             throwReasons=GAPI.DRIVE_USER_THROW_REASONS+[GAPI.INVALID_QUERY, GAPI.INVALID,
+                                                                         GAPI.QUERY_REQUIRES_ADMIN_CREDENTIALS,
+                                                                         GAPI.NO_LIST_TEAMDRIVES_ADMINISTRATOR_PRIVILEGE,
+                                                                         GAPI.FILE_NOT_FOUND],
+                             q=query, useDomainAdminAccess=useDomainAdminAccess,
+                             fields='nextPageToken,drives(id,name,createdTime,orgUnitId)', pageSize=100)
+      except (GAPI.invalidQuery, GAPI.invalid, GAPI.queryRequiresAdminCredentials,
+              GAPI.noListTeamDrivesAdministratorPrivilege, GAPI.fileNotFound) as e:
+        entityActionFailedWarning([Ent.USER, user, Ent.SHAREDDRIVE, None], str(e), i, count)
+        continue
+      except (GAPI.serviceNotAvailable, GAPI.authError, GAPI.domainPolicy) as e:
+        userDriveServiceNotEnabledWarning(user, str(e), i, count)
+        continue
+    else:
+      feed = []
+      jcount = len(entityList)
+      j = 0
+      for driveId in entityList:
+        j +=1
+        try:
+          feed.append(callGAPI(drive.drives(), 'get',
+                               throwReasons=GAPI.DRIVE_USER_THROW_REASONS+[GAPI.NOT_FOUND],
+                               useDomainAdminAccess=useDomainAdminAccess,
+                               driveId=driveId, fields='id,name,createdTime,orgUnitId'))
+        except (GAPI.fileNotFound, GAPI.notFound) as e:
+          entityActionNotPerformedWarning([Ent.USER, user, Ent.SHAREDDRIVE_ID, driveId], str(e), j, jcount)
+          continue
+        except (GAPI.serviceNotAvailable, GAPI.authError, GAPI.domainPolicy) as e:
+          userDriveServiceNotEnabledWarning(user, str(e), i, count)
+          break
+    matchFeed = []
+    jcount = len(feed)
+    j = 0
+    for shareddrive in feed:
+      j += 1
+      if ((matchPattern is not None and matchPattern.match(shareddrive['name']) is None) or
+          (orgUnitId is not None and orgUnitId != shareddrive.get('orgUnitId'))):
+        continue
+      printGettingAllEntityItemsForWhom(Ent.PERMISSION, shareddrive['name'], j, jcount)
+      shareddrive['createdTime'] = formatLocalTime(shareddrive['createdTime'])
+      shareddrive['organizers'] = []
+      try:
+        permissions = callGAPIpages(drive.permissions(), 'list', 'permissions',
+                                    pageMessage=getPageMessageForWhom(),
+                                    throwReasons=GAPI.DRIVE3_GET_ACL_REASONS,
+                                    retryReasons=GAPI.SERVICE_NOT_AVAILABLE_RETRY_REASONS,
+                                    useDomainAdminAccess=useDomainAdminAccess,
+                                    fileId=shareddrive['id'], fields=fields, supportsAllDrives=True)
+        for permission in permissions:
+          if permission['type'] in includeTypes and permission['role'] in roles and permission.get('emailAddress', ''):
+            if domainList:
+              _, domain = permission['emailAddress'].lower().split('@', 1)
+              if domain not in domainList:
+                continue
+            shareddrive['organizers'].append(permission['emailAddress'])
+            if oneOrganizer:
+              break
+        if not shareddrive['organizers']:
+          if showNoOrganizerDrives == 0: # no organizers and showNoOrganizerDrives False - ignore
+            continue
+          matchFeed.append(shareddrive) # no organizers and showNoOrganizerDrives Only/True - keep
+          continue
+        if showNoOrganizerDrives < 0: # organizers and showNoOrganizerDrives Only/True - ignore
+          continue
+        matchFeed.append(shareddrive)
+      except (GAPI.fileNotFound, GAPI.forbidden, GAPI.internalError,
+              GAPI.insufficientAdministratorPrivileges, GAPI.insufficientFilePermissions,
+              GAPI.unknownError, GAPI.invalid):
+        pass
+    if len(matchFeed) == 0:
+      setSysExitRC(NO_ENTITIES_FOUND_RC)
+    for shareddrive in matchFeed:
+      row = {'id': shareddrive['id'], 'name': shareddrive['name'],
+             'organizers': delimiter.join(shareddrive['organizers']),
+             'createdTime': shareddrive['createdTime']}
+      if orgUnitId:
+        row.update(orgUnitInfo)
+      csvPF.WriteRowTitles(row)
+  if csvPF:
+    csvPF.writeCSVfile('SharedDrive Organizers')
+
+def doPrintSharedDriveOrganizers():
+  printSharedDriveOrganizers([_getAdminEmail()], True)
+
 LOOKERSTUDIO_ASSETTYPE_CHOICE_MAP = {
   'report': ['REPORT'],
   'datasource': ['DATA_SOURCE'],
@@ -75843,7 +76178,7 @@ MAIN_COMMANDS_WITH_OBJECTS = {
       Cmd.ARG_CHROMENEEDSATTN:	doPrintShowChromeNeedsAttn,
       Cmd.ARG_CHROMEPOLICY:	doPrintShowChromePolicies,
       Cmd.ARG_CHROMEPROFILE:	doPrintShowChromeProfiles,
-      Cmd.ARG_CHROMESCHEMA:	doPrintShowChromeSchemas,
+      Cmd.ARG_CHROMESCHEMA:	doPrintShowChromePolicySchemas,
       Cmd.ARG_CHROMESNVALIDITY:	doPrintChromeSnValidity,
       Cmd.ARG_CHROMEVERSIONS:	doPrintShowChromeVersions,
       Cmd.ARG_CIGROUP:		doPrintCIGroups,
@@ -75897,6 +76232,7 @@ MAIN_COMMANDS_WITH_OBJECTS = {
       Cmd.ARG_SCHEMA:		doPrintShowUserSchemas,
       Cmd.ARG_SHAREDDRIVE:	doPrintShowSharedDrives,
       Cmd.ARG_SHAREDDRIVEACLS:	doPrintShowSharedDriveACLs,
+      Cmd.ARG_SHAREDDRIVEORGANIZERS:	doPrintSharedDriveOrganizers,
       Cmd.ARG_SITE:		deprecatedDomainSites,
       Cmd.ARG_SITEACL:		deprecatedDomainSites,
       Cmd.ARG_SITEACTIVITY:	deprecatedDomainSites,
@@ -75974,7 +76310,7 @@ MAIN_COMMANDS_WITH_OBJECTS = {
       Cmd.ARG_CHROMENEEDSATTN:	doPrintShowChromeNeedsAttn,
       Cmd.ARG_CHROMEPOLICY:	doPrintShowChromePolicies,
       Cmd.ARG_CHROMEPROFILE:	doPrintShowChromeProfiles,
-      Cmd.ARG_CHROMESCHEMA:	doPrintShowChromeSchemas,
+      Cmd.ARG_CHROMESCHEMA:	doPrintShowChromePolicySchemas,
       Cmd.ARG_CHROMEVERSIONS:	doPrintShowChromeVersions,
       Cmd.ARG_CIGROUPMEMBERS:	doShowCIGroupMembers,
       Cmd.ARG_CIPOLICY:		doPrintShowCIPolicies,
@@ -76245,6 +76581,7 @@ MAIN_COMMANDS_OBJ_ALIASES = {
   Cmd.ARG_TEAMDRIVES:		Cmd.ARG_SHAREDDRIVE,
   Cmd.ARG_TEAMDRIVEACLS:	Cmd.ARG_SHAREDDRIVEACLS,
   Cmd.ARG_TEAMDRIVEINFO:	Cmd.ARG_SHAREDDRIVEINFO,
+  Cmd.ARG_TEAMDRIVEORGANIZERS:	Cmd.ARG_SHAREDDRIVEORGANIZERS,
   Cmd.ARG_TEAMDRIVETHEMES:	Cmd.ARG_SHAREDDRIVETHEMES,
   Cmd.ARG_TOKENS:		Cmd.ARG_TOKEN,
   Cmd.ARG_TRANSFER:		Cmd.ARG_DATATRANSFER,
@@ -76937,6 +77274,7 @@ USER_COMMANDS_WITH_OBJECTS = {
       Cmd.ARG_SENDAS:		printShowSendAs,
       Cmd.ARG_SHAREDDRIVE:	printShowSharedDrives,
       Cmd.ARG_SHAREDDRIVEACLS:	printShowSharedDriveACLs,
+      Cmd.ARG_SHAREDDRIVEORGANIZERS:	printSharedDriveOrganizers,
       Cmd.ARG_SHEET:		infoPrintShowSheets,
       Cmd.ARG_SHEETRANGE:	printShowSheetRanges,
       Cmd.ARG_SIGNATURE:	printShowSignature,
@@ -77294,6 +77632,7 @@ USER_COMMANDS_OBJ_ALIASES = {
   Cmd.ARG_TEAMDRIVES:		Cmd.ARG_SHAREDDRIVE,
   Cmd.ARG_TEAMDRIVEACLS:	Cmd.ARG_SHAREDDRIVEACLS,
   Cmd.ARG_TEAMDRIVEINFO:	Cmd.ARG_SHAREDDRIVEINFO,
+  Cmd.ARG_TEAMDRIVEORGANIZERS:	Cmd.ARG_SHAREDDRIVEORGANIZERS,
   Cmd.ARG_TEAMDRIVETHEMES:	Cmd.ARG_SHAREDDRIVETHEMES,
   Cmd.ARG_THREADS:		Cmd.ARG_THREAD,
   Cmd.ARG_TOKENS:		Cmd.ARG_TOKEN,

src/gam/gamlib/glapi.py

@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (C) 2024 Ross Scroggs All Rights Reserved.
+# Copyright (C) 2025 Ross Scroggs All Rights Reserved.
 #
 # All Rights Reserved.
 #
@@ -118,6 +118,7 @@ JWT_APIS = {
   ACCESSCONTEXTMANAGER: [CLOUD_PLATFORM_SCOPE],
   CHAT: ['https://www.googleapis.com/auth/chat.bot'],
   CLOUDRESOURCEMANAGER: [CLOUD_PLATFORM_SCOPE],
+  IAM: [IAM_SCOPE],
   ORGPOLICY: [CLOUD_PLATFORM_SCOPE],
   }
 #
@@ -131,6 +132,12 @@ APIS_NEEDING_ACCESS_TOKEN = {
   CBCM: ['https://www.googleapis.com/auth/admin.directory.device.chromebrowsers']
   }
 #
+DEPRECATED_SCOPES = {
+  'https://www.googleapis.com/auth/cloud-identity',
+  'https://www.googleapis.com/auth/cloud-platform',
+  'https://www.googleapis.com/auth/iam',
+  }
+#
 REFRESH_PERM_ERRORS = [
   'invalid_grant: reauth related error (rapt_required)', # no way to reauth today
   'invalid_grant: Token has been expired or revoked',
@@ -596,7 +603,7 @@ _SVCACCT_SCOPES = [
   {'name': 'Cloud Identity Devices API',
    'api': CLOUDIDENTITY_DEVICES,
    'subscopes': READONLY,
-   'scope': 'https://www.googleapis.com/auth/cloud-identity'},
+   'scope': 'https://www.googleapis.com/auth/cloud-identity.devices'},
 #  {'name': 'Cloud Identity User Invitations API',
 #   'api': CLOUDIDENTITY_USERINVITATIONS,
 #   'subscopes': READONLY,
@@ -645,10 +652,11 @@ _SVCACCT_SCOPES = [
    'api': GMAIL,
    'subscopes': [],
    'scope': 'https://www.googleapis.com/auth/gmail.settings.sharing'},
-  {'name': 'Identity and Access Management API',
-   'api': IAM,
-   'subscopes': [],
-   'scope': CLOUD_PLATFORM_SCOPE},
+#  {'name': 'Identity and Access Management API',
+#   'api': IAM,
+#   'offByDefault': True,
+#   'subscopes': [],
+#   'scope': CLOUD_PLATFORM_SCOPE},
   {'name': 'Keep API',
    'api': KEEP,
    'subscopes': READONLY,

src/gam/gamlib/glcfg.py

@@ -163,6 +163,8 @@ EMAIL_BATCH_SIZE = 'email_batch_size'
 ENABLE_DASA = 'enable_dasa'
 # Enable Cloud Session Reauthentication by borrowing a RAPT token from gcloud command
 ENABLE_GCLOUD_REAUTH = 'enable_gcloud_reauth'
+# Value for enforceExpansiveAccess for commands that delete or update drive file ACLs/permissions.
+ENFORCE_EXPANSIVE_ACCESS = 'enforce_expansive_access'
 # When retrieving lists of calendar events from API, how many should be retrieved in each chunk
 EVENT_MAX_RESULTS = 'event_max_results'
 # Path to extra_args.txt
@@ -377,6 +379,7 @@ Defaults = {
   DEVICE_MAX_RESULTS: '200',
   DOMAIN: '',
   DRIVE_DIR: '',
+  ENFORCE_EXPANSIVE_ACCESS: TRUE,
   DRIVE_MAX_RESULTS: '1000',
   DRIVE_V3_BETA: FALSE,
   DRIVE_V3_NATIVE_NAMES: TRUE,
@@ -545,6 +548,7 @@ VAR_INFO = {
   DEVICE_MAX_RESULTS: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 200)},
   DOMAIN: {VAR_TYPE: TYPE_STRING, VAR_ENVVAR: 'GA_DOMAIN', VAR_LIMITS: (0, None)},
   DRIVE_DIR: {VAR_TYPE: TYPE_DIRECTORY, VAR_ENVVAR: 'GAMDRIVEDIR'},
+  ENFORCE_EXPANSIVE_ACCESS: {VAR_TYPE: TYPE_BOOLEAN},
   DRIVE_MAX_RESULTS: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 1000)},
   DRIVE_V3_BETA: {VAR_TYPE: TYPE_BOOLEAN},
   DRIVE_V3_NATIVE_NAMES: {VAR_TYPE: TYPE_BOOLEAN},

src/gam/gamlib/glclargs.py

@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (C) 2024 Ross Scroggs All Rights Reserved.
+# Copyright (C) 2025 Ross Scroggs All Rights Reserved.
 #
 # All Rights Reserved.
 #
@@ -755,6 +755,7 @@ class GamCLArgs():
   ARG_SHAREDDRIVES = 'shareddrives'
   ARG_SHAREDDRIVEACLS = 'shareddriveacls'
   ARG_SHAREDDRIVEINFO = 'shareddriveinfo'
+  ARG_SHAREDDRIVEORGANIZERS = 'shareddriveorganizers'
   ARG_SHAREDDRIVETHEMES = 'shareddrivethemes'
   ARG_SHEET = 'sheet'
   ARG_SHEETS = 'sheets'
@@ -784,6 +785,7 @@ class GamCLArgs():
   ARG_TEAMDRIVES = 'teamdrives'
   ARG_TEAMDRIVEACLS = 'teamdriveacls'
   ARG_TEAMDRIVEINFO = 'teamdriveinfo'
+  ARG_TEAMDRIVEORGANIZERS = 'teamdriveorganizers'
   ARG_TEAMDRIVETHEMES = 'teamdrivethemes'
   ARG_THREAD = 'thread'
   ARG_THREADS = 'threads'
@@ -964,6 +966,7 @@ class GamCLArgs():
   OB_MOBILE_ENTITY = 'MobileEntity'
   OB_NETWORK_ID = 'networkID'
   OB_NAME = 'Name'
+  OB_ORGANIZER_TYPE_LIST = 'OrganizerTypeList'
   OB_ORGUNIT_ENTITY = 'OrgUnitEntity'
   OB_ORGUNIT_ITEM = 'OrgUnitItem'
   OB_ORGUNIT_PATH = 'OrgUnitPath'

src/gam/gamlib/glentity.py

@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (C) 2024 Ross Scroggs All Rights Reserved.
+# Copyright (C) 2025 Ross Scroggs All Rights Reserved.
 #
 # All Rights Reserved.
 #

src/gam/gamlib/glmsgs.py

@@ -140,12 +140,13 @@ SERVICE_ACCOUNT_PRIVATE_KEY_AGE = 'Service Account Private Key age: {0} days'
 SERVICE_ACCOUNT_SKIPPING_KEY_AGE_CHECK = 'Skipping Private Key age check: {0} rotation not necessary'
 UPDATE_PROJECT_TO_VIEW_MANAGE_SAKEYS = 'Please run "gam update project" to view/manage service account keys'
 DOMAIN_WIDE_DELEGATION_AUTHENTICATION = 'Domain-wide Delegation authentication'
+DEPRECATED_SCOPES = 'Deprecated scopes that GAM should NEVER have DwD access to'
 SCOPE_AUTHORIZATION_PASSED = '''All scopes PASSED!
 
 Service Account Client name: {0} is fully authorized.
 '''
 SCOPE_AUTHORIZATION_UPDATE_PASSED = '''All scopes PASSED!
-To authorize them (in case some scopes were unselected), please go to the following link in your browser:
+To update authorization (in case some scopes were unselected), please go to the following link in your browser:
 {0}
     {1}
 
@@ -156,8 +157,8 @@ Click AUTHORIZE
 When the box closes you're done
 After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.
 '''
-SCOPE_AUTHORIZATION_FAILED = '''Some scopes FAILED!
-To authorize them, please go to the following link in your browser:
+SCOPE_AUTHORIZATION_FAILED = '''Some scopes FAILED or should be DISABLED!
+To update authorization, please go to the following link in your browser:
 {0}
     {1}
 
@@ -309,6 +310,7 @@ INVALID_ATTENDEE_CHANGE = 'Invalid attendee change "{0}"'
 INVALID_CHARSET = 'Invalid charset "{0}"'
 INVALID_DATE_TIME_RANGE = '{0} {1} must be greater than/equal to {2} {3}'
 INVALID_ENTITY = 'Invalid {0}, {1}'
+INVALID_EVENT_TIMERANGE = '{0} {1} must be less than {2}'
 INVALID_FILE_SELECTION_WITH_ADMIN_ACCESS = 'Invalid file selection with adminaccess|asadmin'
 INVALID_GROUP = 'Invalid Group'
 INVALID_HTTP_HEADER = 'Invalid http header data: {0}'

src/gam/gamlib/glskus.py

@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (C) 2023 Ross Scroggs All Rights Reserved.
+# Copyright (C) 2025 Ross Scroggs All Rights Reserved.
 #
 # All Rights Reserved.
 #

src/gam/gamlib/glverlibs.py

@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 
-# Copyright (C) 2023 Ross Scroggs All Rights Reserved.
+# Copyright (C) 2025 Ross Scroggs All Rights Reserved.
 #
 # All Rights Reserved.
 #

wiki/ChromeOS-Devices.md

@@ -106,12 +106,14 @@ The second form is backwards compatible with Legacy GAM and selection with `<CrO
         autoupdatethrough|
         backlightinfo|
         bootmode|
+        chromeostype|
         cpuinfo|
         cpustatusreports|
         deprovisionreason|
         devicefiles|
         deviceid|
         devicelicensetype|
+        diskspaceusage|
         diskvolumereports|
         dockmacaddress|
         ethernetmacaddress|
@@ -119,6 +121,7 @@ The second form is backwards compatible with Legacy GAM and selection with `<CrO
         extendedsupporteligible|
         extendedsupportstart|
         extendedsupportenabled|
+        faninfo|
         firmwareversion|
         firstenrollmenttime|
         lastdeprovisiontimestamp|

wiki/Cloud-Identity-Devices.md

@@ -210,7 +210,7 @@ gam print devices [todrive <ToDriveAttribute>*]
         <DeviceFieldName>* [fields <DeviceFieldNameList>] [userfields <DeviceUserFieldNameList>]
         [orderby <DeviceOrderByFieldName> [ascending|descending]]
         [all|company|personal|nocompanydevices|nopersonaldevices]
-        [nodeviceusers]
+        [nodeviceusers|oneuserperrow]
         [formatjson [quotechar <Character>]]
 ```
 By default, all devices are displayed; use the query options to limit the display.
@@ -231,6 +231,9 @@ Select the view of devices to display:
 By default, Gam makes additional API calls to display the device users for the devices;
 use `nodeviceuser` to suppress making the additional calls.
 
+By default, when device users are displayed, they are all displayed on one row;
+use `oneuserperrow` to have each of a device's users displayed on a separate row with all of the other device fields.
+
 By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format,
 * `formatjson` - Display the fields in JSON format.
 

wiki/GamUpdates.md

@@ -10,6 +10,131 @@ Add the `-s` option to the end of the above commands to suppress creating the `g
 
 See [Downloads-Installs-GAM7](https://github.com/GAM-team/GAM/wiki/Downloads-Installs) for Windows or other options, including manual installation
 
+### 7.09.03
+
+Updated `gam <UserTypeEntity> create focustime|outofoffice ... timerange <Time> <Time>` to check
+that the first `<Time>` is less than the second `Time`; previously the event was not created.
+
+For new installs the `enforce_expansive_access` Boolean variable in `gam.cfg` now defaults to True.
+For existing installations, if `enforce_expansive_access` has not been added to `gam.cfg`,
+a default value of True will be used.
+
+### 7.09.02
+
+Added command `gam info chromeschema std <SchemaName>` to display a Chrome policy schema in the same format as Legacy GAM.
+
+Improved output of `gam show chromeschemas [std]` and `gam info chromeschema [std]` to more accurately display the schemas.
+
+### 7.09.01
+
+Fixed bug in `gam <UserTypeEntity> print diskusage` where the `ownedByMe` column was
+blank for the top folder.
+
+Fixed bug in `gam update chromepolicy` where the following error was generated
+when updating policies with simple numerical values.
+```
+ERROR: Missing argument: Expected <value>"
+```
+
+### 7.09.00
+
+Removed the overly broad service account `IAM and Access Management API` scope `https://www.googleapis.com/auth/cloud-platform`
+from DWD. The `gam <UserTypeEntity> check|Update serviceaccount` commands issue an error message if this scope
+is enabled prompting you to update your service account authorization so that the scope can be removed.
+
+GAM commands that need IAM access now use the more limited scope `https://www.googleapis.com/auth/iam` in a non-DWD manner.
+
+Added `enforce_expansive_access` Boolean variable to `gam.cfg` that provides the default value
+for option `enforceexpansiveaccess` in all commands that delete or update drive file ACLs/permissions.
+It's default value is False.
+```
+gam <UserTypeEntity> delete permissions
+gam <UserTypeEntity> delete drivefileacl
+gam <UserTypeEntity> update drivefileacl
+gam <UserTypeEntity> copy drivefile
+gam <UserTypeEntity> move drivefile
+gam <UserTypeEntity> transfer ownership
+gam <UserTypeEntity> claim ownership
+gam <UserTypeEntity> transfer drive
+```
+
+Fixed bug in `gam print shareddriveorganizers` that caused a trap when an organizer was a deleted user.
+
+Updated to Python 3.13.4
+
+### 7.08.02
+
+Updated the defaults in `gam print shareddriveorganizers` to match the most common use case, not the script.
+
+* `domainlist` - The workspace primary domain
+* `includetypes` - user
+* `oneorganizer` - True
+* `shownoorganizerdrives` - True
+* `includefileorganizers` - False
+
+To select organizers from any domain, use: `domainlist ""`
+
+These commands produce the same result.
+```
+gam redirect csv ./TeamDriveOrganizers.csv print shareddriveorganizers domainlist mydomain.com includetypes user oneorganizer shownoorganizerdrives
+gam redirect csv ./TeamDriveOrganizers.csv print shareddriveorganizers
+```
+
+### 7.08.01
+
+Added option `shareddrives (<SharedDriveIDList>|(select <FileSelector>|<CSVFileSelector>))` to
+`gam print shareddriveorganizers` that displays organizers for a specific list of Shared Drive IDs.
+
+See: https://github.com/GAM-team/GAM/wiki/Shared-Drives#display-shared-drive-organizers
+
+### 7.08.00
+
+Added the following command that can be used instead of the `GetTeamDriveOrganizers.py` script.
+
+gam [<UserTypeEntity>] print shareddriveorganizers [todrive <ToDriveAttribute>*]
+        [adminaccessasadmin] [shareddriveadminquery|query <QuerySharedDrive>]
+        [orgunit|org|ou <OrgUnitPath>]
+        [matchname <REMatchPattern>]
+        [domainlist <DomainList>]
+        [includetypes <OrganizerTypeList>]
+        [oneorganizer [<Boolean>]]
+        [shownorganizerdrives [false|true|only]]
+        [includefileorganizers [<Boolean>]]
+        [delimiter <Character>]
+```
+See: https://github.com/GAM-team/GAM/wiki/Shared-Drives#display-shared-drive-organizers
+
+The command defaults match the script defaults:
+* `domainlist` - All domains
+* `includetypes` - user,group
+* `oneorganizer` - False
+* `shownoorganizerdrives` - True
+* `includefileorganizers` - False
+
+For example, to get a single user organizer from your domain for all Shared Drives including no organizer drives:
+```
+gam redirect csv ./TeamDriveOrganizers.csv print shareddriveorganizers domainlist mydomain.com includetypes user oneorganizer shownoorganizerdrives
+```
+
+### 7.07.17
+
+Added option `oneuserperrow` to `gam print devices` to have each of a
+device's users displayed on a separate row with all of the other device fields.
+
+### 7.07.16
+
+Added `chromeostype`, `diskspaceusage` and `faninfo` to `<CrOSFieldName>` for use in `gam info|print cros`.
+
+Fixed bugs/cleaned output in  `gam info|print cros`.
+
+### 7.07.15
+
+Added option `shareddrivesoption included|included_if_account_is_not_a_member|not_included` to `gam create vaultexport`.
+
+The previous option `includeshareddrives <Boolean>` is mapped as follows:
+* `includeshareddrives false` - `shareddrivesoption included_if_account_is_not_a_member`
+* `includeshareddrives true` - `shareddrivesoption included`
+
 ### 7.07.14
 
 Update `gam setup chat` output to include the following that shows the actual Cloud Pub/Sub Topic Name.

wiki/Groups-Membership.md

@@ -152,7 +152,7 @@ gam update group|groups <GroupEntity> create|add [<GroupRole>]
         [preview] [actioncsv]
         <UserItem>|<UserTypeEntity>
 ```
-To add a group as a memmber of another group, just specify its email address.
+To add a group as a member of another group, just specify its email address.
 ```
 gam update group group1@domain.com add member group2@domain.com
 ```
@@ -208,7 +208,7 @@ gam update group|groups <GroupEntity> delete|remove [<GroupRole>]
 ```
 `<GroupRole>` is ignored, deletions take place regardless of role.
 
-To remove a group as a memmber of another group, just specify its email address.
+To remove a group as a member of another group, just specify its email address.
 ```
 gam update group group1@domain.com remove group2@domain.com
 ```

wiki/How-to-Upgrade-Legacy-GAM-to-GAM7.md

@@ -251,9 +251,9 @@ writes the credentials into the file oauth2.txt.
 admin@server:/Users/admin$ rm -f /Users/admin/GAMConfig/oauth2.txt
 admin@server:/Users/admin$ gam version
 WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: /Users/admin/GAMConfig/oauth2.txt, Not Found
-GAM 7.07.14 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.09.03 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.3 64-bit final
+Python 3.13.4 64-bit final
 MacOS Sequoia 15.5 x86_64
 Path: /Users/admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
@@ -989,9 +989,9 @@ writes the credentials into the file oauth2.txt.
 C:\>del C:\GAMConfig\oauth2.txt
 C:\>gam version
 WARNING: Config File: C:\GAMConfig\gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: C:\GAMConfig\oauth2.txt, Not Found
-GAM 7.07.14 - https://github.com/GAM-team/GAM - pythonsource
+GAM 7.09.03 - https://github.com/GAM-team/GAM - pythonsource
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.3 64-bit final
+Python 3.13.4 64-bit final
 Windows-10-10.0.17134 AMD64
 Path: C:\GAM7
 Config File: C:\GAMConfig\gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com

wiki/Shared-Drives.md

@@ -15,6 +15,7 @@
 - [Display Shared Drive Counts](#display-shared-drive-counts)
 - [Display List of Shared Drives in an Organizational Unit](#display-list-of-shared-drives-in-an-organizational-unit)
 - [Display Count of Shared Drives in an Organizational Unit](#display-count-of-shared-drives-in-an-organizational-unit)
+- [Display Shared Drive Organizers](#display-shared-drive-organizers)
 - [Display all Shared Drives with no members](#display-all-shared-drives-with-no-members)
 - [Display all Shared Drives with no organizers](#display-all-shared-drives-with-no-organizers)
 - [Display all Shared Drives with a specific organizer](#display-all-shared-drives-with-a-specific-organizer)
@@ -30,6 +31,7 @@
 - [Display ACLs for Shared Drives with all organizers outside of your domain](#display-acls-for-shared-drives-with-all-organizers-outside-of-your-domain)
 - [Display ACLs for Shared Drives with all ACLs outside of your domain](#display-acls-for-shared-drives-with-all-acls-outside-of-your-domain)
 - [Clean up scammed Shared Drives](#clean-up-scammed-shared-drives)
+- [Delete old empty Shared Drives](#delete-old-empty-shared-drives)
 
 ## API documentation
 * [Drive API - Drives](https://developers.google.com/drive/api/reference/rest/v3/drives)
@@ -77,6 +79,9 @@
 ```
 <JSONData> ::= (json [charset <Charset>] <String>) | (json file <FileName> [charset <Charset>]) |
 
+<OrganizerType> ::= user|group
+<OrganizerTypeList> ::= "<OrganizerType>(,<OrganizerType>)*"
+
 <OrgUnitID> ::= id:<String>
 <OrgUnitPath> ::= /|(/<String>)+
 <OrgUnitItem> ::= <OrgUnitID>|<OrgUnitPath>
@@ -227,14 +232,14 @@ Three forms of the commands are available:
 
 ## Display Shared Drive themes
 ```
-gam show teamdrivethemes
+gam show shareddrivethemes
 ```
 ## Manage Shared Drives
 
 ## Create a Shared Drive
 The user that creates a Shared Drive is given the permission role organizer for the Shared Drive,
 ```
-gam [<UserTypeEntity>] create teamdrive <Name>
+gam [<UserTypeEntity>] create shareddrive <Name>
         [(theme|themeid <String>)|
          ([customtheme <DriveFileID> <Float> <Float> <Float>] [color <ColorValue>])]
         (<SharedDriveRestrictionsSubfieldName> <Boolean>)*
@@ -243,7 +248,7 @@ gam [<UserTypeEntity>] create teamdrive <Name>
         [(csv [todrive <ToDriveAttribute>*] (addcsvdata <FieldName> <String>)*) | returnidonly]
         [adminaccess|asadmin]
 ```
-* `themeid` - a Shared Drive themeId obtained from `show teamdrivethemes`
+* `themeid` - a Shared Drive themeId obtained from `show shareddrivethemes`
 * `customtheme` - set the backgroundImageFile property described here:  https://developers.google.com/drive/v3/reference/teamdrives
   * `<Float>` - X coordinate, typically 0.0
   * `<Float>` - Y coordinate, typically 0.0
@@ -276,9 +281,9 @@ When either of these options is chosen, no infomation about Shared Drive restric
 To retrieve the Shared Drive ID with `returnidonly`:
 ```
 Linux/MacOS
-teamDriveId=$(gam create teamdrive ... returnidonly)
+teamDriveId=$(gam create shareddrive ... returnidonly)
 Windows PowerShell
-$teamDriveId = & gam create teamdrive ... returnidonly
+$teamDriveId = & gam create shareddrive ... returnidonly
 ```
 
 ## Bulk Create Shared Drives
@@ -288,7 +293,7 @@ As a newly created Drive can't be updated for 30+ seconds; split the operation i
 
 Make a CSV file SharedDriveNames.csv with at least one column, name.
 ```
-gam redirect csv ./SharedDrivesCreated.csv multiprocess csv SharedDriveNames.csv gam create teamdrive "~name" csv
+gam redirect csv ./SharedDrivesCreated.csv multiprocess csv SharedDriveNames.csv gam create shareddrive "~name" csv
 ```
 This will create a three column CSV file SharedDrivesCreated.csv with columns: User,name,id
 * There will be a row for each Shared Drive.
@@ -319,14 +324,14 @@ gam redirect stdout ./StudentSharedDrivesAccess.txt multiprocess redirect stderr
 
 These commands are used to set basic Shared Drive settings.
 ```
-gam [<UserTypeEntity>] update teamdrive <SharedDriveEntity> [name <Name>]
+gam [<UserTypeEntity>] update shareddrive <SharedDriveEntity> [name <Name>]
         [adminaccess|asadmin]
         [(theme|themeid <String>)|
          ([customtheme <DriveFileID> <Float> <Float> <Float>] [color <ColorValue>])]
         (<SharedDriveRestrictionsSubfieldName> <Boolean>)*
         [hide|hidden <Boolean>] [ou|org|orgunit <OrgUnitItem>]
 ```
-* `themeid` - a Shared Drive themeId obtained from `show teamdrivethemes`
+* `themeid` - a Shared Drive themeId obtained from `show shareddrivethemes`
 * `customtheme` - set the backgroundImageFile property described here:  https://developers.google.com/drive/v3/reference/teamdrives
 * `color` - set the Shared Drive color
 * `<SharedDriveRestrictionsSubfieldName> <Boolean>` - Set Shared Drive Restrictions
@@ -338,7 +343,7 @@ This option is only available when the command is run as an administrator.
 
 ## Delete a Shared Drive
 ```
-gam [<UserTypeEntity>] delete teamdrive <SharedDriveEntity>
+gam [<UserTypeEntity>] delete shareddrive <SharedDriveEntity>
         [adminaccess|asadmin] [allowitemdeletion]
 ```
 By default, deleting a Shared Drive that contains any files/folders will fail.
@@ -347,24 +352,24 @@ This is not reversible, proceed with caution.
 
 ## Change Shared Drive visibility
 ```
-gam [<UserTypeEntity>] hide teamdrive <SharedDriveEntity>
-gam [<UserTypeEntity>] unhide teamdrive <SharedDriveEntity>
+gam [<UserTypeEntity>] hide shareddrive <SharedDriveEntity>
+gam [<UserTypeEntity>] unhide shareddrive <SharedDriveEntity>
 ```
 
 ## Display Shared Drives
 These commands are used to get information about Shared Drives themselves, not the files/folders on the Shared Drives.
 ```
-gam [<UserTypeEntity>] info teamdrive <SharedDriveEntity>
+gam [<UserTypeEntity>] info shareddrive <SharedDriveEntity>
         [adminaccess|asadmin]
         [fields <SharedDriveFieldNameList>] [formatjson]
-gam [<UserTypeEntity>] show teamdriveinfo <SharedDriveEntity>
+gam [<UserTypeEntity>] show shareddriveinfo <SharedDriveEntity>
         [adminaccess|asadmin]
         [fields <SharedDriveFieldNameList>] [formatjson]
 ```
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 ```
-gam [<UserTypeEntity>] show teamdrives
+gam [<UserTypeEntity>] show shareddrives
         [adminaccess|asadmin] [teamdriveadminquery|query <QueryTeamDrive>]
         [matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
         [fields <SharedDriveFieldNameList>] [formatjson]
@@ -377,7 +382,7 @@ By default, all Shared Drives are displayed; use the following options to select
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 ```
-gam [<UserTypeEntity>] print teamdrives [todrive <ToDriveAttribute>*]
+gam [<UserTypeEntity>] print shareddrives [todrive <ToDriveAttribute>*]
         [adminaccess|asadmin] [teamdriveadminquery|query <QueryTeamDrive>]
         [matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
         [fields <SharedDriveFieldNameList>] [formatjson [quotechar <Character>]]
@@ -399,22 +404,67 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 ### Examples
 Print information about all Shared Drives in the organization.
 ```
-gam print teamdrives
-gam user admin@domain.com print teamdrives adminaccess
+gam print shareddrives
+gam user admin@domain.com print shareddrives adminaccess
 ```
 Print information about Shared Drives that have admin@domain.com as a member.
 ```
-gam user admin@domain.com print teamdrives
+gam user admin@domain.com print shareddrives
+```
+
+## Display Shared Drive Organizers
+The following command can be used instead of the `GetTeamDriveOrganizers.py` script.
+
+```
+gam [<UserTypeEntity>] print shareddriveorganizers [todrive <ToDriveAttribute>*]
+        [adminaccess|asadmin]
+        [(shareddriveadminquery|query <QuerySharedDrive>) |
+         (shareddrives|teamdrives (<SharedDriveIDList>|(select <FileSelector>|<CSVFileSelector>)))]
+        [orgunit|org|ou <OrgUnitPath>]
+        [matchname <REMatchPattern>]
+        [domainlist <DomainList>]
+        [includetypes <OrganizerTypeList>]
+        [oneorganizer [<Boolean>]]
+        [shownorganizerdrives [false|true|only]]
+        [includefileorganizers [<Boolean>]]
+        [delimiter <Character>]
+```
+Options `shareddriveadminquery|query` and `shareddrives|teamdrives` are mutually exclusive.
+
+Options `shareddriveadminquery|query` and `orgunit|org|ou` require `adminaccess|asadmin`.
+
+By default, organizers for all Shared Drives are displayed; use the following options to select a subset of Shared Drives:
+* `teamdriveadminquery|query <QueryTeamDrive>` - Use a query to select Shared Drives
+* `shareddrives|teamdrives <SharedDriveIDList>` - Select the Shared Drive IDs specified in `<SharedDriveIDList>`
+* `shareddrives|teamdrives select <FileSelector>|<CSVFileSelector>` - Select the Shared Drive IDs specified in `<FileSelector>|<CSVFileSelector>`
+* `orgunit|org|ou <OrgUnitPath>` - Only Shared Drives in the specified Org Unit are selected
+* `matchname <REMatchPattern>` - Retrieve Shared Drives with names that match a pattern.
+
+For multiple organizers:
+* `delimiter <Character>` - Separate `organizers` entries with `<Character>`; the default value is `csv_output_field_delimiter` from `gam.cfg`.
+
+The command defaults do not match the script defaults, they are set for the most common use case:
+* `domainlist` - The workspace primary domain
+* `includetypes` - user
+* `oneorganizer` - True
+* `shownoorganizerdrives` - True
+* `includefileorganizers` - False
+
+To select organizers from any domain, use: `domainlist ""`
+
+For example, to get a single user organizer from your domain for all Shared Drives including no organizer drives:
+```
+gam redirect csv ./TeamDriveOrganizers.csv print shareddriveorganizers
 ```
 
 ## Display all Shared Drives with no members
 ```
-gam print teamdrives query "memberCount = 0"
+gam print shareddrives query "memberCount = 0"
 ```
 
 ## Display all Shared Drives with no organizers
 ```
-gam print teamdrives query "organizerCount = 0"
+gam print shareddrives query "organizerCount = 0"
 ```
 
 ## Display Shared Drive Counts
@@ -450,20 +500,20 @@ count = & gam print shareddrives showitemcountonly
 ## Display all Shared Drives with a specific organizer
 Substitute actual email address for `organizer@domain.com`.
 ```
-gam config csv_output_header_filter "id,name" print teamdriveacls pm emailaddress organizer@domain.com role organizer em pma process pmselect
+gam config csv_output_header_filter "id,name" print shareddriveacls pm emailaddress organizer@domain.com role organizer em pma process pmselect
 ```
 
 ## Display all Shared Drives without a specific organizer
 Substitute actual email address for `organizer@domain.com`.
 ```
-gam config csv_output_header_filter "id,name" print teamdriveacls pm emailaddress organizer@domain.com role organizer em pma skip pmselect
+gam config csv_output_header_filter "id,name" print shareddriveacls pm emailaddress organizer@domain.com role organizer em pma skip pmselect
 ```
 
 ## Display List of Shared Drives in an Organizational Unit
 Get the orgUnitID of the desired OU and use it (without the id:) in the print|show command. Adjust fields as desired.
 ```
-gam show teamdrives query "orgUnitId='03ph8a2z21rexy'" fields id,name,orgunit,createdtime
-gam print teamdrives query "orgUnitId='03ph8a2z21rexy'" fields id,name,orgunit,createdtime
+gam show shareddrives query "orgUnitId='03ph8a2z21rexy'" fields id,name,orgunit,createdtime
+gam print shareddrives query "orgUnitId='03ph8a2z21rexy'" fields id,name,orgunit,createdtime
 ```
 Alternative method; `<OrgUnitPath>` defaults to `/`.
 ```
@@ -551,12 +601,12 @@ These commands are used to transfer ACLs from one Shared Drive to another.
 * `copy` - Copy all ACLs from the source Shared Drive to the target Shared Drive. The role of an existing ACL in the target Shared Drive will never be reduced.
 * `sync` - Add/delete/update ACLs in the target Shared Drive to match those in the source Shared Drive.
 ```
-gam [<UserTypeEntity>] copy teamdriveacls <SharedDriveEntity> to <SharedDriveEntity>
+gam [<UserTypeEntity>] copy shareddriveacls <SharedDriveEntity> to <SharedDriveEntity>
         [showpermissionsmessages [<Boolean>]]
         [excludepermissionsfromdomains|includepermissionsfromdomains <DomainNameList>]
         (mappermissionsdomain <DomainName> <DomainName>)*
         [adminaccess|asadmin]
-gam [<UserTypeEntity>] sync teamdriveacls <SharedDriveEntity> with <SharedDriveEntity>
+gam [<UserTypeEntity>] sync shareddriveacls <SharedDriveEntity> with <SharedDriveEntity>
         [showpermissionsmessages [<Boolean>]]
         [excludepermissionsfromdomains|includepermissionsfromdomains <DomainNameList>]
         (mappermissionsdomain <DomainName> <DomainName>)*
@@ -594,7 +644,7 @@ gam [<UserTypeEntity>] print drivefileacls <SharedDriveEntityAdmin> [todrive <To
 ### Examples:
 Find all the organizers and file organizers on the Golgafrincham shared drive in CSV form.
 ```
- gam print drivefileacls teamdrive "Golgafrincham" pm role organizer em pm role fileorganizer em oneitemperrow
+ gam print drivefileacls shareddrive "Golgafrincham" pm role organizer em pm role fileorganizer em oneitemperrow
 ```
 
 By default, all Shared Drives specified are displayed; use the following option to select a subset of those Shared Drives.
@@ -625,7 +675,7 @@ gam config csv_output_header_drop_filter "User,createdTime,permission.photoLink,
 
 ## Display Shared Drive access for selected Shared Drives
 ```
-gam [<UserTypeEntity>] show teamdriveacls
+gam [<UserTypeEntity>] show shareddriveacls
         [adminaccess|asadmin] [teamdriveadminquery|query <QueryTeamDrive>]
         [matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
         [user|group <EmailAddress> [checkgroups]] (role|roles <SharedDriveACLRoleList>)*
@@ -634,7 +684,7 @@ gam [<UserTypeEntity>] show teamdriveacls
         [shownopermissionsdrives false|true|only]
         [formatjson]
 
-gam [<UserTypeEntity>] print teamdriveacls [todrive <ToDriveAttribute>*]
+gam [<UserTypeEntity>] print shareddriveacls [todrive <ToDriveAttribute>*]
         [adminaccess|asadmin] [teamdriveadminquery|query <QueryTeamDrive>]
         [matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
         [user|group <EmailAddress> [checkgroups]] (role|roles <SharedDriveACLRoleList>)*
@@ -661,7 +711,7 @@ By default, all ACLS are displayed; use the following options to select a subset
 * `role|roles <SharedDriveACLRoleList>` - Display ACLs for the specified roles only.
 * `<PermissionMatch>* [<PermissionMatchAction>]` - Use permission matching to display a subset of the ACLs for each Shared Drive; this only applies when `pmselect` is not specified
 
-With `print teamdriveacls` or `show teamdrivecls formatjson`, the ACLs selected for display are all output on one row/line as a repeating item with the matching Shared Drive id.
+With `print shareddriveacls` or `show shareddrivecls formatjson`, the ACLs selected for display are all output on one row/line as a repeating item with the matching Shared Drive id.
 When `oneitemperrow` is specified, each ACL is output on a separate row/line with the matching Shared Drive id and name. This simplifies processing the CSV file with subsequent Gam commands.
 
 By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
@@ -673,35 +723,35 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 ### Examples
 Find all organizers and viewers on the shared drive Heart of Gold in CSV form.
 ```
- gam print teamdriveacls matchname "Heart of Gold" role organizer,reader oneitemperrow
+ gam print shareddriveacls matchname "Heart of Gold" role organizer,reader oneitemperrow
 ```
 
 Print ACLs for all Shared Drives in the organization created after November 1, 2017.
 ```
-gam print teamdriveacls teamdriveadminquery "createdTime > '2017-11-01T00:00:00'"
+gam print shareddriveacls shareddriveadminquery "createdTime > '2017-11-01T00:00:00'"
 ```
 
 Print ACLs for all Shared Drives in the organization with foo@bar.com as an organizer.
 ```
-gam print teamdriveacls user foo@bar.com role organizer
+gam print shareddriveacls user foo@bar.com role organizer
 ```
 
 Print ACLs for all Shared Drives in the organization with foo@bar.com or groups that contain foo@bar.com as a reader.
 ```
-gam print teamdriveacls user foo@bar.com role reader checkgroups
+gam print shareddriveacls user foo@bar.com role reader checkgroups
 ```
 
 ## Display ACLs for Shared Drives with no organizers
 ### For all Shared Drives
 ```
 One row per Shared Drive, all ACLs on the same row
-gam redirect csv ./SharedDriveACLsNoOrganizers.csv print teamdriveacls fields id,domain,emailaddress,role,type,deleted query "organizerCount = 0"
+gam redirect csv ./SharedDriveACLsNoOrganizers.csv print shareddriveacls fields id,domain,emailaddress,role,type,deleted query "organizerCount = 0"
 
 A row per Shared Drive/ACL combination
-gam redirect csv ./SharedDriveACLsNoOrganizers.csv print teamdriveacls fields id,domain,emailaddress,role,type,deleted query "organizerCount = 0" oneitemperrow
+gam redirect csv ./SharedDriveACLsNoOrganizers.csv print shareddriveacls fields id,domain,emailaddress,role,type,deleted query "organizerCount = 0" oneitemperrow
 ```
 ### For selected Shared Drives
-Create a CSV file TeamDrives.csv with at least two columns (id, name) for the selected Shared Drives.
+Create a CSV file shareddrives.csv with at least two columns (id, name) for the selected Shared Drives.
 ```
 One row per Shared Drive, all ACLs on the same row
 gam redirect csv ./SharedDriveACLsNoOrganizers.csv multiprocess csv ./SharedDrives.csv gam print drivefileacls "~id" addtitle "~name" fields id,domain,emailaddress,role,type,deleted pm role organizer em pma skip pmselect
@@ -714,13 +764,13 @@ gam redirect csv ./SharedDriveACLsNoOrganizersOIPR.csv multiprocess csv ./Shared
 ### For all Shared Drives
 ```
 One row per Shared Drive, all ACLs on the same row
-gam redirect csv ./SharedDriveACLsAllExternalOrganizers.csv print teamdriveacls fields id,domain,emailaddress,role,type,deleted role organizer pm role organizer domainlist domain.com,... em pma skip pmselect
+gam redirect csv ./SharedDriveACLsAllExternalOrganizers.csv print shareddriveacls fields id,domain,emailaddress,role,type,deleted role organizer pm role organizer domainlist domain.com,... em pma skip pmselect
 
 A row per Shared Drive/ACL combination
-gam redirect csv ./SharedDriveACLsAllExternalOrganizers.csv print teamdriveacls fields id,domain,emailaddress,role,type,deleted role organizer pm role organizer domainlist domain.com,... em pma skip pmselect
+gam redirect csv ./SharedDriveACLsAllExternalOrganizers.csv print shareddriveacls fields id,domain,emailaddress,role,type,deleted role organizer pm role organizer domainlist domain.com,... em pma skip pmselect
 ```
 ### For selected Shared Drives
-Create a CSV file TeamDrives.csv with at least two columns (id, name) for the selected Shared Drives.
+Create a CSV file shareddrives.csv with at least two columns (id, name) for the selected Shared Drives.
 ```
 One row per Shared Drive, all ACLs on the same row
 gam redirect csv ./SharedDriveACLsAllExternalOrganizers.csv multiprocess csv ./SharedDrives.csv gam print drivefileacls "~id" addtitle "~name" fields id,domain,emailaddress,role,type,deleted pm role organizer domainlist domain.com,... em pma skip pmselect
@@ -734,13 +784,13 @@ gam redirect csv ./SharedDriveACLsAllExternalOrganizersOIPR.csv multiprocess csv
 Include a permission match `pm domainlist domain.com,... em` that lists your internal domain(s).
 ```
 One row per Shared Drive, all ACLs on the same row
-gam redirect csv ./SharedDriveACLsAllExternal.csv print teamdriveacls fields id,domain,emailaddress,role,type,deleted pm domainlist domain.com,... em pma skip pmselect
+gam redirect csv ./SharedDriveACLsAllExternal.csv print shareddriveacls fields id,domain,emailaddress,role,type,deleted pm domainlist domain.com,... em pma skip pmselect
 
 A row per Shared Drive/ACL combination
-gam redirect csv ./SharedDriveACLsAllExternalOIPR.csv print teamdriveacls fields id,domain,emailaddress,role,type,deleted pm domainlist domain.com,... em pma skip pmselect oneitemperrow
+gam redirect csv ./SharedDriveACLsAllExternalOIPR.csv print shareddriveacls fields id,domain,emailaddress,role,type,deleted pm domainlist domain.com,... em pma skip pmselect oneitemperrow
 ```
 ### For selected Shared Drives
-Create a CSV file TeamDrives.csv with at least two columns (id, name) for the selected Shared Drives.
+Create a CSV file shareddrives.csv with at least two columns (id, name) for the selected Shared Drives.
 
 Include a permission match `pm domainlist domain.com,... em` that lists your internal domain(s).
 ```
@@ -763,16 +813,16 @@ to get the Shared Drive ACLs for the scammed Shared Drives.
 
 ```
 One row per Shared Drive, all ACLs on the same row
-gam redirect csv ./SharedDriveACLsAllExternal.csv print teamdriveacls fields id,domain,emailaddress,role,type,deleted pm domainlist domain.com,... em pma skip pmselect
+gam redirect csv ./SharedDriveACLsAllExternal.csv print shareddriveacls fields id,domain,emailaddress,role,type,deleted pm domainlist domain.com,... em pma skip pmselect
 
 A row per Shared Drive/ACL combination
-gam redirect csv ./SharedDriveACLsAllExternalOIPR.csv print teamdriveacls fields id,domain,emailaddress,role,type,deleted pm domainlist domain.com,... em pma skip pmselect oneitemperrow
+gam redirect csv ./SharedDriveACLsAllExternalOIPR.csv print shareddriveacls fields id,domain,emailaddress,role,type,deleted pm domainlist domain.com,... em pma skip pmselect oneitemperrow
 ```
 
 ### Add an organizer from your domain
 Sustitute an appropriate value for `admin@domain.com`.
 ```
-gam redirect stdout ./AddOrganizer.txt multiprocess redirect stderr stdout csv ./SharedDriveACLsAllExternal.csv gam add drivefileacl teamdriveid "~id" user admin@domain.com role organizer
+gam redirect stdout ./AddOrganizer.txt multiprocess redirect stderr stdout csv ./SharedDriveACLsAllExternal.csv gam add drivefileacl shareddriveid "~id" user admin@domain.com role organizer
 ```
 
 ### Delete non domain ACLs
@@ -781,7 +831,7 @@ you must delete all rows in `SharedDriveACLsAllExternalOIPR.csv` that have the s
 
 This will disable all non-domain users access to the Shared Drive.
 ```
-gam redirect stdout ./DeleteExternalACLs.txt multiprocess redirect stderr stdout csv ./SharedDriveACLsAllExternalOIPR.csv gam delete drivefileacl teamdriveid "~id" "id:~~permission.id~~"
+gam redirect stdout ./DeleteExternalACLs.txt multiprocess redirect stderr stdout csv ./SharedDriveACLsAllExternalOIPR.csv gam delete drivefileacl shareddriveid "~id" "id:~~permission.id~~"
 ```
 
 ### Delete the Shared Drives
@@ -789,5 +839,21 @@ The `allowitemdeletion` option allows deletion of non-empty Shared Drives. This
 
 This is not reversible, proceed with caution.
 ```
-gam redirect stdout ./DeleteSharedDrives.txt multiprocess redirect stderr stdout csv ./SharedDriveACLsAllExternal.csv gam delete teamdrive "~id" allowitemdeletion
+gam redirect stdout ./DeleteSharedDrives.txt multiprocess redirect stderr stdout csv ./SharedDriveACLsAllExternal.csv gam delete shareddrive "~id" allowitemdeletion
 ```
+
+## Delete old empty Shared Drives
+```
+# Get a list of Shared Drives organizers for Shared Drives created before one year ago; alter date<-1y as required.
+gam config csv_output_row_filter "createdTime:date<-1y" redirect csv ./TeamDriveOrganizers.csv print shareddriveorganizers domainlist mydomain.com includetypes user oneorganizer shownoorganizerdrives
+
+# Inspect shareddriveOrganizers.csv, you'll have to deal with Shared Drives with no organizer/manager
+
+# Get old empty Shared Drives
+gam config num_threads 10 csv_input_row_filter "organizers:regex:^.+$" csv_output_row_filter "Total:count=0" redirect csv ./OldEmptySharedDrives.csv multiprocess redirect stderr - multiprocess csv ./TeamDriveOrganizers.csv gam user "~organizers" print filecounts select shareddriveid "~id" showsize
+
+# Inspect OldEmptySharedDrives.csv, if you're confident of the results, proceed
+
+# Delete old empty Shared Drives
+gam redirect stdout ./DeleteOldEmptySharedDrives.txt multiprocess redirect stderr stdout csv ./OldEmptySharedDrives.csv gam user "~User" delete shareddrive "~id"
+```

wiki/Users-Gmail-Delegates.md

@@ -1,4 +1,5 @@
 # Users - Gmail - Delegates
+- [Notes](#notes)
 - [API documentation](#api-documentation)
 - [Definitions](#definitions)
 - [Aliases](#aliases)
@@ -8,6 +9,11 @@
 - [Display Gmail delegates](#display-gmail-delegates)
 - [Delete all delegates for a user](#delete-all-delegates-for-a-user)
 
+## Notes
+
+To use Gmail delegation, the delegator and delagatee must be in org units where
+mail delegation is enabled. In the admin console, go to Apps/Google Workspace/Gmail/User Settings.
+
 ## API documentation
 * [Gmail API - Delegates](https://developers.google.com/gmail/api/v1/reference/users.settings.delegates)
 * [Delegation Notes](https://support.google.com/a/answer/7223765)

wiki/Users-Shared-Drives.md

@@ -12,6 +12,7 @@
   - [Change Shared Drive visibility](#change-shared-drive-visibility)
 - [Display Shared Drives](#display-shared-drives)
 - [Display Shared Drive Counts](#display-shared-drive-counts)
+- [Display Shared Drive Organizers](#display-shared-drive-organizers)
 - [Manage Shared Drive access](#manage-shared-drive-access)
 - [Display Shared Drive access](#display-shared-drive-access)
   - [Display Shared Drive access for specific Shared Drives](#display-shared-drive-access-for-specific-shared-drives)
@@ -72,6 +73,9 @@
 ```
 <JSONData> ::= (json [charset <Charset>] <String>) | (json file <FileName> [charset <Charset>]) |
 
+<OrganizerType> ::= user|group
+<OrganizerTypeList> ::= "<OrganizerType>(,<OrganizerType>)*"
+
 <OrgUnitID> ::= id:<String>
 <OrgUnitPath> ::= /|(/<String>)+
 <OrgUnitItem> ::= <OrgUnitID>|<OrgUnitPath>
@@ -200,14 +204,14 @@ sharingfoldersrequiresorganizerpermission true
 
 ## Display Shared Drive themes
 ```
-gam <UserTypeEntity> show teamdrivethemes
+gam <UserTypeEntity> show shareddrivethemes
 ```
 ## Manage Shared Drives
 
 ## Create a Shared Drive
 The user that creates a Shared Drive is given the permission role organizer for the Shared Drive,
 ```
-gam <UserTypeEntity> create teamdrive <Name>
+gam <UserTypeEntity> create shareddrive <Name>
         [(theme|themeid <String>)|
          ([customtheme <DriveFileID> <Float> <Float> <Float>] [color <ColorValue>])]
         (<SharedDriveRestrictionsSubfieldName> <Boolean>)*
@@ -215,7 +219,7 @@ gam <UserTypeEntity> create teamdrive <Name>
         [errorretries <Integer>] [updateinitialdelay <Integer>] [updateretrydelay <Integer>]
         [(csv [todrive <ToDriveAttribute>*] (addcsvdata <FieldName> <String>)*) | returnidonly]
 ```
-* `themeid` - a Shared Drive themeId obtained from `show teamdrivethemes`
+* `themeid` - a Shared Drive themeId obtained from `show shareddrivethemes`
 * `customtheme` - set the backgroundImageFile property described here:  https://developers.google.com/drive/v3/reference/teamdrives
   * `<Float>` - X coordinate, typically 0.0
   * `<Float>` - Y coordinate, typically 0.0
@@ -248,9 +252,9 @@ When either of these options is chosen, no infomation about Shared Drive restric
 To retrieve the Shared Drive ID with `returnidonly`:
 ```
 Linux/MacOS
-teamDriveId=$(gam user user@domain.com create teamdrive ... returnidonly)
+teamDriveId=$(gam user user@domain.com create shareddrive ... returnidonly)
 Windows PowerShell
-$teamDriveId = & gam user user@domain.com create teamdrive ... returnidonly
+$teamDriveId = & gam user user@domain.com create shareddrive ... returnidonly
 ```
 
 ## Bulk Create Shared Drives
@@ -260,7 +264,7 @@ As a newly created Drive can't be updated for 30+ seconds; split the operation i
 
 Make a CSV file SharedDriveNames.csv with at least two columns, User and name.
 ```
-gam redirect csv ./SharedDrivesCreated.csv multiprocess csv SharedDriveNames.csv gam user "~User" create teamdrive "~name" csv
+gam redirect csv ./SharedDrivesCreated.csv multiprocess csv SharedDriveNames.csv gam user "~User" create shareddrive "~name" csv
 ```
 This will create a three column CSV file SharedDriveNamesIDs.csv with columns: User,name,id
 * There will be a row for each Shared Drive.
@@ -274,13 +278,13 @@ gam redirect stdout ./SharedDrivesUpdated.txt multiprocess redirect stderr stdou
 
 This command is used to set basic Shared Drive settings.
 ```
-gam <UserTypeEntity> update teamdrive <SharedDriveEntity> [adminaccess|asadmin] [name <Name>]
+gam <UserTypeEntity> update shareddrive <SharedDriveEntity> [adminaccess|asadmin] [name <Name>]
         [(theme|themeid <String>)|
          ([customtheme <DriveFileID> <Float> <Float> <Float>] [color <ColorValue>])]
         (<SharedDriveRestrictionsSubfieldName> <Boolean>)*
         [hide|hidden <Boolean>] [ou|org|orgunit <OrgUnitItem>]
 ```
-* `themeid` - a Shared Drive themeId obtained from `show teamdrivethemes`
+* `themeid` - a Shared Drive themeId obtained from `show shareddrivethemes`
 * `customtheme` - set the backgroundImageFile property described here:  https://developers.google.com/drive/v3/reference/teamdrives
 * `color` - set the Shared Drive color
 * `<SharedDriveRestrictionsSubfieldName> <Boolean>` - Set Shared Drive Restrictions
@@ -291,7 +295,7 @@ This option is only available when the command is run as an administrator.
 
 ## Delete a Shared Drive
 ```
-gam <UserTypeEntity> delete teamdrive <SharedDriveEntity> [allowitemdeletion] [adminaccess|asadmin]
+gam <UserTypeEntity> delete shareddrive <SharedDriveEntity> [allowitemdeletion] [adminaccess|asadmin]
 ```
 By default, deleting a Shared Drive that contains any files/folders will fail.
 The `allowitemdeletion` option allows a Super Admin to delete a non-empty Shared Drive.
@@ -299,19 +303,19 @@ This is not reversible, proceed with caution.
 
 ## Change Shared Drive visibility
 ```
-gam <UserTypeEntity> hide teamdrive <SharedDriveEntity>
-gam <UserTypeEntity> unhide teamdrive <SharedDriveEntity>
+gam <UserTypeEntity> hide shareddrive <SharedDriveEntity>
+gam <UserTypeEntity> unhide shareddrive <SharedDriveEntity>
 ```
 ## Display Shared Drives
 ```
-gam <UserTypeEntity> show teamdriveinfo <SharedDriveEntity>
-gam <UserTypeEntity> info teamdrive <SharedDriveEntity>
+gam <UserTypeEntity> show shareddriveinfo <SharedDriveEntity>
+gam <UserTypeEntity> info shareddrive <SharedDriveEntity>
         [fields <SharedDriveFieldNameList>]
         [guiroles [<Boolean>] [formatjson]
-gam <UserTypeEntity> show teamdriveinfo <SharedDriveEntity>
+gam <UserTypeEntity> show shareddriveinfo <SharedDriveEntity>
         [fields <SharedDriveFieldNameList>]
         [guiroles [<Boolean>] [formatjson]
-gam <UserTypeEntity> show teamdrives
+gam <UserTypeEntity> show shareddrives
         [matchname <REMatchPattern>] (role|roles <SharedDriveACLRoleList>)*
         [fields <SharedDriveFieldNameList>]
         [guiroles [<Boolean>] [formatjson]
@@ -323,7 +327,7 @@ By default, Gam displays all Teams Drives accessible by the user.
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 ```
-gam <UserTypeEntity> print teamdrives [todrive <ToDriveAttribute>*]
+gam <UserTypeEntity> print shareddrives [todrive <ToDriveAttribute>*]
         [matchname <REMatchPattern>] (role|roles <SharedDriveACLRoleList>)*
         [fields <SharedDriveFieldNameList>] [formatjson [quotechar <Character>]]
 ```
@@ -386,6 +390,51 @@ count=$(gam user user@domain.com print shareddrives showitemcountonly)
 Windows PowerShell
 count = & gam user user@domain.com print shareddrives showitemcountonly
 ```
+## Display Shared Drive Organizers
+The following command can be used instead of the `GetTeamDriveOrganizers.py` script.
+
+```
+gam <UserTypeEntity> print shareddriveorganizers [todrive <ToDriveAttribute>*]
+        [adminaccess|asadmin]
+        [(shareddriveadminquery|query <QuerySharedDrive>) |
+         (shareddrives|teamdrives (<SharedDriveIDList>|(select <FileSelector>|<CSVFileSelector>)))]
+        [orgunit|org|ou <OrgUnitPath>]
+        [matchname <REMatchPattern>]
+        [domainlist <DomainList>]
+        [includetypes <OrganizerTypeList>]
+        [oneorganizer [<Boolean>]]
+        [shownorganizerdrives [false|true|only]]
+        [includefileorganizers [<Boolean>]]
+        [delimiter <Character>]
+```
+Options `shareddriveadminquery|query` and `shareddrives|teamdrives` are mutually exclusive.
+
+Options `shareddriveadminquery|query` and `orgunit|org|ou` require `adminaccess|asadmin`.
+
+By default, organizers for all Shared Drives are displayed; use the following options to select a subset of Shared Drives:
+* `teamdriveadminquery|query <QueryTeamDrive>` - Use a query to select Shared Drives
+* `shareddrives|teamdrives <SharedDriveIDList>` - Select the Shared Drive IDs specified in `<SharedDriveIDList>`
+* `shareddrives|teamdrives select <FileSelector>|<CSVFileSelector>` - Select the Shared Drive IDs specified in `<FileSelector>|<CSVFileSelector>`
+* `orgunit|org|ou <OrgUnitPath>` - Only Shared Drives in the specified Org Unit are selected
+* `matchname <REMatchPattern>` - Retrieve Shared Drives with names that match a pattern.
+
+For multiple organizers:
+* `delimiter <Character>` - Separate `organizers` entries with `<Character>`; the default value is `csv_output_field_delimiter` from `gam.cfg`.
+
+The command defaults do not match the script defaults, they are set for the most common use case:
+* `domainlist` - The workspace primary domain
+* `includetypes` - user
+* `oneorganizer` - True
+* `shownoorganizerdrives` - True
+* `includefileorganizers` - False
+
+To select organizers from any domain, use: `domainlist ""`
+
+For example, to get a single user organizer from your domain for all Shared Drives including no organizer drives:
+```
+gam redirect csv ./TeamDriveOrganizers.csv print shareddriveorganizers
+```
+
 ## Manage Shared Drive access
 These commands must be issued by a user with Shared Drive permission role organizer.
 ### Process single ACLs.
@@ -458,14 +507,14 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 
 ## Display Shared Drive access for selected Shared Drives
 ```
-gam <UserTypeEntity> show teamdriveacls
+gam <UserTypeEntity> show shareddriveacls
         adminaccess [teamdriveadminquery|query <QueryTeamDrive>]
         [matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
         [user|group <EmailAddress> [checkgroups]] (role|roles <SharedDriveACLRoleList>)*
         <PermissionMatch>* [<PermissionMatchAction>] [pmselect]
         [oneitemperrow] [<DrivePermissionsFieldName>*|(fields <DrivePermissionsFieldNameList>)]
         [formatjson [quotechar <Character>]]
-gam <UserTypeEntity> print teamdriveacls [todrive <ToDriveAttribute>*]
+gam <UserTypeEntity> print shareddriveacls [todrive <ToDriveAttribute>*]
         adminaccess [teamdriveadminquery|query <QueryTeamDrive>]
 	[matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
         [user|group <EmailAddress> [checkgroups]] (role|roles <SharedDriveACLRoleList>)*
@@ -488,7 +537,7 @@ By default, all ACLS are displayed; use the following options to select a subset
 * `role|roles <SharedDriveACLRoleList>` - Display ACLs for the specified roles only.
 * `<PermissionMatch>* [<PermissionMatchAction>]` - Use permission matching to display a subset of the ACLs for each Shared Drive; this only applies when `pmselect` is not specified
 
-With `print teamdriveacls` or `show teamdrivecls formatjson`, the ACLs selected for display are all output on one row/line as a repeating item with the matching Shared Drive id.
+With `print shareddriveacls` or `show shareddrivecls formatjson`, the ACLs selected for display are all output on one row/line as a repeating item with the matching Shared Drive id.
 When `oneitemperrow` is specified, each ACL is output on a separate row/line with the matching Shared Drive id and name. This simplifies processing the CSV file with subsequent Gam commands.
 
 By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain

wiki/Vault-Takeout.md

@@ -243,7 +243,8 @@ gam create vaultexport|export matter <MatterItem> [name <String>] corpus calenda
         [terms <String>] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>] [timezone <TimeZone>]
         [locationquery <StringList>] [peoplequery <StringList>] [minuswords <StringList>]
         [responsestatuses <AttendeeStatus>(,<AttendeeStatus>)*] [calendarversiondate <Date>|<Time>]
-        [includeshareddrives <Boolean>] [driveversiondate <Date>|<Time>] [includeaccessinfo <Boolean>]
+        [(includeshareddrives <Boolean>)|(shareddrivesoption included|included_if_account_is_not_a_member|not_included)]
+        [driveversiondate <Date>|<Time>] [includeaccessinfo <Boolean>]
         [driveclientsideencryption any|encrypted|unencrypted]
         [includerooms <Boolean>]
         [excludedrafts <Boolean>] [mailclientsideencryption any|encrypted|unencrypted]
@@ -315,8 +316,11 @@ For `corpus calendar`, you can specify the format of the exported data:
 
 For `corpus drive`, you can specify advanced search options:
 * `driveversiondate <Date>|<Time>` - Search the versions of the Drive file as of the reference date. These timestamps are in GMT and rounded down to the given date.
-* `includeshareddrives False` - Do not include Shared Drives in the search, this is the default.
-* `includeshareddrives True` - Include Shared Drives in the search.
+* `includeshareddrives False` - Mapped to `sharedrivesoption included_if_account_is_not_a_member`
+* `includeshareddrives True` - Mapped to `sharedrivesoption included`
+* `sharedrivesoption included` - Resources in shared drives are included in the search
+* `sharedrivesoption included_if_account_is_not_a_member` - Resources in shared drives where account is not a member are included in the search, this is the default
+* `sharedrivesoption not_included` - Resources in shared drives are not included in the search
 * `driveclientsideencryption any` - Include both client-side encrypted and unencrypted content in search, this is the default.
 * `driveclientsideencryption encrypted` - Include client-side encrypted content only in search.
 * `driveclientsideencryption unencrypted` - Include client-side unencrypted content only in search.
@@ -599,7 +603,7 @@ gam create vaulthold|hold matter <MatterItem> [name <String>] corpus calendar|dr
         [terms <String>] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
         [includerooms <Boolean>]
         [covereddata calllogs|textmessages|voicemails]
-        [includeshareddrives|includeteamdrives <Boolean>]
+        [includeshareddrives <Boolean>]
         [showdetails|returnidonly]
 ```
 Specify the name of the hold:
@@ -621,8 +625,8 @@ Specify the search method, this option is required:
 The `query <QueryVaultCorpus>` option can still be used but it is much simpler to use the following options.
 
 For `corpus drive`, you can specify advanced search options:
-* `includeshareddrives False` - Do not include Shared Drives in the search, this is the default.
-* `includeshareddrives True` - Include Shared Drives in the search.
+* `includeshareddrives False` - Files in shared drives are not included in the hold, this is the default
+* `includeshareddrives True` - Files in shared drives are included in the hold
 
 For `corpus mail`, you can specify search terms to limit the search.
 * `terms <String>` - [Vault search](https://support.google.com/vault/answer/2474474)
@@ -652,12 +656,12 @@ gam update vaulthold|hold <HoldItem> matter <MatterItem>
         [terms <String>] [start|starttime <Date>|<Time>] [end|endtime <Date>|<Time>]
         [includerooms <Boolean>]
         [covereddata calllogs|textmessages|voicemails]
-        [includeshareddrives|includeteamdrives <Boolean>]
+        [includeshareddrives <Boolean>]
         [showdetails]
 ```
 For a hold with `corpus drive`, you can specify advanced search options:
-* `includeshareddrives False` - Do not include Shared Drives in the search, this is the default.
-* `includeshareddrives True` - Include Shared Drives in the search.
+* `includeshareddrives False` - Files in shared drives are not included in the hold, this is the default
+* `includeshareddrives True` - Files in shared drives are included in the hold
 
 For a hold with `corpus mail`, you can specify search terms to limit the search.
 * `terms <String>` - [Vault search](https://support.google.com/vault/answer/2474474)

wiki/Version-and-Help.md

@@ -3,9 +3,9 @@
 Print the current version of Gam with details
 ```
 gam version
-GAM 7.07.14 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.09.03 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.3 64-bit final
+Python 3.13.4 64-bit final
 MacOS Sequoia 15.5 x86_64
 Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
@@ -15,9 +15,9 @@ Time: 2023-06-02T21:10:00-07:00
 Print the current version of Gam with details and time offset information
 ```
 gam version timeoffset
-GAM 7.07.14 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.09.03 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.3 64-bit final
+Python 3.13.4 64-bit final
 MacOS Sequoia 15.5 x86_64
 Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
@@ -27,9 +27,9 @@ Your system time differs from www.googleapis.com by less than 1 second
 Print the current version of Gam with extended details and SSL information
 ```
 gam version extended
-GAM 7.07.14 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.09.03 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.3 64-bit final
+Python 3.13.4 64-bit final
 MacOS Sequoia 15.5 x86_64
 Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
@@ -64,7 +64,7 @@ MacOS High Sierra 10.13.6 x86_64
 Path: /Users/Admin/bin/gam7
 Version Check:
   Current: 5.35.08
-   Latest: 7.07.14
+   Latest: 7.09.03
 echo $?
 1
 ```
@@ -72,7 +72,7 @@ echo $?
 Print the current version number without details
 ```
 gam version simple
-7.07.14
+7.09.03
 ```
 In Linux/MacOS you can do:
 ```
@@ -82,9 +82,9 @@ echo $VER
 Print the current version of Gam and address of this Wiki
 ```
 gam help
-GAM 7.07.14 - https://github.com/GAM-team/GAM
+GAM 7.09.03 - https://github.com/GAM-team/GAM
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.3 64-bit final
+Python 3.13.4 64-bit final
 MacOS Sequoia 15.5 x86_64
 Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com

wiki/gam.cfg.md

@@ -328,6 +328,16 @@ enable_dasa
         admin_email, customer_id and domain must be set when enable_dasa is True,
         customer_id may not be set to my_customer
         Signal file: OldGamPath/enabledasa.txt
+enforce_expansive_access
+        The default value for option `enforceexpansiveaccess` in all commands that delete or update drive file ACLs/permissions.
+        gam <UserTypeEntity> delete permissions
+        gam <UserTypeEntity> delete drivefileacl
+        gam <UserTypeEntity> update drivefileacl
+        gam <UserTypeEntity> copy drivefile
+        gam <UserTypeEntity> move drivefile
+        gam <UserTypeEntity> transfer ownership
+        gam <UserTypeEntity> claim ownership
+        Default: True
 event_max_results
         When retrieving lists of Calendar events from API,
         how many should be retrieved in each API call