Improved output of gam info|show chromeschemas

Update Chrome-Policies.md
Fixed bug in gam update chromepolicy
2026-06-07 15:51:38 +00:00 · 2025-06-06 18:38:43 -07:00 · 2025-06-06 17:24:08 -07:00 · 2025-06-05 22:53:23 -07:00 · 2025-06-05 22:53:05 -07:00 · 2025-06-05 22:47:12 -07:00
16 changed files with 744 additions and 298 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -126,7 +126,7 @@ jobs:
        with:
          path: |
            cache.tar.xz
-          key: gam-${{ matrix.jid }}-20250422
+          key: gam-${{ matrix.jid }}-20250603

      - name: Untar Cache archive
        if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit == 'true'
--- a/src/GamCommands.txt
+++ b/src/GamCommands.txt
@@ -2725,6 +2725,7 @@ gam print chromschemas [todrive <ToDriveAttribute>*]
        <ChromePolicySchemaFieldName>* [fields <ChromePolicySchemaFieldNameList>]
        [[formatjson [quotechar <Character>]]

+gam info chromeschema std <SchemaName>
 gam show chromeschemas std
        [filter <String>]

@@ -4820,7 +4821,8 @@ gam show shareddrives
        [formatjson] [noorgunits [<Boolean>]]

 gam print shareddriveorganizers [todrive <ToDriveAttribute>*]
-        [shareddriveadminquery|query <QuerySharedDrive>]
+        [(shareddriveadminquery|query <QuerySharedDrive>) |
+         (shareddrives|teamdrives (<SharedDriveIDList>|(select <FileSelector>|<CSVFileSelector>)))]
        [orgunit|org|ou <OrgUnitPath>]
        [matchname <REMatchPattern>]
        [domainlist <DomainList>]
@@ -8337,7 +8339,9 @@ gam <UserTypeEntity> show shareddrives
        [formatjson]

 gam <UserTypeEntity> print shareddriveorganizers [todrive <ToDriveAttribute>*]
-        [adminaccess|asadmin] [shareddriveadminquery|query <QuerySharedDrive>]
+        [adminaccess|asadmin]
+        [(shareddriveadminquery|query <QuerySharedDrive>) |
+         (shareddrives|teamdrives (<SharedDriveIDList>|(select <FileSelector>|<CSVFileSelector>)))]
        [orgunit|org|ou <OrgUnitPath>]
        [matchname <REMatchPattern>]
        [domainlist <DomainList>]
--- a/src/GamUpdate.txt
+++ b/src/GamUpdate.txt
@@ -1,3 +1,69 @@
+7.09.02
+
+Added command `gam info chromeschema std <SchemaName>` to display a Chrome policy schema in the same format as Legacy GAM.
+
+Improved output of `gam show chromeschemas [std]` and `gam info chromeschema [std]` to more accurately display the schemas.
+
+7.09.01
+
+Fixed bug in `gam <UserTypeEntity> print diskusage` where the `ownedByMe` column was
+blank for the top folder.
+
+Fixed bug in `gam update chromepolicy` where the following error was generated
+when updating policies with simple numerical values.
+```
+ERROR: Missing argument: Expected <value>"
+```
+
+7.09.00
+
+Removed the overly broad service account `IAM and Access Management API` scope `https://www.googleapis.com/auth/cloud-platform`
+from DWD. The `gam <UserTypeEntity> check|Update serviceaccount` commands issue an error message if this scope
+is enabled prompting you to update your service account authorization so that the scope can be removed.
+
+GAM commands that need IAM access now use the more limited scope `https://www.googleapis.com/auth/iam` in a non-DWD manner.
+
+Added `enforce_expansive_access` Boolean variable to `gam.cfg` that provides the default value
+for option `enforceexpansiveaccess` in all commands that delete or update drive file ACLs/permissions.
+It's default value is False.
+```
+gam <UserTypeEntity> delete permissions
+gam <UserTypeEntity> delete drivefileacl
+gam <UserTypeEntity> update drivefileacl
+gam <UserTypeEntity> copy drivefile
+gam <UserTypeEntity> move drivefile
+gam <UserTypeEntity> transfer ownership
+gam <UserTypeEntity> claim ownership
+gam <UserTypeEntity> transfer drive
+```
+
+Fixed bug in `gam print shareddriveorganizers` that caused a trap when an organizer was a deleted user.
+
+Updated to Python 3.13.4
+
+7.08.02
+
+Updated the defaults in `gam print shareddriveorganizers` to match the most common use case, not the script.
+
+* `domainlist` - The workspace primary domain
+* `includetypes` - user
+* `oneorganizer` - True
+* `shownoorganizerdrives` - True
+* `includefileorganizers` - False
+
+To select organizers from any domain, use: `domainlist ""`
+
+These commands produce the same result.
+```
+gam redirect csv ./TeamDriveOrganizers.csv print shareddriveorganizers domainlist mydomain.com includetypes user oneorganizer shownoorganizerdrives
+gam redirect csv ./TeamDriveOrganizers.csv print shareddriveorganizers
+```
+
+7.08.01
+
+Added option `shareddrives (<SharedDriveIDList>|(select <FileSelector>|<CSVFileSelector>))` to
+`gam print shareddriveorganizers` that displays organizers for a specific list of Shared Drive IDs.
+
 7.08.00

 Added the following command that can be used instead of the `GetTeamDriveOrganizers.py` script.
@@ -16,7 +82,7 @@ gam [<UserTypeEntity>] print shareddriveorganizers [todrive <ToDriveAttribute>*]
 ```
 The command defaults match the script defaults:
 * `domainlist` - All domains
-* `includetypes` - user,groups
+* `includetypes` - user,group
 * `oneorganizer` - False
 * `shownoorganizerdrives` - True
 * `includefileorganizers` - False
--- a/src/callgam.py
+++ b/src/callgam.py
@@ -11,7 +11,7 @@ if __name__ == '__main__':
 # One time initialization
  if platform.system() != 'Linux':
    multiprocessing.freeze_support()
-    multiprocessing.set_start_method('spawn')
+    multiprocessing.set_start_method('spawn', force=True)
  initializeLogging()
 #
  CallGAMCommand(['gam', 'version'])
--- a/src/gam.py
+++ b/src/gam.py
@@ -11,5 +11,5 @@ from gam.__main__ import main
 if __name__ == '__main__':
  if platform.system() != 'Linux':
    multiprocessing.freeze_support()
-    multiprocessing.set_start_method('spawn')
+    multiprocessing.set_start_method('spawn', force=True)
  main()
--- a/src/gam/init.py
+++ b/src/gam/init.py
@@ -25,7 +25,7 @@ https://github.com/GAM-team/GAM/wiki
 """

 __author__ = 'GAM Team <google-apps-manager@googlegroups.com>'
-__version__ = '7.08.00'
+__version__ = '7.09.02'
 __license__ = 'Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0)'

 #pylint: disable=wrong-import-position
@@ -4785,8 +4785,9 @@ def defaultSvcAcctScopes():
  scopesList = API.getSvcAcctScopesList(GC.Values[GC.USER_SERVICE_ACCOUNT_ACCESS_ONLY], False)
  saScopes = {}
  for scope in scopesList:
-    saScopes.setdefault(scope['api'], [])
-    saScopes[scope['api']].append(scope['scope'])
+    if not scope.get('offByDefault'):
+      saScopes.setdefault(scope['api'], [])
+      saScopes[scope['api']].append(scope['scope'])
  saScopes[API.DRIVEACTIVITY].append(API.DRIVE_SCOPE)
  saScopes[API.DRIVE2] = saScopes[API.DRIVE3]
  saScopes[API.DRIVETD] = saScopes[API.DRIVE3]
@@ -12232,7 +12233,7 @@ def checkServiceAccount(users):

  def authorizeScopes(message):
    long_url = ('https://admin.google.com/ac/owl/domainwidedelegation'
-                f'?clientScopeToAdd={",".join(checkScopes)}'
+                f'?clientScopeToAdd={",".join(sorted(checkScopes))}'
                f'&clientIdToAdd={service_account}&overwriteClientId=true')
    if GC.Values[GC.DOMAIN]:
      long_url += f'&dn={GC.Values[GC.DOMAIN]}'
@@ -12244,10 +12245,12 @@ def checkServiceAccount(users):
  allScopes = API.getSvcAcctScopes(GC.Values[GC.USER_SERVICE_ACCOUNT_ACCESS_ONLY], Act.Get() == Act.UPDATE)
  checkScopesSet = set()
  saScopes = {}
+  checkDeprecatedScopes = True
  useColor = False
  while Cmd.ArgumentsRemaining():
    myarg = getArgument()
    if myarg in {'scope', 'scopes'}:
+      checkDeprecatedScopes = False
      for scope in getString(Cmd.OB_API_SCOPE_URL_LIST).lower().replace(',', ' ').split():
        api = API.getSvcAcctScopeAPI(scope)
        if api is not None:
@@ -12264,10 +12267,12 @@ def checkServiceAccount(users):
    testPass = createGreenText('PASS')
    testFail = createRedText('FAIL')
    testWarn = createYellowText('WARN')
+    testDeprecated = createRedText('DEPRECATED')
  else:
    testPass = 'PASS'
    testFail = 'FAIL'
    testWarn = 'WARN'
+    testDeprecated = 'DEPRECATED'
  if Act.Get() == Act.CHECK:
    if not checkScopesSet:
      for scope in iter(GM.Globals[GM.SVCACCT_SCOPES].values()):
@@ -12275,7 +12280,7 @@ def checkServiceAccount(users):
  else:
    if not checkScopesSet:
      scopesList = API.getSvcAcctScopesList(GC.Values[GC.USER_SERVICE_ACCOUNT_ACCESS_ONLY], True)
-      selectedScopes = getScopesFromUser(scopesList, False, GM.Globals[GM.SVCACCT_SCOPES])
+      selectedScopes = getScopesFromUser(scopesList, False, GM.Globals[GM.SVCACCT_SCOPES] if GM.Globals[GM.SVCACCT_SCOPES_DEFINED] else None)
      if selectedScopes is None:
        return False
      i = 0
@@ -12337,8 +12342,8 @@ def checkServiceAccount(users):
  if saTokenStatus == testFail:
    invalidOauth2serviceJsonExit(f'Authentication{auth_error}')
  _getSvcAcctData() # needed to read in GM.OAUTH2SERVICE_JSON_DATA
-  if GM.Globals[GM.SVCACCT_SCOPES_DEFINED] and API.IAM not in GM.Globals[GM.SVCACCT_SCOPES]:
-    GM.Globals[GM.SVCACCT_SCOPES][API.IAM] = [API.CLOUD_PLATFORM_SCOPE]
+  if API.IAM not in GM.Globals[GM.SVCACCT_SCOPES]:
+    GM.Globals[GM.SVCACCT_SCOPES][API.IAM] = [API.IAM_SCOPE]
  key_type = GM.Globals[GM.OAUTH2SERVICE_JSON_DATA].get('key_type', 'default')
  if key_type == 'default':
    printMessage(Msg.SERVICE_ACCOUNT_CHECK_PRIVATE_KEY_AGE)
@@ -12399,6 +12404,38 @@ def checkServiceAccount(users):
        allScopesPass = False
      printPassFail(scope, f'{scopeStatus}{currentCount(j, jcount)}')
    Ind.Decrement()
+    if checkDeprecatedScopes:
+      deprecatedScopes = sorted(API.DEPRECATED_SCOPES)
+      jcount = len(deprecatedScopes)
+      printKeyValueListWithCount([Msg.DEPRECATED_SCOPES, '',
+                                  Ent.Singular(Ent.USER), user,
+                                  Ent.Choose(Ent.SCOPE, jcount), jcount],
+                                 i, count)
+      Ind.Increment()
+      j = 0
+      for scope in deprecatedScopes:
+        j += 1
+        # try with and without email scope
+        for scopes in [[scope, API.USERINFO_EMAIL_SCOPE], [scope]]:
+          try:
+            credentials = getSvcAcctCredentials(scopes, user)
+            credentials.refresh(request)
+            break
+          except (httplib2.HttpLib2Error, google.auth.exceptions.TransportError, RuntimeError) as e:
+            handleServerError(e)
+          except google.auth.exceptions.RefreshError:
+            continue
+        if credentials.token:
+          token_info = callGAPI(oa2, 'tokeninfo', access_token=credentials.token)
+          if scope in token_info.get('scope', '').split(' ') and user == token_info.get('email', user).lower():
+            scopeStatus = testDeprecated
+            allScopesPass = False
+          else:
+            scopeStatus = testPass
+        else:
+          scopeStatus = testPass
+        printPassFail(scope, f'{scopeStatus}{currentCount(j, jcount)}')
+      Ind.Decrement()
    service_account = GM.Globals[GM.OAUTH2SERVICE_JSON_DATA]['client_id']
    if allScopesPass:
      if Act.Get() == Act.CHECK:
@@ -25910,7 +25947,7 @@ def exitIfChatNotConfigured(chat, kvList, errMsg, i, count):
  if (('No bot associated with this project.' in errMsg) or
      ('Invalid project number.' in errMsg) or
      ('Google Chat app not found.' in errMsg)):
-    systemErrorExit(API_ACCESS_DENIED_RC, Msg.TO_SET_UP_GOOGLE_CHAT.format(setupChatURL(chat)))
+    systemErrorExit(API_ACCESS_DENIED_RC, Msg.TO_SET_UP_GOOGLE_CHAT.format(setupChatURL(chat), GM.Globals[GM.OAUTH2SERVICE_JSON_DATA]['project_id']))
  entityActionFailedWarning(kvList, errMsg, i, count)

 def _getChatAdminAccess(adminAPI, userAPI):
@@ -28081,7 +28118,10 @@ def simplifyChromeSchema(schema):
                 'settings': {}
                }
  fieldDescriptions = schema['fieldDescriptions']
+  savedSettingName = ''
+  savedTypeName = ''
  for mtype in schema['definition']['messageType']:
+    numSettings = len(mtype['field'])
    for setting in mtype['field']:
      setting_name = setting['name']
      setting_dict = {'name': setting_name,
@@ -28089,6 +28129,9 @@ def simplifyChromeSchema(schema):
                      'descriptions':  [],
                      'type': setting['type'],
                     }
+      if mtype['name'] == savedTypeName and numSettings == 1:
+        setting_dict['name'] = savedSettingName
+        savedTypeName = ''
      if setting_dict['type'] == 'TYPE_STRING' and setting.get('label') == 'LABEL_REPEATED':
        setting_dict['type'] = 'TYPE_LIST'
      if setting_dict['type'] == 'TYPE_ENUM':
@@ -28110,6 +28153,8 @@ def simplifyChromeSchema(schema):
                  break
            break
      elif setting_dict['type'] == 'TYPE_MESSAGE':
+        savedSettingName = setting_name
+        savedTypeName = setting['typeName']
        continue
      else:
        setting_dict['enums'] = None
@@ -28215,14 +28260,11 @@ def doDeleteChromePolicy():
    entityActionFailedWarning(kvList, str(e))

 CHROME_SCHEMA_SPECIAL_CASES = {
+# duration
  'chrome.users.AutoUpdateCheckPeriodNewV2':
    {'autoupdatecheckperiodminutesnew':
       {'casedField': 'autoUpdateCheckPeriodMinutesNew',
        'type': 'duration', 'minVal': 1, 'maxVal': 720}},
-  'chrome.users.Avatar':
-    {'useravatarimage':
-       {'casedField': 'userAvatarImage',
-        'type': 'downloadUri'}},
  'chrome.users.BrowserSwitcherDelayDurationV2':
    {'browserswitcherdelayduration':
       {'casedField': 'browserSwitcherDelayDuration',
@@ -28264,10 +28306,6 @@ CHROME_SCHEMA_SPECIAL_CASES = {
    {'maxinvalidationfetchdelay':
       {'casedField': 'maxInvalidationFetchDelay',
        'type': 'duration', 'minVal': 1, 'maxVal': 30, 'default': 10}},
-  'chrome.users.PrintingMaxSheetsAllowed':
-    {'printingmaxsheetsallowednullable':
-       {'casedField': 'printingMaxSheetsAllowedNullable',
-        'type': 'value', 'minVal': 1, 'maxVal': None}},
  'chrome.users.PrintJobHistoryExpirationPeriodNewV2':
    {'printjobhistoryexpirationperioddaysnew':
       {'casedField': 'printJobHistoryExpirationPeriodDaysNew',
@@ -28291,10 +28329,6 @@ CHROME_SCHEMA_SPECIAL_CASES = {
     'updatessuppressedstarttime':
       {'casedField': 'updatesSuppressedStartTime',
        'type': 'timeOfDay'}},
-  'chrome.users.Wallpaper':
-    {'wallpaperimage':
-       {'casedField': 'wallpaperImage',
-        'type': 'downloadUri'}},
  'chrome.devices.EnableReportUploadFrequencyV2':
    {'reportdeviceuploadfrequency':
       {'casedField': 'reportDeviceUploadFrequency',
@@ -28303,10 +28337,6 @@ CHROME_SCHEMA_SPECIAL_CASES = {
    {'uptimelimitduration':
       {'casedField': 'uptimeLimitDuration',
        'type': 'duration', 'minVal': 1, 'maxVal': 365}},
-  'chrome.devices.SignInWallpaperImage':
-    {'devicewallpaperimage':
-       {'casedField': 'deviceWallpaperImage',
-        'type': 'downloadUri'}},
  'chrome.devices.kiosk.AcPowerSettingsV2':
    {'acidletimeout':
       {'casedField': 'acIdleTimeout',
@@ -28333,10 +28363,6 @@ CHROME_SCHEMA_SPECIAL_CASES = {
     'batteryscreenofftimeout':
       {'casedField': 'batteryScreenOffTimeout',
        'type': 'duration', 'minVal': 0, 'maxVal': 35000}},
-  'chrome.devices.managedguest.Avatar':
-    {'useravatarimage':
-       {'casedField': 'userAvatarImage',
-        'type': 'downloadUri'}},
  'chrome.devices.managedguest.BrowsingDataLifetimeV2':
    {'browsinghistoryttl':
       {'casedField': 'browsingHistoryTtl',
@@ -28378,6 +28404,56 @@ CHROME_SCHEMA_SPECIAL_CASES = {
    {'sessiondurationlimit':
       {'casedField': 'sessionDurationLimit',
        'type': 'duration', 'minVal': 1, 'maxVal': 1440}},
+# value
+  'chrome.users.GaiaLockScreenOfflineSigninTimeLimitDays':
+    {'gaialockscreenofflinesignintimelimitdays':
+       {'casedField': 'gaiaLockScreenOfflineSigninTimeLimitDays',
+        'type': 'value', 'minVal': 0, 'maxVal': 365}},
+  'chrome.users.GaiaOfflineSigninTimeLimitDays':
+    {'gaiaofflinesignintimelimitdays':
+       {'casedField': 'gaiaOfflineSigninTimeLimitDays',
+        'type': 'value', 'minVal': 0, 'maxVal': 365}},
+  'chrome.users.PrintingMaxSheetsAllowed':
+    {'printingmaxsheetsallowednullable':
+       {'casedField': 'printingMaxSheetsAllowedNullable',
+        'type': 'value', 'minVal': 1, 'maxVal': None}},
+  'chrome.users.RemoteAccessHostClipboardSizeBytes':
+    {'remoteaccesshostclipboardsizebytes':
+       {'casedField': 'remoteAccessHostClipboardSizeBytes',
+        'type': 'value', 'minVal': 0, 'maxVal': 2147483647}},
+  'chrome.users.SamlLockScreenOfflineSigninTimeLimitDays':
+    {'samllockscreenofflinesignintimelimitdays':
+       {'casedField': 'samlLockScreenOfflineSigninTimeLimitDays',
+        'type': 'value', 'minVal': 0, 'maxVal': 365}},
+  'chrome.devices.ExtensionCacheSize':
+    {'extensioncachesize':
+       {'casedField': 'extensionCacheSize',
+        'type': 'value', 'minVal': 1048576, 'maxVal': None, 'default': 268435456}},
+  'chrome.devices.managedguest.PrintingMaxSheetsAllowed':
+    {'printingmaxsheetsallowednullable':
+       {'casedField': 'printingMaxSheetsAllowedNullable',
+        'type': 'value', 'minVal': 1, 'maxVal': None}},
+  'chrome.devices.managedguest.RemoteAccessHostClipboardSizeBytes':
+    {'remoteaccesshostclipboardsizebytes':
+       {'casedField': 'remoteAccessHostClipboardSizeBytes',
+        'type': 'value', 'minVal': 0, 'maxVal': 2147483647}},
+# downloadUri
+  'chrome.users.Avatar':
+    {'useravatarimage':
+       {'casedField': 'userAvatarImage',
+        'type': 'downloadUri'}},
+  'chrome.users.Wallpaper':
+    {'wallpaperimage':
+       {'casedField': 'wallpaperImage',
+        'type': 'downloadUri'}},
+  'chrome.devices.SignInWallpaperImage':
+    {'devicewallpaperimage':
+       {'casedField': 'deviceWallpaperImage',
+        'type': 'downloadUri'}},
+  'chrome.devices.managedguest.Avatar':
+    {'useravatarimage':
+       {'casedField': 'userAvatarImage',
+        'type': 'downloadUri'}},
  'chrome.devices.managedguest.Wallpaper':
    {'wallpaperimage':
       {'casedField': 'wallpaperImage',
@@ -28855,7 +28931,7 @@ def _showChromePolicySchema(schema, FJQC, i=0, count=0):
    return
  printEntity([Ent.CHROME_POLICY_SCHEMA, schema['name']], i, count)
  Ind.Increment()
-  showJSON(None, schema)
+  showJSON(None, schema, dictObjectsKey={'messageType': 'name', 'field': 'name'})
  Ind.Decrement()

 CHROME_POLICY_SCHEMA_FIELDS_CHOICE_MAP = {
@@ -28878,6 +28954,9 @@ CHROME_POLICY_SCHEMA_FIELDS_CHOICE_MAP = {
 #	[formatjson]
 def doInfoChromePolicySchemas():
  cp = buildGAPIObject(API.CHROMEPOLICY)
+  if checkArgumentPresent('std'):
+    doInfoChromePolicySchemasStd(cp)
+    return
  FJQC = FormatJSONQuoteChar()
  fieldsList = []
  name = _getChromePolicySchemaName()
@@ -28906,7 +28985,7 @@ def doInfoChromePolicySchemas():
 #	[filter <String>]
 #	<ChromePolicySchemaFieldName>* [fields <ChromePolicySchemaFieldNameList>]
 #	[[formatjson [quotechar <Character>]]
-def doPrintShowChromeSchemas():
+def doPrintShowChromePolicySchemas():
  def _printChromePolicySchema(schema):
    row = flattenJSON(schema)
    if not FJQC.formatJSON:
@@ -28920,10 +28999,12 @@ def doPrintShowChromeSchemas():
      row['JSON'] = json.dumps(cleanJSON(schema), ensure_ascii=False, sort_keys=True)
      csvPF.WriteRowNoFilter(row)

-  if checkArgumentPresent('std'):
-    doShowChromeSchemasStd()
-    return
  cp = buildGAPIObject(API.CHROMEPOLICY)
+  if checkArgumentPresent('std'):
+    if not Act.csvFormat():
+      doShowChromePolicySchemasStd(cp)
+      return
+    unknownArgumentExit()
  parent = _getCustomersCustomerIdWithC()
  csvPF = CSVPrintFile(['name', 'schemaName', 'policyDescription',
                        'policyApiLifecycle.policyApiLifecycleStage',
@@ -28983,9 +29064,51 @@ def doPrintShowChromeSchemas():
  if csvPF:
    csvPF.writeCSVfile('Chrome Policy Schemas')

+def _showChromePolicySchemaStd(schema):
+  printKeyValueList([f'{schema.get("name")}', f'{schema.get("description")}'])
+  Ind.Increment()
+  for val in schema['settings'].values():
+    vtype = val.get('type')
+    printKeyValueList([f'{val.get("name")}', f'{vtype}'])
+    Ind.Increment()
+    if vtype == 'TYPE_ENUM':
+      enums = val.get('enums', [])
+      descriptions = val.get('descriptions', [])
+      for i in range(len(val.get('enums', []))):
+        printKeyValueList([f'{enums[i]}', f'{descriptions[i]}'])
+    elif vtype == 'TYPE_BOOL':
+      pvs = val.get('descriptions')
+      for pvi in pvs:
+        if isinstance(pvi, dict):
+          pvalue = pvi.get('value')
+          pdescription = pvi.get('description')
+          printKeyValueList([f'{pvalue}', f'{pdescription}'])
+        elif isinstance(pvi, list):
+          printKeyValueList([f'{pvi[0]}'])
+    else:
+      description = val.get('descriptions')
+      if len(description) > 0:
+        printKeyValueList([f'{description[0]}'])
+    Ind.Decrement()
+  Ind.Decrement()
+
+# gam info chromeschema std <SchemaName>
+def doInfoChromePolicySchemasStd(cp):
+  name = _getChromePolicySchemaName()
+  checkForExtraneousArguments()
+  try:
+    schema = callGAPI(cp.customers().policySchemas(), 'get',
+                      throwReasons=[GAPI.NOT_FOUND, GAPI.BAD_REQUEST, GAPI.FORBIDDEN],
+                      name=name)
+    _, schema_dict = simplifyChromeSchema(schema)
+    _showChromePolicySchemaStd(schema_dict)
+  except GAPI.notFound:
+    entityUnknownWarning(Ent.CHROME_POLICY_SCHEMA, name)
+  except (GAPI.badRequest, GAPI.forbidden):
+    accessErrorExit(None)
+
 # gam show chromeschemas std [filter <String>]
-def doShowChromeSchemasStd():
-  cp = buildGAPIObject(API.CHROMEPOLICY)
+def doShowChromePolicySchemasStd(cp):
  sfilter = None
  while Cmd.ArgumentsRemaining():
    myarg = getArgument()
@@ -29001,33 +29124,8 @@ def doShowChromeSchemasStd():
  for schema in result:
    schema_name, schema_dict = simplifyChromeSchema(schema)
    schemas[schema_name.lower()] = schema_dict
-  for _, value in sorted(iter(schemas.items())):
-    printKeyValueList([f'{value.get("name")}', f'{value.get("description")}'])
-    Ind.Increment()
-    for val in value['settings'].values():
-      vtype = val.get('type')
-      printKeyValueList([f'{val.get("name")}', f'{vtype}'])
-      Ind.Increment()
-      if vtype == 'TYPE_ENUM':
-        enums = val.get('enums', [])
-        descriptions = val.get('descriptions', [])
-        for i in range(len(val.get('enums', []))):
-          printKeyValueList([f'{enums[i]}', f'{descriptions[i]}'])
-      elif vtype == 'TYPE_BOOL':
-        pvs = val.get('descriptions')
-        for pvi in pvs:
-          if isinstance(pvi, dict):
-            pvalue = pvi.get('value')
-            pdescription = pvi.get('description')
-            printKeyValueList([f'{pvalue}', f'{pdescription}'])
-          elif isinstance(pvi, list):
-            printKeyValueList([f'{pvi[0]}'])
-      else:
-        description = val.get('descriptions')
-        if len(description) > 0:
-          printKeyValueList([f'{description[0]}'])
-      Ind.Decrement()
-    Ind.Decrement()
+  for _, schema in sorted(iter(schemas.items())):
+    _showChromePolicySchemaStd(schema)
    printBlankLine()

 # gam create chromenetwork
@@ -57259,6 +57357,7 @@ def printDiskUsage(users):
            topFolder['path'] = f'{SHARED_DRIVES}{pathDelimiter}{topFolder["name"]}'
          else:
            topFolder['path'] = topFolder['name']
+          topFolder.pop('ownedByMe', None)
        elif topFolder['name'] == MY_DRIVE and not topFolder.get('parents'):
          topFolder['path'] = MY_DRIVE
        else:
@@ -57269,7 +57368,6 @@ def printDiskUsage(users):
          if owners:
            topFolder['Owner'] = owners[0].get('emailAddress', 'Unknown')
            trashFolder['Owner'] = topFolder['Owner']
-        topFolder.pop('ownedByMe', None)
        topFolder.pop('parents', None)
        topFolder.update(zeroFolderInfo)
        topFolder.pop(sizeField, None)
@@ -58716,7 +58814,7 @@ def initCopyMoveOptions(copyCmd):
    'showPermissionMessages': False,
    'sendEmailIfRequired': False,
    'useDomainAdminAccess': False,
-    'enforceExpansiveAccess': False,
+    'enforceExpansiveAccess': GC.Values[GC.ENFORCE_EXPANSIVE_ACCESS],
    'copiedShortcutsPointToCopiedFiles': True,
    'createShortcutsForNonmovableFiles': False,
    'duplicateFiles': DUPLICATE_FILE_OVERWRITE_OLDER,
@@ -62096,7 +62194,8 @@ def transferDrive(users):
  targetUserFolderPattern = '#user# old files'
  targetUserOrphansFolderPattern = '#user# orphaned files'
  targetIds = [None, None]
-  createShortcutsForNonmovableFiles = enforceExpansiveAccess = False
+  createShortcutsForNonmovableFiles = False
+  enforceExpansiveAccess = GC.Values[GC.ENFORCE_EXPANSIVE_ACCESS]
  mergeWithTarget = False
  thirdPartyOwners = {}
  skipFileIdEntity = initDriveFileEntity()
@@ -62402,7 +62501,8 @@ def transferOwnership(users):
  body = {}
  newOwner = getEmailAddress()
  OBY = OrderBy(DRIVEFILE_ORDERBY_CHOICE_MAP)
-  changeParents = enforceExpansiveAccess = filepath = includeTrashed = noRecursion = False
+  changeParents = filepath = includeTrashed = noRecursion = False
+  enforceExpansiveAccess = GC.Values[GC.ENFORCE_EXPANSIVE_ACCESS]
  pathDelimiter = '/'
  csvPF = fileTree = None
  addParents = ''
@@ -62728,7 +62828,8 @@ def claimOwnership(users):
  onlyOwners = set()
  skipOwners = set()
  subdomains = []
-  enforceExpansiveAccess = filepath = includeTrashed = False
+  filepath = includeTrashed = False
+  enforceExpansiveAccess = GC.Values[GC.ENFORCE_EXPANSIVE_ACCESS]
  pathDelimiter = '/'
  addParents = ''
  parentBody = {}
@@ -63503,7 +63604,7 @@ def doCreateDriveFileACL():
 def updateDriveFileACLs(users, useDomainAdminAccess=False):
  fileIdEntity = getDriveFileEntity()
  isEmail, permissionId = getPermissionId()
-  enforceExpansiveAccess = None
+  enforceExpansiveAccess = GC.Values[GC.ENFORCE_EXPANSIVE_ACCESS]
  removeExpiration = showTitles = updateSheetProtectedRanges = False
  showDetails = True
  csvPF = None
@@ -63541,9 +63642,6 @@ def updateDriveFileACLs(users, useDomainAdminAccess=False):
  _checkFileIdEntityDomainAccess(fileIdEntity, useDomainAdminAccess)
  if 'role' not in body:
    missingArgumentExit(f'role {formatChoiceList(DRIVEFILE_ACL_ROLES_MAP)}')
-  updateKwargs = {'useDomainAdminAccess': useDomainAdminAccess}
-  if enforceExpansiveAccess is not None:
-    updateKwargs['enforceExpansiveAccess'] = enforceExpansiveAccess
  printKeys, timeObjects = _getDriveFileACLPrintKeysTimeObjects()
  if csvPF and showTitles:
    csvPF.AddTitles(fileNameTitle)
@@ -63581,7 +63679,7 @@ def updateDriveFileACLs(users, useDomainAdminAccess=False):
        permission = callGAPI(drive.permissions(), 'update',
                              bailOnInternalError=True,
                              throwReasons=GAPI.DRIVE_ACCESS_THROW_REASONS+GAPI.DRIVE3_UPDATE_ACL_THROW_REASONS+[GAPI.FILE_NEVER_WRITABLE],
-                              **updateKwargs,
+                              useDomainAdminAccess=useDomainAdminAccess, enforceExpansiveAccess=enforceExpansiveAccess,
                              fileId=fileId, permissionId=permissionId, removeExpiration=removeExpiration,
                              transferOwnership=body.get('role', '') == 'owner', body=body, fields='*', supportsAllDrives=True)
        if updateSheetProtectedRanges and mimeType == MIMETYPE_GA_SPREADSHEET:
@@ -63832,7 +63930,7 @@ def doCreatePermissions():
 def deleteDriveFileACLs(users, useDomainAdminAccess=False):
  fileIdEntity = getDriveFileEntity()
  isEmail, permissionId = getPermissionId()
-  enforceExpansiveAccess = None
+  enforceExpansiveAccess = GC.Values[GC.ENFORCE_EXPANSIVE_ACCESS]
  showTitles = updateSheetProtectedRanges = False
  while Cmd.ArgumentsRemaining():
    myarg = getArgument()
@@ -63847,9 +63945,6 @@ def deleteDriveFileACLs(users, useDomainAdminAccess=False):
    else:
      unknownArgumentExit()
  _checkFileIdEntityDomainAccess(fileIdEntity, useDomainAdminAccess)
-  deleteKwargs = {'useDomainAdminAccess': useDomainAdminAccess}
-  if enforceExpansiveAccess is not None:
-    deleteKwargs['enforceExpansiveAccess'] = enforceExpansiveAccess
  i, count, users = getEntityArgument(users)
  for user in users:
    i += 1
@@ -63882,7 +63977,7 @@ def deleteDriveFileACLs(users, useDomainAdminAccess=False):
                break
        callGAPI(drive.permissions(), 'delete',
                 throwReasons=GAPI.DRIVE_ACCESS_THROW_REASONS+GAPI.DRIVE3_DELETE_ACL_THROW_REASONS+[GAPI.FILE_NEVER_WRITABLE],
-                 **deleteKwargs,
+                 useDomainAdminAccess=useDomainAdminAccess, enforceExpansiveAccess=enforceExpansiveAccess,
                 fileId=fileId, permissionId=permissionId, supportsAllDrives=True)
        entityActionPerformed([Ent.USER, user, entityType, fileName, Ent.PERMISSION_ID, permissionId], j, jcount)
        if updateSheetProtectedRanges and mimeType == MIMETYPE_GA_SPREADSHEET:
@@ -63961,7 +64056,7 @@ def deletePermissions(users, useDomainAdminAccess=False):
    jsonData = getJSON([])
    PM = PermissionMatch()
    PM.SetDefaultMatch(False, {'role': 'owner'})
-  enforceExpansiveAccess = False
+  enforceExpansiveAccess = GC.Values[GC.ENFORCE_EXPANSIVE_ACCESS]
  while Cmd.ArgumentsRemaining():
    myarg = getArgument()
    if myarg in ADMIN_ACCESS_OPTIONS:
@@ -66053,7 +66148,9 @@ def doPrintShowSharedDriveACLs():
 PRINT_ORGANIZER_TYPES = {'group', 'user'}

 # gam [<UserTypeEntity>] print shareddriveorganizers [todrive <ToDriveAttribute>*]
-#	[adminaccess|asadmin] [shareddriveadminquery|query <QuerySharedDrive>]
+#	[adminaccess|asadmin]
+#	[(shareddriveadminquery|query <QuerySharedDrive>) |
+#	 (shareddrives|teamdrives (<SharedDriveIDList>|(select <FileSelector>|<CSVFileSelector>)))]
 #	[matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
 #	[domainlist <DomainList>]
 #	[includetypes user|group]
@@ -66068,16 +66165,24 @@ def printSharedDriveOrganizers(users, useDomainAdminAccess=False):
  includeTypes = set()
  showNoOrganizerDrives = SHOW_NO_PERMISSIONS_DRIVES_CHOICE_MAP['false']
  fieldsList = ['role', 'type', 'emailAddress']
-  cd = orgUnitId = query = matchPattern = None
-  domainList = []
-  oneOrganizer = False
+  cd = entityList = orgUnitId = query = matchPattern = None
+  domainList = [GC.Values[GC.DOMAIN]]
+  oneOrganizer = True
  while Cmd.ArgumentsRemaining():
    myarg = getArgument()
    if csvPF and myarg == 'todrive':
      csvPF.GetTodriveParameters()
    elif myarg == 'delimiter':
      delimiter = getCharacter()
+    elif myarg in {'shareddrive', 'shareddrives', 'teamdrive', 'teamdrives'}:
+      sharedDriveArg = myarg
+      itemList = getString(Cmd.OB_SHAREDDRIVE_ID_LIST)
+      if itemList != 'select':
+        entityList =  itemList.replace(',', ' ').split()
+      else:
+        entityList = getEntityList(Cmd.OB_SHAREDDRIVE_ID_LIST)
    elif myarg in {'teamdriveadminquery', 'shareddriveadminquery', 'query'}:
+      queryArg = myarg
      queryLocation = Cmd.Location()
      query = getString(Cmd.OB_QUERY, minLen=0) or None
      if query:
@@ -66094,7 +66199,7 @@ def printSharedDriveOrganizers(users, useDomainAdminAccess=False):
    elif myarg in ADMIN_ACCESS_OPTIONS:
      useDomainAdminAccess = True
    elif myarg == 'domainlist':
-      domainList = set(getString(Cmd.OB_DOMAIN_NAME_LIST).replace(',', ' ').lower().split())
+      domainList = set(getString(Cmd.OB_DOMAIN_NAME_LIST, minLen=0).replace(',', ' ').lower().split())
    elif myarg == 'includetypes':
      for itype in getString(Cmd.OB_ORGANIZER_TYPE_LIST).lower().replace(',', ' ').split():
        if itype in PRINT_ORGANIZER_TYPES:
@@ -66110,16 +66215,20 @@ def printSharedDriveOrganizers(users, useDomainAdminAccess=False):
        roles.add('fileOrganizer')
    else:
      unknownArgumentExit()
-  if query and not useDomainAdminAccess:
-    Cmd.SetLocation(queryLocation-1)
-    usageErrorExit(Msg.ONLY_ADMINISTRATORS_CAN_PERFORM_SHARED_DRIVE_QUERIES)
+  if query:
+    if not useDomainAdminAccess:
+      Cmd.SetLocation(queryLocation-1)
+      usageErrorExit(Msg.ONLY_ADMINISTRATORS_CAN_PERFORM_SHARED_DRIVE_QUERIES)
+    if entityList:
+      Cmd.SetLocation(queryLocation-1)
+      usageErrorExit(Msg.ARE_MUTUALLY_EXCLUSIVE.format(queryArg, sharedDriveArg))
  if orgUnitId is not None:
    if not useDomainAdminAccess:
      Cmd.SetLocation(orgLocation-1)
      usageErrorExit(Msg.ONLY_ADMINISTRATORS_CAN_SPECIFY_SHARED_DRIVE_ORGUNIT)
    csvPF.AddTitles(['orgUnit', 'orgUnitId'])
  if not includeTypes:
-    includeTypes = PRINT_ORGANIZER_TYPES
+    includeTypes = set(['user'])
  fields = getItemFieldsFromFieldsList('permissions', fieldsList, True)
  i, count, users = getEntityArgument(users)
  for user in users:
@@ -66127,28 +66236,46 @@ def printSharedDriveOrganizers(users, useDomainAdminAccess=False):
    user, drive = buildGAPIServiceObject(API.DRIVE3, user, i, count)
    if not drive:
      continue
-    if useDomainAdminAccess:
-      printGettingAllAccountEntities(Ent.SHAREDDRIVE, query)
-      pageMessage = getPageMessage()
+    if entityList is None:
+      if useDomainAdminAccess:
+        printGettingAllAccountEntities(Ent.SHAREDDRIVE, query)
+        pageMessage = getPageMessage()
+      else:
+        printGettingAllEntityItemsForWhom(Ent.SHAREDDRIVE, user, i, count, query)
+        pageMessage = getPageMessageForWhom()
+      try:
+        feed = callGAPIpages(drive.drives(), 'list', 'drives',
+                             pageMessage=pageMessage,
+                             throwReasons=GAPI.DRIVE_USER_THROW_REASONS+[GAPI.INVALID_QUERY, GAPI.INVALID,
+                                                                         GAPI.QUERY_REQUIRES_ADMIN_CREDENTIALS,
+                                                                         GAPI.NO_LIST_TEAMDRIVES_ADMINISTRATOR_PRIVILEGE,
+                                                                         GAPI.FILE_NOT_FOUND],
+                             q=query, useDomainAdminAccess=useDomainAdminAccess,
+                             fields='nextPageToken,drives(id,name,createdTime,orgUnitId)', pageSize=100)
+      except (GAPI.invalidQuery, GAPI.invalid, GAPI.queryRequiresAdminCredentials,
+              GAPI.noListTeamDrivesAdministratorPrivilege, GAPI.fileNotFound) as e:
+        entityActionFailedWarning([Ent.USER, user, Ent.SHAREDDRIVE, None], str(e), i, count)
+        continue
+      except (GAPI.serviceNotAvailable, GAPI.authError, GAPI.domainPolicy) as e:
+        userDriveServiceNotEnabledWarning(user, str(e), i, count)
+        continue
    else:
-      printGettingAllEntityItemsForWhom(Ent.SHAREDDRIVE, user, i, count, query)
-      pageMessage = getPageMessageForWhom()
-    try:
-      feed = callGAPIpages(drive.drives(), 'list', 'drives',
-                           pageMessage=pageMessage,
-                           throwReasons=GAPI.DRIVE_USER_THROW_REASONS+[GAPI.INVALID_QUERY, GAPI.INVALID,
-                                                                       GAPI.QUERY_REQUIRES_ADMIN_CREDENTIALS,
-                                                                       GAPI.NO_LIST_TEAMDRIVES_ADMINISTRATOR_PRIVILEGE,
-                                                                       GAPI.FILE_NOT_FOUND],
-                           q=query, useDomainAdminAccess=useDomainAdminAccess,
-                           fields='nextPageToken,drives(id,name,createdTime,orgUnitId)', pageSize=100)
-    except (GAPI.invalidQuery, GAPI.invalid, GAPI.queryRequiresAdminCredentials,
-            GAPI.noListTeamDrivesAdministratorPrivilege, GAPI.fileNotFound) as e:
-      entityActionFailedWarning([Ent.USER, user, Ent.SHAREDDRIVE, None], str(e), i, count)
-      continue
-    except (GAPI.serviceNotAvailable, GAPI.authError, GAPI.domainPolicy) as e:
-      userDriveServiceNotEnabledWarning(user, str(e), i, count)
-      continue
+      feed = []
+      jcount = len(entityList)
+      j = 0
+      for driveId in entityList:
+        j +=1
+        try:
+          feed.append(callGAPI(drive.drives(), 'get',
+                               throwReasons=GAPI.DRIVE_USER_THROW_REASONS+[GAPI.NOT_FOUND],
+                               useDomainAdminAccess=useDomainAdminAccess,
+                               driveId=driveId, fields='id,name,createdTime,orgUnitId'))
+        except (GAPI.fileNotFound, GAPI.notFound) as e:
+          entityActionNotPerformedWarning([Ent.USER, user, Ent.SHAREDDRIVE_ID, driveId], str(e), j, jcount)
+          continue
+        except (GAPI.serviceNotAvailable, GAPI.authError, GAPI.domainPolicy) as e:
+          userDriveServiceNotEnabledWarning(user, str(e), i, count)
+          break
    matchFeed = []
    jcount = len(feed)
    j = 0
@@ -66168,7 +66295,7 @@ def printSharedDriveOrganizers(users, useDomainAdminAccess=False):
                                    useDomainAdminAccess=useDomainAdminAccess,
                                    fileId=shareddrive['id'], fields=fields, supportsAllDrives=True)
        for permission in permissions:
-          if permission['type'] in includeTypes and permission['role'] in roles:
+          if permission['type'] in includeTypes and permission['role'] in roles and permission.get('emailAddress', ''):
            if domainList:
              _, domain = permission['emailAddress'].lower().split('@', 1)
              if domain not in domainList:
@@ -76035,7 +76162,7 @@ MAIN_COMMANDS_WITH_OBJECTS = {
      Cmd.ARG_CHROMENEEDSATTN:	doPrintShowChromeNeedsAttn,
      Cmd.ARG_CHROMEPOLICY:	doPrintShowChromePolicies,
      Cmd.ARG_CHROMEPROFILE:	doPrintShowChromeProfiles,
-      Cmd.ARG_CHROMESCHEMA:	doPrintShowChromeSchemas,
+      Cmd.ARG_CHROMESCHEMA:	doPrintShowChromePolicySchemas,
      Cmd.ARG_CHROMESNVALIDITY:	doPrintChromeSnValidity,
      Cmd.ARG_CHROMEVERSIONS:	doPrintShowChromeVersions,
      Cmd.ARG_CIGROUP:		doPrintCIGroups,
@@ -76167,7 +76294,7 @@ MAIN_COMMANDS_WITH_OBJECTS = {
      Cmd.ARG_CHROMENEEDSATTN:	doPrintShowChromeNeedsAttn,
      Cmd.ARG_CHROMEPOLICY:	doPrintShowChromePolicies,
      Cmd.ARG_CHROMEPROFILE:	doPrintShowChromeProfiles,
-      Cmd.ARG_CHROMESCHEMA:	doPrintShowChromeSchemas,
+      Cmd.ARG_CHROMESCHEMA:	doPrintShowChromePolicySchemas,
      Cmd.ARG_CHROMEVERSIONS:	doPrintShowChromeVersions,
      Cmd.ARG_CIGROUPMEMBERS:	doShowCIGroupMembers,
      Cmd.ARG_CIPOLICY:		doPrintShowCIPolicies,
--- a/src/gam/gamlib/glapi.py
+++ b/src/gam/gamlib/glapi.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-

-# Copyright (C) 2024 Ross Scroggs All Rights Reserved.
+# Copyright (C) 2025 Ross Scroggs All Rights Reserved.
 #
 # All Rights Reserved.
 #
@@ -118,6 +118,7 @@ JWT_APIS = {
  ACCESSCONTEXTMANAGER: [CLOUD_PLATFORM_SCOPE],
  CHAT: ['https://www.googleapis.com/auth/chat.bot'],
  CLOUDRESOURCEMANAGER: [CLOUD_PLATFORM_SCOPE],
+  IAM: [IAM_SCOPE],
  ORGPOLICY: [CLOUD_PLATFORM_SCOPE],
  }
 #
@@ -131,6 +132,12 @@ APIS_NEEDING_ACCESS_TOKEN = {
  CBCM: ['https://www.googleapis.com/auth/admin.directory.device.chromebrowsers']
  }
 #
+DEPRECATED_SCOPES = {
+  'https://www.googleapis.com/auth/cloud-identity',
+  'https://www.googleapis.com/auth/cloud-platform',
+  'https://www.googleapis.com/auth/iam',
+  }
+#
 REFRESH_PERM_ERRORS = [
  'invalid_grant: reauth related error (rapt_required)', # no way to reauth today
  'invalid_grant: Token has been expired or revoked',
@@ -596,7 +603,7 @@ _SVCACCT_SCOPES = [
  {'name': 'Cloud Identity Devices API',
   'api': CLOUDIDENTITY_DEVICES,
   'subscopes': READONLY,
-   'scope': 'https://www.googleapis.com/auth/cloud-identity'},
+   'scope': 'https://www.googleapis.com/auth/cloud-identity.devices'},
 #  {'name': 'Cloud Identity User Invitations API',
 #   'api': CLOUDIDENTITY_USERINVITATIONS,
 #   'subscopes': READONLY,
@@ -645,10 +652,11 @@ _SVCACCT_SCOPES = [
   'api': GMAIL,
   'subscopes': [],
   'scope': 'https://www.googleapis.com/auth/gmail.settings.sharing'},
-  {'name': 'Identity and Access Management API',
-   'api': IAM,
-   'subscopes': [],
-   'scope': CLOUD_PLATFORM_SCOPE},
+#  {'name': 'Identity and Access Management API',
+#   'api': IAM,
+#   'offByDefault': True,
+#   'subscopes': [],
+#   'scope': CLOUD_PLATFORM_SCOPE},
  {'name': 'Keep API',
   'api': KEEP,
   'subscopes': READONLY,
--- a/src/gam/gamlib/glcfg.py
+++ b/src/gam/gamlib/glcfg.py
@@ -163,6 +163,8 @@ EMAIL_BATCH_SIZE = 'email_batch_size'
 ENABLE_DASA = 'enable_dasa'
 # Enable Cloud Session Reauthentication by borrowing a RAPT token from gcloud command
 ENABLE_GCLOUD_REAUTH = 'enable_gcloud_reauth'
+# Value for enforceExpansiveAccess for commands that delete or update drive file ACLs/permissions.
+ENFORCE_EXPANSIVE_ACCESS = 'enforce_expansive_access'
 # When retrieving lists of calendar events from API, how many should be retrieved in each chunk
 EVENT_MAX_RESULTS = 'event_max_results'
 # Path to extra_args.txt
@@ -377,6 +379,7 @@ Defaults = {
  DEVICE_MAX_RESULTS: '200',
  DOMAIN: '',
  DRIVE_DIR: '',
+  ENFORCE_EXPANSIVE_ACCESS: FALSE,
  DRIVE_MAX_RESULTS: '1000',
  DRIVE_V3_BETA: FALSE,
  DRIVE_V3_NATIVE_NAMES: TRUE,
@@ -545,6 +548,7 @@ VAR_INFO = {
  DEVICE_MAX_RESULTS: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 200)},
  DOMAIN: {VAR_TYPE: TYPE_STRING, VAR_ENVVAR: 'GA_DOMAIN', VAR_LIMITS: (0, None)},
  DRIVE_DIR: {VAR_TYPE: TYPE_DIRECTORY, VAR_ENVVAR: 'GAMDRIVEDIR'},
+  ENFORCE_EXPANSIVE_ACCESS: {VAR_TYPE: TYPE_BOOLEAN},
  DRIVE_MAX_RESULTS: {VAR_TYPE: TYPE_INTEGER, VAR_LIMITS: (1, 1000)},
  DRIVE_V3_BETA: {VAR_TYPE: TYPE_BOOLEAN},
  DRIVE_V3_NATIVE_NAMES: {VAR_TYPE: TYPE_BOOLEAN},
--- a/src/gam/gamlib/glmsgs.py
+++ b/src/gam/gamlib/glmsgs.py
@@ -140,12 +140,13 @@ SERVICE_ACCOUNT_PRIVATE_KEY_AGE = 'Service Account Private Key age: {0} days'
 SERVICE_ACCOUNT_SKIPPING_KEY_AGE_CHECK = 'Skipping Private Key age check: {0} rotation not necessary'
 UPDATE_PROJECT_TO_VIEW_MANAGE_SAKEYS = 'Please run "gam update project" to view/manage service account keys'
 DOMAIN_WIDE_DELEGATION_AUTHENTICATION = 'Domain-wide Delegation authentication'
+DEPRECATED_SCOPES = 'Deprecated scopes that GAM should NEVER have DwD access to'
 SCOPE_AUTHORIZATION_PASSED = '''All scopes PASSED!

 Service Account Client name: {0} is fully authorized.
 '''
 SCOPE_AUTHORIZATION_UPDATE_PASSED = '''All scopes PASSED!
-To authorize them (in case some scopes were unselected), please go to the following link in your browser:
+To update authorization (in case some scopes were unselected), please go to the following link in your browser:
 {0}
    {1}

@@ -156,8 +157,8 @@ Click AUTHORIZE
 When the box closes you're done
 After authorizing it may take some time for this test to pass so wait a few moments and then try this command again.
 '''
-SCOPE_AUTHORIZATION_FAILED = '''Some scopes FAILED!
-To authorize them, please go to the following link in your browser:
+SCOPE_AUTHORIZATION_FAILED = '''Some scopes FAILED or should be DISABLED!
+To update authorization, please go to the following link in your browser:
 {0}
    {1}

--- a/wiki/Chrome-Policies.md
+++ b/wiki/Chrome-Policies.md
@@ -551,7 +551,7 @@ chrome.devices.AutoUpdateSettings: Auto-update settings.
    SUNDAY:
  hours: TYPE_INT32
  minutes: TYPE_INT32
-  displayName: TYPE_STRING
+  selectedVersion: TYPE_STRING
  chromeosVersion: TYPE_STRING
  aueWarningPeriodDays: TYPE_INT64
  warningPeriodDays: TYPE_INT64
@@ -577,7 +577,7 @@ chrome.devices.DeviceAllowEnterpriseRemoteAccessConnections: Enterprise remote a
    false: Prevent remote access connections from enterprise admins.

 chrome.devices.DeviceAuthenticationFlowAutoReloadInterval: Automatic online sign-in / lock screen refresh.
-  duration: TYPE_INT64
+  deviceAuthenticationFlowAutoReloadInterval: TYPE_INT64

 chrome.devices.DeviceAuthenticationUrlAllowlist: Blocked URL exceptions on the sign-in / lock screens.
  deviceAuthenticationUrlAllowlist: TYPE_LIST
@@ -799,7 +799,7 @@ chrome.devices.DeviceScreensaverLoginScreenEnabled: Screen saver.
    false: Don't display screen saver when idle.
  deviceScreensaverLoginScreenImages: TYPE_LIST
    Screen saver image URLs. Enter one URL per line. Images must be in JPG format(.jpg or .jpeg files.
-  duration: TYPE_INT64
+  deviceScreensaverLoginScreenImageDisplayIntervalSeconds: TYPE_INT64

 chrome.devices.DeviceScreenSettings: Screen settings.
  allowUserDisplayChanges: TYPE_BOOL
@@ -907,7 +907,7 @@ chrome.devices.DeviceWilcoDtc: Dell SupportAssist.
  installSupportAssistApp: TYPE_BOOL
    true: Force-install the Dell SupportAssist app for Dell devices.
    false: Do not automatically install the Dell SupportAssist app.
-  downloadUri: TYPE_STRING
+  deviceWilcoDtcConfiguration: TYPE_STRING

 chrome.devices.DisabledDeviceReturnInstructions: Disabled device return instructions.
  deviceDisabledMessage: TYPE_STRING
@@ -964,13 +964,13 @@ chrome.devices.EnableReportDeviceUsers: Report device user tracking.
    false: Disable tracking recent users.

 chrome.devices.EnableReportUploadFrequency: Device status report upload frequency.
-  duration: TYPE_STRING
+  reportDeviceUploadFrequency: TYPE_STRING

 chrome.devices.EnableReportUploadFrequencyV2: Device status report upload frequency.
-  duration: TYPE_INT64
+  reportDeviceUploadFrequency: TYPE_INT64

 chrome.devices.ExtensionCacheSize: Apps and extensions cache size.
-  value: TYPE_INT64
+  extensionCacheSize: TYPE_INT64

 chrome.devices.ForcedReenrollment: Forced re-enrollment.
  reenrollmentMode: TYPE_ENUM
@@ -998,7 +998,7 @@ chrome.devices.Imprivata: Imprivata login screen integration.
    IMPRIVATA_EXTENSION_VERSION_M86: Pinned to v2 (Compatible with Chrome 86+).
    IMPRIVATA_EXTENSION_VERSION_3: Pinned to v3 (Compatible with Chrome 97+).
    IMPRIVATA_EXTENSION_VERSION_4: Pinned to v4 (Compatible with Chrome 118+).
-  downloadUri: TYPE_STRING
+  imprivataExtensionConfiguration: TYPE_STRING

 chrome.devices.InactiveDeviceNotifications: Inactive device notifications.
  notificationEnabled: TYPE_BOOL
@@ -1023,7 +1023,7 @@ chrome.devices.kiosk.AcPowerSettings: AC Kiosk power settings.
    IDLE_ACTION_LOGOUT: Logout.
    IDLE_ACTION_SHUTDOWN: Shutdown.
    IDLE_ACTION_DO_NOTHING: Do nothing.
-  duration: TYPE_STRING
+  acScreenOffTimeout: TYPE_STRING

 chrome.devices.kiosk.AcPowerSettingsV2: AC Kiosk power settings.
  acIdleAction: TYPE_ENUM
@@ -1031,7 +1031,7 @@ chrome.devices.kiosk.AcPowerSettingsV2: AC Kiosk power settings.
    IDLE_ACTION_LOGOUT: Logout.
    IDLE_ACTION_SHUTDOWN: Shutdown.
    IDLE_ACTION_DO_NOTHING: Do nothing.
-  duration: TYPE_INT64
+  acScreenOffTimeout: TYPE_INT64

 chrome.devices.kiosk.Alerting: Kiosk device status alerting delivery.
  deviceStatusAlertDeliveryModes: TYPE_LIST
@@ -1113,7 +1113,7 @@ chrome.devices.kiosk.BatteryPowerSettings: Battery Kiosk power settings.
    IDLE_ACTION_LOGOUT: Logout.
    IDLE_ACTION_SHUTDOWN: Shutdown.
    IDLE_ACTION_DO_NOTHING: Do nothing.
-  duration: TYPE_STRING
+  batteryScreenOffTimeout: TYPE_STRING

 chrome.devices.kiosk.BatteryPowerSettingsV2: Battery Kiosk power settings.
  batteryIdleAction: TYPE_ENUM
@@ -1121,7 +1121,7 @@ chrome.devices.kiosk.BatteryPowerSettingsV2: Battery Kiosk power settings.
    IDLE_ACTION_LOGOUT: Logout.
    IDLE_ACTION_SHUTDOWN: Shutdown.
    IDLE_ACTION_DO_NOTHING: Do nothing.
-  duration: TYPE_INT64
+  batteryScreenOffTimeout: TYPE_INT64

 chrome.devices.kiosk.CaretHighlightEnabled: Kiosk caret highlight.
  caretHighlightEnabled: TYPE_ENUM
@@ -1486,6 +1486,7 @@ chrome.devices.managedguest.apps.EnterpriseChallenge: Allows setting of whether

 chrome.devices.managedguest.apps.IncludeInChromeWebStoreCollection: Specifies whether the Chrome Application should appear in the Chrome Web Store collection.
  includeInCollection: TYPE_BOOL
+  spotlightRecommended: TYPE_BOOL

 chrome.devices.managedguest.apps.InstallationUrl: Specifies the url from which to install a self hosted Chrome Extension.
  installationUrl: TYPE_STRING
@@ -1580,7 +1581,7 @@ chrome.devices.managedguest.AutoplayAllowlist: Autoplay video.
    Allowed URLs. URL patterns allowed to autoplay. Prefix domain with [*.] to include all subdomains. Use * to allow all domains.

 chrome.devices.managedguest.Avatar: Custom avatar.
-  downloadUri: TYPE_STRING
+  userAvatarImage: TYPE_STRING

 chrome.devices.managedguest.BeforeunloadEventCancelByPreventDefaultEnabled: Behavior of event.preventDefault() for beforeunload event.
  beforeunloadEventCancelByPreventDefaultEnabled: TYPE_ENUM
@@ -1603,10 +1604,10 @@ chrome.devices.managedguest.BrowserHistory: Browser history.
    false: Always save browser history.

 chrome.devices.managedguest.BrowsingDataLifetime: Browsing Data Lifetime.
-  duration: TYPE_STRING
+  hostedAppDataTtl: TYPE_STRING

 chrome.devices.managedguest.BrowsingDataLifetimeV2: Browsing Data Lifetime.
-  duration: TYPE_INT64
+  hostedAppDataTtl: TYPE_INT64

 chrome.devices.managedguest.BuiltInDnsClientEnabled: Built-in DNS client.
  builtInDnsClientEnabled: TYPE_ENUM
@@ -1689,7 +1690,7 @@ chrome.devices.managedguest.CursorHighlightEnabled: Cursor highlight.
    TRUE: Enable cursor highlight.

 chrome.devices.managedguest.CustomTermsOfService: Custom terms of service.
-  downloadUri: TYPE_STRING
+  termsOfServiceUrl: TYPE_STRING

 chrome.devices.managedguest.DataLeakPreventionReportingEnabled: Data controls reporting.
  dataLeakPreventionReportingEnabled: TYPE_BOOL
@@ -1900,6 +1901,8 @@ chrome.devices.managedguest.ExternalStorage: External storage devices.
    READ_WRITE: Allow read and write access to all external storage devices.
    READ_ONLY: Allow read only access to all external storage devices.
    DISALLOW: Do not allow read and write access to external storage devices.
+  externalStorageAllowlist: TYPE_LIST
+    Specify devices to always have read and write access. USB devices which are allowlisted for read and write access. To identify a specific device, enter colon separated hexadecimal pairs of USB Vendor Identifier and Product Identifier.

 chrome.devices.managedguest.FastPairEnabled: Fast Pair (fast Bluetooth pairing).
  fastPairEnabled: TYPE_ENUM
@@ -2108,7 +2111,7 @@ chrome.devices.managedguest.IdleSettingsExtended: Idle settings.
    UNSET: Allow user to configure.
    FALSE: Don't lock screen.
    TRUE: Lock screen.
-  duration: TYPE_INT64
+  screenLockDelayBattery: TYPE_INT64

 chrome.devices.managedguest.IncognitoMode: Incognito mode.
  incognitoModeAvailability: TYPE_ENUM
@@ -2298,10 +2301,10 @@ chrome.devices.managedguest.ManagedGuestSessionV2: Managed guest session.
    ROTATE_270: 270 degrees.

 chrome.devices.managedguest.MaxInvalidationFetchDelay: Policy fetch delay.
-  duration: TYPE_STRING
+  maxInvalidationFetchDelay: TYPE_STRING

 chrome.devices.managedguest.MaxInvalidationFetchDelayV2: Policy fetch delay.
-  duration: TYPE_INT64
+  maxInvalidationFetchDelay: TYPE_INT64

 chrome.devices.managedguest.MemorySaverModeSavings: Memory saver.
  memorySaverModeSavings: TYPE_ENUM
@@ -2503,7 +2506,7 @@ chrome.devices.managedguest.PrintingBackgroundGraphicsDefault: Background graphi
    ENABLED: Enable background graphics printing mode by default.

 chrome.devices.managedguest.PrintingMaxSheetsAllowed: Maximum sheets.
-  value: TYPE_INT64
+  printingMaxSheetsAllowedNullable: TYPE_INT64

 chrome.devices.managedguest.PrintingPaperSizeDefault: Default printing page size.
  printingPaperSizeEnum: TYPE_ENUM
@@ -2525,10 +2528,10 @@ chrome.devices.managedguest.PrintingPinDefault: Default PIN printing mode.
    DEFAULT_TO_NOT_PIN_PRINTING: Without PIN.

 chrome.devices.managedguest.PrintJobHistoryExpirationPeriodNew: Print job history retention period.
-  duration: TYPE_STRING
+  printJobHistoryExpirationPeriodDaysNew: TYPE_STRING

 chrome.devices.managedguest.PrintJobHistoryExpirationPeriodNewV2: Print job history retention period.
-  duration: TYPE_INT64
+  printJobHistoryExpirationPeriodDaysNew: TYPE_INT64

 chrome.devices.managedguest.PrintPdfAsImage: Print PDF as image.
  printPdfAsImageAvailability: TYPE_BOOL
@@ -2537,7 +2540,7 @@ chrome.devices.managedguest.PrintPdfAsImage: Print PDF as image.
  printPdfAsImageDefault: TYPE_BOOL
    true: Default to printing PDFs as images when available.
    false: Default to printing PDFs without being rasterized.
-  value: TYPE_INT64
+  printRasterizePdfDpi: TYPE_INT64

 chrome.devices.managedguest.PrivacyScreenEnabled: Privacy screen.
  privacyScreenEnabled: TYPE_ENUM
@@ -2595,7 +2598,7 @@ chrome.devices.managedguest.RemoteAccessHostClientDomainList: Remote access clie
    Remote access client domain. Configure the required domain names for remote access clients.

 chrome.devices.managedguest.RemoteAccessHostClipboardSizeBytes: Clipboard sync max size.
-  value: TYPE_INT64
+  remoteAccessHostClipboardSizeBytes: TYPE_INT64

 chrome.devices.managedguest.RemoteAccessHostDomainList: Remote access hosts.
  remoteAccessHostDomainList: TYPE_LIST
@@ -2707,7 +2710,7 @@ chrome.devices.managedguest.ScreensaverLockScreenEnabled: Screen saver.
    false: Don't display screen saver on lock screen when idle.
  screensaverLockScreenImages: TYPE_LIST
    Screen saver image URLs. Enter one URL per line. Images must be in JPG format(.jpg or .jpeg files.
-  duration: TYPE_INT64
+  screensaverLockScreenImageDisplayIntervalSeconds: TYPE_INT64

 chrome.devices.managedguest.Screenshot: Screenshot.
  disableScreenshots: TYPE_BOOL
@@ -2733,14 +2736,14 @@ chrome.devices.managedguest.SecurityTokenSessionSettings: Security token removal
    IGNORE: Nothing.
    LOGOUT: Log the user out.
    LOCK: Lock the current session.
-  duration: TYPE_STRING
+  securityTokenSessionNotificationSeconds: TYPE_STRING

 chrome.devices.managedguest.SecurityTokenSessionSettingsV2: Security token removal.
  securityTokenSessionBehavior: TYPE_ENUM
    IGNORE: Nothing.
    LOGOUT: Log the user out.
    LOCK: Lock the current session.
-  duration: TYPE_INT64
+  securityTokenSessionNotificationSeconds: TYPE_INT64

 chrome.devices.managedguest.SelectToSpeakEnabled: Select to speak.
  selectToSpeakEnabled: TYPE_ENUM
@@ -2763,10 +2766,10 @@ chrome.devices.managedguest.ServiceWorkerToControlSrcdocIframeEnabled: Service w
    false: Block service workers from controlling srcdoc iframes.

 chrome.devices.managedguest.SessionLength: Maximum user session length.
-  duration: TYPE_STRING
+  sessionDurationLimit: TYPE_STRING

 chrome.devices.managedguest.SessionLengthV2: Maximum user session length.
-  duration: TYPE_INT64
+  sessionDurationLimit: TYPE_INT64

 chrome.devices.managedguest.SessionLocale: Session locale.
  sessionLocalesRepeatedString: TYPE_LIST
@@ -3096,7 +3099,7 @@ chrome.devices.managedguest.WaitForInitialUserActivity: Wait for initial user ac
    false: Start power management delays and session length limits at session start.

 chrome.devices.managedguest.Wallpaper: Custom wallpaper.
-  downloadUri: TYPE_STRING
+  wallpaperImage: TYPE_STRING

 chrome.devices.managedguest.WebBluetoothAccess: Web Bluetooth API.
  defaultWebBluetoothGuardSetting: TYPE_ENUM
@@ -3215,10 +3218,10 @@ chrome.devices.RestrictedManagedGuestSessionExtensionCleanupExemptList: Shared a
    Extension IDs. Enter a list of extension IDs. Each extension ID must be exactly 32 characters.

 chrome.devices.ScheduledRebootDuration: Reboot after uptime limit.
-  duration: TYPE_STRING
+  uptimeLimitDuration: TYPE_STRING

 chrome.devices.ScheduledRebootDurationV2: Reboot after uptime limit.
-  duration: TYPE_INT64
+  uptimeLimitDuration: TYPE_INT64

 chrome.devices.ShowLowDiskSpaceNotification: Low disk space notification.
  showLowDiskSpaceNotification: TYPE_BOOL
@@ -3226,7 +3229,7 @@ chrome.devices.ShowLowDiskSpaceNotification: Low disk space notification.
    false: Do not show notification when disk space is low.

 chrome.devices.SignInKeyboard: Login screen keyboard.
-  keyboardIds: TYPE_LIST
+  selections: TYPE_LIST

 chrome.devices.SignInLanguage: Sign-in language.
  signInLanguageString: TYPE_STRING
@@ -3254,7 +3257,7 @@ chrome.devices.SignInRestrictionsOffHours: Device off hours.
  minutes: TYPE_INT32

 chrome.devices.SignInWallpaperImage: Device wallpaper image.
-  downloadUri: TYPE_STRING
+  deviceWallpaperImage: TYPE_STRING

 chrome.devices.SsoCameraPermissions: Single sign-on camera permissions.
  loginVideoCaptureAllowedUrls: TYPE_LIST
@@ -3301,7 +3304,7 @@ chrome.devices.Timezone: Timezone.
    IP_ONLY: Always use coarse timezone detection.
    SEND_WIFI_ACCESS_POINTS: Always send wifi access points to server while resolving timezone.
    SEND_ALL_LOCATION_INFO: Send all location information.
-  value: TYPE_STRING
+  systemTimezone: TYPE_STRING

 chrome.devices.TpmFirmwareUpdate: TPM firmware update.
  tpmFirmwareUpdateEnabled: TYPE_BOOL
@@ -3796,6 +3799,7 @@ chrome.users.apps.EnterpriseChallenge: Allows setting of whether the app can cha

 chrome.users.apps.IncludeInChromeWebStoreCollection: Specifies whether the Chrome Application should appear in the Chrome Web Store collection.
  includeInCollection: TYPE_BOOL
+  spotlightRecommended: TYPE_BOOL

 chrome.users.apps.InstallationUrl: Specifies the url from which to install a self hosted Chrome Extension.
  installationUrl: TYPE_STRING
@@ -3808,6 +3812,9 @@ chrome.users.apps.InstallType: Specifies the manner in which the app is to be in
    ALLOWED: Allow installation of the app.
    FORCED: Force install the app.
    FORCED_AND_PIN_TO_TOOLBAR: Force install and pin the app to the toolbar.
+    NORMAL: Force install the app, but allow the user to disable it. This option is only available for Chrome extensions.
+    NORMAL_AND_PIN_TO_TOOLBAR: Force install and pin the app to the toolbar, but allow the user to disable it. This option is only available for Chrome extensions.
+    REMOVE: Block installation of the app and remove it from the device. This option is only available for Chrome extensions.

 chrome.users.apps.ManagedConfiguration: Allows setting of the managed configuration.
  managedConfiguration: TYPE_STRING
@@ -3905,7 +3912,7 @@ chrome.users.appsconfig.ChromeWebStoreBranding: Org name & logo.
    false: Don't customize org name and logo.
  cwsBrandingOrgName: TYPE_STRING
    Organization name displayed. Name to be displayed on your users' custom Web Store.
-  downloadUri: TYPE_STRING
+  cwsBrandingOrgLogo: TYPE_STRING

 chrome.users.appsconfig.ChromeWebStoreHomepage: Chrome Web Store homepage.
  cwsHomePage: TYPE_ENUM
@@ -3933,7 +3940,7 @@ chrome.users.appsconfig.ChromeWebStoreHomepageBanner: Homepage banner.
    Headline text. The headline text to display on the banner.
  cwsExtensionHomepageBannerDescriptionText: TYPE_STRING
    Description text. The description text to display on the banner.
-  downloadUri: TYPE_STRING
+  cwsExtensionHomepageBannerImage: TYPE_STRING

 chrome.users.appsconfig.ChromeWebStorePagesAndContent: Pages & content.
  cwsPagesContentCustomizationEnabled: TYPE_BOOL
@@ -4081,6 +4088,13 @@ chrome.users.AutofillCreditCardEnabled: Credit card form autofill.
    true: Allow user to configure.
    false: Never Autofill credit card forms.

+chrome.users.AutofillPredictionSettings: Autofill with AI.
+  autofillPredictionSettings: TYPE_ENUM
+    ALLOWED: Allow autofill prediction and improve AI models.
+    ALLOWED_WITHOUT_LOGGING: Allow autofill prediction without improving AI models.
+    DISABLED: Do not allow autofill prediction.
+    UNSET: Use the value specified in the Generative AI policy defaults setting.
+
 chrome.users.AutomaticFullscreen: Automatic fullscreen.
  automaticFullscreenAllowedForUrls: TYPE_LIST
    Allow automatic fullscreen on these sites. Supersedes users' personal settings and allows matching origins to call the API without a prior user gesture.
@@ -4098,13 +4112,13 @@ chrome.users.AutoplayAllowlist: Autoplay video.
    Allowed URLs. URL patterns allowed to autoplay. Prefix domain with [*.] to include all subdomains. Use * to allow all domains.

 chrome.users.AutoUpdateCheckPeriodNew: Auto-update check period.
-  duration: TYPE_STRING
+  autoUpdateCheckPeriodMinutesNew: TYPE_STRING

 chrome.users.AutoUpdateCheckPeriodNewV2: Auto-update check period.
-  duration: TYPE_INT64
+  autoUpdateCheckPeriodMinutesNew: TYPE_INT64

 chrome.users.Avatar: Custom avatar.
-  downloadUri: TYPE_STRING
+  userAvatarImage: TYPE_STRING

 chrome.users.BackForwardCacheEnabled: Back-forward cache.
  backForwardCacheEnabled: TYPE_BOOL
@@ -4187,7 +4201,7 @@ chrome.users.BrowserHistory: Browser history.
 chrome.users.BrowserIdleTimeout: Browser idle timeout.
  idleTimeoutActions: TYPE_LIST
    {'value': 'close_browsers', 'description': 'Close Browsers.'}
-  duration: TYPE_INT64
+  idleTimeout: TYPE_INT64

 chrome.users.BrowserLabsEnabled: Browser experiments icon in toolbar.
  browserLabsEnabled: TYPE_BOOL
@@ -4224,10 +4238,10 @@ chrome.users.BrowserSwitcherChromePath: Chrome path.
    Path to the Chrome executable. Windows-only. Path to the Chrome executable to launch when switching from the alternative browser to Chrome. If unset, the alternative browser will auto-detect the path to Chrome.

 chrome.users.BrowserSwitcherDelayDuration: Delay before launching alternative browser.
-  duration: TYPE_STRING
+  browserSwitcherDelayDuration: TYPE_STRING

 chrome.users.BrowserSwitcherDelayDurationV2: Delay before launching alternative browser.
-  duration: TYPE_INT64
+  browserSwitcherDelayDuration: TYPE_INT64

 chrome.users.BrowserSwitcherExternalGreylistUrl: URL to list of websites to open in either browser.
  browserSwitcherExternalGreylistUrl: TYPE_STRING
@@ -4265,10 +4279,10 @@ chrome.users.BrowserThemeColor: Custom theme color.
    Hex color. Enter a valid hex color, for instance #FFFFFF.

 chrome.users.BrowsingDataLifetime: Browsing Data Lifetime.
-  duration: TYPE_STRING
+  hostedAppDataTtl: TYPE_STRING

 chrome.users.BrowsingDataLifetimeV2: Browsing Data Lifetime.
-  duration: TYPE_INT64
+  hostedAppDataTtl: TYPE_INT64

 chrome.users.BuiltInDnsClientEnabled: Built-in DNS client.
  builtInDnsClientEnabled: TYPE_ENUM
@@ -4418,11 +4432,16 @@ chrome.users.CloudProfileReportingEnabled: Managed profile reporting.
    true: Enable managed profile reporting for managed users.
    false: Disable managed profile reporting for managed users.

+chrome.users.CloudReporting: Managed browser reporting.
+  cloudReportingEnabled: TYPE_BOOL
+    true: Enable managed browser cloud reporting.
+    false: Disable managed browser cloud reporting.
+
 chrome.users.CloudReportingUploadFrequency: Managed browser reporting upload frequency.
-  duration: TYPE_STRING
+  cloudReportingUploadFrequency: TYPE_STRING

 chrome.users.CloudReportingUploadFrequencyV2: Managed browser reporting upload frequency.
-  duration: TYPE_INT64
+  cloudReportingUploadFrequency: TYPE_INT64

 chrome.users.CloudUserPolicyMerge: User cloud policy merge.
  cloudUserPolicyMerge: TYPE_BOOL
@@ -4542,7 +4561,7 @@ chrome.users.CursorHighlightEnabled: Cursor highlight.
    TRUE: Enable cursor highlight.

 chrome.users.CustomTermsOfService: Custom terms of service.
-  downloadUri: TYPE_STRING
+  termsOfServiceUrl: TYPE_STRING

 chrome.users.DataCompressionProxy: Data compression proxy.
  dataCompressionProxyEnabled: TYPE_ENUM
@@ -4843,6 +4862,10 @@ chrome.users.ExplicitlyAllowedNetworkPorts: Allowed network ports.
  explicitlyAllowedNetworkPorts: TYPE_LIST
    {'value': '554', 'description': 'port 554 (expires 2021/10/15).'}

+chrome.users.ExtensibleEnterpriseSsoBlocklist: Extensible Enterprise SSO blocking.
+  extensibleEnterpriseSsoBlocklist: TYPE_LIST
+    {'value': 'all', 'description': 'All identity providers.'}
+
 chrome.users.ExtensionExtendedBackgroundLifetimeForPortConnectionsToUrls: Extended background lifetime.
  extensionExtendedBackgroundLifetimeForPortConnectionsToUrls: TYPE_LIST
    Origins that grant extended background lifetime to connecting extensions. Enter a list of origins. Extensions that connect to one of these origins will be be kept running as long as the port is connected. One URL per line.
@@ -4864,6 +4887,8 @@ chrome.users.ExternalStorage: External storage devices.
    READ_WRITE: Allow read and write access to all external storage devices.
    READ_ONLY: Allow read only access to all external storage devices.
    DISALLOW: Do not allow read and write access to external storage devices.
+  externalStorageAllowlist: TYPE_LIST
+    Specify devices to always have read and write access. USB devices which are allowlisted for read and write access. To identify a specific device, enter colon separated hexadecimal pairs of USB Vendor Identifier and Product Identifier.

 chrome.users.FastPairEnabled: Fast Pair (fast Bluetooth pairing).
  fastPairEnabled: TYPE_ENUM
@@ -4887,10 +4912,10 @@ chrome.users.FElevenKeyModifier: Control the shortcut used to trigger F11.
    RECOMMENDED: Allow users to override.

 chrome.users.FetchKeepaliveDurationSecondsOnShutdown: Keepalive duration.
-  duration: TYPE_STRING
+  fetchKeepaliveDurationSecondsOnShutdown: TYPE_STRING

 chrome.users.FetchKeepaliveDurationSecondsOnShutdownV2: Keepalive duration.
-  duration: TYPE_INT64
+  fetchKeepaliveDurationSecondsOnShutdown: TYPE_INT64

 chrome.users.FileOrDirectoryPickerWithoutGestureAllowedForOrigins: File/directory picker without user gesture.
  fileOrDirectoryPickerWithoutGestureAllowedForOrigins: TYPE_LIST
@@ -4989,10 +5014,16 @@ chrome.users.FullscreenAllowed: Fullscreen mode.
    false: Do not allow fullscreen mode.

 chrome.users.GaiaLockScreenOfflineSigninTimeLimitDays: Google online unlock frequency.
-  value: TYPE_INT64
+  gaiaLockScreenOfflineSigninTimeLimitDays: TYPE_INT64

 chrome.users.GaiaOfflineSigninTimeLimitDays: Google online login frequency.
-  value: TYPE_INT64
+  gaiaOfflineSigninTimeLimitDays: TYPE_INT64
+
+chrome.users.GeminiSettings: Gemini integration.
+  geminiSettings: TYPE_ENUM
+    ENABLED: Allow Gemini integrations.
+    DISABLED: Do not allow Gemini integrations.
+    UNSET: Use the value specified in the Generative AI policy defaults setting.

 chrome.users.GenAiDefaultSettings: Generative AI policy defaults.
  genAiDefaultSettings: TYPE_ENUM
@@ -5168,7 +5199,7 @@ chrome.users.IdleSettingsExtended: Idle settings.
    UNSET: Allow user to configure.
    FALSE: Don't lock screen.
    TRUE: Lock screen.
-  duration: TYPE_INT64
+  screenLockDelayBattery: TYPE_INT64

 chrome.users.Images: Images.
  defaultImagesSettings: TYPE_ENUM
@@ -5235,6 +5266,10 @@ chrome.users.InactiveBrowserDeletion: Inactive period for browser deletion.
  inactiveBrowserTtlDays: TYPE_INT64
    Number of days. Shortening this period can cause more enrolled browsers to be considered inactive and, therefore, be irreversibly deleted. Before lowering the value of this policy, make sure you understand the impact. The allowable range is 28-730 days.

+chrome.users.InactivePeriodForProfileDeletion: Inactive period for profile deletion.
+  inactiveProfileTtlDays: TYPE_INT64
+    Inactive period for profile deletion. Shortening this period can cause more managed profiles to be considered inactive and, therefore, be deleted. Before lowering the value of this policy, make sure you understand the impact. The allowable range is 28-730 days.
+
 chrome.users.IncognitoMode: Incognito mode.
  incognitoModeAvailability: TYPE_ENUM
    AVAILABLE: Allow incognito mode.
@@ -5512,10 +5547,10 @@ chrome.users.MaxConnectionsPerProxy: Max connections per proxy.
    Maximum number of concurrent connections to the proxy server. Specifies the maximal number of simultaneous connections to the proxy server. The value of this policy should be lower than 100 and higher than 6 and the default value is 32.

 chrome.users.MaxInvalidationFetchDelay: Policy fetch delay.
-  duration: TYPE_STRING
+  maxInvalidationFetchDelay: TYPE_STRING

 chrome.users.MaxInvalidationFetchDelayV2: Policy fetch delay.
-  duration: TYPE_INT64
+  maxInvalidationFetchDelay: TYPE_INT64

 chrome.users.MediaRecommendationsEnabled: Media Recommendations.
  mediaRecommendationsEnabled: TYPE_BOOL
@@ -5692,6 +5727,16 @@ chrome.users.NtpMiddleSlotAnnouncementVisible: Middle slot announcement on the N
    true: Show the middle slot announcement on the New Tab Page if it is available.
    false: Do not show the middle slot announcement on the New Tab Page even if it is available.

+chrome.users.NtpOutlookCardVisible: New Tab page Outlook card.
+  ntpOutlookCardVisible: TYPE_BOOL
+    true: Enable New Tab page Outlook calendar card.
+    false: Disable New Tab page Outlook calendar card.
+
+chrome.users.NtpSharepointCardVisible: New Tab page Sharepoint and OneDrive card.
+  ntpSharepointCardVisible: TYPE_BOOL
+    true: Enable New Tab page Sharepoint and OneDrive files card.
+    false: Disable New Tab page Sharepoint and OneDrive files card.
+
 chrome.users.OffsetParentNewSpecBehaviorEnabled: Enable legacy HTMLElement offset behavior.
  offsetParentNewSpecBehaviorEnabled: TYPE_BOOL
    true: Use new offset behavior.
@@ -5972,7 +6017,7 @@ chrome.users.PrintingLpacSandboxEnabled: Printing LPAC Sandbox.
    false: Run printing services in a less secure sandbox.

 chrome.users.PrintingMaxSheetsAllowed: Maximum sheets.
-  value: TYPE_INT64
+  printingMaxSheetsAllowedNullable: TYPE_INT64

 chrome.users.PrintingPaperSizeDefault: Default printing page size.
  printingPaperSizeEnum: TYPE_ENUM
@@ -5999,10 +6044,10 @@ chrome.users.PrintingSendUsernameAndFilenameEnabled: CUPS Print job information.
    false: Do not include user account and filename in print job.

 chrome.users.PrintJobHistoryExpirationPeriodNew: Print job history retention period.
-  duration: TYPE_STRING
+  printJobHistoryExpirationPeriodDaysNew: TYPE_STRING

 chrome.users.PrintJobHistoryExpirationPeriodNewV2: Print job history retention period.
-  duration: TYPE_INT64
+  printJobHistoryExpirationPeriodDaysNew: TYPE_INT64

 chrome.users.PrintPdfAsImage: Print PDF as image.
  printPdfAsImageAvailability: TYPE_BOOL
@@ -6011,7 +6056,7 @@ chrome.users.PrintPdfAsImage: Print PDF as image.
  printPdfAsImageDefault: TYPE_BOOL
    true: Default to printing PDFs as images when available.
    false: Default to printing PDFs without being rasterized.
-  value: TYPE_INT64
+  printRasterizePdfDpi: TYPE_INT64

 chrome.users.PrintPostScriptMode: PostScript printer mode.
  printPostScriptMode: TYPE_ENUM
@@ -6148,7 +6193,7 @@ chrome.users.RelaunchNotificationWithDuration: Relaunch notification.
    NO_NOTIFICATION: No relaunch notification.
    RECOMMENDED: Show notification recommending relaunch.
    REQUIRED: Force relaunch after a period.
-  duration: TYPE_STRING
+  relaunchWindowDurationMin: TYPE_STRING
  hours: TYPE_INT32
  minutes: TYPE_INT32
  seconds: TYPE_INT32
@@ -6159,7 +6204,7 @@ chrome.users.RelaunchNotificationWithDurationV2: Relaunch notification.
    NO_NOTIFICATION: No relaunch notification.
    RECOMMENDED: Show notification recommending relaunch.
    REQUIRED: Force relaunch after a period.
-  duration: TYPE_INT64
+  relaunchWindowDurationMin: TYPE_INT64
  hours: TYPE_INT32
  minutes: TYPE_INT32
  seconds: TYPE_INT32
@@ -6180,7 +6225,7 @@ chrome.users.RemoteAccessHostClientDomainList: Remote access clients.
    Remote access client domain. Configure the required domain names for remote access clients.

 chrome.users.RemoteAccessHostClipboardSizeBytes: Clipboard sync max size.
-  value: TYPE_INT64
+  remoteAccessHostClipboardSizeBytes: TYPE_INT64

 chrome.users.RemoteAccessHostDomainList: Remote access hosts.
  remoteAccessHostDomainList: TYPE_LIST
@@ -6299,7 +6344,7 @@ chrome.users.SafeSitesFilterBehavior: SafeSites URL filter.
    SAFE_SITES_FILTER_ENABLED: Filter sites for adult content.

 chrome.users.SamlLockScreenOfflineSigninTimeLimitDays: SAML single sign-on unlock frequency.
-  value: TYPE_INT64
+  samlLockScreenOfflineSigninTimeLimitDays: TYPE_INT64

 chrome.users.SamlLockScreenReauthenticationEnabled: SAML single sign-on password synchronization flows.
  samlLockScreenReauthenticationEnabled: TYPE_BOOL
@@ -6380,14 +6425,14 @@ chrome.users.SecurityTokenSessionSettings: Security token removal.
    IGNORE: Nothing.
    LOGOUT: Log the user out.
    LOCK: Lock the current session.
-  duration: TYPE_STRING
+  securityTokenSessionNotificationSeconds: TYPE_STRING

 chrome.users.SecurityTokenSessionSettingsV2: Security token removal.
  securityTokenSessionBehavior: TYPE_ENUM
    IGNORE: Nothing.
    LOGOUT: Log the user out.
    LOCK: Lock the current session.
-  duration: TYPE_INT64
+  securityTokenSessionNotificationSeconds: TYPE_INT64

 chrome.users.SelectToSpeakEnabled: Select to speak.
  selectToSpeakEnabled: TYPE_ENUM
@@ -6410,10 +6455,10 @@ chrome.users.ServiceWorkerToControlSrcdocIframeEnabled: Service worker control o
    false: Block service workers from controlling srcdoc iframes.

 chrome.users.SessionLength: Maximum user session length.
-  duration: TYPE_STRING
+  sessionDurationLimit: TYPE_STRING

 chrome.users.SessionLengthV2: Maximum user session length.
-  duration: TYPE_INT64
+  sessionDurationLimit: TYPE_INT64

 chrome.users.SetTimeoutWithoutOneMsClampEnabled: Javascript setTimeout() minimum.
  setTimeoutWithoutOneMsClampEnabled: TYPE_ENUM
@@ -6768,6 +6813,11 @@ chrome.users.ThirdPartyCookieBlocking: Third-party cookie blocking.
    FALSE: Allow third-party cookies.
    TRUE: Disallow third-party cookies.

+chrome.users.ThirdPartyPasswordManagersAllowed: Third-party password managers allowed.
+  thirdPartyPasswordManagersAllowed: TYPE_BOOL
+    true: Allow using third-party password managers in Chrome.
+    false: Block using third-party password managers in Chrome.
+
 chrome.users.ThirdPartyStoragePartitioningSettings: Third-party storage partitioning.
  defaultThirdPartyStoragePartitioningSetting: TYPE_ENUM
    ALLOW_PARTITIONING: Allow third-party storage partitioning to be enabled.
@@ -7004,7 +7054,7 @@ chrome.users.WaitForInitialUserActivity: Wait for initial user activity.
    false: Start power management delays and session length limits at session start.

 chrome.users.Wallpaper: Custom wallpaper.
-  downloadUri: TYPE_STRING
+  wallpaperImage: TYPE_STRING

 chrome.users.WallpaperGooglePhotosIntegrationEnabled: Wallpaper selection from Google Photos.
  wallpaperGooglePhotosIntegrationEnabled: TYPE_BOOL
@@ -7019,6 +7069,11 @@ chrome.users.WarnBeforeQuittingEnabled: Warn before quitting.
    MANDATORY: Do not allow users to override.
    RECOMMENDED: Allow users to override.

+chrome.users.WebAudioOutputBufferingEnabled: Adaptive buffering for Web Audio.
+  webAudioOutputBufferingEnabled: TYPE_BOOL
+    true: Enable web audio adaptive buffering.
+    false: Disable web audio adaptive buffering.
+
 chrome.users.WebAuthnFactors: WebAuthn.
  webAuthnFactors: TYPE_LIST
    {'value': 'PIN', 'description': 'PIN.'}
@@ -7132,4 +7187,4 @@ chrome.users.ZstdContentEncodingEnabled: Zstd compression.
    true: Allow zstd-compressed web content.
    false: Do not allow zstd-compressed web content.

-```
+```
--- a/wiki/GamUpdates.md
+++ b/wiki/GamUpdates.md
@@ -10,6 +10,97 @@ Add the `-s` option to the end of the above commands to suppress creating the `g

 See [Downloads-Installs-GAM7](https://github.com/GAM-team/GAM/wiki/Downloads-Installs) for Windows or other options, including manual installation

+### 7.09.01
+
+Fixed bug in `gam <UserTypeEntity> print diskusage` where the `ownedByMe` column was
+blank for the top folder.
+
+Fixed bug in `gam update chromepolicy` where the following error was generated
+when updating policies with simple numerical values.
+```
+ERROR: Missing argument: Expected <value>"
+```
+
+### 7.09.00
+
+Removed the overly broad service account `IAM and Access Management API` scope `https://www.googleapis.com/auth/cloud-platform`
+from DWD. The `gam <UserTypeEntity> check|Update serviceaccount` commands issue an error message if this scope
+is enabled prompting you to update your service account authorization so that the scope can be removed.
+
+GAM commands that need IAM access now use the more limited scope `https://www.googleapis.com/auth/iam` in a non-DWD manner.
+
+Added `enforce_expansive_access` Boolean variable to `gam.cfg` that provides the default value
+for option `enforceexpansiveaccess` in all commands that delete or update drive file ACLs/permissions.
+It's default value is False.
+```
+gam <UserTypeEntity> delete permissions
+gam <UserTypeEntity> delete drivefileacl
+gam <UserTypeEntity> update drivefileacl
+gam <UserTypeEntity> copy drivefile
+gam <UserTypeEntity> move drivefile
+gam <UserTypeEntity> transfer ownership
+gam <UserTypeEntity> claim ownership
+gam <UserTypeEntity> transfer drive
+```
+
+Fixed bug in `gam print shareddriveorganizers` that caused a trap when an organizer was a deleted user.
+
+Updated to Python 3.13.4
+
+### 7.08.02
+
+Updated the defaults in `gam print shareddriveorganizers` to match the most common use case, not the script.
+
+* `domainlist` - The workspace primary domain
+* `includetypes` - user
+* `oneorganizer` - True
+* `shownoorganizerdrives` - True
+* `includefileorganizers` - False
+
+To select organizers from any domain, use: `domainlist ""`
+
+These commands produce the same result.
+```
+gam redirect csv ./TeamDriveOrganizers.csv print shareddriveorganizers domainlist mydomain.com includetypes user oneorganizer shownoorganizerdrives
+gam redirect csv ./TeamDriveOrganizers.csv print shareddriveorganizers
+```
+
+### 7.08.01
+
+Added option `shareddrives (<SharedDriveIDList>|(select <FileSelector>|<CSVFileSelector>))` to
+`gam print shareddriveorganizers` that displays organizers for a specific list of Shared Drive IDs.
+
+See: https://github.com/GAM-team/GAM/wiki/Shared-Drives#display-shared-drive-organizers
+
+### 7.08.00
+
+Added the following command that can be used instead of the `GetTeamDriveOrganizers.py` script.
+
+gam [<UserTypeEntity>] print shareddriveorganizers [todrive <ToDriveAttribute>*]
+        [adminaccessasadmin] [shareddriveadminquery|query <QuerySharedDrive>]
+        [orgunit|org|ou <OrgUnitPath>]
+        [matchname <REMatchPattern>]
+        [domainlist <DomainList>]
+        [includetypes <OrganizerTypeList>]
+        [oneorganizer [<Boolean>]]
+        [shownorganizerdrives [false|true|only]]
+        [includefileorganizers [<Boolean>]]
+        [delimiter <Character>]
+```
+See: https://github.com/GAM-team/GAM/wiki/Shared-Drives#display-shared-drive-organizers
+
+The command defaults match the script defaults:
+* `domainlist` - All domains
+* `includetypes` - user,group
+* `oneorganizer` - False
+* `shownoorganizerdrives` - True
+* `includefileorganizers` - False
+
+For example, to get a single user organizer from your domain for all Shared Drives including no organizer drives:
+```
+gam redirect csv ./TeamDriveOrganizers.csv print shareddriveorganizers domainlist mydomain.com includetypes user oneorganizer shownoorganizerdrives
+```
+
 ### 7.07.17

 Added option `oneuserperrow` to `gam print devices` to have each of a
--- a/wiki/How-to-Upgrade-Legacy-GAM-to-GAM7.md
+++ b/wiki/How-to-Upgrade-Legacy-GAM-to-GAM7.md
@@ -251,9 +251,9 @@ writes the credentials into the file oauth2.txt.
 admin@server:/Users/admin$ rm -f /Users/admin/GAMConfig/oauth2.txt
 admin@server:/Users/admin$ gam version
 WARNING: Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: /Users/admin/GAMConfig/oauth2.txt, Not Found
-GAM 7.07.17 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.09.01 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.3 64-bit final
+Python 3.13.4 64-bit final
 MacOS Sequoia 15.5 x86_64
 Path: /Users/admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
@@ -989,9 +989,9 @@ writes the credentials into the file oauth2.txt.
 C:\>del C:\GAMConfig\oauth2.txt
 C:\>gam version
 WARNING: Config File: C:\GAMConfig\gam.cfg, Section: DEFAULT, Item: oauth2_txt, Value: C:\GAMConfig\oauth2.txt, Not Found
-GAM 7.07.17 - https://github.com/GAM-team/GAM - pythonsource
+GAM 7.09.01 - https://github.com/GAM-team/GAM - pythonsource
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.3 64-bit final
+Python 3.13.4 64-bit final
 Windows-10-10.0.17134 AMD64
 Path: C:\GAM7
 Config File: C:\GAMConfig\gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
--- a/wiki/Shared-Drives.md
+++ b/wiki/Shared-Drives.md
@@ -15,6 +15,7 @@
 - [Display Shared Drive Counts](#display-shared-drive-counts)
 - [Display List of Shared Drives in an Organizational Unit](#display-list-of-shared-drives-in-an-organizational-unit)
 - [Display Count of Shared Drives in an Organizational Unit](#display-count-of-shared-drives-in-an-organizational-unit)
+- [Display Shared Drive Organizers](#display-shared-drive-organizers)
 - [Display all Shared Drives with no members](#display-all-shared-drives-with-no-members)
 - [Display all Shared Drives with no organizers](#display-all-shared-drives-with-no-organizers)
 - [Display all Shared Drives with a specific organizer](#display-all-shared-drives-with-a-specific-organizer)
@@ -78,6 +79,9 @@
 ```
 <JSONData> ::= (json [charset <Charset>] <String>) | (json file <FileName> [charset <Charset>]) |

+<OrganizerType> ::= user|group
+<OrganizerTypeList> ::= "<OrganizerType>(,<OrganizerType>)*"
+
 <OrgUnitID> ::= id:<String>
 <OrgUnitPath> ::= /|(/<String>)+
 <OrgUnitItem> ::= <OrgUnitID>|<OrgUnitPath>
@@ -228,14 +232,14 @@ Three forms of the commands are available:

 ## Display Shared Drive themes
 ```
-gam show teamdrivethemes
+gam show shareddrivethemes
 ```
 ## Manage Shared Drives

 ## Create a Shared Drive
 The user that creates a Shared Drive is given the permission role organizer for the Shared Drive,
 ```
-gam [<UserTypeEntity>] create teamdrive <Name>
+gam [<UserTypeEntity>] create shareddrive <Name>
        [(theme|themeid <String>)|
         ([customtheme <DriveFileID> <Float> <Float> <Float>] [color <ColorValue>])]
        (<SharedDriveRestrictionsSubfieldName> <Boolean>)*
@@ -244,7 +248,7 @@ gam [<UserTypeEntity>] create teamdrive <Name>
        [(csv [todrive <ToDriveAttribute>*] (addcsvdata <FieldName> <String>)*) | returnidonly]
        [adminaccess|asadmin]
 ```
-* `themeid` - a Shared Drive themeId obtained from `show teamdrivethemes`
+* `themeid` - a Shared Drive themeId obtained from `show shareddrivethemes`
 * `customtheme` - set the backgroundImageFile property described here:  https://developers.google.com/drive/v3/reference/teamdrives
  * `<Float>` - X coordinate, typically 0.0
  * `<Float>` - Y coordinate, typically 0.0
@@ -277,9 +281,9 @@ When either of these options is chosen, no infomation about Shared Drive restric
 To retrieve the Shared Drive ID with `returnidonly`:
 ```
 Linux/MacOS
-teamDriveId=$(gam create teamdrive ... returnidonly)
+teamDriveId=$(gam create shareddrive ... returnidonly)
 Windows PowerShell
-$teamDriveId = & gam create teamdrive ... returnidonly
+$teamDriveId = & gam create shareddrive ... returnidonly
 ```

 ## Bulk Create Shared Drives
@@ -289,7 +293,7 @@ As a newly created Drive can't be updated for 30+ seconds; split the operation i

 Make a CSV file SharedDriveNames.csv with at least one column, name.
 ```
-gam redirect csv ./SharedDrivesCreated.csv multiprocess csv SharedDriveNames.csv gam create teamdrive "~name" csv
+gam redirect csv ./SharedDrivesCreated.csv multiprocess csv SharedDriveNames.csv gam create shareddrive "~name" csv
 ```
 This will create a three column CSV file SharedDrivesCreated.csv with columns: User,name,id
 * There will be a row for each Shared Drive.
@@ -320,14 +324,14 @@ gam redirect stdout ./StudentSharedDrivesAccess.txt multiprocess redirect stderr

 These commands are used to set basic Shared Drive settings.
 ```
-gam [<UserTypeEntity>] update teamdrive <SharedDriveEntity> [name <Name>]
+gam [<UserTypeEntity>] update shareddrive <SharedDriveEntity> [name <Name>]
        [adminaccess|asadmin]
        [(theme|themeid <String>)|
         ([customtheme <DriveFileID> <Float> <Float> <Float>] [color <ColorValue>])]
        (<SharedDriveRestrictionsSubfieldName> <Boolean>)*
        [hide|hidden <Boolean>] [ou|org|orgunit <OrgUnitItem>]
 ```
-* `themeid` - a Shared Drive themeId obtained from `show teamdrivethemes`
+* `themeid` - a Shared Drive themeId obtained from `show shareddrivethemes`
 * `customtheme` - set the backgroundImageFile property described here:  https://developers.google.com/drive/v3/reference/teamdrives
 * `color` - set the Shared Drive color
 * `<SharedDriveRestrictionsSubfieldName> <Boolean>` - Set Shared Drive Restrictions
@@ -339,7 +343,7 @@ This option is only available when the command is run as an administrator.

 ## Delete a Shared Drive
 ```
-gam [<UserTypeEntity>] delete teamdrive <SharedDriveEntity>
+gam [<UserTypeEntity>] delete shareddrive <SharedDriveEntity>
        [adminaccess|asadmin] [allowitemdeletion]
 ```
 By default, deleting a Shared Drive that contains any files/folders will fail.
@@ -348,24 +352,24 @@ This is not reversible, proceed with caution.

 ## Change Shared Drive visibility
 ```
-gam [<UserTypeEntity>] hide teamdrive <SharedDriveEntity>
-gam [<UserTypeEntity>] unhide teamdrive <SharedDriveEntity>
+gam [<UserTypeEntity>] hide shareddrive <SharedDriveEntity>
+gam [<UserTypeEntity>] unhide shareddrive <SharedDriveEntity>
 ```

 ## Display Shared Drives
 These commands are used to get information about Shared Drives themselves, not the files/folders on the Shared Drives.
 ```
-gam [<UserTypeEntity>] info teamdrive <SharedDriveEntity>
+gam [<UserTypeEntity>] info shareddrive <SharedDriveEntity>
        [adminaccess|asadmin]
        [fields <SharedDriveFieldNameList>] [formatjson]
-gam [<UserTypeEntity>] show teamdriveinfo <SharedDriveEntity>
+gam [<UserTypeEntity>] show shareddriveinfo <SharedDriveEntity>
        [adminaccess|asadmin]
        [fields <SharedDriveFieldNameList>] [formatjson]
 ```
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 ```
-gam [<UserTypeEntity>] show teamdrives
+gam [<UserTypeEntity>] show shareddrives
        [adminaccess|asadmin] [teamdriveadminquery|query <QueryTeamDrive>]
        [matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
        [fields <SharedDriveFieldNameList>] [formatjson]
@@ -378,7 +382,7 @@ By default, all Shared Drives are displayed; use the following options to select
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 ```
-gam [<UserTypeEntity>] print teamdrives [todrive <ToDriveAttribute>*]
+gam [<UserTypeEntity>] print shareddrives [todrive <ToDriveAttribute>*]
        [adminaccess|asadmin] [teamdriveadminquery|query <QueryTeamDrive>]
        [matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
        [fields <SharedDriveFieldNameList>] [formatjson [quotechar <Character>]]
@@ -400,22 +404,67 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 ### Examples
 Print information about all Shared Drives in the organization.
 ```
-gam print teamdrives
-gam user admin@domain.com print teamdrives adminaccess
+gam print shareddrives
+gam user admin@domain.com print shareddrives adminaccess
 ```
 Print information about Shared Drives that have admin@domain.com as a member.
 ```
-gam user admin@domain.com print teamdrives
+gam user admin@domain.com print shareddrives
+```
+
+## Display Shared Drive Organizers
+The following command can be used instead of the `GetTeamDriveOrganizers.py` script.
+
+```
+gam [<UserTypeEntity>] print shareddriveorganizers [todrive <ToDriveAttribute>*]
+        [adminaccess|asadmin]
+        [(shareddriveadminquery|query <QuerySharedDrive>) |
+         (shareddrives|teamdrives (<SharedDriveIDList>|(select <FileSelector>|<CSVFileSelector>)))]
+        [orgunit|org|ou <OrgUnitPath>]
+        [matchname <REMatchPattern>]
+        [domainlist <DomainList>]
+        [includetypes <OrganizerTypeList>]
+        [oneorganizer [<Boolean>]]
+        [shownorganizerdrives [false|true|only]]
+        [includefileorganizers [<Boolean>]]
+        [delimiter <Character>]
+```
+Options `shareddriveadminquery|query` and `shareddrives|teamdrives` are mutually exclusive.
+
+Options `shareddriveadminquery|query` and `orgunit|org|ou` require `adminaccess|asadmin`.
+
+By default, organizers for all Shared Drives are displayed; use the following options to select a subset of Shared Drives:
+* `teamdriveadminquery|query <QueryTeamDrive>` - Use a query to select Shared Drives
+* `shareddrives|teamdrives <SharedDriveIDList>` - Select the Shared Drive IDs specified in `<SharedDriveIDList>`
+* `shareddrives|teamdrives select <FileSelector>|<CSVFileSelector>` - Select the Shared Drive IDs specified in `<FileSelector>|<CSVFileSelector>`
+* `orgunit|org|ou <OrgUnitPath>` - Only Shared Drives in the specified Org Unit are selected
+* `matchname <REMatchPattern>` - Retrieve Shared Drives with names that match a pattern.
+
+For multiple organizers:
+* `delimiter <Character>` - Separate `organizers` entries with `<Character>`; the default value is `csv_output_field_delimiter` from `gam.cfg`.
+
+The command defaults do not match the script defaults, they are set for the most common use case:
+* `domainlist` - The workspace primary domain
+* `includetypes` - user
+* `oneorganizer` - True
+* `shownoorganizerdrives` - True
+* `includefileorganizers` - False
+
+To select organizers from any domain, use: `domainlist ""`
+
+For example, to get a single user organizer from your domain for all Shared Drives including no organizer drives:
+```
+gam redirect csv ./TeamDriveOrganizers.csv print shareddriveorganizers
 ```

 ## Display all Shared Drives with no members
 ```
-gam print teamdrives query "memberCount = 0"
+gam print shareddrives query "memberCount = 0"
 ```

 ## Display all Shared Drives with no organizers
 ```
-gam print teamdrives query "organizerCount = 0"
+gam print shareddrives query "organizerCount = 0"
 ```

 ## Display Shared Drive Counts
@@ -451,20 +500,20 @@ count = & gam print shareddrives showitemcountonly
 ## Display all Shared Drives with a specific organizer
 Substitute actual email address for `organizer@domain.com`.
 ```
-gam config csv_output_header_filter "id,name" print teamdriveacls pm emailaddress organizer@domain.com role organizer em pma process pmselect
+gam config csv_output_header_filter "id,name" print shareddriveacls pm emailaddress organizer@domain.com role organizer em pma process pmselect
 ```

 ## Display all Shared Drives without a specific organizer
 Substitute actual email address for `organizer@domain.com`.
 ```
-gam config csv_output_header_filter "id,name" print teamdriveacls pm emailaddress organizer@domain.com role organizer em pma skip pmselect
+gam config csv_output_header_filter "id,name" print shareddriveacls pm emailaddress organizer@domain.com role organizer em pma skip pmselect
 ```

 ## Display List of Shared Drives in an Organizational Unit
 Get the orgUnitID of the desired OU and use it (without the id:) in the print|show command. Adjust fields as desired.
 ```
-gam show teamdrives query "orgUnitId='03ph8a2z21rexy'" fields id,name,orgunit,createdtime
-gam print teamdrives query "orgUnitId='03ph8a2z21rexy'" fields id,name,orgunit,createdtime
+gam show shareddrives query "orgUnitId='03ph8a2z21rexy'" fields id,name,orgunit,createdtime
+gam print shareddrives query "orgUnitId='03ph8a2z21rexy'" fields id,name,orgunit,createdtime
 ```
 Alternative method; `<OrgUnitPath>` defaults to `/`.
 ```
@@ -552,12 +601,12 @@ These commands are used to transfer ACLs from one Shared Drive to another.
 * `copy` - Copy all ACLs from the source Shared Drive to the target Shared Drive. The role of an existing ACL in the target Shared Drive will never be reduced.
 * `sync` - Add/delete/update ACLs in the target Shared Drive to match those in the source Shared Drive.
 ```
-gam [<UserTypeEntity>] copy teamdriveacls <SharedDriveEntity> to <SharedDriveEntity>
+gam [<UserTypeEntity>] copy shareddriveacls <SharedDriveEntity> to <SharedDriveEntity>
        [showpermissionsmessages [<Boolean>]]
        [excludepermissionsfromdomains|includepermissionsfromdomains <DomainNameList>]
        (mappermissionsdomain <DomainName> <DomainName>)*
        [adminaccess|asadmin]
-gam [<UserTypeEntity>] sync teamdriveacls <SharedDriveEntity> with <SharedDriveEntity>
+gam [<UserTypeEntity>] sync shareddriveacls <SharedDriveEntity> with <SharedDriveEntity>
        [showpermissionsmessages [<Boolean>]]
        [excludepermissionsfromdomains|includepermissionsfromdomains <DomainNameList>]
        (mappermissionsdomain <DomainName> <DomainName>)*
@@ -595,7 +644,7 @@ gam [<UserTypeEntity>] print drivefileacls <SharedDriveEntityAdmin> [todrive <To
 ### Examples:
 Find all the organizers and file organizers on the Golgafrincham shared drive in CSV form.
 ```
- gam print drivefileacls teamdrive "Golgafrincham" pm role organizer em pm role fileorganizer em oneitemperrow
+ gam print drivefileacls shareddrive "Golgafrincham" pm role organizer em pm role fileorganizer em oneitemperrow
 ```

 By default, all Shared Drives specified are displayed; use the following option to select a subset of those Shared Drives.
@@ -626,7 +675,7 @@ gam config csv_output_header_drop_filter "User,createdTime,permission.photoLink,

 ## Display Shared Drive access for selected Shared Drives
 ```
-gam [<UserTypeEntity>] show teamdriveacls
+gam [<UserTypeEntity>] show shareddriveacls
        [adminaccess|asadmin] [teamdriveadminquery|query <QueryTeamDrive>]
        [matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
        [user|group <EmailAddress> [checkgroups]] (role|roles <SharedDriveACLRoleList>)*
@@ -635,7 +684,7 @@ gam [<UserTypeEntity>] show teamdriveacls
        [shownopermissionsdrives false|true|only]
        [formatjson]

-gam [<UserTypeEntity>] print teamdriveacls [todrive <ToDriveAttribute>*]
+gam [<UserTypeEntity>] print shareddriveacls [todrive <ToDriveAttribute>*]
        [adminaccess|asadmin] [teamdriveadminquery|query <QueryTeamDrive>]
        [matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
        [user|group <EmailAddress> [checkgroups]] (role|roles <SharedDriveACLRoleList>)*
@@ -662,7 +711,7 @@ By default, all ACLS are displayed; use the following options to select a subset
 * `role|roles <SharedDriveACLRoleList>` - Display ACLs for the specified roles only.
 * `<PermissionMatch>* [<PermissionMatchAction>]` - Use permission matching to display a subset of the ACLs for each Shared Drive; this only applies when `pmselect` is not specified

-With `print teamdriveacls` or `show teamdrivecls formatjson`, the ACLs selected for display are all output on one row/line as a repeating item with the matching Shared Drive id.
+With `print shareddriveacls` or `show shareddrivecls formatjson`, the ACLs selected for display are all output on one row/line as a repeating item with the matching Shared Drive id.
 When `oneitemperrow` is specified, each ACL is output on a separate row/line with the matching Shared Drive id and name. This simplifies processing the CSV file with subsequent Gam commands.

 By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
@@ -674,35 +723,35 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara
 ### Examples
 Find all organizers and viewers on the shared drive Heart of Gold in CSV form.
 ```
- gam print teamdriveacls matchname "Heart of Gold" role organizer,reader oneitemperrow
+ gam print shareddriveacls matchname "Heart of Gold" role organizer,reader oneitemperrow
 ```

 Print ACLs for all Shared Drives in the organization created after November 1, 2017.
 ```
-gam print teamdriveacls teamdriveadminquery "createdTime > '2017-11-01T00:00:00'"
+gam print shareddriveacls shareddriveadminquery "createdTime > '2017-11-01T00:00:00'"
 ```

 Print ACLs for all Shared Drives in the organization with foo@bar.com as an organizer.
 ```
-gam print teamdriveacls user foo@bar.com role organizer
+gam print shareddriveacls user foo@bar.com role organizer
 ```

 Print ACLs for all Shared Drives in the organization with foo@bar.com or groups that contain foo@bar.com as a reader.
 ```
-gam print teamdriveacls user foo@bar.com role reader checkgroups
+gam print shareddriveacls user foo@bar.com role reader checkgroups
 ```

 ## Display ACLs for Shared Drives with no organizers
 ### For all Shared Drives
 ```
 One row per Shared Drive, all ACLs on the same row
-gam redirect csv ./SharedDriveACLsNoOrganizers.csv print teamdriveacls fields id,domain,emailaddress,role,type,deleted query "organizerCount = 0"
+gam redirect csv ./SharedDriveACLsNoOrganizers.csv print shareddriveacls fields id,domain,emailaddress,role,type,deleted query "organizerCount = 0"

 A row per Shared Drive/ACL combination
-gam redirect csv ./SharedDriveACLsNoOrganizers.csv print teamdriveacls fields id,domain,emailaddress,role,type,deleted query "organizerCount = 0" oneitemperrow
+gam redirect csv ./SharedDriveACLsNoOrganizers.csv print shareddriveacls fields id,domain,emailaddress,role,type,deleted query "organizerCount = 0" oneitemperrow
 ```
 ### For selected Shared Drives
-Create a CSV file TeamDrives.csv with at least two columns (id, name) for the selected Shared Drives.
+Create a CSV file shareddrives.csv with at least two columns (id, name) for the selected Shared Drives.
 ```
 One row per Shared Drive, all ACLs on the same row
 gam redirect csv ./SharedDriveACLsNoOrganizers.csv multiprocess csv ./SharedDrives.csv gam print drivefileacls "~id" addtitle "~name" fields id,domain,emailaddress,role,type,deleted pm role organizer em pma skip pmselect
@@ -715,13 +764,13 @@ gam redirect csv ./SharedDriveACLsNoOrganizersOIPR.csv multiprocess csv ./Shared
 ### For all Shared Drives
 ```
 One row per Shared Drive, all ACLs on the same row
-gam redirect csv ./SharedDriveACLsAllExternalOrganizers.csv print teamdriveacls fields id,domain,emailaddress,role,type,deleted role organizer pm role organizer domainlist domain.com,... em pma skip pmselect
+gam redirect csv ./SharedDriveACLsAllExternalOrganizers.csv print shareddriveacls fields id,domain,emailaddress,role,type,deleted role organizer pm role organizer domainlist domain.com,... em pma skip pmselect

 A row per Shared Drive/ACL combination
-gam redirect csv ./SharedDriveACLsAllExternalOrganizers.csv print teamdriveacls fields id,domain,emailaddress,role,type,deleted role organizer pm role organizer domainlist domain.com,... em pma skip pmselect
+gam redirect csv ./SharedDriveACLsAllExternalOrganizers.csv print shareddriveacls fields id,domain,emailaddress,role,type,deleted role organizer pm role organizer domainlist domain.com,... em pma skip pmselect
 ```
 ### For selected Shared Drives
-Create a CSV file TeamDrives.csv with at least two columns (id, name) for the selected Shared Drives.
+Create a CSV file shareddrives.csv with at least two columns (id, name) for the selected Shared Drives.
 ```
 One row per Shared Drive, all ACLs on the same row
 gam redirect csv ./SharedDriveACLsAllExternalOrganizers.csv multiprocess csv ./SharedDrives.csv gam print drivefileacls "~id" addtitle "~name" fields id,domain,emailaddress,role,type,deleted pm role organizer domainlist domain.com,... em pma skip pmselect
@@ -735,13 +784,13 @@ gam redirect csv ./SharedDriveACLsAllExternalOrganizersOIPR.csv multiprocess csv
 Include a permission match `pm domainlist domain.com,... em` that lists your internal domain(s).
 ```
 One row per Shared Drive, all ACLs on the same row
-gam redirect csv ./SharedDriveACLsAllExternal.csv print teamdriveacls fields id,domain,emailaddress,role,type,deleted pm domainlist domain.com,... em pma skip pmselect
+gam redirect csv ./SharedDriveACLsAllExternal.csv print shareddriveacls fields id,domain,emailaddress,role,type,deleted pm domainlist domain.com,... em pma skip pmselect

 A row per Shared Drive/ACL combination
-gam redirect csv ./SharedDriveACLsAllExternalOIPR.csv print teamdriveacls fields id,domain,emailaddress,role,type,deleted pm domainlist domain.com,... em pma skip pmselect oneitemperrow
+gam redirect csv ./SharedDriveACLsAllExternalOIPR.csv print shareddriveacls fields id,domain,emailaddress,role,type,deleted pm domainlist domain.com,... em pma skip pmselect oneitemperrow
 ```
 ### For selected Shared Drives
-Create a CSV file TeamDrives.csv with at least two columns (id, name) for the selected Shared Drives.
+Create a CSV file shareddrives.csv with at least two columns (id, name) for the selected Shared Drives.

 Include a permission match `pm domainlist domain.com,... em` that lists your internal domain(s).
 ```
@@ -764,16 +813,16 @@ to get the Shared Drive ACLs for the scammed Shared Drives.

 ```
 One row per Shared Drive, all ACLs on the same row
-gam redirect csv ./SharedDriveACLsAllExternal.csv print teamdriveacls fields id,domain,emailaddress,role,type,deleted pm domainlist domain.com,... em pma skip pmselect
+gam redirect csv ./SharedDriveACLsAllExternal.csv print shareddriveacls fields id,domain,emailaddress,role,type,deleted pm domainlist domain.com,... em pma skip pmselect

 A row per Shared Drive/ACL combination
-gam redirect csv ./SharedDriveACLsAllExternalOIPR.csv print teamdriveacls fields id,domain,emailaddress,role,type,deleted pm domainlist domain.com,... em pma skip pmselect oneitemperrow
+gam redirect csv ./SharedDriveACLsAllExternalOIPR.csv print shareddriveacls fields id,domain,emailaddress,role,type,deleted pm domainlist domain.com,... em pma skip pmselect oneitemperrow
 ```

 ### Add an organizer from your domain
 Sustitute an appropriate value for `admin@domain.com`.
 ```
-gam redirect stdout ./AddOrganizer.txt multiprocess redirect stderr stdout csv ./SharedDriveACLsAllExternal.csv gam add drivefileacl teamdriveid "~id" user admin@domain.com role organizer
+gam redirect stdout ./AddOrganizer.txt multiprocess redirect stderr stdout csv ./SharedDriveACLsAllExternal.csv gam add drivefileacl shareddriveid "~id" user admin@domain.com role organizer
 ```

 ### Delete non domain ACLs
@@ -782,7 +831,7 @@ you must delete all rows in `SharedDriveACLsAllExternalOIPR.csv` that have the s

 This will disable all non-domain users access to the Shared Drive.
 ```
-gam redirect stdout ./DeleteExternalACLs.txt multiprocess redirect stderr stdout csv ./SharedDriveACLsAllExternalOIPR.csv gam delete drivefileacl teamdriveid "~id" "id:~~permission.id~~"
+gam redirect stdout ./DeleteExternalACLs.txt multiprocess redirect stderr stdout csv ./SharedDriveACLsAllExternalOIPR.csv gam delete drivefileacl shareddriveid "~id" "id:~~permission.id~~"
 ```

 ### Delete the Shared Drives
@@ -790,36 +839,18 @@ The `allowitemdeletion` option allows deletion of non-empty Shared Drives. This

 This is not reversible, proceed with caution.
 ```
-gam redirect stdout ./DeleteSharedDrives.txt multiprocess redirect stderr stdout csv ./SharedDriveACLsAllExternal.csv gam delete teamdrive "~id" allowitemdeletion
+gam redirect stdout ./DeleteSharedDrives.txt multiprocess redirect stderr stdout csv ./SharedDriveACLsAllExternal.csv gam delete shareddrive "~id" allowitemdeletion
 ```

 ## Delete old empty Shared Drives
 ```
-# Get a list of Shared Drives created before one year ago; alter date<-1y as required
-gam config csv_output_row_filter "createdTime:date<-1y" redirect csv ./TeamDrives.csv print teamdrives fields id,name,createdtime
+# Get a list of Shared Drives organizers for Shared Drives created before one year ago; alter date<-1y as required.
+gam config csv_output_row_filter "createdTime:date<-1y" redirect csv ./TeamDriveOrganizers.csv print shareddriveorganizers domainlist mydomain.com includetypes user oneorganizer shownoorganizerdrives

-# You'll need a list of Shared Drive IDs and organizers; get ACLs for Shared Drives from above
-gam redirect csv ./TeamDriveACLs.csv multiprocess csv ./TeamDrives.csv gam print drivefileacls "~id" fields id,emailaddress,role,type,deleted
-
-# Customize script: https://github.com/taers232c/GAM-Scripts3/blob/master/GetTeamDriveOrganizers.py
-DOMAIN_LIST = ['yourdomain.org']
-
-INCLUDE_TYPES = {
-  'user': True,
-  'group': False,
-  }
-
-ONE_ORGANIZER = True
-SHOW_NO_ORGANIZER_DRIVES = True
-INCLUDE_FILE_ORGANIZERS = False
-
-# Run script
-python GetTeamDriveOrganizers.py TeamDriveACLs.csv TeamDrives.csv TeamDriveOrganizers.csv
-
-# Inspect TeamDriveOrganizers.csv, you'll have to deal with Shared Drives with no organizer/manager
+# Inspect shareddriveOrganizers.csv, you'll have to deal with Shared Drives with no organizer/manager

 # Get old empty Shared Drives
-gam config num_threads 10 csv_input_row_filter "organizers:regex:^.+$" csv_output_row_filter "Total:count=0" redirect csv ./OldEmptySharedDrives.csv multiprocess redirect stderr - multiprocess csv ./TeamDriveOrganizers.csv gam user "~organizers" print filecounts select teamdriveid "~id" showsize
+gam config num_threads 10 csv_input_row_filter "organizers:regex:^.+$" csv_output_row_filter "Total:count=0" redirect csv ./OldEmptySharedDrives.csv multiprocess redirect stderr - multiprocess csv ./TeamDriveOrganizers.csv gam user "~organizers" print filecounts select shareddriveid "~id" showsize

 # Inspect OldEmptySharedDrives.csv, if you're confident of the results, proceed

--- a/wiki/Users-Shared-Drives.md
+++ b/wiki/Users-Shared-Drives.md
@@ -12,6 +12,7 @@
  - [Change Shared Drive visibility](#change-shared-drive-visibility)
 - [Display Shared Drives](#display-shared-drives)
 - [Display Shared Drive Counts](#display-shared-drive-counts)
+- [Display Shared Drive Organizers](#display-shared-drive-organizers)
 - [Manage Shared Drive access](#manage-shared-drive-access)
 - [Display Shared Drive access](#display-shared-drive-access)
  - [Display Shared Drive access for specific Shared Drives](#display-shared-drive-access-for-specific-shared-drives)
@@ -72,6 +73,9 @@
 ```
 <JSONData> ::= (json [charset <Charset>] <String>) | (json file <FileName> [charset <Charset>]) |

+<OrganizerType> ::= user|group
+<OrganizerTypeList> ::= "<OrganizerType>(,<OrganizerType>)*"
+
 <OrgUnitID> ::= id:<String>
 <OrgUnitPath> ::= /|(/<String>)+
 <OrgUnitItem> ::= <OrgUnitID>|<OrgUnitPath>
@@ -200,14 +204,14 @@ sharingfoldersrequiresorganizerpermission true

 ## Display Shared Drive themes
 ```
-gam <UserTypeEntity> show teamdrivethemes
+gam <UserTypeEntity> show shareddrivethemes
 ```
 ## Manage Shared Drives

 ## Create a Shared Drive
 The user that creates a Shared Drive is given the permission role organizer for the Shared Drive,
 ```
-gam <UserTypeEntity> create teamdrive <Name>
+gam <UserTypeEntity> create shareddrive <Name>
        [(theme|themeid <String>)|
         ([customtheme <DriveFileID> <Float> <Float> <Float>] [color <ColorValue>])]
        (<SharedDriveRestrictionsSubfieldName> <Boolean>)*
@@ -215,7 +219,7 @@ gam <UserTypeEntity> create teamdrive <Name>
        [errorretries <Integer>] [updateinitialdelay <Integer>] [updateretrydelay <Integer>]
        [(csv [todrive <ToDriveAttribute>*] (addcsvdata <FieldName> <String>)*) | returnidonly]
 ```
-* `themeid` - a Shared Drive themeId obtained from `show teamdrivethemes`
+* `themeid` - a Shared Drive themeId obtained from `show shareddrivethemes`
 * `customtheme` - set the backgroundImageFile property described here:  https://developers.google.com/drive/v3/reference/teamdrives
  * `<Float>` - X coordinate, typically 0.0
  * `<Float>` - Y coordinate, typically 0.0
@@ -248,9 +252,9 @@ When either of these options is chosen, no infomation about Shared Drive restric
 To retrieve the Shared Drive ID with `returnidonly`:
 ```
 Linux/MacOS
-teamDriveId=$(gam user user@domain.com create teamdrive ... returnidonly)
+teamDriveId=$(gam user user@domain.com create shareddrive ... returnidonly)
 Windows PowerShell
-$teamDriveId = & gam user user@domain.com create teamdrive ... returnidonly
+$teamDriveId = & gam user user@domain.com create shareddrive ... returnidonly
 ```

 ## Bulk Create Shared Drives
@@ -260,7 +264,7 @@ As a newly created Drive can't be updated for 30+ seconds; split the operation i

 Make a CSV file SharedDriveNames.csv with at least two columns, User and name.
 ```
-gam redirect csv ./SharedDrivesCreated.csv multiprocess csv SharedDriveNames.csv gam user "~User" create teamdrive "~name" csv
+gam redirect csv ./SharedDrivesCreated.csv multiprocess csv SharedDriveNames.csv gam user "~User" create shareddrive "~name" csv
 ```
 This will create a three column CSV file SharedDriveNamesIDs.csv with columns: User,name,id
 * There will be a row for each Shared Drive.
@@ -274,13 +278,13 @@ gam redirect stdout ./SharedDrivesUpdated.txt multiprocess redirect stderr stdou

 This command is used to set basic Shared Drive settings.
 ```
-gam <UserTypeEntity> update teamdrive <SharedDriveEntity> [adminaccess|asadmin] [name <Name>]
+gam <UserTypeEntity> update shareddrive <SharedDriveEntity> [adminaccess|asadmin] [name <Name>]
        [(theme|themeid <String>)|
         ([customtheme <DriveFileID> <Float> <Float> <Float>] [color <ColorValue>])]
        (<SharedDriveRestrictionsSubfieldName> <Boolean>)*
        [hide|hidden <Boolean>] [ou|org|orgunit <OrgUnitItem>]
 ```
-* `themeid` - a Shared Drive themeId obtained from `show teamdrivethemes`
+* `themeid` - a Shared Drive themeId obtained from `show shareddrivethemes`
 * `customtheme` - set the backgroundImageFile property described here:  https://developers.google.com/drive/v3/reference/teamdrives
 * `color` - set the Shared Drive color
 * `<SharedDriveRestrictionsSubfieldName> <Boolean>` - Set Shared Drive Restrictions
@@ -291,7 +295,7 @@ This option is only available when the command is run as an administrator.

 ## Delete a Shared Drive
 ```
-gam <UserTypeEntity> delete teamdrive <SharedDriveEntity> [allowitemdeletion] [adminaccess|asadmin]
+gam <UserTypeEntity> delete shareddrive <SharedDriveEntity> [allowitemdeletion] [adminaccess|asadmin]
 ```
 By default, deleting a Shared Drive that contains any files/folders will fail.
 The `allowitemdeletion` option allows a Super Admin to delete a non-empty Shared Drive.
@@ -299,19 +303,19 @@ This is not reversible, proceed with caution.

 ## Change Shared Drive visibility
 ```
-gam <UserTypeEntity> hide teamdrive <SharedDriveEntity>
-gam <UserTypeEntity> unhide teamdrive <SharedDriveEntity>
+gam <UserTypeEntity> hide shareddrive <SharedDriveEntity>
+gam <UserTypeEntity> unhide shareddrive <SharedDriveEntity>
 ```
 ## Display Shared Drives
 ```
-gam <UserTypeEntity> show teamdriveinfo <SharedDriveEntity>
-gam <UserTypeEntity> info teamdrive <SharedDriveEntity>
+gam <UserTypeEntity> show shareddriveinfo <SharedDriveEntity>
+gam <UserTypeEntity> info shareddrive <SharedDriveEntity>
        [fields <SharedDriveFieldNameList>]
        [guiroles [<Boolean>] [formatjson]
-gam <UserTypeEntity> show teamdriveinfo <SharedDriveEntity>
+gam <UserTypeEntity> show shareddriveinfo <SharedDriveEntity>
        [fields <SharedDriveFieldNameList>]
        [guiroles [<Boolean>] [formatjson]
-gam <UserTypeEntity> show teamdrives
+gam <UserTypeEntity> show shareddrives
        [matchname <REMatchPattern>] (role|roles <SharedDriveACLRoleList>)*
        [fields <SharedDriveFieldNameList>]
        [guiroles [<Boolean>] [formatjson]
@@ -323,7 +327,7 @@ By default, Gam displays all Teams Drives accessible by the user.
 By default, Gam displays the information as an indented list of keys and values.
 * `formatjson` - Display the fields in JSON format.
 ```
-gam <UserTypeEntity> print teamdrives [todrive <ToDriveAttribute>*]
+gam <UserTypeEntity> print shareddrives [todrive <ToDriveAttribute>*]
        [matchname <REMatchPattern>] (role|roles <SharedDriveACLRoleList>)*
        [fields <SharedDriveFieldNameList>] [formatjson [quotechar <Character>]]
 ```
@@ -386,6 +390,51 @@ count=$(gam user user@domain.com print shareddrives showitemcountonly)
 Windows PowerShell
 count = & gam user user@domain.com print shareddrives showitemcountonly
 ```
+## Display Shared Drive Organizers
+The following command can be used instead of the `GetTeamDriveOrganizers.py` script.
+
+```
+gam <UserTypeEntity> print shareddriveorganizers [todrive <ToDriveAttribute>*]
+        [adminaccess|asadmin]
+        [(shareddriveadminquery|query <QuerySharedDrive>) |
+         (shareddrives|teamdrives (<SharedDriveIDList>|(select <FileSelector>|<CSVFileSelector>)))]
+        [orgunit|org|ou <OrgUnitPath>]
+        [matchname <REMatchPattern>]
+        [domainlist <DomainList>]
+        [includetypes <OrganizerTypeList>]
+        [oneorganizer [<Boolean>]]
+        [shownorganizerdrives [false|true|only]]
+        [includefileorganizers [<Boolean>]]
+        [delimiter <Character>]
+```
+Options `shareddriveadminquery|query` and `shareddrives|teamdrives` are mutually exclusive.
+
+Options `shareddriveadminquery|query` and `orgunit|org|ou` require `adminaccess|asadmin`.
+
+By default, organizers for all Shared Drives are displayed; use the following options to select a subset of Shared Drives:
+* `teamdriveadminquery|query <QueryTeamDrive>` - Use a query to select Shared Drives
+* `shareddrives|teamdrives <SharedDriveIDList>` - Select the Shared Drive IDs specified in `<SharedDriveIDList>`
+* `shareddrives|teamdrives select <FileSelector>|<CSVFileSelector>` - Select the Shared Drive IDs specified in `<FileSelector>|<CSVFileSelector>`
+* `orgunit|org|ou <OrgUnitPath>` - Only Shared Drives in the specified Org Unit are selected
+* `matchname <REMatchPattern>` - Retrieve Shared Drives with names that match a pattern.
+
+For multiple organizers:
+* `delimiter <Character>` - Separate `organizers` entries with `<Character>`; the default value is `csv_output_field_delimiter` from `gam.cfg`.
+
+The command defaults do not match the script defaults, they are set for the most common use case:
+* `domainlist` - The workspace primary domain
+* `includetypes` - user
+* `oneorganizer` - True
+* `shownoorganizerdrives` - True
+* `includefileorganizers` - False
+
+To select organizers from any domain, use: `domainlist ""`
+
+For example, to get a single user organizer from your domain for all Shared Drives including no organizer drives:
+```
+gam redirect csv ./TeamDriveOrganizers.csv print shareddriveorganizers
+```
+
 ## Manage Shared Drive access
 These commands must be issued by a user with Shared Drive permission role organizer.
 ### Process single ACLs.
@@ -458,14 +507,14 @@ The `quotechar <Character>` option allows you to choose an alternate quote chara

 ## Display Shared Drive access for selected Shared Drives
 ```
-gam <UserTypeEntity> show teamdriveacls
+gam <UserTypeEntity> show shareddriveacls
        adminaccess [teamdriveadminquery|query <QueryTeamDrive>]
        [matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
        [user|group <EmailAddress> [checkgroups]] (role|roles <SharedDriveACLRoleList>)*
        <PermissionMatch>* [<PermissionMatchAction>] [pmselect]
        [oneitemperrow] [<DrivePermissionsFieldName>*|(fields <DrivePermissionsFieldNameList>)]
        [formatjson [quotechar <Character>]]
-gam <UserTypeEntity> print teamdriveacls [todrive <ToDriveAttribute>*]
+gam <UserTypeEntity> print shareddriveacls [todrive <ToDriveAttribute>*]
        adminaccess [teamdriveadminquery|query <QueryTeamDrive>]
 	[matchname <REMatchPattern>] [orgunit|org|ou <OrgUnitPath>]
        [user|group <EmailAddress> [checkgroups]] (role|roles <SharedDriveACLRoleList>)*
@@ -488,7 +537,7 @@ By default, all ACLS are displayed; use the following options to select a subset
 * `role|roles <SharedDriveACLRoleList>` - Display ACLs for the specified roles only.
 * `<PermissionMatch>* [<PermissionMatchAction>]` - Use permission matching to display a subset of the ACLs for each Shared Drive; this only applies when `pmselect` is not specified

-With `print teamdriveacls` or `show teamdrivecls formatjson`, the ACLs selected for display are all output on one row/line as a repeating item with the matching Shared Drive id.
+With `print shareddriveacls` or `show shareddrivecls formatjson`, the ACLs selected for display are all output on one row/line as a repeating item with the matching Shared Drive id.
 When `oneitemperrow` is specified, each ACL is output on a separate row/line with the matching Shared Drive id and name. This simplifies processing the CSV file with subsequent Gam commands.

 By default, when writing CSV files, Gam uses a quote character of double quote `"`. The quote character is used to enclose columns that contain
--- a/wiki/Version-and-Help.md
+++ b/wiki/Version-and-Help.md
@@ -3,9 +3,9 @@
 Print the current version of Gam with details
 ```
 gam version
-GAM 7.07.17 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.09.01 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.3 64-bit final
+Python 3.13.4 64-bit final
 MacOS Sequoia 15.5 x86_64
 Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
@@ -15,9 +15,9 @@ Time: 2023-06-02T21:10:00-07:00
 Print the current version of Gam with details and time offset information
 ```
 gam version timeoffset
-GAM 7.07.17 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.09.01 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.3 64-bit final
+Python 3.13.4 64-bit final
 MacOS Sequoia 15.5 x86_64
 Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
@@ -27,9 +27,9 @@ Your system time differs from www.googleapis.com by less than 1 second
 Print the current version of Gam with extended details and SSL information
 ```
 gam version extended
-GAM 7.07.17 - https://github.com/GAM-team/GAM - pyinstaller
+GAM 7.09.01 - https://github.com/GAM-team/GAM - pyinstaller
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.3 64-bit final
+Python 3.13.4 64-bit final
 MacOS Sequoia 15.5 x86_64
 Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
@@ -64,7 +64,7 @@ MacOS High Sierra 10.13.6 x86_64
 Path: /Users/Admin/bin/gam7
 Version Check:
  Current: 5.35.08
-   Latest: 7.07.17
+   Latest: 7.09.01
 echo $?
 1
 ```
@@ -72,7 +72,7 @@ echo $?
 Print the current version number without details
 ```
 gam version simple
-7.07.17
+7.09.01
 ```
 In Linux/MacOS you can do:
 ```
@@ -82,9 +82,9 @@ echo $VER
 Print the current version of Gam and address of this Wiki
 ```
 gam help
-GAM 7.07.17 - https://github.com/GAM-team/GAM
+GAM 7.09.01 - https://github.com/GAM-team/GAM
 GAM Team <google-apps-manager@googlegroups.com>
-Python 3.13.3 64-bit final
+Python 3.13.4 64-bit final
 MacOS Sequoia 15.5 x86_64
 Path: /Users/Admin/bin/gam7
 Config File: /Users/admin/GAMConfig/gam.cfg, Section: DEFAULT, customer_id: my_customer, domain: domain.com
--- a/wiki/gam.cfg.md
+++ b/wiki/gam.cfg.md
@@ -328,6 +328,16 @@ enable_dasa
        admin_email, customer_id and domain must be set when enable_dasa is True,
        customer_id may not be set to my_customer
        Signal file: OldGamPath/enabledasa.txt
+enforce_expansive_access
+        The default value for option `enforceexpansiveaccess` in all commands that delete or update drive file ACLs/permissions.
+        gam <UserTypeEntity> delete permissions
+        gam <UserTypeEntity> delete drivefileacl
+        gam <UserTypeEntity> update drivefileacl
+        gam <UserTypeEntity> copy drivefile
+        gam <UserTypeEntity> move drivefile
+        gam <UserTypeEntity> transfer ownership
+        gam <UserTypeEntity> claim ownership
+        Default: False
 event_max_results
        When retrieving lists of Calendar events from API,
        how many should be retrieved in each API call