Duet AI is now Gemini for Google Workspace. Learn more

Use a third-party tool for quick mass provisioning

This article is for IT administrators who have limited time to provision 50,000+ user accounts.  

For quick, large-scale account provisioning, you can use third-party solutions. For example, the free, downloadable, open-source Google Apps Manager (GAM) uses the Admin SDK Directory API to create and manage Google Workspace users and groups.

GAM interacts with many Google APIs, which you can use to also manage other account features and resources. For more information about integrations with third parties, visit the tutorials page at Solve with Google Cloud.

Important: Google Cloud Support doesn’t support GAM or other third-party solutions. We support the Admin SDK Directory API those tools use. GAM is subject to the Apache 2.0 license, which provides the terms and conditions for your use, reproduction, and distribution of GAM.

Before you begin

Provisioning accounts on a large scale requires: 

  • Facility with command-line prompts
  • A paid Google Workspace account that is: 

Step 1: Avoid account conflicts

Some of your users might have a personal Google Account, such as a Gmail address, which could generate conflicts when you provision their new, managed Google Workspace or Cloud Identity account. To avoid such issues:

  1. Read About conflicting accounts.
  2. Learn how to Find and manage existing accounts.

Step 2: Create a simple, flat organizational structure

Avoid creating a complex organizational unit hierarchy with many levels. You can modify the hierarchy and move users later. Here are some tips on setting up a simplified organizational structure:

  • Focus on the services and features the users you manage need to access.
  • Restrict service and feature availability at the top-level organizational unit, granting access to child organizational units.

Read more about How the organizational structure works.

Education example

In the table below, the structure on the left shows the actual structure of the organization. Initially, this structure might be difficult to manage, for example, if you must repeatedly grant teachers access to advanced Google Meet features for numerous organizational units in the school. 

The proposed structure focuses on functionality. As an admin, you can easily turn off services and features for all students in the /Students organizational unit. For example, you might turn off self-service password recovery and apply YouTube restrictions. You might also enable advanced functionality for teachers and other staff members, such as Meet streaming and recording and 2-Step Verification.

Example organizational structure Recommended organizational structure

/School 1/Staff/Teachers

/School 1/Students/Year 2020/Class A

/School 1/Students/Year 2020/...

/School 2/Staff/Teachers

/School 2/Students/Year 2020/Class C

/School 2/Students/Year 2020/...

/ (root OrgUnit)




Large organization example

First, determine what services and features your users need. Then:

  1. Apply these settings at the top-level organizational unit.
    Unless you override those settings, child organizational units will inherit them. Examples:
  2. For added security, require departments to use 2-Step Verification.
Example organizational structure Recommended organizational structure





/ (root organizational unit)

/2SV-Enforced (IT and Legal)

/2SV (and allow external sharing)

Step 3: Prepare a data source

Create a comma-separated value (CSV) file with the necessary data to proceed with user account creation. Required fields: 

  • FirstName
  • LastName
  • PrimaryEmail—The email the user will sign in with
  • Password—Must be at least 8 characters
  • OrgUnit—To create users in their respective organizational units, taking into account the recommendations above

    Note: Enter a / (forward slash) to place users in your top-level (root) organizational unit. Separate child organizational units with a forward slash—for example /Staff/Teachers.

Education example




Large organization example




Step 4: Set up GAM

If you decide to GAM, follow these recommended steps:

  1. With GAM version 5.10 and above, before executing GAM for the first time, create a file named noshorturls.txt in the same folder as GAM.
    This turns off short URLs.
  2. From the GAM website, download GAM.
  3. Configure the tool.
  4. During setup, when asked if you’re “ready to authorize GAM to manage Google Workspace user data and settings,” answer N (no) to skip Domain-Wide Delegation.

This command helps you confirm that GAM is associated with the right Google Workspace account:

gam info domain

Step 5: Create multiple users with GAM

To create the users, GAM reads from a comma-separated value (CSV) file and issues the relevant requests to the Admin SDK Directory API.

If you created a comma-separated value (CSV) file with the fields specified in Step 3 above, this command creates the users in the CSV: 

gam csv users.csv gam create user ~PrimaryEmail firstname ~FirstName lastname ~LastName password ~Password org ~OrgUnit changepassword on

Make sure to:

  1. Create a unique password for each user. 
  2. Use the optional parameter changepassword on to force the user to change their password after their first sign-in.

Alternative: What if your data source is missing some fields?

If your data source only has the first and last names and one password for each user, you can create usernames in the format For a user named Charlie Smith, use

The command is:

gam csv users.csv gam create user password ~Password changepassword on

This approach assumes that no users have: 

  • The same name 
  • First and last names with: 
    • Spaces
    • Other disallowed characters 

Go to the Name guidelines for users and groups.


Open all   |   Close all

How can I contact Google Cloud Support?

Go to Contact ​Google Workspace​ support

If you have questions about the content of this article, include that information in the support case and link the article. To share logs or other details that could help us assist you, contact us by sending an email.

Where can I find information about Google Workspace for Education application and approval?

For details about the Google Workspace for Education process, go to: 

Where can I find information about G Suite for Nonprofits?
For program benefits, eligibility guidelines, and more, visit the Google for Nonprofits help center.
I can’t access the Admin console or my admin account. What should I do?
Go to the sign-in page, enter your username, and click Forgot password? 
If you follow the prompts but still can't recover access, you’re offered the option to contact Google Cloud Support. You'll need proof of domain ownership and answers to a few security questions.
How can I confirm whether my domain has been verified?

After creating your Google Workspace account, you’re prompted to verify ownership of your domain. If you don’t remember doing so, sign in to your Admin console, go to the domains section, and click Manage domains

The first domain listed is your primary domain. The status column shows whether or not the domain requires verification.

Can Google Cloud Support help me with GAM questions?

Google Cloud Support doesn’t support these or other third-party solutions, only the Admin SDK Directory API those tools use. Although we can’t help with the GAM tool itself, we can help if the underlying APIs return errors, specifically Admin SDK Directory API. Learn more GAM commands and techniques at the GAM Wiki

Need help with GAM? Reach out to a community of Google Workspace admins willing to offer support, at the GAM discussion group.

If you think there's an issue with the Admin SDK Directory API, provide Google Cloud Support these details:

  • The HTTP method and endpoint that the third-party solution is calling (for example, POST /admin/directory/v1/users?fields=primaryEmail)
  • Response code and message (for example, 403: Not Authorized to access this resource/api - forbidden)

  • Response HTTP header date (for example, Date: Wed, 22 Jun 2020 17:48:48 GMT)
  • Entity making the call: username, service account, or Google Cloud project ID

Remove information such as names, passwords, authentication request headers, IP addresses, values of custom schemas, or any other information you deem sensitive.

My project is running out of quota. What should I do?

The default quotas should be sufficient for most customers. For additional information about API limits, go to Directory API: Limits and Quotas.

If you still want more quota for your project, consult the requirements in the quota section of the Google Cloud console:

  1. Open the Google Cloud console
  2. Select the project GAM created at the top. 
  3. On the left, click Navigation menu  > IAM & Admin > Quotas
  4. Under Service, filter by Admin SDK (relevant for user provisioning). 
  5. Select the items you wish to request more quota for. 
  6. At the top, click Edit Quotas

To enable billing on the Google Cloud project created by GAM, go to How do I enable billing on my current project(s).

Related topics

Was this helpful?

How can we improve it?
Clear search
Close search
Google apps
Main menu
Search Help Center