Use a third-party tool for quick mass provisioning

This article is for IT administrators who have limited time to provision 50,000+ user accounts.  

For quick, large-scale account provisioning, you can use third-party solutions. For example, the free, downloadable, open-source Google Apps Manager (GAM) uses the Admin SDK Directory API to create and manage G Suite users and groups.

GAM interacts with many Google APIs, which you can use to also manage other account features and resources. For more information about integrations with third parties, visit the tutorials page at Solve with Google Cloud.

Important: Google Cloud Support doesn’t support GAM or other third-party solutions. We support the Admin SDK Directory API those tools use. GAM is subject to the Apache 2.0 license, which provides the terms and conditions for your use, reproduction, and distribution of GAM.

Before you begin

Provisioning accounts on a large scale requires: 

  • Facility with command-line prompts
  • A paid G Suite account that is: 

Step 1: Avoid account conflicts

Some of your users might have a personal Google Account, such as a Gmail address, which could generate conflicts when you provision their new, managed G Suite or Cloud Identity account. To avoid such issues:

  1. Read About conflicting accounts.
  2. Learn how to Find and manage existing accounts.

Step 2: Create a simple, flat organizational structure

Avoid creating a complex organizational unit hierarchy with many levels. You can modify the hierarchy and move users later. Here are some tips on setting up a simplified organizational structure:

  • Focus on the services and features the users you manage need to access.
  • Restrict service and feature availability at the top-level organizational unit, granting access to child organizational units.

Read more about How the organizational structure works.

Education example

In the table below, the structure on the left shows the actual structure of the organization. Initially, this structure might be difficult to manage, for example, if you must repeatedly grant teachers access to advanced Google Meet features for numerous organizational units in the school. 

The proposed structure focuses on functionality. As an admin, you can easily turn off services and features for all students in the /Students organizational unit. For example, you might turn off self-service password recovery and apply YouTube restrictions. You might also enable advanced functionality for teachers and other staff members, such as Meet streaming and recording and 2-Step Verification.

Example organizational structure:

  • /School 1/Staff/Teachers
  • /School 1/Students/Year 2020/Class A
  • /School 1/Students/Year 2020/...
  • /School 2/Staff/Teachers
  • /School 2/Students/Year 2020/Class C
  • /School 2/Students/Year 2020/...

Recommended organizational structure:

  • / (root OrgUnit)
  • /Students
  • /Staff/IT
  • /Staff/Teachers

Large organization example

First, determine what services and features your users need. Then:

  1. Apply these settings at the top-level organizational unit.
    Unless you override those settings, child organizational units will inherit them. Examples:
  2. For added security, require departments to use 2-Step Verification.

Example organizational structure:

  • /
  • /Sales
  • /IT
  • /Legal

Recommended organizational structure:

  • / (root organizational unit)
  • /2SV-Enforced (IT and Legal)
  • /2SV (and allow external sharing)

Step 3: Prepare a data source

Create a comma-separated value (CSV) file with the necessary data to proceed with user account creation. Required fields: 

  • FirstName
  • LastName
  • PrimaryEmail—The email the user will sign in with
  • Password—Must be at least 8 characters
  • OrgUnit—To create users in their respective organizational units, taking into account the recommendations above

    Note: Enter a / (forward slash) to place users in your top-level (root) organizational unit. Separate child organizational units with a forward slash—for example /Staff/Teachers.

Education example

FirstName,LastName,PrimaryEmail,Password,OrgUnit
Jane,Doe,id12345678@students.example.com,Zee+HWdt,/Students
John,Smith,john.smith@example.com,X2Ae+pME,/Staff

Large organization example

FirstName,LastName,PrimaryEmail,Password,OrgUnit
Jane,Doe,jane.doe@example.co.uk,V8hmj/QE,/
John,Smith,john.smith@example.com,9/t0UHQ6,/Sales

Step 4: Set up GAM

If you decide to use GAM, follow these recommended steps:

  1. With GAM version 5.10 and above, before executing GAM for the first time, create a file named noshorturls.txt in the same folder as GAM.
    This turns off gam-shortn.appspot.com short URLs.
  2. From the GAM website, download GAM.
  3. Configure the tool.
  4. During setup, when asked if you’re “ready to authorize GAM to manage G Suite user data and settings,” answer N (no) to skip Domain-Wide Delegation.

This command helps you confirm that GAM is associated with the right G Suite account:

gam info domain

Step 5: Create multiple users with GAM

To create the users, GAM reads from a comma-separated value (CSV) file and issues the relevant requests to the Admin SDK Directory API.

If you created a comma-separated value (CSV) file with the fields specified in Step 3 above, this command creates the users in the CSV: 

gam csv users.csv gam create user ~PrimaryEmail firstname ~FirstName lastname ~LastName password ~Password org ~OrgUnit changepassword on

Make sure to:

  1. Create a unique password for each user. 
  2. Use the optional parameter changepassword on to force the user to change their password after their first sign-in.
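
A pre-flight check for users.csv, run before the gam csv command above. This is an added example, not part of GAM or of Google's tooling; it assumes the column names from Step 3, and the function name, messages and sample rows are constructed for illustration.

```python
import csv
import io

REQUIRED = ["FirstName", "LastName", "PrimaryEmail", "Password", "OrgUnit"]

# Constructed sample; line 1 is the header, so the first user is line 2.
SAMPLE = """FirstName,LastName,PrimaryEmail,Password,OrgUnit
Jane,Doe,jane.doe@example.com,k3+Rw9xQ,/Students
John,Smith,john.smith@example.com,short,Staff/Teachers
Ann,Lee,jane.doe@example.com,k3+Rw9xQ,/Staff/
"""

def validate_users_csv(text):
    """Return (line, problem) tuples; an empty list means the file passed."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        return [(1, "missing column(s): " + ", ".join(missing))]
    problems, emails, passwords = [], {}, {}
    for row in reader:
        line = reader.line_num
        for col in REQUIRED:
            if not (row[col] or "").strip():
                problems.append((line, f"{col} is empty"))
        email = (row["PrimaryEmail"] or "").strip().lower()
        pw = row["Password"] or ""
        ou = (row["OrgUnit"] or "").strip()
        if email and email.count("@") != 1:
            problems.append((line, "PrimaryEmail is not a user@domain address"))
        if email in emails:
            problems.append((line, f"PrimaryEmail duplicates line {emails[email]}"))
        elif email:
            emails[email] = line
        # Findings cite line numbers only, so passwords never reach the report.
        if pw and len(pw) < 8:
            problems.append((line, "Password is shorter than 8 characters"))
        if pw in passwords:
            problems.append((line, f"Password reused from line {passwords[pw]}"))
        elif pw:
            passwords[pw] = line
        # "/" alone is the root; child units look like /Staff/Teachers.
        if ou and (not ou.startswith("/")
                   or (ou != "/" and ("//" in ou or ou.endswith("/")))):
            problems.append((line, "OrgUnit is not / or a /Parent/Child path"))
    return problems

if __name__ == "__main__":
    for line, problem in validate_users_csv(SAMPLE):
        print(f"line {line}: {problem}")
```
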

Alternative: What if your data source is missing some fields?

If your data source only has the first and last names and one password for each user, you can create usernames in the format first.last@example.com. For a user named Charlie Smith, use Charlie.Smith@example.com.

The command is:

gam csv users.csv gam create user ~~FirstName~~.~~LastName~~@example.com password ~Password changepassword on

This approach assumes that no users have: 

  • The same name 
  • First and last names with: 
    • Spaces
    • Other disallowed characters 

Go to the Name guidelines for users and groups.

Questions


How can I contact Google Cloud Support?

Go to Contact G Suite support.

If you have questions about the content of this article, include that information in the support case and link the article. To share logs or other details that could help us assist you, contact us by sending an email.

Where can I find information about G Suite for Nonprofits?

For program benefits, eligibility guidelines, and more, visit the Google for Nonprofits help center.

I can’t access the Admin console or my admin account. What should I do?

Go to the sign-in page, enter your username, and click Forgot password?

If you follow the prompts but still can't recover access, you’re offered the option to contact Google Cloud Support. You'll need proof of domain ownership and answers to a few security questions.

How can I confirm whether my domain has been verified?

After creating your G Suite account, you’re prompted to verify ownership of your domain. If you don’t remember doing so, sign in to your Admin console, go to the domains section, and click Manage domains.

The first domain listed is your primary domain. The status column shows whether or not the domain requires verification.

Can Google Cloud Support help me with GAM questions?

Google Cloud Support doesn’t support these or other third-party solutions, only the Admin SDK Directory API those tools use. Although we can’t help with the GAM tool itself, we can help if the underlying APIs, specifically the Admin SDK Directory API, return errors. Learn more GAM commands and techniques at the GAM Wiki.

Need help with GAM? Reach out to a community of G Suite admins willing to offer support, at the GAM discussion group.

If you think there's an issue with the Admin SDK Directory API, provide Google Cloud Support these details:

  • The HTTP method and endpoint that the third-party solution is calling (for example, POST /admin/directory/v1/users?fields=primaryEmail)
  • Response code and message (for example, 403: Not Authorized to access this resource/api - forbidden)

  • Response HTTP header date (for example, Date: Wed, 22 Jun 2020 17:48:48 GMT)
  • Entity making the call: username, service account, or GCP project ID

Remove information such as names, passwords, authentication request headers, IP addresses, values of custom schemas, or any other information you deem sensitive.
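
One way to strip those details from a captured request and response before attaching them to a support case, while keeping the method, endpoint, response code and Date header listed above. This is an added example, not Google's or GAM's code; the trace, the token and the function names are constructed, and the key names assume the Directory API user fields password, name and customSchemas.

```python
import json
import re

# Constructed trace of a failed Directory API call (not real traffic).
TRACE = """POST /admin/directory/v1/users?fields=primaryEmail HTTP/1.1
Host: admin.googleapis.com
Authorization: Bearer ya29.CONSTRUCTED-TOKEN
X-Forwarded-For: 203.0.113.7

{"primaryEmail": "id12345678@example.com", "name": {"givenName": "Jane", "familyName": "Doe"}, "password": "k3+Rw9xQ", "customSchemas": {"hr": {"badge": "A-1001"}}}

HTTP/1.1 403 Forbidden
Date: Wed, 22 Jun 2020 17:48:48 GMT

Not Authorized to access this resource/api
"""

# primaryEmail is kept here; add it if your addresses embed personal names.
SENSITIVE_KEYS = {"password", "name", "customSchemas"}
AUTH_HEADER = re.compile(r"^(authorization|proxy-authorization|cookie)\s*:", re.I)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")  # IPv6 is not handled

def scrub(obj, force=False):
    """Blank every leaf value that sits under a sensitive key, keeping keys."""
    if isinstance(obj, dict):
        return {k: scrub(v, force or k in SENSITIVE_KEYS) for k, v in obj.items()}
    if isinstance(obj, list):
        return [scrub(v, force) for v in obj]
    return "[REDACTED]" if force else obj

def redact_trace(trace):
    out = []
    for line in trace.splitlines():
        header = AUTH_HEADER.match(line)
        if header:
            line = f"{header.group(1)}: [REDACTED]"
        elif line.lstrip().startswith("{"):
            try:
                line = json.dumps(scrub(json.loads(line)))
            except ValueError:
                # Fail closed: a body that cannot be parsed is dropped whole.
                line = "[UNPARSEABLE BODY REDACTED]"
        out.append(IPV4.sub("[REDACTED-IP]", line))
    return "\n".join(out)

if __name__ == "__main__":
    print(redact_trace(TRACE))
```
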

My project is running out of quota. What should I do?

The default quotas should be sufficient for most customers. For additional information about API limits, go to Directory API: Limits and Quotas.

If you still want more quota for your project, consult the requirements in the quota section of the Google Cloud Console:

  1. Open the Cloud Console.
  2. Select the project GAM created at the top.
  3. On the left, click Navigation menu > IAM & Admin > Quotas.
  4. Under Service, filter by Admin SDK (relevant for user provisioning).
  5. Select the items you wish to request more quota for.
  6. At the top, click Edit Quotas.

To enable billing on the GCP project created by GAM, go to How do I enable billing on my current project(s).
