| run_gam_commandA | Escape hatch for GAM commands not covered by a dedicated tool.
Prefer the specific semantic tools when available. |
| validate_gam_commandA | Validates the structure of a proposed GAM command before execution.
Checks executable availability, known top-level verbs, and bulk command
structural rules. Does NOT execute the command.
Returns 'VALID' or a descriptive error/warning message. |
| build_bulk_gam_commandA | Constructs a GAM bulk processing command from structured inputs without executing it.
Returns the full command string for review. Pass the args to validate_gam_command,
then run_gam_command if valid.
gam_command_template uses ~ColumnName for standalone column values and
~~ColumnName~~ when embedded within a larger string argument.
Example: ["update", "user", "~primaryEmail", "ou", "/Staff/~~Department~~"]
Use processing_mode 'loop' for rate-sensitive or ordered operations.
Use 'csv' for parallelized operations. Use 'tbatch' when nesting 'gam csv' inside a batch file.
|
| configure_todrive_noemailA | Step 1 of the MyDrive → Shared Drive migration workflow.
Sets the GAM configuration flag `todrive_noemail` to true so that
emails are NOT sent to impersonated users when GAM writes output
to Google Sheets via todrive.
Run this ONCE before starting any audit steps.
GAM command:
gam config todrive_noemail true
|
| audit_file_inventoryA | Step 2 — Master file/folder inventory.
Prints every file and folder under the source folder with full
metadata and resolved file paths, then writes the results to the
specified Google Sheet tab.
Fields returned: id, name, mimeType, owners, parents, size,
modifiedTime, createdTime, trashed. `filepath` resolves the full
path from root. `excludetrashed` omits deleted content.
NOTE: If the user has not yet created a Google Sheet, instruct them
to create one named "Migration Audit" with tabs: file_audit,
all_permissions, file_count, own, not_owner, external_owner,
public_files, shortcuts, shared_drive_members, migration_log,
post_migration_permissions.
Args:
user_email: The email of the user who owns the source folder.
folder_id: The ID of the source folder to audit.
sheet_id: The ID of the Google Sheet for output.
sheet_name: The tab name to write to (default: "file_audit").
GAM command:
gam user <user_email> print filelist select <folder_id>
fields "id,name,mimeType,owners,parents,size,modifiedTime,
createdTime,trashed" filepath excludetrashed
todrive tdfileid <sheet_id> tdsheet "<sheet_name>"
tdupdatesheet tdretaintitle
|
| audit_file_countsA | Step 3 — File count and storage summary.
Produces a per-MIME-type breakdown of file counts and storage used
inside the source folder. Useful for capacity planning on the
destination Shared Drive.
Args:
user_email: The email of the user who owns the source folder.
folder_id: The ID of the source folder.
sheet_id: The ID of the Google Sheet for output.
sheet_name: The tab name (default: "file_count").
GAM command:
gam user <user_email> print filecounts query "'<folder_id>' in parents"
showsize showmimetypesize excludetrashed
todrive tdfileid <sheet_id> tdsheet "<sheet_name>"
tdupdatesheet tdretaintitle
|
| audit_owned_filesA | Step 4 — Files owned by the migrating user.
Only files owned by the user can be *moved* (not just copied) to a
Shared Drive. This audit isolates those items.
Args:
user_email: The email of the user who owns the source folder.
folder_id: The ID of the source folder.
sheet_id: The ID of the Google Sheet for output.
sheet_name: The tab name (default: "own").
GAM command:
gam user <user_email> print filelist select <folder_id>
showownedby me
fields "id,name,mimeType,owners,modifiedTime"
filepath excludetrashed
todrive tdfileid <sheet_id> tdsheet "<sheet_name>"
tdupdatesheet tdretaintitle
|
| audit_not_owned_filesA | Step 5 — Files owned by others.
Files owned by other users inside this folder structure will NOT
transfer with a standard move to a Shared Drive. The host should
inform the requesting user which folders/files are affected and
that those items cannot be migrated.
Args:
user_email: The email of the user who owns the source folder.
folder_id: The ID of the source folder.
sheet_id: The ID of the Google Sheet for output.
sheet_name: The tab name (default: "not_owner").
GAM command:
gam user <user_email> print filelist select <folder_id>
showownedby others
fields "id,name,mimeType,owners,sharingUser,modifiedTime"
filepath excludetrashed
todrive tdfileid <sheet_id> tdsheet "<sheet_name>"
tdupdatesheet tdretaintitle
|
| audit_all_permissionsA | Step 6 — Full Access Control List audit.
Lists every permission entry (one row per ACL) for every file and
folder under the source. This sheet is the master reference used
by the permission-reapplication steps (12–14) after migration.
basicpermissions returns: allowFileDiscovery, deleted, domain,
emailAddress, expirationTime, id, role, type.
Args:
user_email: The email of the user who owns the source folder.
folder_id: The ID of the source folder.
sheet_id: The ID of the Google Sheet for output.
sheet_name: The tab name (default: "all_permissions").
GAM command:
gam user <user_email> print filelist select <folder_id>
fields "id,name,mimeType,basicpermissions,owners"
filepath excludetrashed oneitemperrow pmfilter
todrive tdfileid <sheet_id> tdsheet "<sheet_name>"
tdupdatesheet tdretaintitle
|
| audit_external_permissionsA | Step 7 — Files shared with users outside your organisation.
Flags files that have at least one permission entry for a user NOT
in the specified domain. These may require cleanup or
re-evaluation before migrating to a Shared Drive with different
sharing policies.
Args:
user_email: The email of the user who owns the source folder.
folder_id: The ID of the source folder.
sheet_id: The ID of the Google Sheet for output.
domain: Your organisation's domain (e.g. "company.com").
sheet_name: The tab name (default: "external_owner").
GAM command:
gam user <user_email> print filelist select <folder_id>
fields "id,name,mimeType,basicpermissions,owners"
filepath excludetrashed
permissionmatch type user notdomainlist <domain> endmatch
pmfilter oneitemperrow
todrive tdfileid <sheet_id> tdsheet "<sheet_name>"
tdupdatesheet tdretaintitle
|
| audit_public_filesA | Step 8 — Files accessible to "anyone with the link" or publicly.
These are the highest-risk files from a security stand-point.
Shared Drives can restrict this behaviour at the drive level, so
you need to know what you are inheriting.
Args:
user_email: The email of the user who owns the source folder.
folder_id: The ID of the source folder.
sheet_id: The ID of the Google Sheet for output.
sheet_name: The tab name (default: "public_files").
GAM command:
gam user <user_email> print filelist select <folder_id>
fields "id,name,mimeType,basicpermissions,owners"
filepath excludetrashed
permissionmatch type anyone endmatch
pmfilter oneitemperrow
todrive tdfileid <sheet_id> tdsheet "<sheet_name>"
tdupdatesheet tdretaintitle
|
| audit_shortcutsA | Step 9 — Identify Google Drive shortcuts.
Shortcuts pointing to files outside the migration scope will break
after the move since they reference the original file's location.
shortcutDetails returns the targetId and targetMimeType so you can
determine whether the target will also be in the Shared Drive
post-migration.
Args:
user_email: The email of the user who owns the source folder.
folder_id: The ID of the source folder.
sheet_id: The ID of the Google Sheet for output.
sheet_name: The tab name (default: "shortcuts").
GAM command:
gam user <user_email> print filelist select <folder_id>
showmimetype gshortcut
fields "id,name,shortcutDetails,parents,owners"
filepath excludetrashed
todrive tdfileid <sheet_id> tdsheet "<sheet_name>"
tdupdatesheet tdretaintitle
|
| audit_shared_drive_membersA | Step 10 — List existing Shared Drives and their members.
Confirms the destination Shared Drive exists and who has what level
of access. The migrating user must be a Manager on the Shared
Drive to move files into it.
Args:
user_email: The email of the admin user running the query.
sheet_id: The ID of the Google Sheet for output.
sheet_name: The tab name (default: "shared_drive_members").
GAM command:
gam user <user_email> print teamdriveacls
fields "id,name,role,type,emailAddress"
todrive tdfileid <sheet_id> tdsheet "<sheet_name>"
tdupdatesheet tdretaintitle
|
| execute_migration_moveA | Step 11 — Move the source folder tree to the Shared Drive.
DESTRUCTIVE — requires confirmed=True to execute.
Recursively moves the folder tree into the destination Shared Drive,
merging duplicate folders and overwriting older duplicate files.
Folder permissions are copied for both merged and newly created folders.
NOTE: Run ALL audit steps (1–10) before executing this step.
NOTE: CSV/todrive logging is not supported by `move drivefile`. To retain
a record of the move, redirect stdout/stderr to a log file at the shell
level, or run a `print filelist` audit step before and after migration.
Args:
user_email: The email of the folder owner (must be a Shared Drive
Manager/Organizer of the destination).
folder_id: The ID of the source folder.
shared_drive_id: The ID of the destination Shared Drive.
confirmed: Must be True to execute. False returns a preview.
GAM command:
gam user <user_email> move drivefile <folder_id>
teamdriveparentid <shared_drive_id>
duplicatefiles overwriteolder
duplicatefolders merge
copymergedtopfolderpermissions true
copymergedsubfolderpermissions true
summary
|
| reapply_user_group_permissionsA | Step 12 — Reapply user and group permissions from the audit sheet.
DESTRUCTIVE — requires confirmed=True to execute.
Reads the all_permissions sheet and re-creates every user/group ACL
on the corresponding file in the Shared Drive. Processes only
rows where permission.type is "user" or "group".
INFO: Ownership cannot be transferred via ACL on a Shared Drive.
In Shared Drives the drive itself is the owner — owner-role rows
from the audit sheet will be silently ignored.
Args:
user_email: The admin email executing the command.
sheet_id: The ID of the Google Sheet containing the audit.
sheet_name: The tab containing ACL data (default: "all_permissions").
confirmed: Must be True to execute. False returns a preview.
GAM command:
gam config csv_input_row_filter "permission.type:regex:user|group"
redirect stdout ./reapply_user_group_perms.txt multiprocess
redirect stderr stdout
csv gsheet <user_email> <sheet_id> <sheet_name>
gam user <user_email> create drivefileacl "~id"
"~permission.type" "~permission.emailAddress"
role "~permission.role" nodetails
|
| reapply_domain_permissionsA | Step 13 — Reapply domain-wide permissions from the audit sheet.
DESTRUCTIVE — requires confirmed=True to execute.
Reads the all_permissions sheet and re-creates every domain ACL on
the corresponding file in the Shared Drive. Includes the
allowFileDiscovery setting so domain-wide visibility is preserved.
Args:
user_email: The admin email executing the command.
sheet_id: The ID of the Google Sheet containing the audit.
sheet_name: The tab containing ACL data (default: "all_permissions").
confirmed: Must be True to execute. False returns a preview.
GAM command:
gam config csv_input_row_filter "permission.type:regex:domain"
redirect stdout ./reapply_domain_perms.txt multiprocess
redirect stderr stdout
csv gsheet <user_email> <sheet_id> <sheet_name>
gam user <user_email> create drivefileacl "~id"
"~permission.type" "~permission.domain"
role "~permission.role"
allowfilediscovery "~permission.allowFileDiscovery"
nodetails
|
| reapply_anyone_permissionsA | Step 14 — Reapply "anyone" (public) permissions from the audit sheet.
DESTRUCTIVE — requires confirmed=True to execute.
If the audit captured any "anyone with the link" ACLs, this step
reapplies them. Consider whether public access is appropriate on
the destination Shared Drive before confirming.
Args:
user_email: The admin email executing the command.
sheet_id: The ID of the Google Sheet containing the audit.
sheet_name: The tab containing ACL data (default: "all_permissions").
confirmed: Must be True to execute. False returns a preview.
GAM command:
gam config csv_input_row_filter "permission.type:regex:anyone"
redirect stdout ./reapply_anyone_perms.txt multiprocess
redirect stderr stdout
csv gsheet <user_email> <sheet_id> <sheet_name>
gam user <user_email> create drivefileacl "~id"
anyone role "~permission.role"
allowfilediscovery "~permission.allowFileDiscovery"
nodetails
|
| audit_post_migration_permissionsA | Step 15 — Post-migration permissions audit on the Shared Drive.
After reapplying permissions (steps 12–14), run this final audit
against the Shared Drive to confirm the ACLs match what was
recorded pre-migration. Compare this tab against the
all_permissions tab to verify correctness.
Args:
user_email: The admin email executing the command.
shared_drive_id: The ID of the destination Shared Drive.
sheet_id: The ID of the Google Sheet for output.
sheet_name: The tab name (default: "post_migration_permissions").
GAM command:
gam user <user_email> print filelist select <shared_drive_id>
fields "id,name,mimeType,basicpermissions,owners"
filepath excludetrashed oneitemperrow pmfilter
todrive tdfileid <sheet_id> tdsheet "<sheet_name>"
tdupdatesheet tdretaintitle
|
| transfer_calendar_eventA | Transfers a calendar event from one user to another.
Note: GAM7 v7.31.03+ removed the direct calendar transfer command
due to Calendar API changes. This tool will update the event's organizer field
and add the destination user as an organizer-level attendee.
WARNING: The Meet link may break if the original organizer leaves the org.
Args:
source_user_email: The original organizer of the event.
destination_user_email: The new organizer for the event.
event_id: The ID of the calendar event.
confirmed: Must be True to execute. If False, returns a preview.
GAM pattern:
gam calendar <source_user_email> update event id <event_id>
organizer <destination_user_email>
|
| create_collaborative_inbox_groupA | Creates a new Google Group configured as a Collaborative Inbox.
Args:
group_email: The email address for the new group.
group_name: The display name for the new group.
initial_member_emails: List of email addresses to add as members.
who_can_post: Posting permission setting. Defaults to "ALL_MEMBERS_CAN_POST".
confirmed: Must be True to execute. If False, returns a preview.
GAM pattern:
1. gam create group <group_email> name <group_name>
2. gam update group <group_email> setting isArchived false whoCanPostMessage <who_can_post> enableCollaborativeInbox true
3. for each member: gam update group <group_email> add member <member_email>
|
| get_group_permissions_to_sheetA | Retrieves group members and their roles, outputting to a Google Sheet.
Uses multiprocess redirect to quickly gather many groups.
Args:
group_emails: List of group email addresses to query.
output_sheet_id: ID of the Google Sheet for output.
output_sheet_name: Tab name for the output sheet.
GAM pattern:
gam redirect csv - multiprocess todrive tdfileid <id> tdsheet <name> tdupdatesheet
print group-members group <email1> <email2> ...
|
| create_gws_userA | Creates a new Google Workspace user.
Args:
first_name: The first name of the user.
last_name: The last name of the user.
primary_email: The primary email address for the new user.
org_unit_path: The organizational unit path (e.g., '/Staff/Engineering').
password: The initial password for the user.
change_password_at_next_login: Whether to force password change on first login.
confirmed: Must be True to execute. If False, returns a preview.
GAM pattern:
gam create user <primary_email> firstname <first_name> lastname <last_name>
org <org_unit_path> password <password> changepassword <true/false>
|
| identify_workspace_entityA | Identifies a Workspace entity (user, group, alias, etc.) by its email or ID.
Args:
identifier: The email address or resource identifier to query.
GAM pattern:
gam whatis <identifier>
|
| get_gmail_log_eventsB | Retrieves Gmail log events and optionally writes them to a Google Sheet.
Args:
actor_email: Optional email to filter logs for a specific actor.
start_date: Optional start date (YYYY-MM-DD).
end_date: Optional end date (YYYY-MM-DD).
event_name: Optional event name to filter.
output_sheet_id: Optional Sheet ID for output. Strongly recommended.
output_sheet_name: Tab name for sheet output.
GAM pattern:
gam report gmail [actor <actor_email>] [start <start_date>]
[end <end_date>] [event <event_name>] [todrive ...]
|
| get_user_email_count_to_sheetA | Retrieves email counts for specific labels across multiple users.
Uses multiprocess redirect if outputting to a sheet.
Args:
user_emails: List of user emails to query.
label: The Gmail label to count (e.g., 'INBOX', 'TRASH').
output_sheet_id: Optional Sheet ID for output.
output_sheet_name: Tab name for sheet output.
GAM pattern:
gam [redirect csv - multiprocess todrive ...]
user <email1>,<email2> show messages label <label> countsonly
|
| bulk_process_from_sheetA | Executes a GAM bulk command using a Google Sheet as the data source.
Args:
operator_email: The email of the admin running the command (needs access to the sheets).
sheet_file_id: The ID of the source Google Sheet.
sheet_name: The tab name containing the source data.
gam_command_template: List of command template fragments using ~ColumnName syntax.
match_field: Optional column name to filter on.
match_pattern: Optional regex pattern to match against match_field.
redirect_to_sheet_id: Optional Sheet ID to write results to.
redirect_to_sheet_name: Tab name for results.
confirmed: Must be True to execute. If False, returns a preview.
GAM pattern:
[redirect csv - multiprocess todrive tdfileid <id> tdsheet "<name>" tdupdatesheet]
csv gsheet <operator_email> <sheet_file_id> "<sheet_name>"
[matchfield <match_field> <match_pattern>]
gam <gam_command_template...>
|