Intro

When organizations migrate to G Suite, they expect many of their old processes and systems to migrate as well. This includes the password life-cycle process! Even if an organization is starting up with G Suite, having a password life-cycle option is a good security practice and it will help securing the user accounts.

Out of the box, there is no password reset cycle or life-cycle in G Suite, but it is not hard to implement using the API or GAM.

In this article, I’ll explain how it can be done using GAM, then in another article, I’ll demonstrate how to do it with the APIs (using App Maker and maybe some other tool as well).

Advertisements

Requirements

I’m going to demonstrate this using Windows environment, through a scheduled task. The concept is the same for Linux OS though, except instead of using Task Scheduler, you will need to use cron jobs.

You also must have GAM installed and you need to configure it as well. Without GAM being ready you will not be able to do the rest of the steps.

Now how to do stuff!

Building the script

To start off, you need to have GAM configured in a known location in your Windows machine (be it a server or a client computer).

Once that is confirmed, the next step is to open ‘notepad.exe‘ and have the following command in it:

The above script will do the following two actions:

  1. It will retrieve all users from your Admin Console and store them in a file named ‘allUsers.txt
  2. Then it will change the option ‘Require password change‘ to ON for each user in the Admin Console…

Once you are done, save the file as a *.bat file. To do that you need to open the save dialog of your Notepad, then select the file type to ‘All files’, then type the full name of the script file such as ‘”passwordCycle.bat”‘

Make sure you type those double-quotation marks at the start and end of the file name!

You need also to save the file in the same folder where GAM is configured and located on your computer/workstation.

Once that is done, the script is ready. Now it is time to setup the scheduled task.

Setup the scheduled task

Setting up a scheduled task in Windows is a straight forward task.

All you need to do is to follow these steps:

  • Open the start menu/charm/whatever it is now called in Windows now… :/
  • Type ‘Task Scheduler‘ then click on the actual tool once it shows in the search results…
  • In the right side menu, click ‘Create Task…
  • Type whatever name you want for the new task in the ‘Name’ field, then make sure you enter credentials for a user account who is authorized to run tasks and login as a batch job in the ‘Security options‘ section.
  • Make sure you select ‘Run whether user is logged in or not‘. This is an important option that will cause the task not to work properly and the password reset schedules to be missed in case the server/computer/workstation was idle and not being used or no user is logged in to that Windows…
  • Then in the ‘Triggers‘ tab, click ‘New‘ to define a new trigger and schedule for the task.
  • In the New Trigger window, define your own preferences for how to start the task and when, the save/click Ok…
  • Now go to ‘Actions‘ tab, and click ‘New‘ as well.
  • Fill in the information of the new action as follows:
    • Action: Start a program
    • Program/script: cmd.exe
    • Add arguments: /c “FULL_PATH_TO_BAT_FILE” (in my case it is /c “C:\gam\passwordCycle.bat”)
    • Start in: FULL_PATH_TO_GAM_FOLDER (which should also contain the batch file. In my case it is C:\gam)
  • Once done, click OK, and then click OK again to create the task.
  • You will be prompted to enter the credentials of the user that will be used to run this task. Even if you are using the same user that is logged in now, you will still need to enter the credentials for it.

Testing

Now that the scheduled task is created, you can either wait for it to run on its own, or right-click it and choose ‘Run’. This will run the task for you and you can monitor its status. After it is completed, you can go to Admin Console and check the option ‘Required password change’ and verify it is now ON.

Finally

So this is it! Please let me know if this worked for you or if you have any issues. This is a straight process though and is relatively common in Windows to create scheduled tasks.


Checkout my other blog posts here.

Check out my channel on Youtube and subscribe :-):


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: