0 votes

Hi all,

Having issues creating a GSuite (Apps for Education) account for my users during a new user creation process.

I set up GAM and the user passes all API tests successfully

However, I receive the following error in the Adaxes web GUI when creating the user:

"An error occurred while creating a Google account. Error: ERROR: 403: Not Authorized to access this resource/api - forbidden"

As stated, no user is created. Any idea how I can go about troubleshooting this?

by (90 points)


We recommend you to re-authorize the user. Make sure that the account used is the Adaxes service account (specified during Adaxes installation). The following forum post should be helpful: https://github.com/jay0lee/GAM/issues/461.

1 Answer

0 votes
by (90 points)
selected by
Best answer

I have located the problem, posting in case it helps anyone else who is in a unique situation.

Because we are education, we split our domain for staff (O365: site.com) and students (GAFE: student.site.com); these cannot use the same domain and retain mail functionality. The non-descriptive error was referring to the domain presented with the %userPrincipalName% variable.

By using %saMAccountName% in lieu of %userPrincipalName%, I was able to pass the data through.

For testing only, a quick/dirty/insecure way to test without error checking was (in case someone needs to troubleshoot GAM):

$firstName = "%firstname%"
$lastName = "%lastname%"
$unicodePwd = %unicodePwd%"
$userName = "%saMAccountName%"

C:\Gam\gam.exe create user $userName firstname $firstName lastname $lastName password $unicodePwd

For production, I suggest modifying line 16 of the Adaxes-provided script to reflect %saMAccountName% instead of %userPrincipalName%

For reference, the account that establishes OAuth does not need to be tied to Adaxes in any way. It just needs to be a service account on GAFE with Super Admin permissions to grant API access.

Related questions

0 votes
1 answer

Is it possible to transliterate the specified first and last name before creating an account so that the correct username, upn etc are formed based on the transliteration?

asked Nov 18 by Alvares (80 points)
0 votes
1 answer

We have a business need for automating and controlling the creation of service accounts in our AD. For example, we want all new service accounts to start with "svc_" for ... customize the "New User" form to create a "New Service Account" workflow in Adaxes?

asked Sep 10, 2021 by joshua.lapchuk (60 points)
0 votes
1 answer

As part of our HR onboarding process, they need to specify non-AD integrated software requirements. Is there a way to have a customised field on the form that when ticked or ... say the name of the software and have it linked to a particular field in AD.

asked Apr 15, 2020 by russmerriman (40 points)
0 votes
1 answer

Hi, I'm trying to create a new user using SPML request and it is returning with an error message as below, I appreciate your help. ErrorReponse: < ... /requestElement> </ProcessRequest> </soap:Body> </soap:Envelope> Thanks, Aravindh

asked Nov 14, 2018 by Aravindh (100 points)
0 votes
1 answer

I need a group created based on %ipPhone% when ever a new user is provisioned. The group name has to match %ipPhone% and have email enabled and to be hidden from the address list. We are on Version 3.8.314823.0

asked Nov 6, 2018 by hgletifer (1.3k points)
2,880 questions
2,600 answers
114,603 users