Can't remove permission from a Google Drive File
370 views
Skip to first unread message
Lauryn Thomas
Jul 18, 2025, 8:06:18 PM7/18/25
to GAM for Google Workspace
Hello,
I am trying to remove external users from certain drive files in the domain. I used gam user file...@example.com show drivefileacls <fileId>
Then I copied the file ID from that, and then did gam user <owner> delete drivefileacl <fileId> <permissionId> and get the following error "Delete Failed: The authenticated user does not have the required access to delete the permission."
So then I tried to delete myself as I have the correct scopes to do the deletion so I tried gam user < admin email> delete drivefileacl <fileId> <permissionId> . I got the following error "Permission ID: 10017327038573619951i, Does not exist", which this permission id that was listed is different from the actual permission id I did when I typed gam user < admin email> delete drivefileacl <fileId> <permissionId>.
Can someone help I am on GAM 7
Ross Scroggs
Jul 18, 2025, 9:27:27 PM7/18/25
to google-ap...@googlegroups.com
You need id:, witjout that GAM thinks that you're entering an email address.
gam user <owner> delete drivefileacl <fileId> id:<permissionId>
Ross
--
You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/google-apps-manager/fdf00f15-6ed7-4656-b82f-59f92e1d3a09n%40googlegroups.com.
Lauryn Thomas
Jul 18, 2025, 10:06:23 PM7/18/25
to google-ap...@googlegroups.com
Hello Ross,
In my original message I mentioned I used gam user <owner> delete drivefileacl <fileId> id:<permissionId> and get the following error "Delete Failed: The authenticated user does not have the required access to delete the permission."
So any ideas why I saw that error and how to fix it?
You received this message because you are subscribed to a topic in the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/google-apps-manager/FDw5AaUyDyY/unsubscribe.
To unsubscribe from this group and all its topics, send an email to google-apps-man...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/google-apps-manager/8EBC3EE7-6644-4965-9E60-95C377FAD126%40gmail.com.
Lauryn Thomas
Jul 18, 2025, 10:10:22 PM7/18/25
to google-ap...@googlegroups.com
Oh wait I see the difference. However, I did it without the id and half of the 1,000+ files worked and the other half i saw the error. I'll try with id to see if this will work with the rest and report back. Thanks.
Ross Scroggs
Jul 18, 2025, 10:48:49 PM7/18/25
to google-ap...@googlegroups.com
Lauren,
It's 7:47 here in California, I can ZoomMeet if you 'd like and we can research,
Ross
Ross Scroggs
Jul 18, 2025, 10:58:41 PM7/18/25
to google-ap...@googlegroups.com
For one of the files where: gam user <owner> delete drivefileacl <fileId> id:<permissionId>
generates this: Delete Failed: The authenticated user does not have the required access to delete the permission.
Do: gam user <owner> show fileinfo <fileId>
Send me the results privately.
Ross
Lauryn Thomas
Jul 19, 2025, 9:00:57 AM7/19/25
to google-ap...@googlegroups.com
Sent you the results, as requested.
To view this discussion visit https://groups.google.com/d/msgid/google-apps-manager/6A28ADF8-9A02-473E-88ED-7DCD29B86918%40gmail.com.
William Lopes
Jul 21, 2025, 4:10:27 PM7/21/25
to GAM for Google Workspace
Hello, I'm experiencing the same issue -> GAM 7.14.03. If I can contribute in any way, I'm available.
Ross Scroggs
Jul 21, 2025, 4:16:38 PM7/21/25
to google-ap...@googlegroups.com
You are probably tru=ying to delete an inherited ACL.
Send me a private Meet/Zoom invitation.
gam user <owner> delete drivefileacl <fileId> id:<permissionId> enforceexpansizeaccess false
Ross
To view this discussion visit https://groups.google.com/d/msgid/google-apps-manager/a5b04831-8853-4eb0-a955-b96072973f2en%40googlegroups.com.
William Lopes
Jul 22, 2025, 12:42:45 PM7/22/25
to GAM for Google Workspace
It worked, thank you very much. I just corrected the parameter to "enforceexpansiveaccess".
Derrek Beeck
May 11, 2026, 4:03:25 PM (7 days ago) May 11
to GAM for Google Workspace
Hello, I'm having a similar issue. What was your final gam line? This is what I'm running: gam csv permissions.csv gam user ~Owner delete drivefileacl ~id ad...@domain.com
enforceexpansiveaccess false. and I'm still having issues
Ross Scroggs
May 11, 2026, 4:11:28 PM (7 days ago) May 11
to google-ap...@googlegroups.com
enforceexpansiveaccess is no longer supported by the API, you can't delete inherited ACLs.
Ross
This e-mail and any files or data transmitted with it are confidential and intended solely for the use of the individual named above. If you have received this email in error and are not the intended recipient, please notify the sender by e-mail and immediately delete the message and all materials without reading them. If you are not the intended recipient, copying, forwarding or otherwise disseminating or distributing this information is prohibited.
--
You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/google-apps-manager/730337f0-5f90-4581-92c6-6ff51881e29fn%40googlegroups.com.
Derrek Beeck
May 11, 2026, 4:14:30 PM (7 days ago) May 11
to GAM for Google Workspace
Hi Ross, Thank you. So if I need a way to change all documents that are shared domain wide to just be restricted, that's no longer possible?
Ross Scroggs
May 11, 2026, 5:19:57 PM (7 days ago) May 11
to google-ap...@googlegroups.com
You have to find the files/folders that have an explict ACL sharing them to the domain and delete them.
gam config auto_batch_min 1 num_threads 20 redirect csv ./DomainSharedFiles.csv multiprocess redirect stderr - multiprocess all users print filelist query "visibility = 'domainCanFind' or visibility = 'domainWithLink'" fields id,name,mimetype,basicpermissions filepath pm type domain inherited false em pmfilter oneitemperrow
gam config num_threads 20 redirect stdout ./DeleteDomainShares.txt multiprocess redirect stderr stdout csv DomainSharedFiles.csv gam user "~Owner" delete drivefileacl "~id" "id:~~permission.id~~"
To view this discussion visit https://groups.google.com/d/msgid/google-apps-manager/026e38db-435d-44d3-b957-88eebf3578f8n%40googlegroups.com.
Ross Scroggs
May 11, 2026, 5:41:18 PM (7 days ago) May 11
to google-ap...@googlegroups.com
Update, change the first command to specify your domain in the permissionsmatch. This will preserve any domain shares to external domains.
Replace yourdomain.com in the pm with your actual domain name.
Ross
gam config auto_batch_min 1 num_threads 20 redirect csv ./DomainSharedFiles.csv multiprocess redirect stderr - multiprocess all users print filelist query "visibility = 'domainCanFind' or visibility = 'domainWithLink'" fields id,name,mimetype,basicpermissions filepath pm type domain domainyourdomain.com inherited false em pmfilter oneitemperrow
gam config num_threads 20 redirect stdout ./DeleteDomainShares.txt multiprocess redirect stderr stdout csv DomainSharedFiles.csv gam user "~Owner" delete drivefileacl "~id" "id:~~permission.id~~"
Message has been deleted
Derrek Beeck
May 12, 2026, 11:14:59 AM (6 days ago) May 12
to GAM for Google Workspace
Thank you. I tried this just one myself: "gam config auto_batch_min 1 num_threads 20 redirect csv ./DomainSharedFiles.csv multiprocess redirect stderr - multiprocess user dbeeck print filelist query "visibility = 'domainCanFind' or visibility = 'domainWithLink'" fields id,name,mimetype,basicpermissions filepath pm type domain domain mydomain.com inherited false em pmfilter oneitemperrow"
However, as it runs I get this message: "Got 7 Drive Files/Folders that matched query ('me' in owners and (visibility = 'domainCanFind' or visibility = 'domainWithLink')) for m...@domain.com...". I then check the csv and it's blank except the column headers which doesn't make sense since I do have some files set to domain wide access.
Ross Scroggs
May 12, 2026, 11:15:06 AM (6 days ago) May 12
to google-ap...@googlegroups.com
Send me a private Meet/Zoom invitation and we'll investigate.
Ross
On May 12, 2026, at 8:10 AM, 'Derrek Beeck' via GAM for Google Workspace <google-ap...@googlegroups.com> wrote:Thank you. So I ran the first command against just one user, myself, and I get some odd results. I see this results: "Got 7 Drive Files/Folders that matched query ('me' in owners and (visibility = 'domainCanFind' or visibility = 'domainWithLink')) for m...@domain.com". However when I open the file it is blank except the column headers. I know that I have some files that are set to domain wide.Command I ran: "gam config auto_batch_min 1 num_threads 20 redirect csv ./DomainSharedFiles.csv multiprocess redirect stderr - multiprocess user dbeeck print filelist query "visibility = 'domainCanFind' or visibility = 'domainWithLink'" fields id,name,mimetype,basicpermissions filepath pm type domain inherited false em pmfilter oneitemperrow"
To view this discussion visit https://groups.google.com/d/msgid/google-apps-manager/7454f6f1-9f67-42e5-8e09-9c8c85403834n%40googlegroups.com.
Ross Scroggs
May 12, 2026, 11:20:04 AM (6 days ago) May 12
to google-ap...@googlegroups.com
Send me a private Meet/Zoom invitation and we'll investigate.
Ross
To view this discussion visit https://groups.google.com/d/msgid/google-apps-manager/6d7b5247-82e5-452e-acc8-2c1edeea9b86n%40googlegroups.com.
Derrek Beeck
May 12, 2026, 2:30:10 PM (6 days ago) May 12
to GAM for Google Workspace
Hi Ross
https://meet.google.com/myc-vdzs-npz I am available the rest of the day until 5PM EST. Just send me a message with a couple minutes heads up and I'll be there.
Ross Scroggs
May 12, 2026, 2:34:23 PM (6 days ago) May 12
to google-ap...@googlegroups.com
To view this discussion visit https://groups.google.com/d/msgid/google-apps-manager/2353612b-dbf4-46cb-96e3-57cff9a30da4n%40googlegroups.com.
Marshall Giguere
May 12, 2026, 8:04:14 PM (6 days ago) May 12
to google-ap...@googlegroups.com
Try this since you're only talking about one user
> gam config auto_batch_min 1 num_threads 20 redirect csv ./DomainSharedFiles.csv redirect stderr - user dbeeck print filelist query "visibility='domainCanFind' or visibility='domainWithLink'" fields id,name,mimetype,basicpermissions filepath pm type domain inherited false em pmfilter oneitemperrow
On Tue, May 12, 2026 at 9:10 AM 'Derrek Beeck' via GAM for Google Workspace <google-ap...@googlegroups.com> wrote:
Thank you. So I ran the first command against just one user, myself, and I get some odd results. I see this results: "Got 7 Drive Files/Folders that matched query ('me' in owners and (visibility = 'domainCanFind' or visibility = 'domainWithLink')) for m...@domain.com". However when I open the file it is blank except the column headers. I know that I have some files that are set to domain wide.
Command I ran: "gam config auto_batch_min 1 num_threads 20 redirect csv ./DomainSharedFiles.csv multiprocess redirect stderr - multiprocess user dbeeck print filelist query "visibility = 'domainCanFind' or visibility = 'domainWithLink'" fields id,name,mimetype,basicpermissions filepath pm type domain inherited false em pmfilter oneitemperrow"
To view this discussion visit https://groups.google.com/d/msgid/google-apps-manager/7454f6f1-9f67-42e5-8e09-9c8c85403834n%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages