Remove Users from All Shared Drives


James SEYMOUR

Nov 24, 2022, 8:03:00 PM
to GAM for Google Workspace
Hi,

Is there a way to remove users from all the Team drives they have access to?

Ideally I would like to run this command against an OU. We place all our leavers in an OU so it would be good to periodically run a command to remove these users from all the Shared Drives they have access to.

Thanks in advance

James

Ross Scroggs

Nov 24, 2022, 10:33:12 PM
to google-ap...@googlegroups.com
James,

Using Advanced GAM:

gam redirect csv ./OUSharedDriveAccess.csv ou /Test print shareddrives fields id,name

gam redirect stdout ./DeleteOUSharedDriveAccess.txt multiprocess redirect stderr stdout csv ./OUSharedDriveAccess.csv gam delete drivefileacl ~id ~User


Ross


--
You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/47f8611b-0a0e-41cc-90d3-80488c6fd9f6n%40googlegroups.com.



James SEYMOUR

Nov 25, 2022, 12:50:27 AM
to GAM for Google Workspace
Perfect Ross, many thanks.

Josh McKenna

Feb 9, 2024, 2:02:48 PM
to GAM for Google Workspace
Apologies for resurrecting this, but I'm struggling to adapt the above from Ross to find a single user and remove them from all shared drives. Any advice for efficiently accomplishing this?

Brian Kim

Feb 9, 2024, 4:03:13 PM
to GAM for Google Workspace
Using Advanced GAM:

gam redirect csv ./UserSharedDriveAccess.csv user $username print shareddrives fields id,name

gam redirect stdout ./DeleteUserSharedDriveAccess.txt multiprocess redirect stderr stdout csv ./UserSharedDriveAccess.csv gam delete drivefileacl ~id ~User

Josh McKenna

Feb 9, 2024, 4:17:14 PM
to GAM for Google Workspace, Brian Kim
After running with verbose output, I tried fully enclosed csv variables with double ~~ ...and it worked. Thanks Brian!

Joshua McKenna
Technical Operations Executive Manager
Grace Bible Church | 979.353.2570

Temple Rodgers

Feb 12, 2024, 3:44:21 AM
to GAM for Google Workspace
I love to avoid csv's if I can. I have a daily scheduled job that runs automatically to get me all the acls into a spreadsheet, which @ross helped me to formulate a couple (few?) years ago ...

gam print teamdriveacls oneitemperrow todrive tdfileid <spreadsheet id> tdupdatesheet tdsheet "SharedDrive ACLs" tdclearfilter true tdtitle "All SharedDrive ACLs"

This generates a single sheet with everything I want. Then I can filter that output or create pivot tables to change/remove acls as I need to by creating a new tab and running the GAMADV command on that sheet, I can copy the SharedDriveID and User to a new tab and use that to modify or delete permissions:

gam csv gsheet username <spreadsheet id> "DeletePermissions" gam delete drivefileacl ~SharedDriveID ~User

"DeletePermissions" is the name of the tab.

That way I don't have to worry about the quotes around the various fields and everything's kept in Google Drive rather than in a folder on the computer. The spreadsheet's a great reference point where I can find out up to date information quickly.

Temple

Josh McKenna

Feb 13, 2024, 10:47:44 AM
to 'Temple Rodgers' via GAM for Google Workspace
This is immensely helpful, thank you for sharing. I'll have to work on iterating toward this with my next script version!

Joshua McKenna
Technical Operations Executive Manager
Grace Bible Church | 979.353.2570

Alexander Hampel

May 21, 2024, 8:46:38 PM
to GAM for Google Workspace
Here is my (clunky-but-working) shell script based solution to remove a user from ALL (local Domain managed) Team Drive ACLs using "Standard" GAM on Linux. Set the "superadmin" variable to a local Google Domain Super Admin account name, and feel free to adapt to your OS platform of choice.

#!/bin/bash
# Removes user from TeamDrive ACLs - 5-21-2024
superadmin="Your_Google_Domain_SuperAdmin_account_name"
# Start from an empty results file; Step 1 appends to it
rm -f /tmp/rmteamdriveaclsdriveidsuseracls.txt
if [ $# -lt 1 ] ; then
  echo "Please enter a Username to remove from Team Drives:"
  read -r separateduid
  if [ -z "${separateduid}" ] ; then
    echo "The Username must NOT be blank.  Please try again."
    exit 1
  fi
else
  separateduid=$1
fi
# Build email alias list
gam user "${separateduid}" show sendas | grep '@' | cut -d "<" -f 2 | cut -d ">" -f 1 > /tmp/rmteamdriveaclsaliases.txt
# Build Team Drive ACL list
gam user "${separateduid}" print teamdrives | cut -d "," -f 1 | grep -v '^id$' > /tmp/rmteamdriveaclsdriveids.txt
# Build list of Team Drive ACL User ACL IDs
echo "Depending on the amount of Team Drives, this can take a bit..."
echo "Step 1: Gathering information"
while read -r aclsdriveids ; do
  while read -r aclsaliases ; do
    # -F matches the alias as a literal string rather than as a regular expression
    echo "${aclsdriveids},$(gam user "${separateduid}" show drivefileacl "${aclsdriveids}" | grep -F -B 6 "${aclsaliases}" | head -n 1)" >> /tmp/rmteamdriveaclsdriveidsuseracls.txt
  done < /tmp/rmteamdriveaclsaliases.txt
  echo -n "."
done < /tmp/rmteamdriveaclsdriveids.txt
echo ""
# Drop rows where no ACL ID was found, then de-duplicate
grep -v ',$' /tmp/rmteamdriveaclsdriveidsuseracls.txt | sort -u > /tmp/rmteamdriveaclsdriveidsuseraclsunique.txt
echo "Step 2: Removing Team Drive ACLs"
while read -r rmteamdriveaclsdataset ; do
  # Unquoted expansions below: word splitting collapses whitespace in the captured line
  aclsdriveid=$(echo ${rmteamdriveaclsdataset} | cut -d "," -f 1)
  aclsdriveuserid=$(echo ${rmteamdriveaclsdataset} | cut -d "," -f 2)
  gam user "${superadmin}" delete drivefileacl ${aclsdriveid} id:${aclsdriveuserid} asadmin
  echo -n "."
done < /tmp/rmteamdriveaclsdriveidsuseraclsunique.txt
echo ""

Ross Scroggs

May 21, 2024, 10:32:52 PM
to google-ap...@googlegroups.com
Alexander,

Don't these two commands replace everything from Build email alias list on down?

gam user ${separateduid} print teamdrives > /tmp/rmteamdriveaclsdriveids.txt

gam csv /tmp/rmteamdriveaclsdriveids.txt gam user ${superadmin} delete drivefileacl "~id" ${separateduid} asadmin


Ross


----
Ross Scroggs



Alexander Hampel

May 21, 2024, 10:52:00 PM
to google-ap...@googlegroups.com
Ross,
You are of course right.  I am not fluent on the GAM syntax and command options, hence my mentioning of "clunky" for the code I posted.
Best regards, and thank you for the simplification,
Alex




Roman Gordienko

Dec 2, 2024, 6:15:37 AM
to GAM for Google Workspace
Hello,

I would like to raise the issue and explain a little bit about removing access. I manage file permissions on a shared drive using GAM. I have a script that exports all permissions for a specific shared drive (e.g. "Backups") and identifies users who should not have access to certain files or folders.

To remove unnecessary permissions, I plan to:
  • Edit the exported CSV file to include only the permissions I need to revoke.
  • Use the command: gam csv <exported_csv_file>.csv gam user <file_owner_email> delete drivefileacl ~id <email>, for example: gam csv results.csv gam user ma...@domain.com delete drivefileacl ~id jh...@domain.com. Is that correct?
    As I understand it:
    - <exported_csv_file>: This is a CSV file that contains a list of files and permissions that need to be removed. Usually this file is created by the print filelist command or something similar.
    - <file_owner_email>: This is the email of the file owner, which is in the owners column in the CSV file, but if I had run the GAM command, here it is: gam redirect csv ./ExternallySharedDriveFiles.csv user us...@mydomain.net print filelist select teamdrive 'Backups' fields id,name,mimetype,basicpermissions pmfilter oneitemperrow filepath. Then the owner is the one I specified, namely this one, as an example ma...@domain.com
    - <email> is the email of the user whose access I want to remove
Could you confirm if this approach is correct, or suggest a more efficient way to achieve this? My goal is to ensure no "unnecessary" users retain access to files they shouldn't have.

Thank you in advance!

--

Best regards,

Roman Gordienko
DevOps Engineer

Itera Research | www.itera-research.com


Roman Gordienko

Mar 18, 2025, 5:18:32 AM
to GAM for Google Workspace
Good day, Ross and your command,

I still have the priority of removing access to files and folders on SharedDrive. Could you help me specify a command that would allow me to do the following:
Remove access to files and folders for people listed in the .csv file.
In other words, I would like the GAM command (I'm using the extended version) to take the .csv file and revoke all the access permissions listed in it. Is there something like this? I couldn't find it.

I'll try to explain what I'm doing. I wrote a Python script that processes a .csv file and generates a more formatted output that suits my needs. I use this GAMADV command:  gam redirect csv ./ExternallySharedDriveFiles.csv user us...@mydomain.net print filelist select teamdrive 'Backups' fields id,name,mimetype,basicpermissions pmfilter oneitemperrow filepath   to output the result to a file.
After filtering, I have access permissions that I don't need.
So, I need to revoke all these unnecessary accesses. What command can I use for this?

Thank you for your answer and time.

--

Best regards,

Roman Gordienko
DevOps Engineer

Itera Research | www.itera-research.com


Roman Gordienko

Mar 18, 2025, 6:33:57 AM
to GAM for Google Workspace
I believe I have found the command: gam csv <Filename>.csv gam user ~Owner delete drivefileacl ~id ~permission.emailAddress - could you please confirm if this is the one I need? I've tested it with a few users so far, but I'm hesitant to try it on a larger group yet. I want to make sure it doesn't result in the removal of permissions for files/folders on other Shared drives etc.

--

Best regards,

Roman Gordienko
DevOps Engineer

Itera Research | www.itera-research.com

Ross Scroggs

Mar 18, 2025, 12:23:20 PM
to google-ap...@googlegroups.com
If you delete an ACL from a folder, the same ACL is deleted from files within that folder.
When you delete an ACL from a file, only that file is affected.

Ross
----
Ross Scroggs
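
A pre-flight filter for the CSV-driven delete discussed above, as an added example that is not part of any post in this thread: it keeps only rows whose permission.emailAddress is on an explicit revoke list, drops duplicate and incomplete rows, and lists folders first because a folder ACL removal also applies to the files inside. The Owner, id and permission.emailAddress columns are the ones named in the thread; the mimeType column name, the sample rows and the function names are assumptions made for the example.

```python
import csv
import io
from collections import Counter

FOLDER_MIME = "application/vnd.google-apps.folder"
# Constructed sample rows; the mimeType column name is an assumption about the export.
SAMPLE_EXPORT = """Owner,id,name,mimeType,permission.emailAddress
admin@example.com,F1,Archive,application/vnd.google-apps.folder,old.user@example.com
admin@example.com,D1,dump.sql,application/octet-stream,Old.User@example.com
admin@example.com,D1,dump.sql,application/octet-stream,old.user@example.com
admin@example.com,D2,notes.txt,text/plain,keeper@example.com
admin@example.com,D3,plan.doc,application/msword,
"""


def build_revocations(export_text, revoke_emails):
    """Return (rows, summary): deduplicated delete rows limited to revoke_emails."""
    wanted = {e.strip().lower() for e in revoke_emails}
    seen, rows, summary = set(), [], Counter()
    for rec in csv.DictReader(io.StringIO(export_text)):
        email = (rec.get("permission.emailAddress") or "").strip().lower()
        file_id = (rec.get("id") or "").strip()
        owner = (rec.get("Owner") or "").strip()
        if not (email and file_id and owner):
            summary["skipped_incomplete"] += 1
            continue
        if email not in wanted:
            summary["skipped_not_listed"] += 1
            continue
        if (file_id, email) in seen:
            summary["skipped_duplicate"] += 1
            continue
        seen.add((file_id, email))
        is_folder = rec.get("mimeType") == FOLDER_MIME
        summary["folders" if is_folder else "files"] += 1
        rows.append({"Owner": owner, "id": file_id,
                     "permission.emailAddress": email, "folder": is_folder})
    # Folders first: removing a folder ACL also removes it from the files inside.
    rows.sort(key=lambda r: not r["folder"])
    return rows, dict(summary)


def to_csv(rows):
    """Serialise only the three columns the delete command reads."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["Owner", "id", "permission.emailAddress"])
    writer.writerows([r["Owner"], r["id"], r["permission.emailAddress"]] for r in rows)
    return out.getvalue()
```

Review the summary counts and the to_csv output before saving it as the file passed to the gam csv command, so that only the listed addresses and the intended file IDs reach the delete step.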


