Remove external user from all files that were shared to them from our Google Drive


John Plut

Jul 23, 2014, 7:40:13 PM
to google-ap...@googlegroups.com
We had a contractor that was using an external account and many files were shared with them. I want to globally remove the person from all files they were shared with. 

It looks like you can do this with some of the paid management tools; I am hoping I can do this with GAM.

Any help would be appreciated, thanks.

NicholasT

Jul 24, 2014, 7:35:18 PM
to google-ap...@googlegroups.com
Hi John, 

I recently needed to do a similar thing for all users on a small domain. I ended up using the General Audit Tool (GAT) for Google Apps on the free 28 day trial period and I would use this again even for the cost. It's cheap, simple and did the job with little time on my part. Although, it does take some time to enumerate through all users/docs and capture the data for reporting and updating.

I don't believe there is a single remove drivefileacl on all files in my domain for user X command so you're going to have to write a script that essentially iterates through all docs (loop gam show filelist per user), grabs permissions per doc (gam show drivefileacl) and run delete drivefileacl for any docs that share to user x.  If you have a lot of users / docs then that might be interesting and a lot of API calls.  Perhaps a Google Apps Script straight to the API would be a better performing option but then that's what the GAT tool probably does ;-)

Nicholas

Jay Lee

Jul 28, 2014, 10:26:06 AM
to google-ap...@googlegroups.com
You could achieve the same results with a GAM command like:

gam all users show filelist query "'exte...@vendor.com' in writers or 'exte...@vendor.com' in readers" id | gam csv - gam user ~Owner delete drivefileacl ~id exte...@vendor.com

The first command will generate a CSV list of all files shared with the vendor email address (read or write access) for all users in your domain. If you have lots of users in your domain it's going to take a while to generate this list. The 2nd command after the | pipe reads in this CSV list and performs the delete ACL operation for each and every file that is shared with the vendor.

Perfect for a cron job...

Do notice the double quotes around the whole query and the single quotes around the email addresses...

More details about how to use the Drive file list query syntax are at:




Jay Lee


--
You received this message because you are subscribed to the Google Groups "Google Apps Manager" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at http://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/89aad189-db34-49e0-83d6-4707a5deec59%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.
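
A way to preview what the second half of the pipeline above would do before any ACL is deleted, as an added example that is not part of the original post. It assumes the first command's output was saved with only the Owner and id columns (so no quoted commas); the owners, file ids and the address external@vendor.example are constructed.

```shell
#!/bin/sh
# Constructed sample of the stage-one CSV: a header row, then one row per
# shared file. It includes a duplicate row and a row with an empty Owner.
sample_csv() {
cat <<'EOF'
Owner,id
alice@example.com,1AbCdEfConstructedId01
bob@example.com,1AbCdEfConstructedId02
alice@example.com,1AbCdEfConstructedId01
,1AbCdEfConstructedId03
EOF
}

# preview_deletes EXTERNAL_ADDRESS < stage-one.csv
# Prints, without running anything, the delete command that corresponds to
# each CSV row once ~Owner and ~id are replaced by that row's values.
# Duplicate rows are printed once; rows with an empty Owner or id are counted
# and reported on stderr instead of being turned into a command.
preview_deletes() {
    awk -F, -v ext="$1" '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        NR == 1 {
            for (i = 1; i <= NF; i++) col[$i] = i
            if (!("Owner" in col) || !("id" in col)) {
                print "missing Owner or id column" > "/dev/stderr"
                exit 2
            }
            next
        }
        { owner = $col["Owner"]; id = $col["id"] }
        owner == "" || id == "" { skipped++; next }
        seen[owner SUBSEP id]++ { next }        # already printed this pair
        { printf "gam user %s delete drivefileacl %s %s\n", owner, id, ext }
        END {
            if (skipped)
                print skipped " row(s) skipped: empty Owner or id" > "/dev/stderr"
        }
    '
}

# Review this output first; only then feed the same CSV to "gam csv".
sample_csv | preview_deletes 'external@vendor.example'
```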

GRC

Nov 23, 2015, 7:23:51 AM
to Google Apps Manager
I tried what Jay Lee suggested with GAM 3.61 but got the error:

Unknown user: Owner


I also tried first saving the output of the first command to csv file, then issue the second command separately (specifying that csv file) but got same error.  The first fieldname of the CSV file is clearly "Owner".


Any solutions?  Thanks.



GRC

Nov 23, 2015, 10:00:48 AM
to Google Apps Manager
And yes, I did have "~" in front of Owner.  Thanks in advance for your help.

Ross Scroggs

Nov 23, 2015, 10:25:12 AM
to google-ap...@googlegroups.com
There is no error message 'Unknown user:' in GAM; so where is it coming from? Maybe your shell.

Try: gam all users show filelist query "'exte...@vendor.com' in writers or 'exte...@vendor.com' in readers" id | gam csv - gam user "~Owner" delete drivefileacl ~id exte...@vendor.com

Add quotes around ~Owner.


GRC

Nov 23, 2015, 10:46:46 AM
to Google Apps Manager
That did it.  Thank you again Ross!  I appreciate it.

Ross Scroggs

Nov 23, 2015, 10:59:47 AM
to google-ap...@googlegroups.com
Windows users: nothing of interest here, just enjoy your day.
Linux/Mac users: On a command line, depending on your shell, arguments like ~Owner will be replaced with the path to Owner's home folder if Owner is a valid user name.
When using gam csv, enclose ~xxx in quotes ("~xxx") if there is any chance that xxx is a valid user.

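
The tilde expansion described in the post above, as an added shell example that is not part of the original thread. It assumes `root` is a real local account and that the made-up name `no_such_account_xyz` is not; the header `Owner,id,root` is constructed.

```shell
#!/bin/sh
# Added demo (constructed): what a program such as gam actually receives when
# a ~Column argument is typed with and without quotes.
# Assumptions: "root" is a real local account; "no_such_account_xyz" is not.

# Print every argument on its own line, exactly as the child process sees it.
show_args() {
    for arg in "$@"; do
        printf '%s\n' "$arg"
    done
}

# Unquoted, name is a real account: the shell substitutes the home directory
# before the program starts, so the CSV column reference is gone.
unquoted_real_account() { show_args ~root; }

# Unquoted, name is not an account: sh and bash pass the word through as
# typed (some other shells report an error instead), which is why the
# unquoted form appears to work on many machines.
unquoted_unknown_account() { show_args ~no_such_account_xyz; }

# Quoted: tilde expansion is suppressed, the program always gets ~root.
quoted() { show_args "~root"; }

# Given a CSV header line, list the column names that are also local
# accounts, i.e. the ~Column references that must be quoted on this machine.
columns_needing_quotes() {
    old_ifs=$IFS
    IFS=,
    for col in $1; do
        if id -u "$col" >/dev/null 2>&1; then
            printf '%s\n' "$col"
        fi
    done
    IFS=$old_ifs
}

printf 'unquoted ~root            -> %s\n' "$(unquoted_real_account)"
printf 'unquoted ~no_such_account -> %s\n' "$(unquoted_unknown_account)"
printf 'quoted "~root"            -> %s\n' "$(quoted)"
printf 'header Owner,id,root      -> quote: %s\n' "$(columns_needing_quotes 'Owner,id,root')"
```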

Iain Macleod

May 14, 2020, 1:29:48 PM
to GAM for G Suite
Is this still the best way to do this? We recently had someone from our company that shared a lot of sensitive files with their personal account.

+KimNilsson

May 15, 2020, 8:27:06 AM
to GAM for G Suite
@Iain,

Ross has created a bunch of helper scripts to find such files with GAM.

This is one example.

Iain I. Macleod

May 15, 2020, 11:10:27 AM
to google-ap...@googlegroups.com
Thank you Kim,

Hopefully this is not a stupid question, but to run the script would I need to install Python and run it from there? Sorry, I've never used GAM beyond the command console in Windows.


Ross Scroggs

May 15, 2020, 11:12:42 AM
to google-ap...@googlegroups.com
Iain,

Yes you have to install Python to run the scripts; see https://www.python.org/downloads/


Kim Nilsson

May 15, 2020, 11:47:41 AM
to Google Apps Manager
Iain,

I can definitely recommend installing WSL on your Windows 10 computer. 

That will give you the magic of Linux and Bash, right there in a simple window, without breaking your brain. 😁

WSL, Windows Subsystem for Linux, very easy to install from the Windows Store. Pick Ubuntu, easiest of them all. 

/Kim 

Iain I. Macleod

May 15, 2020, 4:34:18 PM
to google-ap...@googlegroups.com
Thank you Ross for your work on GAMADV-XTD3 and support, you are a lifesaver.

And thank you Kim, you are always a help to many of us on this forum!


Ludo vic

Nov 19, 2021, 4:08:00 AM
to GAM for Google Workspace
Hello, 

When I do this command:
gam all users show filelist query "'compt...@vendor.com' in writers or ' compt...@vendor.com  ' in readers" id  | gam csv - gam user "~Owner" delete drivefileacl ~id compt...@vendor.com
Getting all Users, 
Got 300 Users...
Got 300 Users
Getting all Drive Files/Folders that match query ('me' in owners and ('compt...@vendor.com' in writers or 'compt...@vendor.com' in readers)) for 10...@vendor.com (1/300)

I have this result:

ERROR: 400: badRequest - Bad Request

I can't figure out where the error came from.
I get the same message if I do 
gam test...@vendor.com show filelist query "'compt...@vendor.com' in writers or ' compt...@vendor.com  ' in readers" id  

Thanks in advance

Ludo

Ross Scroggs

Nov 19, 2021, 10:49:46 AM
to google-ap...@googlegroups.com
Ludo,

Try this:
gam all users show filelist fullquery "'me' in owners and ('compt...@vendor.com' in writers or ' compt...@vendor.com  ' in readers)" id  | gam csv - gam user "~Owner" delete drivefileacl ~id compt...@vendor.com

Ross


Ludo vic

Nov 24, 2021, 2:47:10 PM
to GAM for Google Workspace
Thank you very much for your help! It works :)

Carlos A Gómez Brizuela

Dec 5, 2021, 12:45:00 PM
to GAM for Google Workspace
Dear all, 

I tried with gam all users show filelist query "'exte...@vendor.com' in writers or 'exte...@vendor.com' in readers" id | gam csv - gam user ~Owner delete drivefileacl ~id exte...@vendor.com and it worked fine. 

BUT, according to my tests, the command gam all users show filelist only gets files in the users' Drives. I need to get all files shared with the "vendor email" in users' drives and in Shared Drives too. Is that possible?



Thank you very much!

Ross Scroggs

Dec 5, 2021, 1:38:27 PM
to google-ap...@googlegroups.com

Carlos A Gómez Brizuela

Dec 5, 2021, 2:25:07 PM
to GAM for Google Workspace
Ross, 
thank you for your quick reply!

Since I have installed Standard GAM, I tried with the first one and I got the same result. 

I only got the ACLs for all files within the users' drive, not in the shared drives.

For example, I ran: gam user us...@mydomain.com print filelist id title permissions owners > filelistperms.csv as the first step, and I only got the list of files in user1's Drive.

In addition, user1 is a member of some Shared Drives that were not listed by the command above.

Please, could you advise?

Thanks, 

Ross Scroggs

Dec 5, 2021, 3:16:47 PM
to google-ap...@googlegroups.com
Carlos,

The first script is for files on My Drives, the second script is for files on Shared Drives.

Ross




PeterA

Mar 11, 2022, 9:57:31 AM
to GAM for Google Workspace

Hey,

Hoping it's okay to post on this thread after a couple of months - I almost have what I need but I can't wildcard the domain in my query. I need it to output something like:

gam all users show filelist query "'*@vendor.com' in writers or '*@vendor.com' in readers" id,name,fileextension > something.csv

Could I get a steer please?

Ross Scroggs

Mar 11, 2022, 10:38:42 AM
to google-ap...@googlegroups.com
Peter,

The Drive API has no wildcard capability.
With Advanced gam you would say:
gam redirect csv ./something.csv all users print filelist fields id,name,fileextension pm domain vendor.com em

You can speed it up by turning on parallelism.
gam config auto_batch_min 1 redirect csv ./something.csv multiprocess all users print filelist fields id,name,fileextension pm domain vendor.com em




Matt Burns

Mar 11, 2022, 3:48:48 PM
to GAM for Google Workspace
Hello,

I am new to GAM and this is actually my first command I am trying to run. I tried running the following command with the appropriate email included:
gam all users show filelist query "'exte...@vendor.com' in writers or 'exte...@vendor.com' in readers" id | gam csv - gam user "~Owner" delete drivefileacl ~id exte...@vendor.com

When running this it seems to run the first half successfully, but the second half after the pipe gives me the following error:
Exception ignored in: <_io.TextIOWrapper name='<stdout>' mode='w' encoding='utf-8'> as well as PipeError

Any suggestions to help would be amazing, thanks!

Kim Nilsson

Mar 11, 2022, 4:55:04 PM
to Google Apps Manager
What is your operating system?
Also, what version of GAM? 

gam version

That command should give the necessary information. 

Matt Burns

Mar 11, 2022, 5:12:05 PM
to GAM for Google Workspace
macOS Monterey 12.2
GAM 6.17

Kim Nilsson

Mar 11, 2022, 8:19:16 PM
to Google Apps Manager
Ok. Usually when Ross suggests an advanced command to do some tricky filtering, or other complex operation, you need to use his GAMADV-XTD3, and not regular GAM. 

PeterA

Mar 22, 2022, 11:49:12 AM
to GAM for Google Workspace
Thanks very much for this Ross. For whatever reason, maybe GAM version or otherwise, what ended up working was:

gam config auto_batch_min 1 redirect csv ./Shares.csv multiprocess allusers print filelist fields id,name,permissions.emailaddress pm domain vendor.com em pm emailaddress ".*@vendor.com" em

Braden Vawdrey

Jun 23, 2023, 4:26:48 PM
to GAM for Google Workspace
I have the same issue as OP, but instead of a specific vendor domain, it is just one personal @gmail.com account. Any idea how I would adapt the script to fit that? I'm using GAM advanced, version 6.31.02 on macOS Ventura 13.4.1

Braden Vawdrey

Jun 23, 2023, 4:27:10 PM
to GAM for Google Workspace
I'm running the python script. How long is it supposed to take? We have 1500 users and many many TB of Drive data.


Ross Scroggs

Jun 23, 2023, 4:37:13 PM
to google-ap...@googlegroups.com
Get the current version: 6.60.14 and then do:
gam config auto_batch_min 1 redirect csv ./Shares.csv multiprocess all users print filelist fields id,name,permissions.emailaddress pm type user emailaddress pers...@gmail.com em pmfilter

Time is dependent on number of files.

Send me a Meet/Zoom invitation.

Ross




Andreas Schwarzkopf

Aug 7, 2023, 5:06:44 AM
to GAM for Google Workspace
Hi,

I tried "gam all users show filelist query "'exte...@vendor.com' in writers or 'exte...@vendor.com' in readers" id | gam csv - gam user "~Owner" delete drivefileacl ~id exte...@vendor.com"

It worked like a charm, however I've only got the Drive files from the users... is there a command to retrieve files in that way which are on a shared drive?
Use case is the following... a trainee shared files from several shared drives with her private Gmail account... I need to get rid of these shares...
Is there a chance?

Ross Scroggs

Aug 7, 2023, 10:22:39 AM
to google-ap...@googlegroups.com
Andreas,

Advanced GAM:

gam user tra...@domain.com print filelist fields id,name,driveid corpora onlyshareddrives query "'exte...@vendor.com' in readers or 'exte...@vendor.com' in writers" | gam csv - gam user "~Owner" delete drivefileacl ~id exte...@vendor.com


Ross







Braden Vawdrey

Aug 7, 2023, 12:43:02 PM
to google-ap...@googlegroups.com
Andreas, I did hop on a call with Ross and he helped me get this command.

gam redirect csv ./teamdrives.csv user admin...@domain.com print filelist corpora onlyteamdrives query "'user....@domain.com' in writers or 'user....@domain.com' in readers" fields id,name,permissions.emailaddress,permissions.role pm type user emailaddress user....@domain.com inherited false em pmfilter oneitemperrow

This will search only team drives for whatever user email you put in. The only catch is that it will only search shared drives that the admin user is at least a contributor. I'd just make the admin user a manager on whatever shared drive you're needing to search in.

You can also use this command to search for emails shared to an entire domain instead of a specific email address:

gam redirect csv ./teamdrives-shared-to-domain.csv user admin...@domain.com print filelist corpora onlyteamdrives fields id,name,permissions.emailaddress,permissions.role pm domain gmail.com em pmfilter oneitemperrow

Again, this will only search shared drives that the admin user has access to. 
Hope this all helps!


Andreas Schwarzkopf

Aug 17, 2023, 1:37:20 AM
to GAM for Google Workspace
Sorry for getting back so late... I tested the suggestions and was able to do my stuff.
Thanks Ross & Braden!

Braden Vawdrey

Aug 17, 2023, 1:44:47 AM
to google-ap...@googlegroups.com
Glad it worked for you.

I did forget to mention I’m on GAM advanced, if anyone finds this thread down the road. Not sure if it works with normal GAM. 

--

Thanks,



Braden Vawdrey

System Administrator at Pattern

John Voegtlin

May 24, 2024, 4:22:37 PM
to GAM for Google Workspace
I have the unfortunate upcoming task of removing the access of a couple of volunteers from anything and everything that's been shared with them (Shared Drives & My Drives).
I think that because it's two users and both of them have had several different email addresses over the years that I'm going to have to do this search for at least 6 different IDs (email addresses) including one that shows up on the web view as user%olddom...@gtempaccount.com (weird? abandoned google account or something?)

Questions 
1) All of this seems to be file-based. I know that I've recently run a script that showed me the files shared with those people who are not Members of the Shared Drives... does this script take Drive membership into account?
1a) I assume I'll need to remove their membership to the drives they are members of as a separate action. This is probably determined by the answer to question 1, but should I do that before or after?
2) because of the several accounts, I'd like to build a list of files that I can then run the remove command on later... this seems to have come up in earlier questions and responses, so I assume it's still possible, would it be separate remove commands for Shared Drives and My Drive shares, because these are separate python scripts? Or can I use those scripts to build one list to then run the remove command on? 

Ross Scroggs

May 24, 2024, 4:26:01 PM
to google-ap...@googlegroups.com
John,

Send me a Meet/Zoom invitation and we can discuss your options.

Ross
----
Ross Scroggs








Eduardo Alves

Jun 20, 2024, 9:01:34 AM
to GAM for Google Workspace
Hi,

Sorry to come so late

Try running the command below to remove access from my drive

 gam all users show filelist query "'ven...@gmail.com' in writers or 'ven...@gmail.com' in readers" id | gam csv - gam user ~Owner delete drivefileacl ~id ven...@gmail.com

It executed the command and pointed out the users who have a shared file; however, when deleting, it returned the message below:

2024-06-20T12:27:54.168+00:00,0/5,Using 5 processes...
2024-06-20T12:27:54.169+00:00.0,Processing item 5/5
User: vendor@test, Service not applicable/Does not exist
User: , Service not applicable/Does not exist
User: vendor@test, Service not applicable/Does not exist
User: vendor@test, Service not applicable/Does not exist
User: vendor@test, Service not applicable/Does not exist
2024-06-20T12:27:55.187+00:00,0/5,Processing complete

Could you help me please?

Thank you very much