
My adventures last week:

Question: We have a G Suite Enterprise account. We used to share documents with a contractor. They no longer contract with us. How do we remove that contractor from every shared document?

Answer 1: Run this report to get a list of every document shared with them. Manually visit each document and un-share it.

Answer 2: Our API docs are at...

FFS, Google. I really don't think this is that unusual of a request. I refuse to believe that we're the first company ever that wanted to remove people from our Google Drive. Why do you make it so difficult?



G Suite says Enterprise but doesn't actually do it.

For years, you had to turn off 2fa enforcement for the whole org, or do janky hacks with special groups and policy exceptions for groups to onboard new employees because they hadn't gotten around to a first time login flow that had a mandatory 2fa enrollment; instead they'd just prompt for the 2fa code you couldn't have set up.

There's no way to merge two separate G Suite accounts, in case your company merges with another company. You're just supposed to set up new users in the new org and close the old org account. Even more fun to be had if you want to keep the same usernames (I can't imagine the colossal pain it would be if you also wanted google handling the email during that transition).

Oh yeah: there's no way to stop people from trying to set up consumer google accounts on your corporate domain. Most of those are spammers or idiots that won't get confirmed, but some of them are employees doing things wrong, and can confirm them, but then you have things like two accounts with the same name that are different because one is a g suite (but you can't register the domain for two different organizations, because three accounts with the same name would be too much)


> For years, you had to turn off 2fa enforcement for the whole org, or do janky hacks with special groups and policy exceptions for groups to onboard new employees because they hadn't gotten around to a first time login flow that had a mandatory 2fa enrollment; instead they'd just prompt for the 2fa code you couldn't have set up.

That's still the case. We require 2FA, and 2FA setup on first login, but then you can't log in the first time because you don't have 2FA. We have a group we put new employees in so that they can set it up, then we remove them afterward.


I was pretty sure they had made this better recently. I recall being able to remove the new users group, but I'm no longer working there, so I can't verify. (Also, I didn't have to make a lot of new users in the recent past before I left, because of the merger stuff).

Look for a setting like "New user enrollment period"


Shameless plug, but the product I'm currently working on does this: https://altitudenetworks.com/offboarding.html

You're definitely not the first company to want this!


It's recommended (and much easier) to share access to a folder instead of individual files. You can also use Google Groups instead of adding individual users. Google Team/Shared Drives has finally started to improve permissions and includes sharing with external emails as well.

Otherwise it's better to use something like Box.com which is actually designed for enterprise-level features including complex access controls and user management.


That might be true, but nowhere in the UI does it recommend that. If you want to share a file, nothing suggests you consider sharing a folder instead. And even then, we'd still have to find and disable all of the folders that had been shared with the ex-associate. That would reduce the number of items to un-share, but the fundamental problem of having no easy way to find and handle each item is still there.

Yeah, we're going to Box for everything outside our organization for exactly those reasons. If Google Drive lived up to the "enterprise" label they stick on accounts, we would stick with it. It's just not business-ready in its current form, though.


It's not a UI thing. It's a general recommendation about workflows because folders are usually easier to manage than files. Have you tried using Google Groups? Add them to a single "external associates" group and then you can just edit group membership in the future instead of managing files.


You need the ability to verify that no files are shared with them. "Adhering to a workflow" isn't sufficient.
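
An added example, not part of the comment above or any poster's code: one way to do that verification offline over an exported permission listing, reporting direct grants, grants through a group, and "anyone with the link" sharing. The file list, group membership and addresses are constructed sample data shaped like Drive API v3 permission resources, and the function names are hypothetical.

```python
# Added example: offline audit of exported Drive permissions for one ex-contractor.
# SAMPLE_FILES is constructed; its shape follows Drive API v3 file resources
# listed with fields=files(id,name,permissions(id,type,role,emailAddress)).
SAMPLE_FILES = [
    {"id": "f1", "name": "roadmap", "permissions": [
        {"id": "p1", "type": "user", "role": "owner",
         "emailAddress": "alice@corp.example"},
        {"id": "p2", "type": "user", "role": "writer",
         "emailAddress": "Pat@Contractor.example"}]},
    {"id": "f2", "name": "specs", "permissions": [
        {"id": "p3", "type": "group", "role": "reader",
         "emailAddress": "external-associates@corp.example"}]},
    {"id": "f3", "name": "press kit", "permissions": [
        {"id": "p4", "type": "anyone", "role": "reader"}]},
    {"id": "f4", "name": "payroll", "permissions": [
        {"id": "p5", "type": "user", "role": "owner",
         "emailAddress": "bob@corp.example"}]},
]
# Constructed group membership; a real audit would export it from the directory.
SAMPLE_GROUPS = {"external-associates@corp.example": {"pat@contractor.example"}}


def audit_access(files, email, group_members):
    """Return (file_id, permission_id, via) for each grant that still reaches email."""
    email = email.lower()  # addresses are compared case-insensitively
    findings = []
    for f in files:
        for perm in f.get("permissions", []):
            addr = perm.get("emailAddress", "").lower()
            if perm["type"] == "user" and addr == email:
                via = "direct"   # fix: delete this permission on the file
            elif perm["type"] == "group" and email in group_members.get(addr, set()):
                via = "group"    # fix: remove the member from the group
            elif perm["type"] == "anyone":
                via = "link"     # link sharing survives removal of the user
            else:
                continue         # no match, or a type not evaluated here ("domain")
            findings.append((f["id"], perm["id"], via))
    return findings


def verified_clean(files, email, group_members):
    """True only when no direct, group or link grant remains."""
    return not audit_access(files, email, group_members)


if __name__ == "__main__":
    for finding in audit_access(SAMPLE_FILES, "pat@contractor.example", SAMPLE_GROUPS):
        print(finding)
```

Re-running the same audit on a fresh export after the un-sharing pass is what turns "we followed the workflow" into a check that can fail.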


The other person commented that the UI didn't suggest using folders over files. Why would it? That's up to your specific workflow, and using folders or groups is general advice for bigger organizations.

How you verify access is something else entirely, but the same advice helps in that case too.


> It's recommended (and much easier) to share access to a folder instead of individual files.

It’s not. folders don’t actually exist in google drive. files are shared individually. there’s a very complex interaction between imaginary folder ACLs and file ACLs. if you depend on the folders as being hierarchical (which they aren’t), this will bite you through unexpected leftover sharing.

The exceptionally stupidly named Shared drives (used to be called Team Drives) fix this.

Otherwise, ‘gam’ is the best tool out there for managing this.

Some of the paid tools are like VPNs. you end up giving full access to the tool developer. be very careful if you go with a paid tool vs ‘gam’.


> folders don’t actually exist in google drive. files are shared individually.

What do you mean? Drive has UI for folders, shows folders hierarchically, and allows sharing of folders with a single dialog-box interaction. There are instructions online that explain how to use folders for organizing and sharing:

https://support.google.com/drive/answer/2375091

https://support.google.com/drive/answer/7166529

For a software engineer, it may help to understand how folders are implemented when dealing with tricky ACL situations, but for all practical purposes, and for the majority of (non-engineer) users, folders definitely exist in Drive.


Solution we found back in the day. Create a new user, and give user name and password to the contractor. This might force you to disable 2fa.


That would work to a point, but has its own issues (and also means that you have to pay for a company account for every contractor).


Some services (eg GitHub) still make you pay even if you don't have to create a new account


ftp folder for each.


Our solution is to clone docs which we plan to share externally. Then, at least, it's a doc that has already been shared out, instead of docs that you continue to update.


I'm not sure if you've seen this or not?

https://webapps.stackexchange.com/questions/52093/see-all-sh...

Generally, you would disable an account to revoke sharing. Are you sharing these outside your domain? That could be part of the problem. I agree there should be an easier way to remove sharing for everything for a particular user (and there may be). Have you checked out GAM?

https://github.com/jay0lee/GAM


Yep, we're sharing outside your domain, but that's a feature that they advertise and recommend. I've started to check GAM, but what should have been a chore in our sprint has quickly turned into a full-blown story. I'll have to find some time to waste figuring out how to do this thing that I can't believe Google doesn't have built in.


Again, did you try the shortcut listed here?

https://webapps.stackexchange.com/questions/52093/see-all-sh...

When I search to:email@here.com it shows all the documents shared with that person, then I can Ctrl+a and click "share" and remove that person from all of them at once.


I've tried, but I don't have the option to select all.


Ctrl+a is the keyboard shortcut.



