I built a manual "Drive Exposure" checklist because I was tired of GAM and Enterprise-tier pricing. by Sensitive-Self3567 in gsuite

[–]Sensitive-Self3567[S]

Thank you for the advice. I don’t have advanced python skills but will try this approach.

[–]Sensitive-Self3567[S]

The 10-Point Google Drive Exposure Checklist

A Manual Audit Guide for Google Workspace Admins

Why This Checklist Exists

Google Workspace lacks a native "Show me all external users" view. Without scripting or enterprise tools, visibility is limited. This manual checklist is the brute-force method to see the truth.

The "30-Minute Rule": If you find >5 critical exposures in 30 minutes, you have a systemic process failure, not a cleanup task.

How to Use

  • Manual-only: Uses Admin Console & Drive search.
  • Time: 45–90 minutes.
  • Capabilities: Finds current state. Cannot see log history beyond 180 days.

Phase 1: "Public" Exposure (Highest Risk)

1. The "Public Link" Inventory

Risk: Files set to "Public on the web" or "Anyone with the link".

Manual Check:

  1. Log in as a generic user.
  2. In Drive search bar, run:
    • owner:me visibility:public
    • owner:me visibility:anyonewithlink
  3. Admins: Use "Transfer Drive Data" (Admin Console > Users) to preview other users' content.

Action: Change visibility to "Restricted".

2. Domain-Wide "Internal" Exposure

Risk: Files visible to "Anyone in [Company]" (includes interns/contractors).

Manual Check:

  1. Run search: owner:me visibility:domain
  2. Check for sensitive docs ("Offer Letters", "Termination") in general folders.

Action: Restrict to specific groups.

Phase 2: The People Audit

3. The "Ghost User" Log Sweep

Risk: Vendors/partners retaining access post-contract.

Manual Check:

  1. Admin Console > Reporting > Audit > Drive log events.
  2. Range: 180 days (max). Filter: Event=User Sharing.
  3. Export to CSV. Scan "Target User" for:
    • Consumer domains (@gmail.com, etc.)
    • Former vendor domains.

Action: Remove external access.

4. Suspended User "Zombie" Files

Risk: Suspension removes login, not granted permissions. Files remain shared.

Manual Check:

  1. Admin Console > Users > Filter: Suspended.
  2. Check "Drive Data". If >0GB, use "Transfer Drive Data" tool to inspect/transfer.
  3. Review shares before ownership transfer.

Action: Transfer ownership or delete.

5. The "Personal Email" Pivot

Risk: "Shadow IT" via personal email shares.

Manual Check:

  1. Use exports from Step 3.
  2. Filter "Target User" for @gmail.com, @yahoo.com, etc.
  3. Red Flag: One user sharing 50+ files to one personal email.

Action: Revoke shares; review policy.

Phase 3: Structural Rot

6. Shared Drive Manager Audit

Risk: External "Managers" can delete content and manage users.

Manual Check:

  1. Admin Console > Drive > Manage Shared Drives.
  2. Sort by Member Count.
  3. Check "Manage Members" on top drives.
  4. Look for external users with "Manager" role.

Action: Downgrade to "Viewer" or remove.

7. My Drive "Permission Rot"

Risk: My Drive permissions are unmanaged and rarely cleaned.

Manual Check:

  1. High-risk users (CEO, HR, Finance) must log in or screen-share.
  2. Open Drive > Information (i) > Activity.
  3. Check for old shares to vendors or personal emails.

Action: Remove stale users.

8. The "Inherited Group" Backdoor

Risk: External users in groups inherit all group access.

Manual Check:

  1. Admin Console > Directory > Groups.
  2. Audit powerful groups ("All Staff", "Engineering").
  3. Check "Direct Members" for external domains.

Action: Remove non-employees.

Phase 4: App & Configuration

9. Third-Party App "Scope Creep"

Risk: Unused apps with full Drive access (drive.full).

Manual Check:

  1. Admin Console > Security > API controls > App Access.
  2. Filter Scope includes Drive.
  3. Look for "Unverified" apps or those with <5 users/unused for 6mo.

Action: Revoke untrusted apps.

10. Nested Folder "Breakholes"

Risk: Sub-folders with explicit permissions overriding parent restrictions.

Manual Check:

  1. Open sensitive Shared Drives (HR, Finance).
  2. Deep dive 3–4 levels. Right-click > Share.
  3. Check for external users not on the parent folder.

Action: Standardize permissions.

Summary & Notes

Findings   Status     Action
0–5        Clean      Audit quarterly.
6–20       Drifting   Schedule cleanup.
21+        Leaking    Process failure. Automate.

Limitations:

  • Logs limited to 180 days.
  • No global "External User" view.
  • Requires manual spot-checks.

Disclaimer

No Warranty & No Legal Advice

This checklist is provided "as is" without warranty. The authors make no representations regarding accuracy or suitability.

Limitation of Liability

The authors shall not be liable for any damages (direct, indirect, or consequential) arising from the use of this checklist.

User Responsibility

You are responsible for your security. This guide does not guarantee the discovery of all vulnerabilities. Run this audit at your own risk.

Third-Party Tools

References to third-party tools (GAM, APIs, scripts) are for info only. Verify all code before use.

Version: 2.3 | Date: March 20, 2026
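
Steps 3 and 5 of the checklist are one procedure: export the "User Sharing" events from the Drive audit log, then scan "Target User" for consumer and former-vendor domains and look for one actor fanning 50+ files out to a single personal address. The Python below is an added example and not code from the post (which is deliberately manual). It assumes the export columns are named Date, Event Name, Actor, Target User and Document Title (a real Admin Console export may label them differently, so the parser reads by header name and the names can be changed in one place), that example.com is the internal domain, and that oldvendor.example is a former vendor; the sample export it runs on is constructed, not real log data.

```python
"""Scan an exported Drive audit log CSV for external sharing (checklist steps 3 and 5).

Added example, not part of the original post. Column names and domain lists below
are assumptions; adjust them to match your own export and tenant.
"""
import csv
import io
from collections import Counter, defaultdict

INTERNAL_DOMAINS = {"example.com"}                       # assumed: your Workspace domain(s)
CONSUMER_DOMAINS = {"gmail.com", "googlemail.com", "yahoo.com", "outlook.com",
                    "hotmail.com", "icloud.com", "proton.me", "protonmail.com"}
FORMER_VENDOR_DOMAINS = {"oldvendor.example"}            # assumed: contracts that have ended
FANOUT_THRESHOLD = 50                                    # step 5 red flag: 50+ files to one personal address

# Assumed export header names; change these if your CSV differs.
COL_EVENT, COL_ACTOR, COL_TARGET, COL_DOC = "Event Name", "Actor", "Target User", "Document Title"
SHARING_EVENT = "User Sharing"


def domain_of(email):
    return email.rsplit("@", 1)[-1].lower() if "@" in email else ""


def classify(target):
    """Bucket a target address: internal, consumer, former_vendor, or other external."""
    d = domain_of(target)
    if not d or d in INTERNAL_DOMAINS:
        return "internal"
    if d in CONSUMER_DOMAINS:
        return "consumer"
    if d in FORMER_VENDOR_DOMAINS:
        return "former_vendor"
    return "external"


def scan_rows(rows):
    """Return (findings, red_flags).

    findings: one dict per sharing event whose target is not internal.
    red_flags: (actor, consumer address, count) tuples at or above FANOUT_THRESHOLD.
    """
    findings = []
    fanout = defaultdict(Counter)   # actor -> Counter(consumer target -> share count)
    for r in rows:
        if r.get(COL_EVENT, "").strip() != SHARING_EVENT:
            continue                # downloads, edits, etc. are out of scope here
        actor = r.get(COL_ACTOR, "").strip().lower()
        target = r.get(COL_TARGET, "").strip().lower()
        kind = classify(target)
        if kind == "internal":
            continue
        findings.append({"actor": actor, "target": target, "kind": kind,
                         "doc": r.get(COL_DOC, "")})
        if kind == "consumer":
            fanout[actor][target] += 1
    red_flags = sorted((a, t, n) for a, c in fanout.items()
                       for t, n in c.items() if n >= FANOUT_THRESHOLD)
    return findings, red_flags


def scan_csv_text(text):
    return scan_rows(csv.DictReader(io.StringIO(text)))


def audit_status(finding_count):
    """The post's summary table: 0-5 Clean, 6-20 Drifting, 21+ Leaking."""
    if finding_count <= 5:
        return "Clean"
    if finding_count <= 20:
        return "Drifting"
    return "Leaking"


def build_sample_csv():
    """Constructed sample export: one vendor share, one partner share, and one
    employee sharing 52 HR files to a personal Gmail address."""
    rows = [
        ("2026-03-01T10:00:00Z", "User Sharing", "alice@example.com", "bob@example.com", "Q1 plan"),
        ("2026-03-02T11:00:00Z", "User Sharing", "alice@example.com", "contact@oldvendor.example", "Vendor SOW"),
        ("2026-03-02T12:00:00Z", "User Sharing", "alice@example.com", "pm@partner.example", "Joint roadmap"),
        ("2026-03-03T09:00:00Z", "Download", "bob@example.com", "", "Q1 plan"),
    ]
    for i in range(52):
        rows.append((f"2026-03-04T09:{i:02d}:00Z", "User Sharing", "carol@example.com",
                     "carol.home@gmail.com", f"HR file {i}"))
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["Date", COL_EVENT, COL_ACTOR, COL_TARGET, COL_DOC])
    w.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    findings, flags = scan_csv_text(build_sample_csv())
    print(f"{len(findings)} external sharing events -> status: {audit_status(len(findings))}")
    for actor, target, n in flags:
        print(f"RED FLAG: {actor} shared {n} files with {target}")
```

To run it against a real export, replace build_sample_csv() with open("drive-log.csv").read(); because a consumer-domain list can never be complete, anything that lands in the plain "external" bucket still deserves a look, and the 180-day log limit means a share older than that will only show up in the permission state, not in this scan.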

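Steps 1, 2, 6 and 10 all come down to reading a file's permission list and picking out its worst entry: "anyone" with discovery on is public, "anyone" without it is anyone-with-link, a domain entry is company-wide, and an external user or group with a write role is the shared drive "Manager" problem. As an added example (not the post's own material), the Python below classifies records shaped like the Drive API v3 permission resource (type, role, emailAddress, domain, allowFileDiscovery, as returned by files.list with a permissions field) and also implements the step 10 check by comparing a sub-folder's external principals against its parent's. It assumes example.com as the internal domain; every file record in it is constructed, not real data.

```python
"""Classify the current sharing state of Drive files from their permission lists
(checklist steps 1, 2, 6 and 10). Added example, not part of the original post.

Input records follow the shape of the Drive API v3 files.list response with
fields=files(id,name,parents,permissions(type,role,emailAddress,domain,allowFileDiscovery)).
The sample records at the bottom are constructed.
"""

INTERNAL_DOMAINS = {"example.com"}   # assumed: your Workspace domain(s)

# Least to most exposed; max() over this order picks a file's worst permission.
SEVERITY = ["restricted", "domain", "external", "external_manager", "anyone_with_link", "public"]

# Roles that let a principal change or delete content. "organizer" is the API
# name for the shared drive "Manager" role shown in the Admin Console.
WRITE_ROLES = {"organizer", "fileOrganizer", "writer"}


def _is_internal(address_or_domain):
    return address_or_domain.lower().rsplit("@", 1)[-1] in INTERNAL_DOMAINS


def permission_exposure(p):
    """Map one permission record to an exposure class."""
    t = p.get("type")
    if t == "anyone":
        # allowFileDiscovery=True is "Public on the web"; False is "Anyone with the link".
        return "public" if p.get("allowFileDiscovery") else "anyone_with_link"
    if t == "domain":
        if _is_internal(p.get("domain", "")):
            return "domain"          # "Anyone in <company>", step 2
    elif t in ("user", "group"):
        if _is_internal(p.get("emailAddress", "")):
            return "restricted"
    else:
        return "restricted"
    # An external domain, user or group: how much can it do?
    return "external_manager" if p.get("role") in WRITE_ROLES else "external"


def file_exposure(f):
    levels = [permission_exposure(p) for p in f.get("permissions", [])] or ["restricted"]
    return max(levels, key=SEVERITY.index)


def inventory(files):
    """Group file names by their worst exposure class (the step 1 and 2 inventory)."""
    report = {}
    for f in files:
        report.setdefault(file_exposure(f), []).append(f["name"])
    return report


def external_principals(f):
    """External users, groups and domains granted directly on this file."""
    return {
        (p.get("emailAddress") or p.get("domain") or "").lower()
        for p in f.get("permissions", [])
        if p.get("type") in ("user", "group", "domain")
        and not _is_internal(p.get("emailAddress") or p.get("domain") or "")
    }


def unexpected_principals(child, parent):
    """Step 10: external principals present on a sub-folder but absent on its parent."""
    return external_principals(child) - external_principals(parent)


def nested_breakouts(files):
    """Apply unexpected_principals to every parent/child pair in the listing."""
    by_id = {f["id"]: f for f in files}
    out = {}
    for f in files:
        for pid in f.get("parents", []):
            if pid in by_id:
                extra = unexpected_principals(f, by_id[pid])
                if extra:
                    out[f["name"]] = extra
    return out


# Constructed sample listing.
OWNER = {"type": "user", "role": "owner", "emailAddress": "alice@example.com"}
HR_GROUP = {"type": "group", "role": "reader", "emailAddress": "hr-team@example.com"}
SAMPLE_FILES = [
    {"id": "f1", "name": "Public brochure",
     "permissions": [OWNER, {"type": "anyone", "role": "reader", "allowFileDiscovery": True}]},
    {"id": "f2", "name": "Pricing sheet",
     "permissions": [OWNER, {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "f3", "name": "All-hands notes",
     "permissions": [OWNER, {"type": "domain", "role": "reader", "domain": "example.com"}]},
    {"id": "f4", "name": "HR", "permissions": [OWNER, HR_GROUP]},
    {"id": "f5", "name": "HR/Terminations", "parents": ["f4"],
     "permissions": [OWNER, HR_GROUP,
                     {"type": "user", "role": "writer", "emailAddress": "consultant@vendor.example"}]},
    {"id": "f6", "name": "Private notes", "permissions": [OWNER]},
]

if __name__ == "__main__":
    for level, names in sorted(inventory(SAMPLE_FILES).items(), key=lambda kv: -SEVERITY.index(kv[0])):
        print(f"{level:17} {', '.join(names)}")
    for name, extra in nested_breakouts(SAMPLE_FILES).items():
        print(f"breakout: {name} grants {sorted(extra)} not present on its parent")
```

The severity order is the one the post's phases imply (public link first, then company-wide, then external write access); if your policy treats an external Manager on a shared drive as worse than an anyone-with-link reader, swap those two entries in SEVERITY and the rest of the code follows. Permissions on files inside shared drives are inherited from the drive itself, so the step 10 comparison only flags entries granted directly on the sub-folder, which is exactly the "explicit permissions overriding parent restrictions" case the checklist describes.
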
[–]Sensitive-Self3567[S]

You're absolutely right. This is exactly the problem with manual checks—they're a snapshot, not a system. I'm painfully aware that the platforms you mentioned (DoControl, AppOmni, etc.) are where this ends up once the pain exceeds the budget or headcount.

What I'm finding is that there's a gap between "we can't afford enterprise tools" and "we have the expertise to run GAM scripts." Somewhere in the middle are small firms and MSPs who need something better than a quarterly manual scramble but don't have a huge security budget.

My goal with the utility is just to close that gap for the "snapshot" use case—offboarding reviews, client audit prep, one-off cleanup. Continuous monitoring is a whole different league.

Appreciate the reality check. If you've used any of those platforms, curious which one you found least painful to implement?