One Click to Clean House: How We Removed a Former Employee’s Access Across Our Entire Google Drive

stacy | Tips & Tricks

TL;DR: We built a Google Apps Script that scans our entire Google Drive (My Drive + Shared Drives), finds every file/folder where a given email has access, and removes that access in bulk—with safety checks, dry-run, logs, and a CSV audit. It turned a tedious, error-prone chore into a 2-minute, repeatable process. Want the script? It’s free—email Stacy Cook and he’ll share it.


The problem we had (and you probably do too)

An employee left. Their personal email still had access to… a lot: handbooks, briefs, client folders, old proposals—you name it. Manually opening “Share” → “Remove” file by file was a time sink and guaranteed to miss something. We needed a drive-wide, exact, and auditable way to revoke access.

So we wrote a small script to:

  • Search every file/folder we could see in Drive
  • Detect if the target email was a collaborator (any role)
  • Remove that permission in one go
  • Log what changed, what failed, and what was already clean

What the script does

  • Targets one or more emails (e.g., personal Gmail the employee used).
  • Discovers access across My Drive and Shared Drives you can manage.
  • Removes the permission safely (never touches owners; can skip writers/organizers if you choose).
  • Dry-run mode to preview everything before changes.
  • CSV exports: results (removed / skipped / not found / failed) for HR + IT audit trails.
  • Optional notifications (usually off for revokes).

How it works (in plain English)

  1. Inventory: Uses Drive API to list files/folders you can administer (paged; supports Shared Drives).
  2. Match: For each item, reads permissions and looks for the target email(s).
  3. Decision: For each match, the policy decides: remove, skip (e.g., if they’re owner), or flag.
  4. Action: Removes the permission in batch-like loops (rate-limit friendly).
  5. Record: Writes a results CSV: item, type, old role, action, error (if any).
  6. Verify (optional): Re-scan the deltas to confirm no lingering access.

Safety & error handling

  • Dry-run first: Prints exactly what would be removed—no surprises.
  • Owner safety: Never attempts to remove file owners.
  • Role guards: Configurable: remove all non-owners, or only viewers/commenters.
  • Shared Drive aware: Requires you to be Manager/Content manager to modify permissions.
  • Rate-limit backoff: Retries on transient 403/429 with exponential delay.
  • Full audit trail: Results CSV + human-readable summary.
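The rate-limit backoff item hides a trap: Drive returns 403 both for rate limiting and for "you may not change this permission", and only the first is worth retrying. The sketch below is an added example, not the script described in this post. It assumes errors expose `code` and `reason` fields, and `withBackoff`, `isTransient` and `demoFlakyDelete` are hypothetical names.

```javascript
// Added example, not the original script. The error shape ({ code, reason }) is an
// assumption; rateLimitExceeded and userRateLimitExceeded are Drive API error reasons.
const RATE_LIMIT_REASONS = new Set(['rateLimitExceeded', 'userRateLimitExceeded']);

// A 403 is transient only when its reason is a rate limit. A 403 for missing
// permission never succeeds on retry and belongs in the "failed" column.
function isTransient(err) {
  if (err.code === 429) return true;
  return err.code === 403 && RATE_LIMIT_REASONS.has(err.reason);
}

// Run fn, retrying transient errors with exponential delay plus jitter.
// sleep(ms) is injected: Utilities.sleep in Apps Script, a recorder in tests.
function withBackoff(fn, sleep, opts = {}) {
  const { maxAttempts = 5, baseMs = 1000, random = Math.random } = opts;
  for (let attempt = 1; ; attempt++) {
    try {
      return fn();
    } catch (err) {
      if (!isTransient(err) || attempt >= maxAttempts) throw err;
      sleep(baseMs * 2 ** (attempt - 1) + Math.floor(random() * 1000));
    }
  }
}

// Constructed simulation: two rate-limit 403s, then the removal succeeds.
function demoFlakyDelete() {
  let calls = 0;
  const delays = [];
  const result = withBackoff(() => {
    if (++calls <= 2) {
      throw Object.assign(new Error('Rate Limit Exceeded'), { code: 403, reason: 'rateLimitExceeded' });
    }
    return 'removed';
  }, (ms) => delays.push(ms), { random: () => 0 });
  return { result, calls, delays };
}
```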

Configuration knobs (simple)

  • TARGET_EMAILS: One or more emails to purge.
  • SCOPE: My Drive only, Shared Drives, or both.
  • ROLE_POLICY: Remove any non-owner vs. only lower roles.
  • DRY_RUN: true to preview; false to enact.
  • NOTIFY: false (default) so no emails go out during revocation.
  • CSV_FOLDER: Where to drop the results CSV(s).
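To make the match, decision and record steps concrete, here is an added sketch (not the script this post describes) that applies the owner and role guards, honours dry-run, and builds the audit CSV. The config keys are the knobs listed above, but their value formats, the function names, the `removePermission` callback and all sample data are assumptions.

```javascript
// Added example, not the original script; value formats and sample data are assumptions.
const CONFIG = {
  TARGET_EMAILS: 'former.employee@example.com', // comma-separated list
  ROLE_POLICY: 'LOWER_ROLES_ONLY',              // or 'ALL_NON_OWNERS'
  DRY_RUN: true,
};
const LOWER_ROLES = new Set(['reader', 'commenter']); // Drive API names for viewer/commenter
// Constructed items shaped like Drive API v3 files with their permissions lists.
const SAMPLE_ITEMS = [
  { id: 'f1', name: '=Handbook', mimeType: 'application/pdf', permissions: [
    { id: 'p1', type: 'user', role: 'reader', emailAddress: 'Former.Employee@example.com' },
    { id: 'p2', type: 'user', role: 'writer', emailAddress: 'colleague@example.com' }] },
  { id: 'f2', name: 'Old proposal', mimeType: 'application/pdf', permissions: [
    { id: 'p3', type: 'user', role: 'owner', emailAddress: 'former.employee@example.com' }] },
];

// Decision step for one permission resource: owners are never removed.
function decide(perm, config) {
  const targets = config.TARGET_EMAILS.split(',').map((e) => e.trim().toLowerCase());
  const email = (perm.emailAddress || '').toLowerCase();
  if (perm.type !== 'user' || !targets.includes(email)) return 'not_target';
  if (perm.role === 'owner') return 'skip_owner';
  if (config.ROLE_POLICY === 'LOWER_ROLES_ONLY' && !LOWER_ROLES.has(perm.role)) return 'skip_role';
  return config.DRY_RUN ? 'would_remove' : 'remove';
}

// Match + action + record. removePermission(fileId, permissionId) is a hypothetical
// callback wrapping the real delete call; it is never invoked while DRY_RUN is true.
function planRevocations(items, config, removePermission) {
  const rows = [['item', 'type', 'email', 'old_role', 'action', 'error']];
  for (const item of items) {
    for (const perm of item.permissions) {
      let action = decide(perm, config), error = '';
      if (action === 'not_target') continue;
      if (action === 'remove') {
        try { removePermission(item.id, perm.id); action = 'removed'; }
        catch (e) { action = 'failed'; error = String(e.message || e); }
      }
      rows.push([item.name, item.mimeType, perm.emailAddress, perm.role, action, error]);
    }
  }
  return rows;
}

// CSV with every cell quoted; a leading = + - @ gets an apostrophe so a file name
// chosen by the departing user cannot execute as a formula when the audit is opened.
function toCsv(rows) {
  const cell = (v) => '"' + String(v).replace(/^([=+\-@])/, "'$1").replace(/"/g, '""') + '"';
  return rows.map((r) => r.map(cell).join(',')).join('\n');
}
```

Address matching is case-insensitive because the address HR supplies rarely matches the stored casing exactly.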

How we used it (our playbook)

  1. HR supplied the email(s) to revoke.
  2. Set DRY_RUN = true and ran the scan—reviewed the “would remove” list.
  3. Flipped DRY_RUN = false and ran the removal.
  4. Received a summary (removed/failed/skipped) and the results CSV for HR’s file.
  5. Ran a verify pass to ensure zero lingering access.
  6. Repeated for the Agency Starter Kit bundle and other sensitive folders just to be safe.

Bonus: other things this script is great for

  • Contractor offboarding: Remove marketing/vendor emails in one sweep after a project ends.
  • Scope reduction: Downgrade large groups from “editor” to “viewer” across a shared workspace, with a diff CSV.
  • Compliance sweeps: Quarterly “no personal emails on client folders” cleanup.
  • M&A migrations: Normalize sharing across legacy orgs before a big Drive move.
  • Guest access expiration: Time-boxed access that’s easy to revoke later.
  • Security incident response: Rapidly remove a compromised account’s access surface.

What it doesn’t do (by design)

  • Doesn’t remove owners (Drive disallows it unless you transfer ownership first).
  • Doesn’t expand Google Groups to member emails (can be added with Admin Directory API if you’re a Workspace admin).
  • Doesn’t revoke domain-wide or “anyone with link” sharing unless you turn on those toggles—you can, but we keep defaults safe.

Get the script (free)

Want a copy? Email Stacy Cook and he’ll share the latest version plus a quick start guide (paste into Apps Script, set CONFIG, run in dry-run first).


FAQ

Will users be notified when removed?
No—by default NOTIFY = false. You can enable notifications, but we don’t for revocations.

Can I target multiple emails?
Yes—comma-separated list. The CSV shows which items each address was removed from.

Will this work on Shared Drives?
Yes, provided your account has Content manager or Manager on those drives.

Is there an undo?
We export a results CSV; if needed, you can re-grant access with our companion “copy shares” script using that list.


If you want the script, help setting it up, or a folder-wide / workspace-wide version with progress reporting, just reach out to Stacy Cook. We’re happy to share. 🚀
