This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
FAQ Log in to ask a question

Change all settings on a shared drive - people with link view

alexgrutza
Contributor III

‎06-02-2025 08:19 AM

So we got notice that our storage was at 10% available. So I looked and appears that an @gmail.com address was able to create a Shared Drive within our GW, and upload 4TB of Vietnamese movies... 

I'm currently investigating to see if/who at our Organization had their account compromised to add these @gmail.com accounts, but so far the audit (EDU Fund) is less than helpful. 

I've opened a P1 case with Google considering to our ability to access audit logs, that no one within our Organization created this Shared Drive.

To the topic of the subject of this post: if we have the following settings, does that mean the "people with link" can no longer view? Or do we have to use GAM to unshared everything in that Shared Drive? I don't want to delete it at this time in case Google support needs to have it available to investigate.

alexgrutza_0-1748877514422.png

 

--
CISSP | LinkedIn | @Phyxiis
Topics:
0 Kudos
Reply
5 REPLIES 5

alexgrutza
Contributor III

‎06-02-2025 08:34 AM

It would appear the drive was created in 2022, and the creator no longer exists (doesn't show up in the creator column in GW admin). So my guess is two things without Google getting back yet: 6 month log retention that we have access to, potentially Google has longer access, and that the creator had created this shared drive and shared it or the account was compromised and subsequently deleted after having shared it. 

The further logs we have is from Feb/2025 of a gmail account uploading a zip file, but nothing further back than that

--
CISSP | LinkedIn | @Phyxiis
0 Kudos
Reply

mpartenope4676
Contributor
In response to alexgrutza

‎06-02-2025 11:12 AM

If you have GAM set up, you should be able to run this command and you might be able to find a little more info. Modify "testuser" to be an account that has access and "1234ABCD" with the folder id that shows up in the address bar when you have the root folder open.

gam user testuser show fileinfo 1234ABCD

0 Kudos
Reply

Kim_Nilsson
Admin Moderator

‎06-11-2025 03:52 AM

I recommend activating log export to BigQuery, so you (in the future!) have a second chance of seeing events older than six months.

--
https://wheretofind.me/@NoSubstitute
Reply

alexgrutza
Contributor III
In response to Kim_Nilsson

‎06-24-2025 05:42 AM

Unfortunately we're not using Cloud Identity Free or Premium and we're on EDU Fundamentals 😞

--
CISSP | LinkedIn | @Phyxiis
0 Kudos
Reply

Kim_Nilsson
Admin Moderator
In response to alexgrutza

‎07-03-2025 08:12 AM

Might be worth temporarily activating Cloud Identity Premium for your admin user, and see if the feature becomes available. Sometimes certain features become available as long as the admin has a licence. Others, sadly, require all users to have such licences.

If it works, it's a cheap way to get the feature and not have to go for Standard/Plus for all users.

--
https://wheretofind.me/@NoSubstitute
0 Kudos
Reply
  • © 2023 Google. All rights reserved.
  • Privacy Policy
  • Terms of Service
  • Community Guidelines