This repository contains a collection of Python scripts to help Google Workspace administrators audit, assess, and manage their organization's resources. These tools provide detailed exports and analysis capabilities beyond what's available in the Google Admin Console UI.
- Advanced Shared Drive Finder - Locate all Shared Drives in your organization using multiple methods
- Google Workspace Assessment - Export groups, memberships, buildings, rooms, and calendar resources
- Google Workspace Groups Export - Export only groups and their memberships
- Google Users Assessment - Collect Gmail and Drive usage statistics for users
- Google Mailbox Permissions Exporter - Export mail delegations, forwarding, and access settings
These scripts require Python 3.7 or newer. Check your Python version:
python --version
If needed, download and install Python from python.org.
Install all required Python packages:
pip install google-api-python-client google-auth google-auth-oauthlib google-auth-httplib2 pandas
- Go to the Google Cloud Console
- Click on the project dropdown at the top of the page
- Click "New Project"
- Enter a project name (e.g., "Workspace Admin Tools")
- Click "Create"
- Once created, select your new project from the dropdown
- In your Google Cloud project, go to "APIs & Services" > "Library"
- Search for and enable each of these APIs:
- Admin SDK API
- Google Drive API
- Gmail API
- Google Sheets API (if needed)
- Go to "IAM & Admin" > "Service Accounts"
- Click "Create Service Account"
- Enter a service account name (e.g., "workspace-admin-tools")
- Add a description (optional)
- Click "Create and Continue"
- For the "Grant this service account access to project" step, you can skip it by clicking "Continue"
- For the "Grant users access to this service account" step, click "Done"
- Find your new service account in the list, click the three dots menu, and select "Manage keys"
- Click "Add Key" > "Create new key"
- Select "JSON" and click "Create"
- The key file will download automatically - keep this secure!
- Go to your Google Workspace Admin Console at admin.google.com
- Navigate to Security > Access and data control > API controls
- In the "Domain-wide Delegation" section, click "Manage Domain Wide Delegation"
- Click "Add new"
- Enter the Client ID from your service account (found in the service account details page)
- Add the following OAuth scopes (or copy the complete list from below):
https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.group.readonly
https://www.googleapis.com/auth/admin.directory.group.member.readonly
https://www.googleapis.com/auth/admin.directory.resource.calendar.readonly
https://www.googleapis.com/auth/admin.directory.orgunit.readonly
https://www.googleapis.com/auth/admin.directory.domain.readonly
https://www.googleapis.com/auth/gmail.settings.basic
https://www.googleapis.com/auth/gmail.settings.sharing
https://www.googleapis.com/auth/drive
https://www.googleapis.com/auth/drive.readonly
https://www.googleapis.com/auth/admin.reports.audit.readonly
https://www.googleapis.com/auth/admin.reports.usage.readonly
https://apps-apis.google.com/a/feeds/emailsettings/2.0/
- Click "Authorize"
These are all the possible scopes you might need for the tools in this repository:
https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.group.readonly
https://www.googleapis.com/auth/admin.directory.group.member.readonly
https://www.googleapis.com/auth/admin.directory.resource.calendar.readonly
https://www.googleapis.com/auth/admin.directory.resource.calendar
https://www.googleapis.com/auth/admin.directory.orgunit.readonly
https://www.googleapis.com/auth/admin.directory.domain.readonly
https://www.googleapis.com/auth/gmail.settings.basic
https://www.googleapis.com/auth/gmail.settings.sharing
https://www.googleapis.com/auth/drive
https://www.googleapis.com/auth/drive.readonly
https://www.googleapis.com/auth/admin.reports.audit.readonly
https://www.googleapis.com/auth/admin.reports.usage.readonly
https://apps-apis.google.com/a/feeds/emailsettings/2.0/
Note that each script only uses a subset of these permissions. You can review each script to determine the minimum required scopes if you prefer to limit permissions.
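As an added example (not code from this repository), the following sketch reviews the complete scope list above before it is authorized: it separates the read-only scopes from the broader ones, reports broad scopes that make a `.readonly` sibling redundant, and lists what a single script would leave unused. The `.readonly` suffix test is a heuristic, and `GROUPS_EXPORT_NEEDS` is a hypothetical per-script requirement that must be confirmed against the script itself.

```python
# Added example, not from the repository. Scope strings are copied from the
# list above; the ".readonly" suffix test is a heuristic classification.
PREFIX = "https://www.googleapis.com/auth/"
GRANTED = [PREFIX + s for s in (
    "admin.directory.user.readonly",
    "admin.directory.group.readonly",
    "admin.directory.group.member.readonly",
    "admin.directory.resource.calendar.readonly",
    "admin.directory.resource.calendar",
    "admin.directory.orgunit.readonly",
    "admin.directory.domain.readonly",
    "gmail.settings.basic",
    "gmail.settings.sharing",
    "drive",
    "drive.readonly",
    "admin.reports.audit.readonly",
    "admin.reports.usage.readonly",
)] + ["https://apps-apis.google.com/a/feeds/emailsettings/2.0/"]

# Assumption (hypothetical): what a groups-only export needs. Confirm against
# the scopes actually requested in the script before trimming the grant.
GROUPS_EXPORT_NEEDS = [
    PREFIX + "admin.directory.group.readonly",
    PREFIX + "admin.directory.group.member.readonly",
]

def review_scopes(scopes):
    """Split a delegation grant into read-only and broader scopes."""
    granted = set(scopes)
    suffix = ".readonly"
    read_only = sorted(s for s in granted if s.endswith(suffix))
    broader = sorted(granted - set(read_only))
    # A broad scope granted beside its .readonly sibling makes the sibling
    # redundant: the effective access is the broad one.
    shadowed = sorted((s[:-len(suffix)], s) for s in read_only
                      if s[:-len(suffix)] in granted)
    return {"read_only": read_only, "broader": broader, "shadowed": shadowed}

def excess_scopes(granted, needed):
    """Scopes delegated to the service account that a given script never uses."""
    return sorted(set(granted) - set(needed))

if __name__ == "__main__":
    report = review_scopes(GRANTED)
    print("Not read-only (review each before authorizing):")
    for scope in report["broader"]:
        print("  ", scope)
    for broad, narrow in report["shadowed"]:
        print(f"{narrow} is redundant while {broad} is granted")
    print(len(excess_scopes(GRANTED, GROUPS_EXPORT_NEEDS)), "scopes unused by a groups-only run")
```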
All scripts require these basic parameters:
- --domain - Your Google Workspace domain (e.g., example.com)
- --service-account - Path to your service account JSON key file
- --admin-email - Email of an admin with appropriate permissions
Locates all Shared Drives using multiple methods:
python advanced_shared_drive_finder.py --service-account /path/to/service-account.json --admin-email admin@yourdomain.com
Additional options:
- --deep-search - Enable more thorough searching (slower)
- --output-file - Specify custom output file (default: found_shared_drives.json)
Exports groups, memberships, buildings, rooms, and calendar resources:
python google_workspace_assessment.py --domain yourdomain.com --service-account /path/to/service-account.json --admin-email admin@yourdomain.com --output-dir workspace_exports
The script will create a directory with the following CSV files:
- groups_export.csv
- group_memberships_export.csv
- buildings_export.csv
- rooms_export.csv
- equipment_export.csv
Simplified version that only exports groups and memberships:
python google_workspace_groups_export.py --domain yourdomain.com --service-account /path/to/service-account.json --admin-email admin@yourdomain.com
Output will be saved to:
- workspace_exports/groups_export.csv
- workspace_exports/group_memberships_export.csv
Collects Gmail and Drive usage statistics for users:
python google_users_assessment.py --domain yourdomain.com --service-account /path/to/service-account.json --admin-email admin@yourdomain.com --output-dir workspace_stats --max-users 10
Additional options:
- --max-users - Maximum number of users to process (0 for all)
Output includes:
- workspace_stats/workspace_stats_complete.csv - Contains Gmail and Drive usage metrics
- Raw data in JSON format for detailed analysis
Exports mail delegation, forwarding, and access settings:
python google_mailbox_permissions.py --domain yourdomain.com --service-account /path/to/service-account.json --admin-email admin@yourdomain.com --output-dir mailbox_permissions --max-users 10
Additional options:
- --max-users - Maximum number of users to process (0 for all)
Output includes:
- mailbox_permissions/mailbox_permissions_complete.csv - Main permissions report
- mailbox_permissions/detailed_delegates.csv - Delegate relationships
- mailbox_permissions/detailed_forwarding.csv - Email forwarding settings
If you see errors like "Request had insufficient authentication scopes":
- Verify that you've enabled all required scopes in domain-wide delegation
- Check that your service account has the correct OAuth scopes
- Ensure your admin user has appropriate permissions in Google Workspace
These scripts include delays to prevent hitting API rate limits. If you still encounter rate limit errors:
- Increase the delay by modifying the time.sleep() values in the scripts
- Run the scripts during off-peak hours
- Process fewer users at a time using the --max-users parameter
If a script crashes during execution:
- Check the error message for specific API issues
- Many scripts save partial results, so you can often recover some data
- For large exports, consider running with a smaller --max-users value
- Store service account key files securely
- Use a dedicated service account for these administrative scripts
- Review the permissions needed and only grant what's necessary
- Run these scripts periodically to maintain accurate records
- Store exports securely as they may contain sensitive information
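One way to check the first two points before each run, as an added example that is not part of this repository: the sketch below confirms that the key file passed to --service-account is readable only by its owner and is a service account key, and returns the Client ID so it can be matched against the Domain-wide Delegation entry. It assumes POSIX file modes; `SAMPLE_KEY` is constructed placeholder data.

```python
import json
import os
import stat

# Constructed sample with placeholder values; a real key file downloaded from
# the Cloud Console carries these fields among others.
SAMPLE_KEY = {
    "type": "service_account",
    "client_email": "workspace-admin-tools@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "private_key": "PLACEHOLDER-NOT-A-REAL-KEY",
}
REQUIRED_FIELDS = ("type", "client_email", "client_id", "private_key")

def check_key_file(path):
    """Return (client_id, findings) for a service account JSON key file."""
    findings = []
    # Any group/other permission bit means other local accounts can reach the key.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} exposes the key to group/other; use 0600")
    with open(path, encoding="utf-8") as fh:
        key = json.load(fh)
    missing = [f for f in REQUIRED_FIELDS if f not in key]
    if missing:
        findings.append("missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        findings.append("not a service account key (type != service_account)")
    return key.get("client_id"), findings

if __name__ == "__main__":
    import sys
    client_id, findings = check_key_file(sys.argv[1])
    print("Client ID to match in Domain-wide Delegation:", client_id)
    for finding in findings:
        print("WARNING:", finding)
    sys.exit(1 if findings else 0)
```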