Skip to main content

How to Find Publicly Shared Files in Google Drive

"Anyone with the link" is Google Drive's most useful sharing setting — and its most dangerous one. Toggling it on takes one click. Forgetting about it lasts forever.

This guide shows you how to find every publicly shared file in your Google Drive in one pass, using the free DriveAuditr Google Sheets template.

What "publicly shared" actually means in Google Drive

Drive has a few sharing modes that all get called "public":

ModeWho can access
Anyone on the internet (link)Anyone with the URL — no login required
Anyone in your domain (link)Any signed-in user at your company
Specific peopleOnly the listed users
Published to webIndexable, served as a webpage

The most common silent risk is the first one — files set to "Anyone with the link" that should have been set to "Specific people." In the Drive permissions API these show up as a permission with type = anyone and domain empty, which is exactly what we filter on.

Step 1: Get the free audit template

Open the DriveAuditr template (free, emailed instantly) and click "Make a copy". The template runs entirely in your Google account — your files and metadata never leave it.

Step 2: Run the audit

Drive Audit → Run Audit Now

Authorize read-only Drive access on the first run. The script is open source; the source is short enough to read end-to-end.

Step 3: Filter for public files

Once the audit finishes, open the "Drive Audit" tab and apply this filter:

Permission type = anyone

Every row that comes back is a file accessible to anyone with the link. You'll see at a glance:

  • The file's name and direct URL
  • Who owns it
  • Whether the public access is reader (view-only), commenter, or — most concerning — writer (anyone can edit)
  • When it was last modified

If a row has Permission type = anyone and Role = writer, anyone with the URL can change the file. Treat those as P0.

Step 4: Decide what to do with each file

Walk the filtered list and bucket each row into one of three actions:

  1. Revoke the public link entirely. Best default — switch to "Restricted" or "Specific people."
  2. Downgrade the role. If a file legitimately needs to be public (a marketing PDF, a public form), at least make sure the public access is reader, never writer.
  3. Leave it as-is, but document why. For genuinely public content (press kits, public templates), add a note in a separate "Approved public files" sheet so future audits don't re-flag them.

Open the file via the Direct URL column, click Share, and adjust the link sharing setting. The next audit will confirm the change.

A useful sub-filter: external domain shares

While you have the audit open, run a second pass for one more risky pattern — files shared with an entire external domain:

Permission type = domain AND Domain ≠ your company domain

This finds files where the sharing dialog says "Anyone at somecompany.com with the link." That's nearly as broad as a public link and is just as easy to forget.

Step 5: Make this recurring

A one-time cleanup is only as good as the moment you finished it. Schedule the audit:

Drive Audit → Setup Weekly Schedule

Add a conditional format that highlights any row where Permission type = anyone. Now any newly-public file shows up bright red the next time you open the sheet — turning audit from a project into a passive monitor.

What about files "Published to web"?

Drive's "Publish to web" feature (File → Share → Publish to web in Docs/Sheets/Slides) is a separate publishing mechanism. It doesn't appear in the standard permissions list and isn't surfaced by this audit. For sensitive documents, also confirm Publish to web is off — it's per-file and rarely used, but worth a manual check on anything mission-critical.

FAQ

Will this find files inside Shared Drives? Yes — any Shared Drive you're a member of is scanned.

Can it find public files I don't own? Only if you have access to them. To get a tenant-wide view, run the audit from a Workspace super-admin account.

Does the script change anything? No. The audit is read-only. Every revocation is something you do yourself in the Drive UI after reviewing the list.

Next steps

Questions or a specific use case? Email driveauditr@terrydjony.com.