Google Workspace Pain: What We See in the Wild
A rant from the Workspace admin trenches: My Drive sprawl, the CFO who never enrolled in 2SV, six-year-old shared links, and the licence stuck on day one.
TL;DR
Every Workspace tenant we audit has the same eight pains. None are exotic. All of them are admin discipline that nobody got round to. Here are the patterns, the consequences, and which three of yours are probably the worst.
Everyone Saves to My Drive Anyway
You bought Workspace. You set up shared drives. You sent the email. People nodded.
Six months later the finance team’s quarterly model lives in Bongani’s My Drive. The board pack template lived in the My Drive of someone who left in 2023. Now it doesn’t, because at offboarding nobody transferred it and the admin console deleted the lot after the grace period.
This is the single most common Workspace pain we see. Shared drives survive the human. My Drive does not. Enforce shared-drive discipline at the OU level, or every offboarding becomes an archaeology dig.
The CFO Still Hasn’t Enrolled in 2SV
It has been five years. You “rolled it out” in a town hall. Compliance is delighted on paper.
Then the audit lands and you check the admin console security report. 2SV is set to “encouraged” instead of “enforced”. Nineteen accounts haven’t enrolled. Eleven are dormant. Eight are real, active humans, including the finance director and (because of course) the CEO’s PA with delegated access to half the executive calendars.
Twenty minutes of admin work and one uncomfortable conversation. Set 2SV to Enforced at the tenant level with a grace period. Security keys for super admins. Audit quarterly. The reason you haven’t already is political, not technical, and a breach won’t care which one it was.
Permissions Sprawl from One Shared Link, Six Years Ago
In 2019 someone shared a folder with “anyone with the link can view”. Just for the demo. Just for one client meeting. Just to make Tuesday easier.
That folder now contains 1,400 files. Half are still public. Two are payroll spreadsheets with ID numbers. The link has been forwarded into three WhatsApp groups and pasted into a vendor onboarding form. Google’s Drive sharing report will tell you about it in two clicks. Nobody runs the Drive sharing report.
Run it now. Reports → Drive → Files shared externally. Filter to “anyone on the internet”. Read the list. Cry. Fix it.
We cover this in Google Workspace Lockdowns: Hardening for SMEs, but the entry-level move is: turn off “anyone with the link” at the OU level for departments that have no business sharing externally. Finance, HR, exec. Today.
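The sharing report is two clicks in the console, but the same check is worth having as code when a tenant has thousands of files. This is an added example, not the page’s or Google’s own tooling: it works over a constructed Drive API files.list() response (the field names and the “anyone”/“anyoneWithLink” permission ids are the real Drive API ones; the files, owners and ids are made up) and reproduces the “anyone on the internet” filter, worst exposures first.

```python
# Constructed sample in the shape of a Drive API files.list() response requested with
# fields="files(id,name,owners(emailAddress),permissions(id,type,role,allowFileDiscovery))".
# Field names and the "anyone"/"anyoneWithLink" permission ids are the real Drive API ones;
# the files, owners and ids are made up.
FILES = [
    {"id": "f1", "name": "Payroll Q3.xlsx", "owners": [{"emailAddress": "hr@example.com"}],
     "permissions": [{"id": "anyoneWithLink", "type": "anyone", "role": "reader", "allowFileDiscovery": False},
                     {"id": "u1", "type": "user", "role": "owner"}]},
    {"id": "f2", "name": "Demo deck.pptx", "owners": [{"emailAddress": "sales@example.com"}],
     "permissions": [{"id": "anyone", "type": "anyone", "role": "writer", "allowFileDiscovery": True}]},
    {"id": "f3", "name": "Internal notes.docx", "owners": [{"emailAddress": "ops@example.com"}],
     "permissions": [{"id": "d1", "type": "domain", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "f4", "name": "Board pack.docx", "owners": [{"emailAddress": "hr@example.com"}],
     "permissions": [{"id": "u2", "type": "user", "role": "reader"}]},
]

def public_exposures(files):
    """One finding per 'anyone' permission: the 'anyone on the internet' filter, in code."""
    findings = []
    for f in files:
        for p in f.get("permissions", []):
            if p.get("type") != "anyone":
                continue  # domain-, group- and user-scoped shares are a separate review
            findings.append({
                "file_id": f["id"], "name": f["name"],
                "owner": f["owners"][0]["emailAddress"],
                "role": p["role"],
                # allowFileDiscovery=True means search engines can index it, not just people with the link.
                "discoverable": bool(p.get("allowFileDiscovery")),
                "permission_id": p["id"],
            })
    # Worst first: discoverable before link-only, writer before reader, then by name.
    findings.sort(key=lambda x: (not x["discoverable"], x["role"] != "writer", x["name"]))
    return findings

def remediation_plan(findings):
    """The (fileId, permissionId) pairs a permissions.delete() call would take; dry run only."""
    return [(x["file_id"], x["permission_id"]) for x in findings]

def by_owner(findings):
    """Who to have the uncomfortable conversation with, and how many files each."""
    counts = {}
    for x in findings:
        counts[x["owner"]] = counts.get(x["owner"], 0) + 1
    return counts
```

On a real tenant you would page through files.list() with a query such as `visibility='anyoneWithLink'` and feed the results in; the plan is deliberately a dry run so someone reads the list before anything is revoked.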
Nobody Knows What Apps Are Connected via OAuth
Shadow IT used to mean a Dropbox subscription on a personal card. Now it’s “Sign in with Google” on a SaaS app you’ve never heard of, granted the “Read all your Drive files” scope by a sales rep on a free trial that ended fourteen months ago.
Open Security → API Controls → App access control in your admin console. Read the list. Count the apps you don’t recognise. Now check which ones have restricted scopes (Gmail, Drive, full access). That number is almost always above zero. The apps don’t go away when the trial does. The grants don’t expire. The vendor that built them might not even exist anymore.
Make it a quarterly job. Audit, revoke, allowlist what’s approved, block-by-default for the rest. The first pass takes a morning and turns up at least one app you didn’t know existed, touching mail you’d rather it didn’t.
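For the quarterly job, the console list is fine, but the token audit log gives you who granted what and when. This is an added example, not the page’s or Google’s code: it runs over constructed Admin SDK Reports API token-activity records (the record shape is my understanding of what activities.list(applicationName="token") returns; the apps, client ids, users and the allowlist are made up) and pulls out the grants you would review first: unknown client ids holding Gmail or Drive scopes.

```python
# Constructed sample of Admin SDK Reports API token-activity events
# (activities.list(userKey="all", applicationName="token")). The shape (events[].name == "authorize",
# parameters carrying name/value/multiValue) is my understanding of that API; data below is made up.
RESTRICTED_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
}
# Assumed allowlist: client ids your App access control already marks as Trusted.
APPROVED_CLIENT_IDS = {"111-approved.apps.googleusercontent.com"}
EVENTS = [
    {"actor": {"email": "rep@example.com"}, "id": {"time": "2023-12-01T10:00:00.000Z"},
     "events": [{"name": "authorize", "parameters": [
         {"name": "app_name", "value": "TrialCRM"},
         {"name": "client_id", "value": "999-trialcrm.apps.googleusercontent.com"},
         {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/drive.readonly", "email"]}]}]},
    {"actor": {"email": "ops@example.com"}, "id": {"time": "2025-01-10T10:00:00.000Z"},
     "events": [{"name": "authorize", "parameters": [
         {"name": "app_name", "value": "ApprovedTicketing"},
         {"name": "client_id", "value": "111-approved.apps.googleusercontent.com"},
         {"name": "scope", "multiValue": ["https://mail.google.com/"]}]}]},
    {"actor": {"email": "cfo@example.com"}, "id": {"time": "2025-02-01T10:00:00.000Z"},
     "events": [{"name": "authorize", "parameters": [
         {"name": "app_name", "value": "Calendar widget"},
         {"name": "client_id", "value": "555-widget.apps.googleusercontent.com"},
         {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/calendar.readonly"]}]}]},
]

def _param(params, name):
    # Pull one parameter out of an event; multiValue (used for scope) wins when present.
    for p in params:
        if p["name"] == name:
            return p.get("multiValue", p.get("value"))
    return None

def unapproved_restricted_grants(events, approved=APPROVED_CLIENT_IDS):
    """Grants from client ids not on the allowlist that touch mail or Drive, grouped by client id."""
    out = {}
    for rec in events:
        for ev in rec["events"]:
            if ev["name"] != "authorize":
                continue
            params = ev["parameters"]
            cid = _param(params, "client_id")
            hit = set(_param(params, "scope") or []) & RESTRICTED_SCOPES
            if cid in approved or not hit:
                continue  # approved app, or scopes that are not Gmail/Drive: lower priority
            entry = out.setdefault(cid, {"app": _param(params, "app_name"), "users": set(), "scopes": set()})
            entry["users"].add(rec["actor"]["email"])
            entry["scopes"] |= hit
    return out
```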
Drive Desktop Sync, Untracked, Eating Laptops
You let everyone install Drive for desktop. Sensible. Files offline, no VPN gymnastics. Lovely.
What you didn’t do is monitor what people sync. Three years later, half the laptops have synced 400 GB of shared-drive content to a 256 GB SSD. Someone’s machine has been alerting “Drive is full” for nine months and they ignore it because “the IT guy will sort it”. Boot times are ten minutes. The helpdesk thinks it’s a hardware refresh problem.
Selective sync policy enforced at the MDM layer, plus a quarterly check on Drive client health. Mirror only what users need offline. Stream the rest.
Fourteen Super Admins, Most of Them Forgotten
Admin console → Account → Admin roles → Super Admin.
Count them. We’ve seen tenants with fourteen. The ex-MSP. The ex-MSP’s intern. The one-time consultant who set up SSO in 2021. Two founders who haven’t been operational since the Series B. Three “just in case” accounts. The actual admins, somewhere in the middle of the list.
Super admin is a god role. It can disable 2SV on any account, read any mailbox, export any Drive, change billing. Every name on that list is a complete account takeover risk. Trim it to two human supers plus a hardware-key-protected break-glass account. Use scoped Admin roles for everyone else. Nobody does, because it requires an awkward conversation about who’s still trusted and who maybe isn’t.
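Both the 2SV gap above and the super admin headcount come out of the same Directory API user list, so here is one script for both. It is an added example, not the page’s or Google’s code: it works over constructed users.list() records (primaryEmail, isAdmin, isEnrolledIn2Sv, suspended and lastLoginTime are the real Directory API field names; the accounts, dates and the 90-day dormancy threshold are made up) and splits the non-enrolled accounts into dormant and real, active humans, then names the super admins among them.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of Admin SDK Directory API users.list() records.
# Field names are the real ones; accounts and dates are made up. The Directory API reports
# lastLoginTime as 1970-01-01T00:00:00.000Z for accounts that have never signed in.
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)
USERS = [
    {"primaryEmail": "cfo@example.com", "isAdmin": False, "isEnrolledIn2Sv": False,
     "suspended": False, "lastLoginTime": "2025-02-28T08:00:00.000Z"},
    {"primaryEmail": "ceo-pa@example.com", "isAdmin": False, "isEnrolledIn2Sv": False,
     "suspended": False, "lastLoginTime": "2025-02-27T09:30:00.000Z"},
    {"primaryEmail": "intern-msp@example.com", "isAdmin": True, "isEnrolledIn2Sv": False,
     "suspended": False, "lastLoginTime": "2023-06-01T10:00:00.000Z"},
    {"primaryEmail": "admin@example.com", "isAdmin": True, "isEnrolledIn2Sv": True,
     "suspended": False, "lastLoginTime": "2025-03-01T07:00:00.000Z"},
    {"primaryEmail": "leaver@example.com", "isAdmin": False, "isEnrolledIn2Sv": False,
     "suspended": True, "lastLoginTime": "1970-01-01T00:00:00.000Z"},
]

def is_dormant(user, now=NOW, days=90):
    """Dormant = suspended, never signed in, or no sign-in within `days` days (assumed threshold)."""
    if user.get("suspended"):
        return True
    last = datetime.strptime(user["lastLoginTime"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return now - last > timedelta(days=days)

def triage(users, now=NOW):
    """Super admin list plus the 2SV gap split into dormant vs active accounts."""
    supers = sorted(u["primaryEmail"] for u in users if u.get("isAdmin") and not u.get("suspended"))
    not_enrolled = [u for u in users if not u.get("isEnrolledIn2Sv")]
    dormant = sorted(u["primaryEmail"] for u in not_enrolled if is_dormant(u, now))
    active = sorted(u["primaryEmail"] for u in not_enrolled if not is_dormant(u, now))
    # Worst case first: a super admin without 2SV is a full tenant-takeover risk.
    supers_no_2sv = sorted(set(supers) & set(dormant + active))
    return {"super_admins": supers, "dormant_no_2sv": dormant,
            "active_no_2sv": active, "super_admins_no_2sv": supers_no_2sv}

if __name__ == "__main__":
    for key, value in triage(USERS).items():
        print(f"{key}: {len(value)} -> {', '.join(value) or '-'}")
```

The dormant list is what you suspend or delete; the active list is the uncomfortable-conversation list, and anything in the last bucket is today’s job.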
Stuck on Business Starter Since Day One
You bought ten Business Starter seats in 2020. The team is now thirty-five. Storage is full. People are deleting attachments to free space. Vault would help with the legal hold a board member just asked about. Endpoint management would help with the stolen MacBook last month. Neither is on Starter.
The licence-stuck-on-day-one problem is everywhere. The original purchase was right at the time. The business grew. Nobody re-evaluated. The CFO sees “Workspace” as a fixed line item and never twigs that a different SKU would solve three problems already on the risk register.
Walk the SKU ladder honestly. Most SMEs above twenty seats want Business Standard at minimum. Anyone with a whisper of compliance, audit or legal-hold needs to be on Business Plus for Vault. We covered the differences on the Google Workspace page. The cost delta is smaller than people think. The problem-delta is enormous.
What Else Goes Wrong
That’s the 80%. The other 20% is its own genre. Calendar invites with broken recurrence that survived an M365 migration. OUs designed like a family tree, with policy inheritance nobody can predict. Context-Aware Access turned on without a fallback, locking the COO out from a conference hotel. End users forwarding their Gmail to a personal address “for backup”. Drive trash holding two years of accidentally-deleted client work because nobody set retention.
We see it. All of it. We’ve fixed most of it.
The Audit
Thirty-minute Workspace pain audit. No commitment, no slide deck. We sit on your admin console with you, run the obvious checks (2SV enforcement, super admin list, OAuth grants, sharing report, SKU fit, DMARC posture), and name the worst three things in your tenant you don’t currently know about. Usually one of them is something the board would want to know.
If the verdict is “you’ve done the boring work properly”, we’ll say so and you’ll have a clean bill of health on record. We’ve delivered that verdict before. Not often, but more than zero.
To avoid most of the above on the next tenant, work through the Google Workspace onboarding checklist before users land. It forces 2SV, sharing policy, SPF/DKIM/DMARC, and OU structure into the setup instead of bolted on six months later. For the proper offboarding fix, see the Google Workspace offboarding checklist. For the full hardening pass, Google Workspace Lockdowns. For everything else, our services.
Book the 30-minute pain audit and we’ll show you the three worst things in your tenant.