How to Find the Space Used on Google Drive

In this post, you will learn how to find used space on your Google Drive.

Using GAT, enter the User Audit, then select “Quota” from the top bar.

Select 'Users'

It will display Quota available for all the users in your domain

It will display Quota available for all the users in your domain

It shows all the users and their Google account usage.

    • Quota available for individual users
    • Quota used out of the availability
    • Quota used for Drive only
    • Quota used for GMail only
  • Quota used for Photos only

Remember you can use “Apply custom filter” to narrow the search down to find individual users, groups, organizational units and so on. Reports can also be generated based on the usage by individual users/groups.

Create a daily report of files shared internally

As super admins, we are interested in what files are shared in or out of our domain but it can also be quite interesting to see what documents are being shared internally. This is quite easy with the GAT+.

In Drive Audit, click on the apply custom filters button.

In Drive Audit, click on the apply custom filters button.

Select the following search parameters in the filter selection area.

Select the following search parameters in the filter selection area.

Select 'apply & schedule'

Note: We selected a time period since the files were last updated.
In our case since yesterday. Then we schedule the report to run daily.
This report will show us data for all files shared internally within our domain on a daily basis for each previous day going forward.

The date will be changed automatically to run a new search for files shared internally on the next day and so on.

How to Find if the Contents of a Folder Changed

Here is a frequent question we get from our G Suite super admins who use GAT+.

‘I want to know when the contents of a folder change?’ In GAT+ we can automate and set up a scheduled report to give us this information.

Go to Drive Audit, Search for the folder you are interested in using the Apply custom filters button.

"Drive" audit section

Select this filter

Select the following search parameters:

    • Make the type of the search equal to a ‘Title / Description Search’
    • Enter the title of the folder into the Terms field.
  • In the Definition area, select the search parameter Type equal Folder and also Owner equal to user’s email address.

"filers filters" section

Once the folder appears in the Drive result table. Click on the drop-down menu next to the title of the folder. Select the option to ‘Show contents of this folder and its subfolders’. Selecting this option will expand the folder completely open and all files within its folder tree will be displayed.

Select the option to ‘Show contents of this folder and its subfolders’.

Now a search will start. You can refresh the screen to see if the search is complete. Once its done, Apply the filter.

"long search" filter

Once we access the content of the folder we can make another search to find files which have been updated since yesterday. The reason why we are looking back a single day is that we want to create a scheduled report which runs daily and shows us files which have been updated in this folder, this report will run automatically each day and it will update the dates selected and increment it to reflect the new day.

Select filter

Underneath the Long Search ID parameter, add another rule called Updated after or equal yesterday’s date. The select the option ‘Scheduled’.

Underneath the Long Search ID parameter, add another rule called Updated after or equal yesterday’s date. The select the option ‘Scheduled’.

select "apply & schedule"

The report will be shared with you via email with a Google spreadsheet attached.

If this receives 0 results in the spreadsheet it just means nothing changed in that folder since the previous day.

Remove Everyone as an Editor

Removing Everyone as an Editor (where ‘Everyone’ means the whole world).

Many users are not used to the concept of external sharing, sometimes they may share a file to ‘Everyone’ with edit privileges.

Using the G Suite Admin Console finding these files which have ‘Everyone’ as editors is an impossible task, with GAT+ this is made easy.

Note: Sometimes there may be a legitimate reason to have ‘Everyone’ as a viewer, but there are very few circumstances where a company document should have everyone in the world as an editor!

Launch GAT+ and enter Drive Audit. Click on the familiar custom filters button.

Select 'apply custom filter'

When the menu appears, select the following search parameters:

    • Editors contains (exact match) everyone
  • Sharing Flags contains Shared in

select desired edits and apply

Now I can see all of the files which have everyone as editors! So I will now remove these permissions. Click on the File Operations button and select ‘Remove permissions’.

select ‘Remove permissions’.

In the menu that appears select the following configurations:

Enter the key term everyone in the field “Remove Only the following External Shares”. And notify the owners which were affected.

'multi permission change' (for filter selection)

Detailed Audit of External Shares

In this post, we will discuss how you can handle and audit external files shared into your domain. You will quickly be able to analysis which external users are sharing in the most number of files.

select 'drive'

On the GAT+ homepage, click on Drive, then select External Users tab. This will provide a list of all external users.

'external users'

To identify the files shared in by these external users, review the column Owns (not ours).

To identify the files shared in by these external users, review the column Owns (not ours).

The External Users auditing section shows in detail all the external users that have access to documents on your domain as well, some of these docs may be owned by your domain, some not, but they are all opened by or shared explicitly to your users.

The report produces 6 columns, all sortable. The external view lists all the external users and is sorted by the number of documents you have in common but may be sorted by any other column also.  

  • In particular, Can edit (our docs only) is an important sort, to see who the big external collaborators are for documents owned by local users on your domain.
  • Can view (our docs only) indicates files external users can view which are owned by your local users on your domain.
  • Can Edit (any doc) and Can view (any doc) these values may contain files which are not owned solely by your domain, they may be owned by other external domains.

Clicking on any blue number links to the files reflected in that category. This allows the admin to export the detailed metadata about these files.

 

Remove External Users as Editors or Readers

In External Users Tab sort, the column Can Edit (any doc) and Can view (any doc) can be used quickly to remove a particular external share. Click on the values, this will take you to those files.

Next to the email address of the external user will be a drop-down menu. Click on it, and select either remove the external user as an Editor or Reader.

  • Remove this permission, will remove the external user from just that document.
  • Remove userX@externaldomain.com as Reader/Editor from files in the current filter, will remove the external user from all files within the current filter.

Getting Alerted When Files are Shared to Gmail

Some of you may know that you can create G Suite accounts with usernames based on your yahoo.com and hotmail.com accounts. Therefore it is possible to share Google Docs to and from these account names. These Google accounts are typically personal accounts therefore many businesses want to track shares to and from these usernames. In this post, we show you how to monitor files that are shared out to the external domain such as Gmail.com, Hotmail.com, Yahoo.com.

Below is an example of how this can be achieved using GAT+:

set alerts in gat

In Drive audit, Click on the “Apply custom filter” button.
Then we select “Sharing Flags contains Shared Out”
Then any changes made after or equal to yesterday – this is used to display files that have been shared out since yesterday.
Then we add a group which has the option “OR” – this allows us to search, all the external domains, for example, gmail.com, hotmail.com, yahoo.com.
This will display files which have been shared out to the domains above, that have been updated in the last day.

After this, we can schedule a report to run everyday after midnight showing all files that have been shared to these personal domains in the last day. This can be scheduled with different time frame if we like. To schedule the report we can simply select “Scheduled” and an extra submenu will be displayed where we can select “Occurrence” and select the recipients.

To schedule the report we can simply select “Scheduled” and an extra submenu will be displayed where we can select “Occurrence” and select the recipients.

Then we can click “Apply & Schedule”.

This report will now run everyday after midnight producing a report of updated files that have been shared out to members of these of the selected domains.

Find and delete old inactive documents in Google Drive

How to search for all files that have not been viewed since for example, 01 July 2015. 
To find the files across your domain that have not been viewed since 1-July-2015
You can select Drive audit – Apply custom filter – Updated before or equal to July 1, 2015
This will display only the files across  your domain that last been updated before July 2015
How to delete all files that are shown in the search across all users.
You would need to take ownership of the files using GAT+
To do this you would need to use GAT Unlock
You can request to become the owner of those files – by sending the request to your security officer
Once you become owner you can delete the files.
The files will be accessible on your Google drive.
Here is a link you can follow for  GAT Unlock feature if you need.

Apply a Search Filter in Google Drive Audit

Searching for files of a user/editor/reader etc

In GAT’s Google Drive audit, we provide an array of search parameters to filter by. Making it the most useful feature on in this section. You can quickly find files and take action on them or to export this data for archiving purposes.

 

Click on the funnel icon also known as ‘Custom apply filter’ button.

In the menu which appears the default type is set to Simple Filter.

Select Owner parameter equal to UserX’s email address. If you wish not to enter the entire email address then change equal to contains (case insensitive).

 

Other Search parameters are as follows:

  • Organizer – This is related to Team Drive roles, Organizers roles allow users to permanently remove content and modify Team Drive name and membership.
  • User – This search parameter returns files which can be edited, read or are owned by UserX
  • Editors – This search parameter will return files which can be edited by UserX
  • Readers – This search parameter will return files which can be viewed or read by UserX

Long Search

If you wish to find files owned or related (editors, readers, organizers) with a Google Group or a user OU structure this is achieved using the Long Search.

For example, if I want to find all of the files owned by members of Sales Group (sales@generalaudittool.com) I can enter the following info into the fields provided.

Note: If the option Owned is not checked, the search will return files which the members of Sales Group can own, edit, or read. All 3 states will be covered.

 

Once you request the search, it will take a few seconds for the search to complete, the load speed depends on a number of factors mainly the number of files which need to be indexed. Click on the reload button to update the UI and to see if the search is completed.

If the search is complete, select it and apply it.

Once the search is applied you will see all of the files owned by the group you have selected in the Drive result table.

 

Remember you can build on top of this search. For example, if I now wanted to narrow down my search for PDF files owned by Sales Group, I can click on the ‘Apply custom filter’ button.

Then I can add a new rule, for Mimetype equals application/pdf

Of course, you can also apply other search operators to make the search even more narrow and specific.

 

Note: Do not remove the Long Search ID which is shown, this is a reference to the long search you carried out in the previous steps.

 

Measuring user engagement over the last 90 days

We can measure user engagement over the last 90 days (by counting Google Docs created in that time frame).

 

In Drive audit, click on the ‘Apply custom filter’ button.

apply the custom filter

In the Drive Files filters popup, perform the following actions, click on ‘Add group’, in this group select the following search parameters.

  • Type equal Document
  • Type equal Word

Note: This group is OR’d.

Outside of the group add an additional rule.

  • Created After or equal dd/mm/yyyy (look back 3 months)

Filters for Drive files

And then apply the filter.

 

When the results appear in the Drive result table, click on the ‘Export data’ button and select ‘Export to Google Sheet’

‘Export to Google Sheet’

A message will appear when the export is ready.

Data exported to your google drive

The spreadsheet will contain a lot more columns of data.

How to Use GAT to Detect a Sharing Policy Violation

Using GAT to detect a sharing policy violation

 

This example is for a user, but you can also check for sharing violations on a file, or file type, a folder, a group (all the users in the group – ‘Local User/Group’), an organization, a file id and anyone sharing in or to a particular external target such as a user or a domain.

 

Security Lesson Part 1

 

In the Drive Audit, Click Long Search button and enter the email of a local user against whom you wish to make a policy watch. (For a group of users, add the group name to the ‘Local User/Group’ field)

long search

Note: The Owned checkbox will return the documents that user owns only. If left unchecked it will return files that user can edit, read or owns.

Click on the refresh to see if the search is complete, if the search is done, click on the Green checkbox to apply the filter.

 

Now, let’s modify this feature slightly when the results have been displayed. Click on the ‘Apply custom filter’ button.

When the Drive Files filter appears, add these additional search parameters on your existing Long Search.

  • Updated after or equal today’s date dd/mm/yyyy hh:mm
  • Sharing Flags contains Shared out

 

Note: You should also give it a meaningful name, for example, files shared out of UserX on a daily basis.

Once you have added these additional search parameters click on Scheduled. Once Scheduled is selected, you will see additional options. You should make the scheduled report run on a daily basis ‘Every day – after midnight’

You can also choose who should receive this report which contains data on files shared out by user X each day.

 

Click on Apply & Schedule.

 

Now navigate to Scheduled reports on the configuration side menu.

You can modify your existing scheduled jobs from here.

If you want to create action with this policy you can click on Jobs Action Edit this is the icon next to the pen icon.

 

Setting up this scheduled report, you will receive an email with a spreadsheet of all of the files shared out of User X each day.

 

Security Lesson Part 2

 

Although you have created a policy in security lesson part 1 to show you files a user has shared out on a daily basis, there maybe another vulnerability that exists with files shared in that may be used to leak sensitive data. A user on your domain can copy and paste data into this shared in document without your awareness. That is why we recommend creating a schedule report which can show you the files shared in to an individual user, entire group, specific OU structure or folder.

 

In this example we will take a look at files shared into a specific user.

In Drive audit, click on the ‘Apply custom filter’ button.

In the Drive Files filter popup apply the following search parameters.

  • Sharing Flags contains Shared in
  • Flags doesn’t contain Team Drive
  • Editors contains (exact match) UserX’s email address

We will apply the filter instead of scheduling this information. If you wish to schedule this report, add another search parameter

  • Updated After or equal dd/mm/yyyy hh:mm

 

And click on Scheduled checkbox. Select how often you want the report to run.

 

Once the results appear in the Drive result table, you can use the functionalities of GAT Unlock to examine the file contents. For more information about viewing file contents silently read this post “View File Contents: How to silently copy or view files”.

 

Of course, we have made this easy for Admins  – for this type of report for the entire domain, just go to ‘One Click Reports’, select ‘Docs shared in or out changed in the last 24 hour’.