GAT Removes Your Pain Points

Google Drive

1) “What files on my Google domain can everyone on the internet find or see?”

In the GAT+ Drive Audit, one click on the number ‘Open to full public’ shows you all the public files on your domain’s Google Drive. You can also see those that are available to anyone with the link under ‘Open to public with link’ (both reports are just a click away).

2) “We have files that are shared to lots of other domains, how can I see which ones?”

Within the Google Drive Audit and with the press of one button ‘Domain Connections’, we draw a map of your entire set of Drive shares into and out of your domain.

Select each ‘dot’ and it will lead you to those files. From there you can select the number of shared files and be directed to them.

3) “I need to see a list of all the external people that have explicit access to files on your Domain drive?”

In the Drive Audit, one press of the button ‘External Users’ will produce a table that you can sort by the desired column.


Gmail

4) Need to find and remove an email in a hurry? (even from hundreds of accounts!)

In the Email Audit using the ‘Domain Gmail Search’ you can do a live search of every folder in every account on your domain for an email containing text in any location (subject, body, attachment) or any other identifier and have a list of those emails found.

Once you find the emails you need (using Unlock) you can view, download or remove these emails in bulk for one or all accounts.

5) Need to see the top sender or receiver of emails?

Just a press of the ‘Sender/Receiver’ button will tabulate the top senders and receivers of email for your domain or for whatever search you used to narrow the data.

6) Need to delegate access to another user’s email account?

In the “User audit”, select the “Email info” button, select the account you want to add a delegated auditor to, and add them. After it’s approved by the security officer, the user will have delegated access to the person’s email.

7) Need to get a daily/weekly/monthly report of emails per user, sent and received?

In the GAT+ Email audit, select “User Statistics”, which presents the options “Daily Statistics” and “Summary statistics”.

Once you select Daily Statistics, you can apply a filter to schedule daily reports for all emails coming into and going out from all your user accounts. You can also choose to cover a user/group/OU.

G Suite Users

8) Need to save on license costs then you need to know which accounts were not used in the last 6 months.

In GAT+, select ‘Users Audit’ and then ‘Last Login’; the results will be filtered based on last login.

You can apply a filter on ‘Last login’ or ‘Last negative login’ to search for users whose last login to your G Suite domain was 6 months ago.



9) Need to easily bulk add or remove users or simply add/remove/change them between groups and OUs?

In the new GAT+ select the Users report. Filter for the set of users you are interested in working with. Export that selection of users, change the spreadsheet as described here. You can add the users to one or more groups or change their group mix completely. When finished with the changes, just import the spreadsheet to perform all the changes at once.

10) Need to be warned when some critical event has happened on your domain?

Under the Configurations section in GAT+, select ‘Alarms’ and configure the alerts you need. Alarms can be configured and saved on a per-OU basis.

Sharing exposure and file types within Google Drive Audit

GAT+ can present G Suite Super Admins with a lot of useful summaries relating to sharing permissions in Google Drive. This document explains each category.

Drive Audit One click table

Total

This is the total number of files and folders owned by users within your domain or files shared into your domain by external users.

Open to full public

Files publicly shared with the world: anyone who comes across them can see their contents, and users are not required to authenticate themselves or be signed into a Google account. Additionally, the Google search engine can find and index these files. This category includes full public files shared into your own domain by external users.

Open to Public with link

Files publicly shared to anyone with a link. The Google search engine cannot find or index it. Anyone who has been given the URL link to these files can view the contents. This category includes public documents shared via link into your domain by external users.

Open to external users

Any file shared to an external domain such as external editors, readers. Team Drive files with Managers or Content Managers who are from an external domain will have this classification as well.

Open to internal users

This category includes any file which is shared internally to anyone within your own domain. This includes internal editors or readers and our domain (with link). Nevertheless, these files are not shared externally to anyone outside your organization.

Team Drive files

These are Team Drive files.

Team Drive Files with extra shares

When Team Drives are created, they will have Managers, Content Managers, Contributors, Viewers, and Commenters. Any Team Drive file which has permission shares to anyone outside of this defined scope will fall into this category.

Private

Files are not shared with anyone, period. Only the owner can see it.

Trashed

Files that are moved to the Trash/Bin folder on the user’s myDrive.

Orphaned

Here’s how a file can become orphaned:

  • You create a file in someone else’s folder. Then they delete the folder. Your file isn’t deleted because only you can do that. But it’s no longer in a folder.
  • Or, you share a folder with someone who removes your file from the folder. Again, the file isn’t deleted, but it’s no longer in a folder.

This category will show you those orphaned files.

Auth errors

Indicates the number of users GAT+ can not scan properly. If this shows any value, check if GAT+ is turned ON for everyone within the G Suite Admin Console.
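The sharing categories above can be reproduced from raw permission data when you want to cross-check a report. The following is an added example, not GAT+ code: it assumes permission records shaped like the Drive API v3 `permissions` resource (`type`, `role`, `emailAddress`, `domain`, `allowFileDiscovery`), and `OUR_DOMAIN`, `make_perm` and the sample files are constructed for illustration.

```python
from collections import Counter

OUR_DOMAIN = "myorganisation.example"  # assumption: your primary domain

# Most exposed first; a file is reported under the widest category that applies.
CATEGORIES = ["Open to full public", "Open to public with link",
              "Open to external users", "Open to internal users", "Private"]

def perm_domain(perm):
    """Domain a permission points at ('' if it cannot be determined)."""
    if perm.get("type") == "domain":
        return perm.get("domain", "").lower()
    return perm.get("emailAddress", "").rpartition("@")[2].lower()

def perm_category(perm, our_domain=OUR_DOMAIN):
    if perm.get("type") == "anyone":
        # allowFileDiscovery=True means the file can be found through search.
        return CATEGORIES[0] if perm.get("allowFileDiscovery") else CATEGORIES[1]
    # An undeterminable domain is counted as external rather than hidden.
    return CATEGORIES[3] if perm_domain(perm) == our_domain else CATEGORIES[2]

def classify(file_record, our_domain=OUR_DOMAIN):
    """Widest sharing category over all non-owner permissions."""
    rank = len(CATEGORIES) - 1  # start at Private
    for perm in file_record.get("permissions", []):
        if perm.get("role") != "owner":
            rank = min(rank, CATEGORIES.index(perm_category(perm, our_domain)))
    return CATEGORIES[rank]

def one_click_table(files):
    """Count of files per sharing category."""
    return Counter(classify(f) for f in files)

def external_users(files, our_domain=OUR_DOMAIN):
    """External addresses with explicit access -> number of files they can reach."""
    seen = Counter()
    for f in files:
        for perm in f.get("permissions", []):
            if perm.get("type") in ("user", "group") and perm_domain(perm) != our_domain:
                seen[perm.get("emailAddress", "?")] += 1
    return dict(seen)

def make_perm(ptype, role, **fields):
    return {"type": ptype, "role": role, **fields}

# Constructed sample data, one file per interesting case.
OWNER = make_perm("user", "owner", emailAddress="alice@myorganisation.example")
SAMPLE_FILES = [
    {"name": "press-kit.pdf", "permissions": [
        OWNER, make_perm("anyone", "reader", allowFileDiscovery=True)]},
    {"name": "roadmap", "permissions": [
        OWNER, make_perm("anyone", "reader", allowFileDiscovery=False),
        make_perm("user", "writer", emailAddress="bob@myorganisation.example")]},
    {"name": "contract", "permissions": [
        OWNER, make_perm("user", "writer", emailAddress="carol@partner.example")]},
    {"name": "budget", "permissions": [
        OWNER, make_perm("group", "reader", emailAddress="finance@myorganisation.example"),
        make_perm("user", "reader", emailAddress="dave@partner.example")]},
    {"name": "handbook", "permissions": [
        OWNER, make_perm("domain", "reader", domain="myorganisation.example",
                         allowFileDiscovery=False)]},
    {"name": "notes", "permissions": [OWNER]},
]

if __name__ == "__main__":
    for category, count in one_click_table(SAMPLE_FILES).items():
        print(f"{category}: {count}")
    print(external_users(SAMPLE_FILES))
```

A file with both an internal and an external share is counted once, under the wider category, which is why "budget" lands in ‘Open to external users’.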

File Types

In Drive Audit, we make it easy for G Suite super admins to view the number of files across users’ myDrives. These are the most common file types. The values in the table include files shared into your domain by external owners.

Sites

The value for sites will show you all of the Google sites created by your domain or shared into your domain by external users.

Forms

These are Google survey forms created by your domain or shared into your domain by external users.

Identify All Externally Owned Files with GAT+

G Suite Admins can now identify externally owned Google Drive files and the folders they reside in within your G Suite domain.

An admin can click on “One Click Report” – External users – Docs

This will show us all external users who have ‘shared in’ Google Drive files into your domain.

By clicking on each of the numbers under the column ‘Owns (not ours)’, the admin will be taken to Drive Audit Files tab where you can examine these Google Drive files in greater detail.

Another way to find all externally owned Google documents within your G Suite domain is to open Drive audit and apply a custom filter to show the files which have been shared in. (We excluded deleted/trashed Google docs in this example because they are included by default.)

The result will show all Google docs “Shared in” to your domain, and you will be able to view their paths. Since these files are externally owned, your only course of action as a G Suite Super admin is to remove and cut the ties to those users they’ve been shared with.

Note: To remove editors and readers from shared in files, there has to be at least one local editor from your Google domain on each of those files.

For each file, you can see the folder or folders that each particular file resides in.

Many files may not have a folder path because they haven’t been added to the local user’s myDrive.

The G Suite Admin can export a Google spreadsheet or a CSV of all shared in file paths by selecting the option ‘with path flattened’. With paths flattened each unique path will be displayed.

Find Internally Shared Google Documents

In Drive audit, we can see a nice overview of all drive files of your entire G Suite domain.

An admin can select each of the categories and it will lead them to all the files from which the category was created.
In this case it will display all Google Drive files which are Open to internal users.
The sharing flag is set to ‘Open to internal’, and the users are shown with a grey background color, which also indicates that the users are local and not from an outside domain.

How to Change Ownership of an Entire Folder Tree on Google Drive

In Google Drive audit in GAT+, you can use the features of File Management to change ownership of an entire folder tree using the recursive option.

You may want to change ownership of a root folder such as a myDrive or other folders within a user’s account.

Follow these steps. In Drive audit, use the funnel icon “Apply custom filters” button to find the folder.

Now select the following parameters. Since in this example I’m searching for a root folder (myDrive of a user) I selected these parameters.

Owner equals userY@generalaudittool.com

AND

Flags contains Root folder


This returned the following search once applied.


Now click on the drop-down next to the folder name. Select the option “Apply permission change to this folder (recursive)”.


The recursive option will take our action and apply it through all of the subfolders as well. Now enter the new owner of the file. Also, make sure to remove the previous owner from the editor privilege access.

Note: When changing ownership in GAT+, the previous owner is added as an editor of their files. If you don’t want this to happen when changing ownership, make sure to remove them.

Once you have filled in the appropriate fields, send the request off; your security officer will then get an email to approve or revoke your permission change.

You can check the Admin logs for the stats of the ownership change.

The folder will appear on the new owner’s myDrive with the following format:

In the myDrive of the new Owner, you will see a folder containing multiple subfolders appear.

(Root Folder) with the name: File_Transfer_reference_number

(Subfolder) From_UserX@myOrganisation.com (previous owners email address)

The above structure accounts for files which were created by other owners which happen to be inside the folder which was transferred by the super admin. This is the most optimal way to retain a folder and subfolders structure taking into consideration that the folders may be owned by multiple users.


How to Restore Deleted Files

Admins, did you know Google now lets you restore deleted files?

This really useful facility is now available under the Admin panel, Manage User Accounts section.

Here are the general rules …

  • You can restore files for one user at a time on each user’s page.
  • You can select a date range to restore files from up to 25 days ago.
  • If a user provides others with access to any Drive item, when you restore that item, the access is not restored. The user can re-enable access as needed.

Unfortunately, the restoration tool is a little broad, allowing you only to select a date range for each user.

GAT can help you locate the files you need, identify whether they were there in the first place and not just a share, and greatly narrow the date range you might need to look at.

The metadata for deleted files can be found by a simple search in GAT+.

From the day you installed GAT, it has been tracking not only the files in ‘Trash’ but also all files removed from ‘Trash’. Files removed from Trash were, up until now, permanently deleted; however, GAT has always kept their metadata records for you to search.

When you click “Show stats for current filter”, files are shown as 0. The file count is ‘0’ only because the default search is always for ‘Docs not deleted’, which means that in this positive search ‘files deleted’ is always zero.

Looking at all files deleted helps you identify who actually owned the missing files, something that is not always apparent to users of Google Drive. Last Updated date helps you identify the date they were deleted.

How to Restrict the Audit Tool Use to a Select Few [Old UI]

Auditing for all Org Units (only affects domains with GAT in a sub-OU)

In the beginning, Google recommended that to restrict app use to a select few, you should create an OU for those chosen to run the app and then make the app available only to those in that OU. General Audit Tool followed this procedure and this was our recommended method of restricting GAT access. With the arrival of OAuth2, applications in sub-OUs only have authority for some audit features over the users in that sub-OU. This is impacting GAT’s ability to report domain-wide. To solve this problem we recommend you set the following.

For GAT+ to work properly and allow the Admin to audit their domain, we recommend that GAT be installed domain-wide and that full access be granted.

This will enable auditing of all users on the domain for details like Google+, Drive, Email etc.
The access to the tool can be restricted by following the steps below.

On the GAT homepage (Old UI) select ‘Configure GAT’ option.

Then at the bottom of this configuration tick the box under ‘Restrict GAT users’ and ‘Save’.

GAT will now only be available to Super Admins, security officers and delegated auditors. If you had GAT in a sub-OU, then in Google Admin panel you should move GAT from the sub-OU (‘/auditors’ for example) to the root OU (i.e. ‘/’). See here for more details.

See here to learn about Delegated Audits to auditors who are not Admin staff.

How to silently copy or view files

We are going to use a powerful search feature inside of GAT+ Drive audit to identify the contents of documents we’re going to investigate. This feature is called the ‘File content text search’. It allows admins/delegated auditors to use a word or sentence to search through all of the files across the domain and return the documents which contain it.

Step 1: Click on the ‘Apply custom filter’ button.

Step 2: Enter the word or sentence to return files which contain it. Select the user’s account you want to search through; you can leave this field blank to search your entire domain’s Drive, or enter a user, Google Group or Org Unit to search through them only.

You can also use multiple rules in the definition section of the Apply custom filter. I used the Updated search parameter. Once you click on Apply button the search will begin.

It will take a few minutes depending on how many files you have across your domain.

Step 3: Select the files you are interested in, remember that these files contain the sentence “private and confidential”.

Step 4: Click on the ‘Files operation’ button and then select ‘Access permissions granted’.

Step 5: Next we will select a date in the future, we will have access to these files until this date. You have an option to write to your security officer explaining why you need access to these files.

Send the request to the Security Officer(s) for approval.

The following email will be sent to the Security Officer.

The Security Officer can click on the link in the email and will be taken to the approval area (Grant) in GAT+.

When the Security Officer grants access an email will be sent to the requesting Administrator/delegated auditor informing them. The Administrator from the ‘Access permission granted’ menu can see the full list of their access requests along with the time left for each request to remain valid.

Once the request is selected, the requestor can download documents or view the contents silently without the owners’ awareness.

GAT Search Choices Explained

New Filters

One of the key features of GAT+ is its very powerful Drive audit search capability. Its power comes from its ability to use so many search operators and parameters to find files based on a multitude of different aspects of their metadata. Navigating through Drive audit you will notice how quickly the data loads.

We have even dedicated an entire post to talk about powerful things you can do from the Drive Audit list.

Let us examine the options in detail.

Title – Can be the file name or any part of the name.

Note: GAT remembers document name history, so if someone renames a document GAT will return matches against the new and old names.

File ID – Is the ID for the file in question.

All files have an ID which can be found in the URL of the file or in GAT+ you can click on the title which will display the full ID.


MimeType – MIME stands for Multi-purpose Internet Mail Extensions. MIME types form a standard way of classifying file types on the Internet.

Here are a few examples:

  • image/png
  • video/mp4
  • application/pdf
  • audio/wav
  • text/css

Flags – State conditions applied to files.


  • Restricted – Whenever the file is prevented from being downloaded, printed or copied.
  • Editors can’t share – This flag is self-explanatory and refers to files not being able to be shared by editors.
  • Team Drive Extra ACLs – Some files within Team Drives might have additional sharing settings, for example, a TD file can be shared out with a link.
  • ACLs Changed – ACLs Changed is set when a super admin makes some changes through GAT+ (e.g. remove editor/reader, change owner etc.)
  • Title Truncated – Some files have reaaaaaaaaaaaaaaaaally long file names and we’re forced to truncate them so that they can be indexed.
  • Incomplete data – When changes are made to some files using GAT Unlock the data in the database can be out of date.

Sharing Flags – This flag covers all of the scenarios a file can be exposed.

Anyone in Domain – Anyone within your domain (myOrganisation.com)

Quota Bytes – This parameter refers to the size of the files. Native Google files do not display any size details but all non-Google files do. This parameter takes bytes. For example:

1 Kilobyte = 1024

1 Megabyte = 1048576

1 Gigabyte = 1073741824

The below example will return all files greater than 1 Gigabyte:


Type – The most popular file type extensions are shown with this search parameter.


Users – Anyone who is an Owner, Editor or Reader of a file. Can also be entered as a regular expression.


Owner – Anyone who is the owner of a file. This can be a full email address or a partial address.  For example to find all files owned by joe@gmail.com

You can select the following:

Owner equal joe@gmail.com or Owner contains (case insensitive) joe

You can also use the contains (case insensitive) to find all files owned by gmail accounts for example:

Owner contains (case insensitive) gmail.com


Editors – Anyone who is the editor of a file. Same search criteria as ‘Owners’.

Readers – Anyone who is the viewer of a file.

Created – When a file was created/uploaded into Google Drive.

Updated – The updated date field changes whenever certain actions are taken. Please see below:

  • File permission changes (add/removing editors or reader, add/removing internal or public share)
  • A file has been edited
  • A file’s name has changed

Updated is NOT changed whenever:

  • A user is viewing a file.
  • A user is moving a file (surprisingly!).

Advanced Filters

Full Content Search

Using the Advanced filters, select ‘Full Content Search’ (by default ‘Simple Filter’ is ON). ‘Full Content Search’ allows you to find files which contain specific words or sentences, even in images and/or videos, using Google’s OCR (Optical Character Recognition) technology.

Examples:

“Credit Card” – This will return files which contain exactly this sentence.

Credit Card without the quotation marks will return files which contain the words Credit and/or Card. If you don’t specify a scope either by entering a user, Google group or Org Unit it will return filtered files for all non-deleted and non-suspended users by default which contain the query.

Title / Description Search

Title / Description Search queries are performed using only file metadata, that is, only the text columns presented in the Drive result table. Contents are not considered. This is a very fast method of finding files using their title or description.

Example 1: The following example below finds all file records containing ANY terms from the list: “java”, “shop” and “coffee” with a file’s title or description.


Example 2: You can also search for exact phrases by wrapping them in double quotes. For example, the following finds all records containing “java” or “coffee shop”:


Example 3: To exclude a word, you can prepend a hyphen “-” character. For example, to find all file records containing “java” or “shop” but not “coffee”, use the following:


Sorting by text score

GAT returns results in unsorted order by default. However, Title / Description queries compute a relevance score for each record that specifies how well a record matches a query.

Also, each text column has a weight which denotes the significance of this column relative to the other ones in terms of a text search score. The order of importance is:

title (10), description (5), owner (4), organizers (4), writers (3), readers (1)

For each column, GAT multiplies the number of matches by the weight and then sums the results. Using this sum, GAT then calculates a score for a record.

To sort results in order of relevance score, you must enable the following option:


It’s disabled by default.

Case Sensitivity

Terms queries are case insensitive by default. You can make them case sensitive by enabling this option:


It’s disabled by default.
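The query rules and column weights described above can be modelled in a few lines. This is an added example, not GAT+ code: it assumes the relevance score is simply the weighted match sum (the page does not say how the final score is derived from that sum), and `parse_query`, `score`, `search` and the sample records are constructed for illustration.

```python
import re

# Column weights as listed above.
WEIGHTS = {"title": 10, "description": 5, "owner": 4,
           "organizers": 4, "writers": 3, "readers": 1}

def parse_query(query):
    """Return (include, exclude) term lists; "quoted phrases" stay whole."""
    include, exclude = [], []
    for neg, phrase, word in re.findall(r'(-?)(?:"([^"]+)"|(\S+))', query):
        (exclude if neg else include).append(phrase or word)
    return include, exclude

def _count(term, text, case_sensitive):
    """Whole-word occurrences of term in text."""
    flags = 0 if case_sensitive else re.IGNORECASE
    return len(re.findall(r"(?<!\w)" + re.escape(term) + r"(?!\w)", text, flags))

def score(record, query, case_sensitive=False):
    """Weighted match sum, or None when the record does not match the query."""
    include, exclude = parse_query(query)

    def total(term):
        return sum(weight * _count(term, str(record.get(col, "")), case_sensitive)
                   for col, weight in WEIGHTS.items())

    if any(total(term) for term in exclude):
        return None              # a "-term" hit removes the record
    points = sum(total(term) for term in include)
    return points or None        # ANY included term is enough to match

def search(records, query, case_sensitive=False, sort_by_score=False):
    """List of (title, score); unsorted unless sort_by_score is enabled."""
    hits = [(r["title"], score(r, query, case_sensitive)) for r in records]
    hits = [h for h in hits if h[1] is not None]
    if sort_by_score:
        hits.sort(key=lambda h: h[1], reverse=True)
    return hits

# Constructed sample metadata records.
RECORDS = [
    {"title": "Java training plan", "description": "Onboarding for the team",
     "owner": "ann@example.com"},
    {"title": "Coffee shop receipts", "description": "Expenses",
     "owner": "bob@example.com"},
    {"title": "Shop floor rota", "description": "java schedule",
     "owner": "cy@example.com"},
    {"title": "Quarterly report", "description": "Finance",
     "owner": "dee@example.com"},
]

if __name__ == "__main__":
    for q in ('java shop coffee', 'java "coffee shop"', 'java shop -coffee'):
        print(q, "->", search(RECORDS, q, sort_by_score=True))
    print("case sensitive:", search(RECORDS, "java", case_sensitive=True))
```

With case sensitivity enabled, "Java training plan" no longer matches the term java, which shows how the option can narrow a search.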

Note also that both the options (case sensitive and sort by text score) can be combined:



Additional Resources

‘Copy this Folder’ Feature

GAT+ has introduced a very powerful feature as part of its ‘Unlock’ feature set.

‘Copy this folder’ allows Admins, with the permission of a Security Officer, to make a copy of any folder which any user on the Admin’s domain owns or has edit access to. The folder can be any part of the folder tree. Even external folders, shared-in, can now be copied, as long as a local user has edit access rights.