GAT Unlock – First Steps

GAT Unlock is the most sophisticated security management mechanism for Google Apps available today. It works on the principle that access to documents, or change of ownership of documents, without the owner’s knowledge or permission can only be accomplished with the active input of at least two people in the organization. One of these will be the requestor who must be an Administrator, the other a Security Officer (or Verification Officer), who must be identified and verified through a senior executive in the organization.

This is an extra service on top of all GAT versions and for non-education domains comes with a limited cost. All license types must apply for this service if they require it. It does not automatically install nor can it be self configured.

Policy

Because of the sensitivity of documents held in the cloud ‘Unlock’ can not be self enabled and is available ‘on trial’ only by special request.

From introduction the service will be visible to domains and each domain Admin can apply to have it enabled. To avail of this service please email unlock@generalaudittool.com with your request. The requesting email must contain the following 4 items.

  • The contact details of the Google Apps Administrator applying.  
  • The name of the Security Officer(s), her/his position(s), email and phone number.
  • The contact details (email and phone number) for the person from whom the GAT team must seek confirmation before enabling this feature (See list below for minimum level of organization officer we expect to have to request approval from. Please send us their full contact details also and inform them they may receive contact from us.) This is required to verify the separate identities of both the Administrators and Security Officers.
  • The PO details for the requested service, see price list below. (Not required for education domains that have purchased GAT.)

There can be many Security Officers, and the service will be available to all Super Admins once enabled.

Administrators and Security Officers should remember the verification process is there to protect you, your domain data and your user’s privacy and rights, while also enabling you to act in the organization’s best interests.

When the ‘GAT Unlock’ service is enabled Administrators can generate access or change requests, but only Security Officers can approve them. An individual can be a member of both lists but cannot approve their own requests. The Security Officer list for all domains is maintained by GeneralAuditTool.com staff. A Security Officer can not generate a change or view request and have it approved by another Security Officer.

Why all this effort? We really respect your data security. We respect your company’s right to be protected. This is the highest security model available within the Google for Work environment.

‘GAT Unlock’ pricing and approval authority needed

From September 1st, 2016, GAT Unlock will be bundled at no extra cost for educational domains who subscribe to GAT+ Email at the educational rate of $0.50 per user per year.

How to use GAT Unlock

File Management – Changing ownership or file access rights

GAT Unlock is tightly integrated with the powerful search and filter options available in GAT+. This means you only have to do things once.

In this example we are going to find all the spreadsheets owned by the group ‘sales’ that are shared externally, then we will remove the external sharing and change the ownership (on all the selected files at once).

TIP: Always narrow the file request with a search first – saves time and makes approval simpler.

Step 1: Click on the ‘Apply custom filter’ button in Drive Audit.

Step 2: Select the following option:

  • For the filter type select User/Group/OU search, we will enter the ‘Sales’ group in this field ‘Local User/Group’, make sure to enter the full email address.
  • Click the checkbox option ‘Owned’, this will show all the files owned by ‘Sales’ group. Otherwise, it would show all of the files associated with ‘Sales’ group, were Sales shows up as Owner, Editor or Reader.
  • In the filter definition area, select the parameter Type equal to Spreadsheets and to add another search parameter click on ‘Add rule’ button and select ‘Sharing Flag’ to ‘Shared Out’. Selecting shared out will only focus on files leaving your domain.  

Step 3: Next click on the ‘Toggle Selectable’ button, this will allow you to select files individually or all of them at the same time.

Note: You can not perform actions on a ‘Suspended’ account.

Step 4: Click on the button ‘File operation’ and then select the ‘File Management’ option.

Step 5: In this example, we are removing external access to the spreadsheets and making the manager the owner of all the files.

When you click on the ‘Send request’ button, an email is going to be sent to your security officer.


If the security officer approves your actions, they will be executed and you will be notified.

If permission is not granted by the security officer, you will also be notified and no actions will be taken.

Access Permissions Granted – How to silently copy or view files

We are going to use a powerful search feature inside of GAT+ Drive audit to identify the contents of documents we’re going to investigate. This feature is called the ‘File content text search’. It allows admins/delegated auditor to use a word or sentence to search through all of the files across the domain and to return documents which contain them.

Step 1: Click on the ‘Apply custom filter’ button.


Step 2: Enter the word or sentence to return files which contain them. Select the user’s account you want to search through you can leave this field blank to search your entire domain’s Drive or enter a user, Google Group or Org Unit to search through them only.

You can also use multiple rules in the definition section of the Apply custom filter. I used the Updated search parameter. Once you click on Apply button the search will begin.

It will take a few minutes depending on how many files you have across your domain.

Step 3: Select the files you are interested in, remember that these files contain the sentence “private and confidential”.

Step 4: Click on the ‘Files operation’ button and then select ‘Access permissions granted’.

Step 5: Next we will select a date in the future, we will have access to these files until this date. You have an option to write to your security officer explaining why you need access to these files.

Send the request to the Security Officer(s) for approval.

The following email will be sent to the Security Officer.

The Security Officer can click on the link in the email and will be taken to the approval area(Grant) in GAT+.

When the Security Officer grants access an email will be sent to the requesting Administrator/delegated auditor informing them. The Administrator from the ‘Access permission granted’ menu can see the full list of their access requests along with the time left for each request to remain valid.

Once the request is selected, the requestor can download documents or view the contents silently without the owners’ awareness.

Pre-approved Access for Admins to all Files for a range of Users

If your Super admins wish not to get Security Officer approval every time they want to make file permission changes or to view file contents, a security officer can give them pre-approval.

In the Security Officer section on the GAT+ sidebar menu, select ‘Pre-approved Access’ and then click on +’ button to add a new pre-approved admin.

Once clicked a new ‘pop-up’ screen will appear.

Here the security officer can add the email address of the Super Admin, the OU over which they will have access, they can select a full OU tree and set approval access until a certain future date. In the above screenshot, I gave Anna (super admin) access to the entire organisation because I selected / and I covered the Sub-Org Units as well.

Multiple different grants can be given by the security officer, including several to the same Super Admin, each covering different scopes.

Changing Ownership of an entire folder tree

Another feature of ‘Unlock’ is that it enables an often requested task of moving an entire folder tree, root folder and sub-folders, from one or many owners to a new owner.

This task is completed with the File Management tab. Use the drop-down menu button next to the folder name to see the options. Click on ‘Apply permission change to this folder (recursive)’. When the File Management option menu appears enter the new owner’s email address. And make sure to remove the previous owner as editor.

Note: When changing ownership with GAT Unlock the previous owner is added automatically as an editor to the files he owned prior to your changes. Make sure to enter the previous owner into the field ‘Remove following users as Editors’ if you don’t want them to have that privilege by default before sending the request to your Security Officer.

This is an ideal feature for consolidating a shared folder structure, or handling leaving staff or students.

Delegating Access to an email account

GAT+ allows Admins to delegate access for a User account to another User for a certain period of hours. This may be for business purposes but it is also facilitates the fast search and viewing of all the account emails via another user’s browser.

BEFORE USING: Please ensure email delegation is allowed for users in your domain. Go to the G Suite Admin Console and under Apps > G Suite Apps > Settings for Gmail check if the email delegation box is allowed for your domain.

Launch the GAT+ tool, enter the User Audit section and click on the Email Info Tab.

In the Email Info Tab, select any user and click on the Actions button to add an email delegate to their account.

You have the ability to remove existing mail delegation which are already in place as well.

Here the Admin can select the account they wish to gain access to, then select the account they want to give this access to and finally select the number of hours they would like delegated access to be granted for. Once the request is sent, the Security Officer will still have to approve before the delegation is created.

Once granted the delegated account appears in the accounts drop down list when the profile picture is selected in Gmail.

The delegation will automatically be revoked after the requested time period.

Note: If during the period of delegation, the account under audit, logs into their Google account and goes to their email settings, then under ‘Accounts’ the account owner will see that the Admin has granted delegated access to the account.

In addition if the delegated user reads any unopened email in the audit account, this email will be marked as ‘read’.

Deleting Spam, Inappropriate or Accidental Emails

There are multiple reasons to have the ability to identify and remove emails which have been received by all or any of your domain users. Here are some unwanted scenarios:

  • An email is sent to the wrong user or group
  • An email contains inappropriate content
  • An email that contains sensitive information
  • An email which has gone pass spam filtering or is a phishing email.

GAT+ allows Admins to delete these emails from all accounts at once.

We recommend using ‘Gmail Search’ for tracking down these emails. It is a ‘real time’ search that is highly configurable (see ‘search tips’ link beside the search box). In the screenshot above we use the example search parameters

“SEO proposal” in:anywhere newer_than:180d”

This tells GAT+ to search in all folders, for all users and look for emails that contain the words “SEO proposal” which are also newer than 180 days. When the results come back, click on ‘Apply’.

Next, select the ‘Toggle Selectable’ button and select the emails you wish to view/download/delete.

Once the emails are selected, click on the ‘Access permissions granted’ button and send a request to your SO (security officer). Your SO will have to approve your request.

Before sending the request if you intend to delete the emails rather than just view or download them then check the ‘Request permission to remove’ box.

After doing that hit ‘send request’ and wait for approval to be returned from the Security Officer.

Once you have received an approval email, remember to refresh the list within the ‘Access permissions granted’ and click on the ‘Activate grant’ to display just your selected emails.

You can then delete one or all of the emails using the drop-down option in the Emails Operation button.

By default, you can send the emails to user’s trash folder on their Gmail but if you wish to permanently delete these emails then select ‘Delete permanently’.

In future when you search for these emails they will still be listed in our database but they will have a bin icon next to the subjects.

Pre-approved Access for Super Admins to all Emails

To enable pre-approval for Super Admins navigate to the Configuration section of GAT+ and enter the security officer area.

Once there click on the Pre-approved Tab and click on the plus icon “Add new pre-approved access”.

Your security officer will have to select you (super admin) to have pre-approval over users across your domain.

This is ideal for situations where Admins do not need to get constant approval to view/download or remove emails. An example would be in an education domain where the Super Admin would have full open access (view/download or remove emails) for all Student OU’s but would still have to get selective approval from the security officer to access an in the Staff or HR OU.

For a single OU level add a value like /Staff (Note, this will not grant access to the OU /Staff/IT unless “Sub Org. Units equals Yes!).

In the above screenshot I put Anna (Super Admin) to have pre-approved access to the entire domain by select / for the Org Unit and I made sure to cover all Sub-Org Units. / means the root User Org. Unit. She has access to remove and add email delegations as well because I enabled the last two option which are “Can remove?” and “Can add email delegation”.

The Admin should now see something like this when they click on ‘Access permissions granted’ in Email audit.

Every time admins enter the Email audit area they need to apply the Granted pre-approval privilege then carry out the search for the email(s) in question and next to each email there will be an action column visible.

Bulk Download or View Email Contents

The global live email search is under the ‘Gmail Search’ tab within email audit.

Here you can search for all the emails sent to or from a particular user on your domain. (You can also search for emails associated with groups or OUs of users.) The search can also take many flags, for example you could search for email sent to a particular user that was ‘Unread’, click on ‘Search tips’ to open a new page with all the flags you can use.

Because the entire domain is searched, it may take some time unless you narrow down the scope in which case I’m doing in the above screenshot. I narrowed down the search to a specific Google Group. The above example will look for all emails older than 1 day and that have been opened.

When the search is finished you can click on ‘Apply’ to see the table of the results.

When the results appear select some or all emails in the result table by using the ‘Toggle Selectable’ button then click on the Email Operation drop-down menu and click on ‘Access permissions granted’.

Click on ‘New Request’ to send this search to a Security Officer for their approval to allow you to read or download copies of these messages. Decide for how long you want to have access to these emails and enter a custom message to your Security Officer with your request.

The Security Officer will receive an email detailing the the access request being made. They can click on the link in the email to approve.

Once approved the Super Admin will receive an email in return notifying them of the SO decision.

It will look like this.

Once you receive this email, refresh the Current request list to see access grants that have been changed from pending to granted. These requests will now have a check mark beside them. Click on ‘Activate Grant’.

Each email can be read or downloaded individually by clicking on the Action button beside them.

To download all the emails select the ‘Toggle Selectable’ button and click on the top checkbox which will select every email within the result table. Right next to the ‘Toggle Selectable’ button click on ‘Email Operations’ drop-down menu and click on Download e-mails.

Downloading individual emails will occur almost instantaneously. Downloading all the emails takes some time. We have to retrieve the emails and add them to a zip as PDFs. Allow about 10 minutes for every 100mb of emails. To make it efficient we will create the download zip file on one of our servers and will create a link for you to bring down the zip to your own PC or server.

A password is generated and sent to your email address, use this password to be able to view the contents in the zip file because all of the PDFs will be password protected.

If the download is big, you can complete other audit tasks or grab a coffee. When you return to GAT+ go to the Admin Log in the Configuration section.

Non-Super Admin Auditors

This feature is ideal where Super Admins want to delegate the audit function to local managers or regional security personnel. GAT+ allows anyone to audit any range of users based on the model of Google Groups, Google Classrooms, and Org Units. It does not require passing on Google Admin authority. Selected auditors can have audit rights over individual users, Google Groups or Org Units. This allows you to have multiple auditors for a specified scope.

Auditors will have access to the auditing areas of GAT+ but will not have access to the Configuration sections.

To learn more visit our knowledge base and read the following article ‘Create Delegated Auditors within GAT+’.

How to silently copy or view files

We are going to use a powerful search feature inside of GAT+ Drive audit to identify the contents of documents we’re going to investigate. This feature is called the ‘File content text search’. It allows admins/delegated auditor to use a word or sentence to search through all of the files across the domain and to return documents which contain them.

Step 1: Click on the ‘Apply custom filter’ button.

Step 2: Enter the word or sentence to return files which contain them. Select the user’s account you want to search through you can leave this field blank to search your entire domain’s Drive or enter a user, Google Group or Org Unit to search through them only.

You can also use multiple rules in the definition section of the Apply custom filter. I used the Updated search parameter. Once you click on Apply button the search will begin.

It will take a few minutes depending on how many files you have across your domain.

Step 3: Select the files you are interested in, remember that these files contain the sentence “private and confidential”.

Step 4: Click on the ‘Files operation’ button and then select ‘Access permissions granted’.

Step 5: Next we will select a date in the future, we will have access to these files until this date. You have an option to write to your security officer explaining why you need access to these files.

Send the request to the Security Officer(s) for approval.

The following email will be sent to the Security Officer.

The Security Officer can click on the link in the email and will be taken to the approval area(Grant) in GAT+. 

When the Security Officer grants access an email will be sent to the requesting Administrator/delegated auditor informing them. The Administrator from the ‘Access permission granted’ menu can see the full list of their access requests along with the time left for each request to remain valid.

Once the request is selected, the requestor can download documents or view the contents silently without the owners’ awareness.

A Brief Overview of GAT+

GAT+ is a powerful audit and security tool for your G suite domain. This post will take you through a visual overview of some of GAT’s features within the Drive Audit.

See this video walkthrough

In the GAT+ dashboard, where you can audit all areas of your domain. We’ll be starting off a GAT+ Drive audit.

Drive Audit

In this audit area, you can search your entire domain for documents for any user. You can easily identify documents using the apply filters button. For example, if we look at files which are being shared outside of our domain, the exposure summary will help you identify documents shared publicly to other domains as well as documents shared inside your domain and also private and orphaned documents. You can also identify documents by file type.

To take actions on a document you can select the files you wish to take actions on and select file management. Then you can change ownerships editors or viewers by adding or removing them. You can also view the contents of documents silently using view file contents.

You can check your exposure to other domains using the domain connection graph.

Clicking on a particular domain will show you the documents shared to them for further analysis. You can also search through users drives or team drives using the folders tree. This can help you identify all the folders in your domain and the permissions set for those folders.

Users Audit

The Users audit allows you to get an overview of all the users across your domain. You can use a custom filter to look for an individual, Groups or OU’s.

Once you have applied a filter to find a set of users, you can then export those users to a Google spreadsheet. You can edit the information on this spreadsheet which can then be imported back in and the changes will be reflected on your admin console. This is helpful for removing or adding users or changing their emails or order details all at the same time. Email info will allow you to see the emails they’re receiving or sending. File count lets you see all the files they have access to or have created. Quota shows you two quotes they are using for their drive in Gmail you can also go through these subsequent sections to modify the users information that way. In the course audit area you can see all the Google Classrooms across your entire domain. You can see which teachers created those Google Classrooms, the name of the class, and details about said class.

You can also check the work being assigned to students from the teachers you can then see the submissions from students here you could filter a particular course to further analyze. You can also get more information about teachers and students using Google Classroom.

Applications Audit

Application audit allows you to identify threats from third-party applications. GAT+ will automatically rank these applications based off the permissions third-party application has access to your G Suite API as a super admin you would want to examine if this application is malicious.

In the case of a malicious application being found, you can easily create a policy to ban the application for a user group or the entire domain you can also view other policies made by other administrators.

Printer Audit

The printer section within the GAT+ tool allows you to view all of the Google printers which are connected to your domain, you can also find print jobs that your users have carried out here you can apply filters for a particular user to see what they have printed. This can show you the title of what they have printed and when they printed it.

Chrome OS Devices

In Chrome OS devices, you can see all of the Chromebooks which are enrolled in your domain. You can also modify their details and see who was the last user to login to those devices in mobile devices. You can see who has signed into the domain with their mobile device in case of a security breach, you can block the device, remote wipe the device, or wipe the account and also delete the device from your domain.
You can check this link for more information.

User Logins

For added security and protection for your G Suite domain, you can use a user login section of the GAT+ tool here you can see all of the logins occurring across your domain by your users.

You can also see suspicious activity by users such as invalid passwords being entered.You can filter events which are suspicious to find such activity. You can also get information such as what IP address is being used to log into your domain.

This concludes our brief overview of GAT+. Feel free to install the tool from the G Suite Marketplace.

GAT Search Choices Explained

New Filters

One of the key features of GAT+ is it’s very powerful Drive audit search capability. Its power comes from its ability to use so many search operators and parameters to find files based on a multitude of different aspects of its metadata. Navigating through Drive audit you will notice how quickly the data loads.

We have even dedicated an entire post to talk about powerful things you can do from the Drive Audit list.

Let us examine the options in detail.

Title – Can be the file name or any part of the name.

Note: GAT remembers document name history, so if someone renames a document GAT will return matches against the new and old names.

File ID – Is the ID for the file in question.

All files have an ID which can be found in the URL of the file or in GAT+ you can click on the title which will display the full ID.

MimeType – MIME stands for Multi-purpose Internet Mail Extensions. MIME types form a standard way of classifying file types on the Internet.

Here are a few examples:

  • image/png
  • video/mp4
  • application/pdf
  • audio/wav
  • text/css

Flags – State conditions applied to files.


Restricted – Whenever the file is prevented from being downloaded, printed or copied.

Editors can’t share – This flag is self-explanatory and refers to files not being able to be shared by editors.

  • Team Drive Extra ACLs – Some files within Team Drives might have additional sharing settings, for example, a TD file can be shared out with a link.
  • ACLs Changed – ACLs Changed is set when a super admin makes some changes through GAT+ (e.g. remove editor/reader, change owner etc.)
  • Title Truncated – Some files have reaaaaaaaaaaaaaaaaally long file names and we’re forced to truncate them so that they can be indexed.
  • Incomplete data – When changes are made to some files using GAT Unlock the data in the database can be out of date.

Sharing Flags – This flag covers all of the scenarios a file can be exposed.

Anyone in Domain – Anyone within your domain (myOrganisation.com)

Quota Bytes – this parameter refers to the size of the files. Native Google files do not display any size details but all non-Google files do. This parameter takes Bytes. For example:

1 Kilobyte = 1024

1 Megabyte = 1048576

1 Gigabyte = 1073741824

The below example will return all files greater than 1 Gigabyte:

Type – The most popular file type extensions are shown with this search parameter.

Users – Anyone who is an Owner, Editor or Reader of a file. Can also be entered as a regular expression.

Owner – Anyone who is the owner of a file. This can be a full email address or a partial address.  For example to find all files owned by joe@gmail.com

You can select the following:

Owner equal joe@gmail.com or Owner contains (case insensitive) joe

You can also use the contains (case insensitive) to find all files owned by gmail accounts for example:

Owner contains (case insensitive) gmail.com

Editors – Anyone who is the editor of a file. Same search criteria as ‘Owners’.

Readers – Anyone who is the viewer of a file.

Created – When a file was created/uploaded into Google Drive.

Updated – The updated date field changes whenever certain actions are taken. Please see below:

  • File permission changes (add/removing editors or reader, add/removing internal or public share)
  • A file has been edited
  • A files name has changed

Updated is NOT changed whenever:

  • A user is viewing a file.
  • A user is moving a file (surprisingly!).

Advanced Filters

Full Content Search

Using the Advance filters, select ‘Full Content Search’ by default ‘Simple Filter’ is ON. ‘Full Content Search’ allows you to find files which contain specific words or sentences. Even in images and or videos using Googles OCR (Optical Character Recognition) technology.

Examples:

“Credit Card” – This will return files which contain exactly this sentence.

Credit Card without the quotation marks will return files which contain the words Credit and/or Card. If you don’t specify a scope either by entering a user, Google group or Org Unit it will return filtered files for all non-deleted and non-suspended users by default which contain the query.

Title / Description Search

Title / Description Search queries are performed using only files metadata, that is only text columns presented in Drive result table. Contents are not considered. This is a very fast method of finding files using their title or description.

Example 1: The following example below finds all file records containing ANY terms from the list: “java”, “shop” and “coffee” with a file’s title or description.

Example 2: You can also search for exact phrases by wrapping them in double quotes. For example, the following finds all records containing “java” or “coffee shop”:

Example 3: To exclude a word, you can prepend a hyphen “-” character. For example, to find all file records containing “java” or “shop” but not “coffee”, use the following:

Sorting by text score

GAT returns results in unsorted order by default. However, tile / Description queries compute a relevance score for each record that specifies how well a record matches a query.

Also, each text column has a weight which denotes the significance of this column relative to the other ones in terms of a text search score. The order of importance is:

title (10), description (5), owner (4), organizers (4), writers (3), readers (1)

For each column, GAT multiplies the number of matches by the weight and then sums the results. Using this sum, GAT then calculates a score for a record.

To sort results in order of relevance score, you must enable the following option:

It’s disabled by default.

Case Sensitivity

Terms queries are case insensitive by default. You can make them case sensitive by enabling this option:

It’s disabled by default.

Note also that both the options (case sensitive and sort by text score) can be combined:


Additional Resources

Access Scope of Delegated Auditors

Education, business and enterprise domains usually have a few G Suite super admin roles within their organization. For security reasons, they may want to delegate responsibilities to other users to have super admin like privileges within GAT+ or GAT Shield without having G Suite super admin roles. This is why its critical for them to have a feature called Delegated Auditors that allows them to distribute responsibilities to normal users while securing the number of users who have access to the G Suite Admin Console.

Delegated Auditor has very similar scopes comparable to super admin within GAT+.

They have full access to all of the Auditing areas.

In the Auditing Areas, they can utilize all of the features of GAT Unlock of course with Security Officer approval.

  • They can modify permissions/download files/view file content.
  • They can download emails, view emails and remove emails from users Gmail accounts.
  • They can set up email delegation to give one user direct delegation into another user’s Gmail account.

In Drive Audit they can’t use the Remove Permissions functionality yet. We will let you know when this feature is available to them as well.

Currently, Delegated Auditors will not have access to the Configuration areas unless they are a Security Officer then they will only see the SO section.

Future Improvements: In the coming weeks, we will be releasing features that give Super Admins more controls the scopes of delegated auditors. Super Admins will have the option to switch on certain areas of Configuration section, it will be up to the super admin’s own discretion.

‘Role’ Reporting in the Users Audit

GAT+ has added ‘Role’ reporting to the Users Audit. This will be particularly helpful to Admins of large domains, who have many delegated admin users performing different roles.

‘Copy this Folder’ Feature

GAT+ has introduced a very powerful feature as part of it’s ‘Unlock’ feature set.

‘Copy this folder’ allows Admins, with the permission of a Security Officer, to make a copy of any folder which any user on the Admin’s domain owns or has edit access to. The folder can be any part of the folder tree. Even external folders, shared-in, can now be copied, as long as a local user has edit access rights.

Who Read What Document and When?

This question comes up from time to time and GAT makes it easy to find the detailed answer.

 

First, we find all the documents the person reads (or has ‘viewed’).
To achieve this we navigate to the Drive audit in GAT+. We select the Event tab, then we apply a custom filter.
For the search we enter the email address of the person we’re interested in, then pick an event type as “View” (you can select different options such as download, upload, print, created).
You can select a date parameter to narrow down your search results (If you don’t put date it will scan the user and event type and find every document ever read by that person).

 

The example in the screenshot below will display all events (view) by the user in the past 29 days(since the start of month).

 

However, we can refine this further…

Let’s exclude files where this user is also the owner of those files because we are only interested in files this user viewed which are not his own.

To do this export the results, this will create a spreadsheet where we can edit the owner tab to exclude the person you are currently searching for.

The result you get is all the documents visited by the subject, excluding the files he owns.

A follow-on question from this is how do we create daily/weekly reporting for all or some documents in our domain?

We have a post about how to schedule daily/weekly report on event activities on files you can read more about that below here:

How to Track Visitors and Editors

How to find a File ID

Finding the file ID is useful when you want to perform an Audit of the File.
To find the ID of the file, we can avail to two different methods using GAT+.
For example, we can search for the owner of a file and the tool will display all files owned by that user.

When the folder is selected, the File ID can be seen in the general tab in File details.
You can use several other ways to find a file, such as using different search parameters, like owners, editors, type of files.
Description search is also another way of discovering File ID. See the example below:
Once the file is found, select it and i the File details and File ID will be desplayed.

Another way of finding File ID is via Google drive.

For example, if you know the file and you have it open on your device.
You can extract the FileID from the URL of the file, so, for example, the file can be:
“docs.google.com/document/1/d/1t8T28-rR5Kpx” – in this case 1t8T28-rR5Kpx is the actual FileID

How to Track Visitors and Editors

First, we have to find the file we would like to check the events for.

Finding the file can be as easy as opening the Drive Audit, then “Apply Custom Filter” search option which will allow us to search using various different search parameters.

For our example case here:
We select simple filter and just search for the File ID equals to: 1gOUqfrOmAQxULze

(Read this post to learn how to extract “File ID”)

After we find the file extracting the historical actions performed on the document, can be achieved as simple as selecting on the file and showing the events.

The result will display all events – view/edit/changed visibility actions occurred on the file.

You can also generate a report, to show new events associated to the file. It can be scheduled weekly and managers can be notified via email notifications.

Screenshot below will display the events of viewed and edit for certain file, and report will be generated weekly based on the date parameter we set up.

In this example, a weekly report will be generated showing events types View and Edit to this particular file.

It will run every weekend and date will be changed automatically to show us only the new information.