Identify External members within your Google Groups

Vulnerabilities are introduced when a Google Group contains many or one external member. If these members are no longer in communication with your organization, or they are ex-partners, you should audit such groups and investigate whether these members should still be present.


Follow these instructions to identify, audit and take action on external members.

Go to Groups Audit, Group members Tab (top menu bar selection) then click on the apply custom filter button.

When the menu option appears, apply the following search rule, Member doesn’t contain domain email. For example, Member doesn’t contain

External members are displayed adjacent to group email address.

Export the data to a Google Spreadsheet.

Find and delete old inactive documents in Google Drive

How to search for all files that have not been viewed since for example, 01 July 2015. 
To find the files across your domain that have not been viewed since 1-July-2015
You can select Drive audit – Apply custom filter – Updated before or equal to July 1, 2015
This will display only the files across  your domain that last been updated before July 2015
How to delete all files that are shown in the search across all users.
You would need to take ownership of the files using GAT+
To do this you would need to use GAT Unlock
You can request to become the owner of those files – by sending the request to your security officer
Once you become owner you can delete the files.
The files will be accessible on your Google drive.
Here is a link you can follow for  GAT Unlock feature if you need.

Apply a Search Filter in Google Drive Audit

Searching for files of a user/editor/reader etc

In GAT’s Google Drive audit, we provide an array of search parameters to filter by. Making it the most useful feature on in this section. You can quickly find files and take action on them or to export this data for archiving purposes.


Click on the funnel icon also known as ‘Custom apply filter’ button.

In the menu which appears the default type is set to Simple Filter.

Select Owner parameter equal to UserX’s email address. If you wish not to enter the entire email address then change equal to contains (case insensitive).


Other Search parameters are as follows:

  • Organizer – This is related to Team Drive roles, Organizers roles allow users to permanently remove content and modify Team Drive name and membership.
  • User – This search parameter returns files which can be edited, read or are owned by UserX
  • Editors – This search parameter will return files which can be edited by UserX
  • Readers – This search parameter will return files which can be viewed or read by UserX

Long Search

If you wish to find files owned or related (editors, readers, organizers) with a Google Group or a user OU structure this is achieved using the Long Search.

For example, if I want to find all of the files owned by members of Sales Group ( I can enter the following info into the fields provided.

Note: If the option Owned is not checked, the search will return files which the members of Sales Group can own, edit, or read. All 3 states will be covered.


Once you request the search, it will take a few seconds for the search to complete, the load speed depends on a number of factors mainly the number of files which need to be indexed. Click on the reload button to update the UI and to see if the search is completed.

If the search is complete, select it and apply it.

Once the search is applied you will see all of the files owned by the group you have selected in the Drive result table.


Remember you can build on top of this search. For example, if I now wanted to narrow down my search for PDF files owned by Sales Group, I can click on the ‘Apply custom filter’ button.

Then I can add a new rule, for Mimetype equals application/pdf

Of course, you can also apply other search operators to make the search even more narrow and specific.


Note: Do not remove the Long Search ID which is shown, this is a reference to the long search you carried out in the previous steps.


Measuring user engagement over the last 90 days

We can measure user engagement over the last 90 days (by counting Google Docs created in that time frame).


In Drive audit, click on the ‘Apply custom filter’ button.

apply the custom filter

In the Drive Files filters popup, perform the following actions, click on ‘Add group’, in this group select the following search parameters.

  • Type equal Document
  • Type equal Word

Note: This group is OR’d.

Outside of the group add an additional rule.

  • Created After or equal dd/mm/yyyy (look back 3 months)

Filters for Drive files

And then apply the filter.


When the results appear in the Drive result table, click on the ‘Export data’ button and select ‘Export to Google Sheet’

‘Export to Google Sheet’

A message will appear when the export is ready.

Data exported to your google drive

The spreadsheet will contain a lot more columns of data.

How to Use GAT to Detect a Sharing Policy Violation

Using GAT to detect a sharing policy violation


This example is for a user, but you can also check for sharing violations on a file, or file type, a folder, a group (all the users in the group – ‘Local User/Group’), an organization, a file id and anyone sharing in or to a particular external target such as a user or a domain.


Security Lesson Part 1


In the Drive Audit, Click Long Search button and enter the email of a local user against whom you wish to make a policy watch. (For a group of users, add the group name to the ‘Local User/Group’ field)

long search

Note: The Owned checkbox will return the documents that user owns only. If left unchecked it will return files that user can edit, read or owns.

Click on the refresh to see if the search is complete, if the search is done, click on the Green checkbox to apply the filter.


Now, let’s modify this feature slightly when the results have been displayed. Click on the ‘Apply custom filter’ button.

When the Drive Files filter appears, add these additional search parameters on your existing Long Search.

  • Updated after or equal today’s date dd/mm/yyyy hh:mm
  • Sharing Flags contains Shared out


Note: You should also give it a meaningful name, for example, files shared out of UserX on a daily basis.

Once you have added these additional search parameters click on Scheduled. Once Scheduled is selected, you will see additional options. You should make the scheduled report run on a daily basis ‘Every day – after midnight’

You can also choose who should receive this report which contains data on files shared out by user X each day.


Click on Apply & Schedule.


Now navigate to Scheduled reports on the configuration side menu.

You can modify your existing scheduled jobs from here.

If you want to create action with this policy you can click on Jobs Action Edit this is the icon next to the pen icon.


Setting up this scheduled report, you will receive an email with a spreadsheet of all of the files shared out of User X each day.


Security Lesson Part 2


Although you have created a policy in security lesson part 1 to show you files a user has shared out on a daily basis, there maybe another vulnerability that exists with files shared in that may be used to leak sensitive data. A user on your domain can copy and paste data into this shared in document without your awareness. That is why we recommend creating a schedule report which can show you the files shared in to an individual user, entire group, specific OU structure or folder.


In this example we will take a look at files shared into a specific user.

In Drive audit, click on the ‘Apply custom filter’ button.

In the Drive Files filter popup apply the following search parameters.

  • Sharing Flags contains Shared in
  • Flags doesn’t contain Team Drive
  • Editors contains (exact match) UserX’s email address

We will apply the filter instead of scheduling this information. If you wish to schedule this report, add another search parameter

  • Updated After or equal dd/mm/yyyy hh:mm


And click on Scheduled checkbox. Select how often you want the report to run.


Once the results appear in the Drive result table, you can use the functionalities of GAT Unlock to examine the file contents. For more information about viewing file contents silently read this post “View File Contents: How to silently copy or view files”.


Of course, we have made this easy for Admins  – for this type of report for the entire domain, just go to ‘One Click Reports’, select ‘Docs shared in or out changed in the last 24 hour’.


Google Drive Use Productivity Measured

select users

In the new Drive UI, under Users audit, we have added a tab called Drive Productivity.
Once it is selected it shows the Drive Productivity for each individual user in the domain.
It shows all files owned by the user, the number of Public, Public with a link, Shared out, Internal, Private, G Suite docs, spreadsheets and presentations created/updated last week.
All this information is available just by selecting Drive productivity tab.  
The user can apply different filters on the top and gather different information and even schedule a report on the activities of the users for a certain period of time.
For example, you can schedule report for all users who created G Suite docs greater than 100 and generate a report every weekend.

Users Drive Filters

The general purpose of scheduling reports is to show user engagement with overall Google Drive environment.

How to Best Deal with Docs from Leaving Google Users

An issue that comes up from time to time is how best to deal with Google Drive documents from departing G Suite users. This is usually not a big problem if it is just one or two people leaving the Google domain, but what if you are a college with hundreds of departing students and perhaps dozens of departing staff each faculty year, how can you get to grips with such a large number? What are the documents involved? Which documents are important? You need audit tools for that.

Here we examine some ways GAT’s Drive Audit for Google Drive can help you assess the issues whether with 1,000 users are leaving or just one.

Many users leaving – what documents to deal with?

When a user is leaving, the account is usually marked ‘suspended’ while a decision is made on what to do with the contents of their Google Drive. Suspended accounts should be moved to an OU. In the example below, we have an OU called ‘Leavers’.

apply long search

Once all the suspended users are collected in a single OU they can be dealt with collectively in each of the audit areas. For this example, we are going to focus on ‘Drive’.

Select the Long Search option – then the Org Unit, select the option to include Sub.Org if any and Owned option (to ensure you return only the documents owned by the suspended users)

long search in new GAT UI

GAT new UI: drive files filters

Once the long search we find all user in Leavers OU, then we apply custom filter on top of that to locate the Shared out documents.

In this worked example, we are only interested in documents shared with other users.
What is left in the report are all the shared documents, owned by the departing users, shared internally or externally.

Finding active shared documents

As part of a further filter process, you can sort on the ‘Updated’ column, this will bring the docs that changed recently to the top, because these are active it might be more important to transfer ownership.

This will return only documents changed in those dates. You may consider older ones to be irrelevant.

These results can be saved as a spreadsheet for further analyses or passed to department heads for comment.

Once you find all documents changed in a period of time, a super admin can act upon the files and change ownership of those files using GAT Unlock feature

Quickly Replicate Alert Rules

Are you a large School district or Enterprise? Have you suffered the pain of having to add individual but identical alerting rules for each group or OU in your organization? With nothing changing except the group or OU and the notification recipients? If that is you, help is on hand from GAT.

Any single alert rule can now be exported as a spreadsheet (or json file), here the row can be replicated as many times as you want. On each row just update the name of the group or OU you want targeted and the address of the folks you want notified, then simply import the sheet again to create all the rules at once, even if it is 50 or 100 or more.

Find and Transfer Ownership of Mp3 Files

You can find MP3 files by using the mimetype search parameters.
Go to Drive audit, click on the ‘Apply custom filter’.
Use the mimetype search parameters
You can then apply the following search parameter:
  1. Select the search parameter mimetype equals audio/mp3
  2. Click on Add Rule to add an optional search parameter called ‘Sharing Flags’ doesn’t contain Shared inThis will ignore all files which are shared into your domain Note: you have no administrative control over files shared in.
  3. Click on ‘Apply’ to apply the search.

Drive Files filters

When the search results appear you can then select any mp3 file by using the ‘toggle selectable’ button (1).
Use the 'toggle selectable' button
You can check the boxes of the files you want to make changes to.
Finally, when you have selected the mp3 files you want to transfer ownership of, click on ‘File Operations’ then select ‘File Management’ from the drop-down menu.
select 'File Management' from the drop-down menu
Enter the new owner in the field provided.
File management section
You security officer will receive an email which will ask him/her to approve your request.

How to Find Your Users’ Owned Files in Google Drive via Long Search

To look for a Users owned files, use the Long Search in Drive audit.
Select the User/Group/OU Search type.
Enter the user’s email address and select ‘Owned’, otherwise, it will bring up files he has access to as a reader, editor or owner.
use the Long Search in Drive audit
This will begin the long search, you can click on the refresh to update the UI, and when its finished click on the ‘Apply filter’ (Green button).
 click on the refresh to update the UI
Alternatively, to find files owned by a user you can use the normal filters in Drive Audit. Click on the ‘Apply Custom filters’ button and select the owner search parameter.
you can use the normal filters in Drive Audit
We have now showcased both methods, the Long Search is also used to find files owned by members of a Group or OU which is really helpful!