Auditing for all Org Units(Only affects domains with GAT in a sub-OU)
In the beginning, Google recommended that to restrict app use to a select few, you should create an OU for those chosen to run the app and then make the app available only to those in that OU. General Audit Tool followed this procedure and this was our recommended method of restricting GAT access. With the arrival of OAuth2, applications in sub-OU’s only have authority for some audit features over the users in that sub-OU. This is impacting GAT’s ability to report domain-wide. To solve this problem we recommend you set the following.
For GAT+ to work properly and allow the Admin to Audit their domain.
We recommend GAT to be installed domain-wide, and full access to be granted.
This will enable auditing of all users on the domain for details like Google+, Drive, Email etc.
The access to the tool can be restricted by following the steps below.
On the GAT homepage (Old UI) select ‘Configure GAT’ option
Then at the bottom of this configuration tick the box under ‘Restrict GAT users’ and ‘Save’.
GAT will now only be available to Super Admins, security officers and delegated auditors. If you had GAT in a sub-OU, then in Google Admin panel you should move GAT from the sub-OU (‘/auditors’ for example) to the root OU (i.e. ‘/’). See here for more details.
See here to learn about Delegated Audits to auditors who are not Admin staff.