Email Content Search is a live search for your entire domain.
This allows G Suite Super admins to search for any piece of text in any email in any mailbox across the domain. As long as the email is not permanently removed from the bin folder, Gmail Search can find it.
Note: this process may take a long time if you are searching through many accounts at the same time.
To start a live search for emails in one user’s account, select from search operators such as from:, to: or a quoted phrase like “some sentence”. I used the following: from:firstname.lastname@example.org “private and confidential” newer_than:30d is:read. Narrow the query down as much as possible to speed up the search.
I also covered the root Org Unit, which is /, and made sure to include its sub-Org Units. The search is then limited to the members of / and its sub-Org Units.
I can also ignore Google Meet/Hangouts chat records by adding -is:chat. The minus sign (-) in front of the operator excludes chat messages.
When the search results appear, you must make an Access Permission request to your security officer if you wish to view the contents, delete the email from the user's account, or download everything in bulk.
There are many things you can do from this point forward.
- Send a request to your Security Officer for permission to view/download and delete these emails.
- Export the metadata to a Google Spreadsheet or CSV.