Posts

GAT Removes Your Pain Points

Google Drive

1) “What files on my google domain can everyone on the internet find or see?”

In the GAT+ Drive Audit one click on the number ‘Open to full public’ shows you all the public files on your domain’s Google Drive. You can see those that are available to all with the link or ‘Open to public with link’ both reports just a click away).

2) “We have files that are shared to lots of other domains, how can I see which ones?”

Within the Google Drive Audit and with the press of one button ‘Domain Connections’, we draw a map of your entire set of Drive shares into and out of your domain.

Domain connection graph

Select each ‘dot’ and it will lead you to those files, from there you can select the number of shared files, and be directed to them

Select each ‘dot’ and it will lead you to those files, from there you can select the number of shared files, and be directed to them

3) “I need to see a list of all the external people that have explicit access to files on your Domain drive?”

In the Drive Audit, one press of the button ‘External Users’ will produce a table that you can sort by the desired column.

In the Drive Audit, one press of the button ‘External Users’ will produce a table that you can sort by the desired column.

Gmail

4) Need to find and remove an email in a hurry? (even from hundreds of accounts!)

In the Email Audit using the ‘Domain Gmail Search’ you can do a live search of every folder in every account on your domain for an email containing text in any location (subject, body, attachment) or any other identifier and have a list of those emails found.

Once you find the emails you need (using Unlock) you can view, download or remove these emails in bulk for one or all accounts.

5) Need to see the top sender or receiver of emails?

Just a press of the ‘Sender/Receiver’ button will tabulate the top senders and receivers of email for your domain or for whatever search you used to narrow the data.

6) Need to delegate access to another user’s email account?

In the “User audit” select the “Email info” button and select the account you want to add delegated auditor to and add. After its approved by security officer, the user will have delegated access the person’s email.

7) Need to get a daily/weekly/monthly report of emails per user, sent and received?

On the GAT+ Email audit select “User Statistics” presenting different options  “Daily Statistics” and “Summary statistics”

Once you select the Daily Statistics, you can just apply filter to schedule daily reports for all emails coming and going out from all your user accounts you can also select to cover user/group/OU.

G Suite Users

8) Need to save on license costs then you need to know which accounts were not used in the last 6 months.

On the GAT+ select ‘Users Audit’ and select ‘Last Login’ and it will be filtered based on Last login.

You can apply filter to search by ‘Last login’ or ‘Last negative login’ searching for users whose last login to your G Suite domain was 6 months ago.



9) Need to easily bulk add or remove users or simply add/remove/change them between groups and OUs?

In the new GAT+ select the Users report. Filter for the set of users you are interested in working with. Export that selection of users, change the spreadsheet as described here. You can add the users to one or more groups or change their group mix completely. When finished with the changes, just import the spreadsheet to perform all the changes at once.

10) Need to be warned when some critical event has happened on your domain?

Under Configurations section in GAT+ select ‘Alarms’ and configure for the alerts you need. Alarms can be configured and saved on a per OU basis.

Identify All Externally Owned Files with GAT+

G Suite Admins can now Identify externally owned Google Drive files and which folders they reside in in your G Suite domain.

An admin can click on “One Click Report” – External users – Docs

This will show us all external users who have ‘shared in’ Google Drive files into your domain.

By clicking on each of the numbers under the column ‘Owns (not ours)’, the admin will be taken to Drive Audit Files tab where you can examine these Google Drive files in greater detail.

Another way to find all external owned Google documents within your G Suite domain is to open Drive audit and apply a custom filter – show the files which have been shared in. (we excluded deleted/trashed Google docs in this example) because they are included by default.

The result will show all Google docs “Shared in” to your domain and you will be able to view their paths. Since these files are externally owned, you as a G Suite Super admin, your only course of action is to remove and cut the ties to those users they’ve been shared with.

Note: To remove editors and readers from shared in files, there has to be at least one local editor from your Google domain on each of those files.

For each file, you can see the folder or folders that each particular file resides in.

Many files may not have a folder path because they haven’t been added to the local user’s myDrive.

The G Suite Admin can export a Google spreadsheet or a CSV of all shared in file paths by selecting the option ‘with path flattened’. With paths flattened each unique path will be displayed.

GAT Search Choices Explained

New Filters

One of the key features of GAT+ is it’s very powerful Drive audit search capability. Its power comes from its ability to use so many search operators and parameters to find files based on a multitude of different aspects of its metadata. Navigating through Drive audit you will notice how quickly the data loads.

We have even dedicated an entire post to talk about powerful things you can do from the Drive Audit list.

Let us examine the options in detail.

Title – Can be the file name or any part of the name.

Note: GAT remembers document name history, so if someone renames a document GAT will return matches against the new and old names.

File ID – Is the ID for the file in question.

All files have an ID which can be found in the URL of the file or in GAT+ you can click on the title which will display the full ID.

All files have an ID which can be found in the URL of the file or in GAT+ you can click on the title which will display the full ID.

MimeType – MIME stands for Multi-purpose Internet Mail Extensions. MIME types form a standard way of classifying file types on the Internet.

Here are a few examples:

  • image/png
  • video/mp4
  • application/pdf
  • audio/wav
  • text/css

Flags – State conditions applied to files.


Flags - State conditions applied to files.

Restricted – Whenever the file is prevented from being downloaded, printed or copied.

Restricted - Whenever the file is prevented from being downloaded, printed or copied.

Editors can’t share – This flag is self-explanatory and refers to files not being able to be shared by editors.

Editors can’t share - This flag is self-explanatory and refers to files not being able to be shared by editors.
  • Team Drive Extra ACLs – Some files within Team Drives might have additional sharing settings, for example, a TD file can be shared out with a link.
  • ACLs Changed – ACLs Changed is set when a super admin makes some changes through GAT+ (e.g. remove editor/reader, change owner etc.)
  • Title Truncated – Some files have reaaaaaaaaaaaaaaaaally long file names and we’re forced to truncate them so that they can be indexed.
  • Incomplete data – When changes are made to some files using GAT Unlock the data in the database can be out of date.

Sharing Flags – This flag covers all of the scenarios a file can be exposed.

Anyone in Domain – Anyone within your domain (myOrganisation.com)

Quota Bytes – this parameter refers to the size of the files. Native Google files do not display any size details but all non-Google files do. This parameter takes Bytes. For example:

1 Kilobyte = 1024

1 Megabyte = 1048576

1 Gigabyte = 1073741824

The below example will return all files greater than 1 Gigabyte:

this example will return all files greater than 1 Gigabyte:

Type – The most popular file type extensions are shown with this search parameter.

Type - The most popular file type extensions are shown with this search parameter.

Users – Anyone who is an Owner, Editor or Reader of a file. Can also be entered as a regular expression.

Users – Anyone who is an Owner, Editor or Reader of a file. Can also be entered as a regular expression.

Owner – Anyone who is the owner of a file. This can be a full email address or a partial address.  For example to find all files owned by joe@gmail.com

You can select the following:

Owner equal joe@gmail.com or Owner contains (case insensitive) joe

You can also use the contains (case insensitive) to find all files owned by gmail accounts for example:

Owner contains (case insensitive) gmail.com

Owner contains (case insensitive) gmail.com

Editors – Anyone who is the editor of a file. Same search criteria as ‘Owners’.

Readers – Anyone who is the viewer of a file.

Created – When a file was created/uploaded into Google Drive.

Updated – The updated date field changes whenever certain actions are taken. Please see below:

  • File permission changes (add/removing editors or reader, add/removing internal or public share)
  • A file has been edited
  • A files name has changed

Updated is NOT changed whenever:

  • A user is viewing a file.
  • A user is moving a file (surprisingly!).

Advanced Filters

Full Content Search

Using the Advance filters, select ‘Full Content Search’ by default ‘Simple Filter’ is ON. ‘Full Content Search’ allows you to find files which contain specific words or sentences. Even in images and or videos using Googles OCR (Optical Character Recognition) technology.

 ‘Full Content Search’ allows you to find files which contain specific words or sentences. Even in images and or videos using Googles OCR (Optical Character Recognition) technology.

Examples:

“Credit Card” – This will return files which contain exactly this sentence.

Credit Card without the quotation marks will return files which contain the words Credit and/or Card. If you don’t specify a scope either by entering a user, Google group or Org Unit it will return filtered files for all non-deleted and non-suspended users by default which contain the query.

Title / Description Search

Title / Description Search queries are performed using only files metadata, that is only text columns presented in Drive result table. Contents are not considered. This is a very fast method of finding files using their title or description.

Example 1: The following example below finds all file records containing ANY terms from the list: “java”, “shop” and “coffee” with a file’s title or description.

Example 1: The following example below finds all file records containing ANY terms from the list: “java”, “shop” and “coffee” with a file's title or description.

Example 2: You can also search for exact phrases by wrapping them in double quotes. For example, the following finds all records containing “java” or “coffee shop”:

Example 2: You can also search for exact phrases by wrapping them in double quotes. For example, the following finds all records containing “java” or “coffee shop”:

Example 3: To exclude a word, you can prepend a hyphen “-” character. For example, to find all file records containing “java” or “shop” but not “coffee”, use the following:

Example 3: To exclude a word, you can prepend a hyphen “-” character. For example, to find all file records containing “java” or “shop” but not “coffee”, use the following:

Sorting by text score

GAT returns results in unsorted order by default. However, tile / Description queries compute a relevance score for each record that specifies how well a record matches a query.

Also, each text column has a weight which denotes the significance of this column relative to the other ones in terms of a text search score. The order of importance is:

title (10), description (5), owner (4), organizers (4), writers (3), readers (1)

For each column, GAT multiplies the number of matches by the weight and then sums the results. Using this sum, GAT then calculates a score for a record.

To sort results in order of relevance score, you must enable the following option:

To sort results in order of relevance score, you must enable the following option:

It’s disabled by default.

Case Sensitivity

Terms queries are case insensitive by default. You can make them case sensitive by enabling this option:

Terms queries are case insensitive by default. You can make them case sensitive by enabling this option:

It’s disabled by default.

Note also that both the options (case sensitive and sort by text score) can be combined:

Note also that both the options (case sensitive and sort by text score) can be combined:


Additional Resources

Google Drive: Who Read What Document and When?

This question comes up from time to time and GAT makes it easy to find the detailed answer.

First, we find all the documents the person reads (or has ‘viewed’).
To achieve this we navigate to GAT’s Google Drive audit. We select the Event tab, then we apply a custom filter.
For the search we enter the email address of the person we’re interested in, then pick an event type as “View” (you can select different options such as download, upload, print, created).
You can select a date parameter to narrow down your search results (If you don’t put date it will scan the user and event type and find every document ever read by that person).

The example in the screenshot below will display all events (view) by the user in the past 29 days(since the start of month).

However, we can refine our Google Drive searches even further…

Let’s exclude files where this user is also the owner of those files because we are only interested in files this user viewed which are not his own.

To do this export the results, this will create a spreadsheet where we can edit the owner tab to exclude the person you are currently searching for.

The result you get is all the documents visited by the subject, excluding the files he owns.

A follow-on question from this is how do we create daily/weekly reporting for all or some documents in our domain?

We have a post about how to schedule daily/weekly report on event activities on files you can read more about that below here:

How to Track Visitors and Editors

How to Find if the Contents of a Folder Changed

Here is a frequent question we get from our G Suite super admins who use GAT+.

‘I want to know when the contents of a folder change?’ In GAT+ we can automate and set up a scheduled report to give us this information.

Go to Drive Audit, Search for the folder you are interested in using the Apply custom filters button.

"Drive" audit section

Select this filter

Select the following search parameters:

    • Make the type of the search equal to a ‘Title / Description Search’
    • Enter the title of the folder into the Terms field.
  • In the Definition area, select the search parameter Type equal Folder and also Owner equal to user’s email address.

"filers filters" section

Once the folder appears in the Drive result table. Click on the drop-down menu next to the title of the folder. Select the option to ‘Show contents of this folder and its subfolders’. Selecting this option will expand the folder completely open and all files within its folder tree will be displayed.

Select the option to ‘Show contents of this folder and its subfolders’.

Now a search will start. You can refresh the screen to see if the search is complete. Once its done, Apply the filter.

"long search" filter

Once we access the content of the folder we can make another search to find files which have been updated since yesterday. The reason why we are looking back a single day is that we want to create a scheduled report which runs daily and shows us files which have been updated in this folder, this report will run automatically each day and it will update the dates selected and increment it to reflect the new day.

Select filter

Underneath the Long Search ID parameter, add another rule called Updated after or equal yesterday’s date. The select the option ‘Scheduled’.

Underneath the Long Search ID parameter, add another rule called Updated after or equal yesterday’s date. The select the option ‘Scheduled’.

select "apply & schedule"

The report will be shared with you via email with a Google spreadsheet attached.

If this receives 0 results in the spreadsheet it just means nothing changed in that folder since the previous day.

Audit Google Team Drives Users and Activity with GAT+

Applying a search for Team Drive files

Use the exposure summary table in Drive Audit to quickly display all of the files within your Team Drive for all of your domain users.

Use the exposure summary table in Drive Audit

In the above example, our domain has a total of 1778 Team Drive files. Once you click on exposure summary table for Team Drive files a filter will be automatically applied with the following search parameter selected.

Drive files filter option

Don’t hesitate to build on top of this filter search. Let’s search for Team Drive files which have been updated in the past few months and which are images and docs only. Follow the steps below to achieve the same search:

    1. Clicked on the ‘Add rule’ button.
    1. Select the Updated search parameter and then select ‘after or equal’ and then enter the months of interest.
    1. After clicking on the ‘Add group’ button.
    1. Select the OR operator so the search parameters in this group will be OR’d together.
    1. The first search parameter was Type is equal to ‘Image’.
    1. Click on ‘Add rule’ button to create the second search parameter.
    1. The second search parameter was Type is equal to ‘Doc’.
  1. Apply the filter.

Click on the button ‘Show stats for the current filter’,

To know the exact number of Team Drive files which have been updated in the past few months and are images or docs. Click on the button ‘Show stats for the current filter’, this will run a search and calculate what file types are appearing for this current filter.

‘Stats for the current filter’ will take some time to generate the results.

The ‘Stats for the current filter’ will take some time to generate the results.

A look at what the "stats of the current filter" feature shows

View Events History for Team Drives

In the Files Tab of Drive audit, apply a search filter for Team Drive files, once the filter is applied click on the Events Tab. This will show you all of the events carried out on those files.

Click on the 'events' tab

expanded info in the feature

How to Find Publicly Shared Google Files with GAT

You may find that on your domain a large number of the User’s Google files are publicly shared. There is a possibility that not all of these publicly shared files were intentional. We wrote a detailed article about how to manage publically shared files.

Method 1 – With GAT+, an Admin can remove Public access in two different ways. The Admin can select the ‘everyone’, ‘everyone with link’ permission from the drive audit table and click the drop-down menu option and select the remove link options available.

To do this, use the exposure summary table to either select ‘open to the public in full’ or open to the ‘public with link’ shares.

use the exposure summary table to either select ‘open to the public in full’ or open to the ‘public with link’ shares.

Now, let’s slightly modify this filter by clicking on the ‘apply custom filter’ button.

modify this filter by clicking on the ‘apply custom filter’ button.

We need another search rule, click on ‘Add rule’ and select the search parameter ‘Sharing flag’ and set it to ‘Shared out’. This will ignore files shared into your domain which fall into the fully public category. Publicly shared in files appear in your domain’s drive stream because a local user on your domain has accessed them at one stage.

Drive Files filters

Now, click on the dropdown menu option to remove the ‘everyone’ permission so that all of these files will no longer be fully public.

click on the dropdown menu option to remove the ‘everyone’ permission

Method 2 – However, method 1 may also revoke access to documents intentionally publically shared. Therefore to address the problem we should a) alert users to their current situation and b) implement a plan of ongoing monitoring and alerting and scheduled removal if necessary. To learn more about best practices whenever removing files shared externally visit our post how to manage publically shared files.

 

Related Resources:

How to Manage Publically Shared Files with GAT+

See Where Certain Files Are On The Domain ‘Drive’

Keeping an organised Team Drive or myDrive folders structure is important so important that GAT+ has a specific tab called Folder Tree. The Folder Tree audit area lays out all of the folder structures for all your users myDrives and Team Drives.

You can now search for a specific Team Drive or users myDrive. Once you’ve located the folder you can descend through the folder tree.

You can now search for a specific Team Drive or users myDrive

Click on the folder name to display the ‘Detailed view’ and the ‘Files list’.

Click on the folder name to display the ‘Detailed view’ and the ‘Files list’.

See the detailed view

In the ‘Files list’ you can apply a custom to filter to find files based on a multitude of different search criteria.  You can click on the drop-down menu for any file and remove a particular editor or reader.

apply a custom to filter to find files based on a multitude of different search criteria

How to Easily Identify and Organise Orphaned Files in G Suite

Orphaned files are those that a user has access to but do not exist in any folder for that user, including the root folder. They are a particular problem because the Google Drive client app on PC’s allows other users to delete a folder and leave the files orphaned. GAT now allows Admins to find all orphaned files for any user.

Here is a detailed how-to video that shows you how to find and fix orphaned files:

Displaying Orphaned Files

In the Drive Audit, click on the “Apply custom filter” button. This is one way to display orphan files.

apply custom filter in GAT's Drive Audit

When the filter menu appears select the “Flags” operator contains “Orphaned”. Then press apply.

Drive files filters tab

You can easily display orphaned files by using the exposure summary table. Click on Orphaned.

see number of orphaned files in GAT filter

Fixing Orphaned Files

 

Once you are ready to fix the orphan files, Click on the “Files operations” button, then select “Fix orphans”.

 

A popup menu will appear, you will be able to perform the fix in 2 ways, one way will fix all of the orphan files for everyone on the domain who has them or you can select individual users and fix their orphan files.

 

A folder will be automatically created on the users myDrive, the folder name can be changed to whatever you prefer, by default its called Orphaned.

Selecting the “Process all users” option will fix orphaned files for all domain users who have them.

select 'process all users'

Or you can fix them for individual users in small batches if you prefer.

update 'users'

Visualizing specific G Suite relationships or workloads

Specific Use Case

Specific use cases for these features include decommissioning users, analysing relationships, understanding the state of a business relationship with a specific company, identifying contacts with a specific company, assessing workload and many other important Business Intelligence tasks.

Read more