Out of Hours Email Activity Reporting with GAT+

In France, the legal length of the working week is 35 hours in all types of companies with more than 50 employees. The working day may not exceed 10 hours. Furthermore, employees may not work for more than 4.5 hours without a break. The maximum working day may be extended to 12 hours under a collective agreement.

If you wish to enforce this policy throughout your organization you can utilize GAT Shield. Let’s presume you already know about Shield and utilize it within your organization.

You have the ability as a super admin to enforce the French working hours after getting proper approval from your management team.

Navigate to the Configuration area of GAT Shield. In the Login Control section.

Now, I will create a time frame window outside of this time frame users on my domain won’t be allowed to log into their G Suite account to check emails or other cloud services.

The below example covers 9AM to 7PM.

Login time window (from): 0 0 9 1/1 * ? *

Login time window (to): 0 0 19 1/1 * ? *

This means my employees can log in and do their work from 9AM to 7PM after which they will be blocked.

If you don’t wish to block entry into the account when users are out of hour you can report on your employee’s activities using GAT Shield User Activity section. This will show you when a user was active and what sites they went to throughout a given day.

Less is More: Email Audit

How to see the tree from the woods.

Sometimes we can be overwhelmed with search results and where we have a lot of information coming at us we sometimes want to turn down the noise a little.

In our domain, we get a lot of email from one particular source. We have a domain called that we use to relay certain events.  For example, we have a series of internal cameras at sensitive doors in the building. These record to a NAS system, but to be sure we also turn some of the images into email and email them to a google account. These all come from the account  As you can imagine this generates quite a bit of noise. When we’re auditing email we like to eliminate this noise.

First, we search for email from ‘’

GAT 'negate filter' button

Then we hit ‘Negate Filter’ to remove these 15,000+ emails from the results.


This really starts to become useful when combined with another filter.

For example, if we want to see all the email with attachments, we ‘clear filter’, select the attachments box and hit ‘Search Emails’

Unfortunately, this returns all emails with attachments, including the thousands of alerts from

What we can do is go to the tab ‘Recent Filters’ and combine searches, all email ‘With Attachments’ and all email ‘not from[]’

You can see we select the two filters we want, join them with ‘AND’ and hit ‘Show’.

This returns a much smaller subset of all emails with attachments, except those from ‘alerts’.

If we add dates to this search, we get an example like in line 1. (picture at top of page), which is getting all the email we want from the 30th of Jan, 2013.

We can then schedule this for 5 past midnight on the 31st of Jan.

Assuming we are on the 30th of January, this will generate a report that will run everyday showing us all the email that comes or goes the day before, with files attached, excluding all those thousands of emails from the alerting system.

How to Debug Email Routing Problems

GAT+ Lets Admins see the filters Users have in place. Useful for debugging email routing problems. Users audit, Emails, click on the filters count for the User of interest to see what the underlying filters are.

GAT Gmail filter


Understanding Group Activity email and file sharing

Some recent questions raise the interesting problem of how do we measure email activity at group level (and group activity in general).

Groups inside Google are phenomenally interesting and at GAT we spend quite a bit of time thinking about them. At a simple level, a group can act as an email alias for a function, ‘’.  A group can also form a platform for email collaboration, ‘’. It can also form the basis of a mini-community, ‘’, where the group name can be used as the basis for sharing documents, emails, access rights, etc.

In reality, any group once established, tends to function to varying degrees in all three roles inside the organization. In addition, you have the situation that members of one group are often members of other groups. Looking at the output of the members, you can never tell if the mail is group related.

However, with GAT+Email you can see some important details

1) How busy, in general, members of that group have been.

Under the ‘Users’ audit, select the email tab, the search for the group you are interested in, then, clicking on ‘show graph’ you can see the detailed internal and external email loads for members of that group.

Understanding Group Activity email and file sharing


2) The amount of email sent specifically to any Group (where the group is viewed as a collection of members), which domain and which user it came from (internal or external).

Here we use GAT+Email and select the email audit. Once in the email audit we search for the group we are interested in. This can be done two ways, firstly we can just reference the Group and this will return all emails for which members of the group were involved

Or we can make the group address the subject of a specific search, (the results show only the email sent specifically to the group address).

Here we can see in the table everyone inside and outside the organization involved in sending email to that group address and the volume of email involved. Domain or individual can be turned on or off to see the values for each category more clearly.

In addition, you can search for all the emails sent ‘from’ a particular group address and then using the ‘Recent Filters’ tab combine the two searches to produce a combined set of results. Again these can be examined in the Sender/Receiver table.

A really powerful exercise is to limit the searches to a date range, then look at the ‘Domain Connections’ table for the results. At the top of the table select ‘Show communication graph’.

See this post. The graph shows newest relationships on the right, oldest on the left. Domains sending to us on the top, domains we send to on the bottom. In between have emails in both directions, depending on the balance.

3) To what degree that group is directly involved in document sharing and collaboration

In this case, we go to the ‘Group’ audit on the homepage.

In this audit we can search for a group of interest and from there we can see details like the total of the overall percentage of docs created by members of this group, the percentage of shared in documents shared to its members and the percentage of shared out docs, shared out by its members.

In addition, you can see details like the number of group documents (those shared), the number shared explicitly to the group address and the numbers shared by members of the group to one another. This helps you understand if the Group is being used for Collaboration.


Understanding and Measuring Internal Email Communications

GAT supports two ways to measure and understand internal email communications. The first method is through the ‘Users Audit’.

Select the ‘Users Audit’ from the GAT homepage, and from the range of audit areas, select the ‘Emails’ tab (1).  This shows the last 30 days of email activity, both internal and external.

By default, this will show all the users on the domain. As this might be a large number of users you might like to focus on an individual or a group. You can enter an individual or a group name at (2). You can also select an Organization Unit (3).

The email volumes for each user is laid out in 8 columns. The first 4 are for external volumes and the last 4 are for internal volumes. The columns show the following

No. of email sent

No. of emails sent with files attached

No. of emails received

No. of emails received with files attached

For internal emails look to the second set of 4 columns (5).

Clicking on any number in blue shows you the email metadata that is behind the figure. You can see the ‘from’, ‘to’, ‘cc’ etc.

If you wish to see the volumes for each day of the last 30 days, select ‘Show daily stats’ (6).

All columns are sortable.

They say a picture is worth a thousand words, so for the big picture select the ‘Business Intelligence’ section from the GAT homepage.

From there select ‘Internal/External Collaboration’.

Then select a look back period of the last 4 weeks.

Select ‘Show Graph’.

Wait for the graph to draw. This will take about 30 seconds.

When the graph has drawn select the following choices. Under ‘View’ select ‘Emails’ and in the Filters section, select ‘Dampen external collaboration’

What you are left with on the graph is a map of the actual internal email activity for ‘replied to’ email over the last four weeks.

If you want to see the numerical values behind the pairs of email relationships, select ‘Pairs’. You can sort to the top pairs to the top.

You can even explore the activity between any two individuals, any two groups, any two OU’s or any combination of the above.

Finally, if you want to understand more about this suite of tools and how you can make them work for you, you can read here.


The two methods are actually slightly different in terms of what they measure. Under the ‘Users Audit’ absolute volumes of emails are being measured. Every email sent and every email received is counted and tabulated. Under the ‘Business Intelligence’ graph, the measurement only reflects ‘replied to’ emails. Emails not replied to or ignored are not counted for use in this graph as they are not considered to form part of a collaborative effort. The purpose of the Collaboration graph is to show collaboration activity.

Visualizing specific G Suite relationships or workloads

Specific Use Case

Specific use cases for these features include decommissioning users, analysing relationships, understanding the state of a business relationship with a specific company, identifying contacts with a specific company, assessing workload and many other important Business Intelligence tasks.

Read more

What is collaboration in G Suite?

What is collaboration?

Google, rightly, talks a lot about the importance of collaboration and about how G Suite enables and enhances the collaborative experience in the workplace.

We have thought hard about what collaboration might be and how we could measure it in the Google environment. Sharing a document with someone is not collaboration, it is a connection. Only when that document is read or edited does it become collaboration. Likewise firing emails off at targets is not necessarily collaborating with them, only when replies come and threads are built up do we start to collaborate. In all, Google currently gives us three areas where we can, with reasonable accuracy measure collaboration, these are documents, emails and calendar appointments.

From this data, you can estimate how each individual is collaborating (at least inside G Suite) with everyone else. However, for organizations, it can be even more interesting to understand how teams are performing and how strong the collaborative performance is over a period of time (by default we look at the last 6 weeks)

Group Analyses

As mentioned a collaboration score for an individual is useful to know, but in fact from a G Suite perspective the collaboration inside a group is something that is really interesting. Google groups are core to how we split up our workforce. Groups can cross OU boundaries and can often represent teams.

Groups collaboration needs to be measured along three axes, volume, degree and time.

Volume represents the amount of collaboration between the members of a group.

Degree represents the number of members each individual member collaborates with.

Time represents the period over which collaboration happens.

GAT, because of its highly accurate auditing can measure not just connections, but collaboration for not only docs, but also for emails and calendars. In addition it can do this over a period of time and because it understands Google groups, it can calculate both the volume and degree for each group.

Group analyses presents this information to you.

In a simple, yet powerful table, GAT pulls out every Google group on your domain (presents groups of 5 or more members by default but you can select smaller), looks at the internal behaviour of every member of each group over the the last 6 weeks (you can set your own time window) and then lets you rank the groups by highest average volume and/or degree of collaboration. In one click you can see which groups are working for you as collaborating groups and which you need to look at more closely to see if that group is still useful.

To explore a group in detail, just click on the group name. You will see the group is expanded to show you the individual detail behind the collected averages. This can be very useful to help identify the top collaborators in a group.

Using this data you can start to correlate other performance indicators with collaboration. You can now start to ask and answer questions like ‘do collaborating sales teams close more deals?’, ‘do collaborating support teams have higher customer satisfaction scores?’. It will also allow you to identify unnecessary groups, perhaps allowing for them to be formally wound up, allowing for the better use of resources.

Using some carefully chosen mathematics (to accommodate the fact that degree is upper bounded by group size) we blend both collaboration event and degree to give you a single unique ranking system taking into account both Volume and Degree. This will allow you to sift the highest collaborating groups to the top in a single sort.

Only with G Suite and GAT+ is this sort of analyses now possible.


Who Read What Document and When?

Who read what and when?

This question comes up from time to time and GAT makes it easy to find the detailed answer.

First, we find all the documents the person read (or ‘visited’).

In the Drive Audit, from the drop-down list of the General Search select ‘Visited By’ and enter the email address of the person you are interested in.

This will find every document ever read by that person.


However, we can refine this further…

Clearly, one problem is a person definitely read every document they created and you may not be interested in those.

To eliminate these, search for every document the person owns.

Then ‘negate’ this search by clicking the negate filter. This gives us a search ‘chip’ like this

  • Not (Docs not deleted with Owners [])


Next click on ‘Clear Filter’ and let’s combine our two searches …

Select the ‘Recent Filters’ tab and you will see a history of all your searches for this session

Select the search for ‘Visited by’ and the ‘Not (Docs ..)’ search, combine with ‘AND’ and click ‘Show’


The result you get is all the documents visited by the subject, excluding those the subject owns.


Now to see when the person visited a particular document, find the document of interest, then click on the number of visitors to see the full visit and edit history…

Look down the list to see the exact visit time,

Click on the visit to see other documents visited in a 4-hour window, either side of that visit.


A follow-on question from this is how do we get daily reporting for all or some documents in our domain?

We have allowed for that too with a special scheduled job to cover daily or weekly reporting. To see how to do this look here


How to Schedule Reports for Top 10 or More Email Senders and Receivers

This post will show you how GAT+ can generate a report of all email activity for each user. The report can be scheduled daily, weekly or monthly and will be generated in the form of a spreadsheet that can be sorted by the desired column. The report will cover both internal and external email.

To start building this scheduled report the Admin should go to the Users audit first select the group or OU to report on, then select the Emails tab, followed by clicking the Show daily stats link

From there, select the ‘Schedule’ link

At this point, the Admin will be able to choose the exact type of report s/he wants.

For the daily report, select as a schedule ‘Every day – after midnight’ or choose a custom Cron period. You can also choose the report type such as ‘New spreadsheet will be created for each day’.

You may also add additional email recipients for the report.

You can now also select both the number of results you want, the order in which you want them sorted and select from a wide range of sort fields. 

Once you have made the selection, press ‘Update’ and the job will become a scheduled job for your domain. A new spreadsheet will be created every day, cover the previous day. The Admin will be emailed a link of the spreadsheet.


An example of the spreadsheet output looks like this.

Freeze row 1 and then select any column of interest,  finally sort the sheet based on that column in the Z to A order to bring the largest numbers to the top.

Here is an example of a calendar monthly aggregate report

You might also find these posts relevant:  

Demonstrating GAT+’s Powerful Reporting Range

4 Great Scheduled Audits You Should Set in GAT

Scheduled Report for Top 10 (and more) Email Senders and Receivers (by emails, by attachments, by bytes)

Report Files Created in the Last 24 Hours


How to Remove an Email with GAT+ and Unlock

A very common situation arises when an email is sent in error, a spam attack occurs, or a phishing email is sent to many accounts. The Admin needs to remove all copies at once. GAT with Unlock lets Admins do this quickly and simply.

Removing an Email with GAT+ and Unlock

Select ‘Domain Gmail Search’. Search for all the emails. In the example above we looked for emails in any folder, newer than one day with a subject of ‘Accidental Email’

in:anywhere newer_than:1d subject:”Accidental Email”

Once the results are returned we go to the ‘View Email Contents’ tab and send a request to the pre-defined security officer to access and remove these emails

Once approved you return to the ‘View email contents’ tab, refresh the list, select the approved grant (it should now have a blue check mark behind it), click on the link and wait for the search process to repeat again.

When the results are returned press the trash can at the top of the results column to delete everywhere.

For any given email you can click to read, download or delete as per each icon in front of the email.