Posts

How to Create a Report of End Users' Documents They Own

In this use case, GAT allows domain admins to prepare a report that is sent to each user, showing the files that they own as a spreadsheet attachment.

The report can be prepared around several different user sets, depending on the scope the admin wishes to give to the report.

Select the Drive feature

First, we select Drive Audit, then we apply a custom filter and search for files owned by our domain.

Select the filter

We simply search for files where the owner is our domain.

Select apply

Once we find all files owned by our domain, we can click the Apply button and this will run the search.

Click on the Files Operations button and select Remove Permissions. Remove Permissions has a feature to notify the owners of the files in this search result and provide them with a spreadsheet of all the files they own.

Select 'scan' in the multi permission change tab

In the Permission change option select “Report only”; this will ensure no actions are taken on the selected search.

Add a message of your choice.

Key terms to know about when creating a custom message:

{{RECIPIENT}} – recipient's full name,
{{RECIPIENT.FIRSTNAME}} – recipient's first name,
{{RECIPIENT.LASTNAME}} – recipient's surname,
{{RECIPIENT.EMAIL}} – recipient's email.

{{FILES}} – Displays in the email the files in question with a URL link.


This is the message the end user will see. The email will show them all of the files they own.

Clicking on the ‘View files’ button at the bottom will open a Google Spreadsheet for the user.

How to Find the Space Used on Google Drive

In this post, you will learn how to find used space on your Google Drive.

Using GAT, enter the User Audit, then select “Quota” from the top bar.

Select 'Users'

It will display Quota available for all the users in your domain

It shows all the users and their Google account usage.

    • Quota available for individual users
    • Quota used out of the availability
    • Quota used for Drive only
    • Quota used for GMail only
    • Quota used for Photos only

Remember you can use “Apply custom filter” to narrow the search down to find individual users, groups, organizational units and so on. Reports can also be generated based on the usage by individual users/groups.

Google Drive Use Productivity Measured

select users

In the new Drive UI, under Users audit, we have added a tab called Drive Productivity.
Once it is selected it shows the Drive Productivity for each individual user in the domain.
It shows all files owned by the user, the number of Public, Public with a link, Shared out, Internal, Private, G Suite docs, spreadsheets and presentations created/updated last week.
All this information is available just by selecting Drive productivity tab.  
The user can apply different filters on the top and gather different information and even schedule a report on the activities of the users for a certain period of time.
For example, you can schedule a report for all users who created more than 100 G Suite docs and generate the report every weekend.

Users Drive Filters

The general purpose of scheduling reports is to show user engagement with the overall Google Drive environment.

Google Drive: File Type Search

The file type table in Drive audit shows all of the files across your entire domain. Once you click on a particular file category, the filter will be applied and those files will appear in the Drive result table so you can examine them in greater detail.

GAT+ File Type Search

When it comes to Google Drive, GAT returns all document details for all users by default. You can filter by any selection range using the custom filters button.

Apply custom filter

Once these results are returned you can then add further filter criteria on top of the Type filter.

For example:

Drive files filter

Note: This search will return files which are of type Spreadsheet and which are also shared out of your domain.

Remember if this is a frequent search, you can ‘Apply & Save’ it.

Audit Google Team Drives Users and Activity with GAT+

Applying a search for Team Drive files

Use the exposure summary table in Drive Audit to quickly display all of the files within your Team Drive for all of your domain users.

Use the exposure summary table in Drive Audit

In the above example, our domain has a total of 1778 Team Drive files. Once you click on the exposure summary table for Team Drive files, a filter will be automatically applied with the following search parameter selected.

Drive files filter option

Don’t hesitate to build on top of this filter search. Let’s search for Team Drive files which have been updated in the past few months and which are images and docs only. Follow the steps below to achieve the same search:

    1. Click on the ‘Add rule’ button.
    2. Select the Updated search parameter, then select ‘after or equal’ and enter the months of interest.
    3. Click on the ‘Add group’ button.
    4. Select the OR operator so the search parameters in this group will be OR’d together.
    5. Set the first search parameter to Type is equal to ‘Image’.
    6. Click on the ‘Add rule’ button to create the second search parameter.
    7. Set the second search parameter to Type is equal to ‘Doc’.
    8. Apply the filter.

Click on the button ‘Show stats for the current filter’,

To know the exact number of Team Drive files which have been updated in the past few months and are images or docs, click on the button ‘Show stats for the current filter’. This will run a search and calculate what file types are appearing for this current filter.

‘Stats for the current filter’ will take some time to generate the results.

A look at what the "stats of the current filter" feature shows

View Events History for Team Drives

In the Files Tab of Drive audit, apply a search filter for Team Drive files. Once the filter is applied, click on the Events Tab. This will show you all of the events carried out on those files.

Click on the 'events' tab

expanded info in the feature

See Where Certain Files Are On The Domain ‘Drive’

Keeping an organised Team Drive or myDrive folder structure is important, so important that GAT+ has a specific tab called Folder Tree. The Folder Tree audit area lays out all of the folder structures for all your users' myDrives and Team Drives.

You can now search for a specific Team Drive or a user's myDrive. Once you’ve located the folder you can descend through the folder tree.

Click on the folder name to display the ‘Detailed view’ and the ‘Files list’.

See the detailed view

In the ‘Files list’ you can apply a custom filter to find files based on a multitude of different search criteria. You can click on the drop-down menu for any file and remove a particular editor or reader.

Powerful Things You Can Do from the Drive Audit List in GAT

This article shows you a few powerful things you can do in Google Drive Audit with GAT+.

1) Find the folder you want and, using the drop-down, find the contents (click on "show contents of this folder").
2) Remove an editor or viewer from one or more files. Once you select the files in the folder, you can remove an editor from one or many …
3) To see the full viewer or editor history of a file, just select the file name and click the drop-down beside it (click on "show events").

How To Report Files Created in the Last 24 Hours

In the GAT+ Drive Audit while looking at the entire Drive, select ‘Created’ and enter yesterday’s date, then press search.

Files Created in last 24 Hours

This will return all files created since yesterday. You will use this as the basis of your scheduled job. You can eliminate files that you don’t want, such as files shared In or Folders by clicking on the ‘x’ beside those file types in the quick filter.

Next, click the ‘Export/Schedule Metadata’ button and then select ‘Schedule or Save’.

Export/Schedule Metadata in GAT

Once there you will see a wide range of options to choose from. We recommend selecting ‘Policy’ because, even though you won’t be making any file rights changes, selecting policy means you will only get a report when events happen that match your criteria. (With ‘Policy’, if no files are created you get no report; with ‘Audit’, if no files are created you still get a report saying ‘no files created’.) You can choose to have the report in PDF or CSV format.

Select ‘Every day at Midnight’ as the run cycle.

Click update and you are done. GAT+ automatically adjusts the start date one day at a time (or if you select a different cycle period the start date will be moved by that period).

Security Tips for the Google Apps Environment

Google Drive

‘Bin’ or ‘Trash’ is just a folder. If a user moves a file, which was shared out, from ‘My Drive’ to ‘Trash’, the file is still shared out, still visible and still subject to changes. Files do not automatically leave trash. Users should know moving a file to ‘Trash’ is not a solution to a sharing violation.

Your audit tool must audit trash correctly. Shared trashed files must be deleted to remove the security risk. Deleted files must be kept in an audit log.

A file shared into your Domain with Edit rights is just as big a security risk as a file shared out with edit rights. Tracking files shared out of your domain only addresses part of the data leakage risk on Drive. You must be aware of the files shared in with ‘Edit’ rights. Policies must work for file shares in both directions and ideally for internal and external shares.

If you were using files in a shared folder and another user deletes the folder, the files become ‘orphaned’ on Google Drive. The files are there, but they are not in ‘My Drive’ or any other folder. Files that disappear are typically orphaned. GAT lets Admins and Users find orphaned files. Orphaned files may remain fully shared, even public. Out of sight for your users does not mean out of sight for externally shared or public files.

Learn how to easily identify and organize orphaned files.

Your audit tool should extend to the end user. Admins are often not the right people to assess the risk or the provenance of a file. End users know their own files best. End users should be shown how to do audits and encouraged to do them frequently.

 

Passwords

Passwords of any length and any change frequency are almost a waste of time as a security device. Most password attacks now are not dictionary driven, but keyboard scrapes. Google Apps are particularly vulnerable to password loss by this method because of the access from anywhere, anytime model. Home PCs are used to access corporate networks. Public spaces with cameras on users. Airport kiosks. All present an opportunity for a keyboard scrape. Enable 2FA and use either a code or a fob to provide additional security. If any part of your security model is solely based on passwords and frequent changes, you are deluding yourself into a false sense of security. GAT reports 2FA status by user and you can schedule reports for non-2FA accounts.

 

Login location

Carriers often obfuscate the true location of the IP address used to make a Google Apps login, but they do not do so at random. Admins should familiarise themselves with the regular IP locations for all logins to their domain. Admins should investigate logins from unexpected locations. GAT tracks and maps IP address locations for connections to your domain. Suspicious or failed logins on Google mean very little to Admins on their own; they need to be seen in the context of where they are coming from. See this post on the subject.

With GAT, you can set an alert type based on IP address or IP subnet.

User Behaviour

A change in user behaviour is often a sign that should alert a security-conscious Admin. Changes in behaviour include increased or excessive file shares or emails. It is important to know the regular volumes for your domain. GAT can alarm when it detects that thresholds set by you are exceeded for files shared in or out, or emails sent or received.

 

Third Party Apps

Marketplace Apps can be installed at Admin console level, by end users as document, spreadsheet or browser extensions and as browser-based apps. These are all different. Marketplace Apps reported by Google only represent a small portion of the apps users install.

Blocking Third Party Drive Apps does not necessarily cover Chrome extensions. If you are not restricting both these types, you need an audit tool that can audit, risk assess, alarm and enforce policy on new instances of both Drive Apps and Chrome extensions. GAT can cover all these areas. It can apply policy by user, group or OU.

 

Idle Accounts

Accounts that have been idle for a long time that suddenly become active should attract the attention of an Admin, likewise accounts that have suddenly gone quiet. Is HR keeping IT up to date on personnel changes? Are departed employees coming back into their accounts? GAT can alarm you when it detects thresholds for idle account times have been breached.

 

Idle devices

Devices that have been inactive for a long period and suddenly become active may be a security risk. Likewise, a device that has gone quiet. Has the user reported it missing or stolen? Was it thrown in a drawer for a kid to use later? Is the new user suddenly reading the finance files? GAT can alarm when it detects thresholds for device syncs have been breached.

How to Plan a Google Drive Policy Environment [Old UI]

The General Audit Tool recently released its Policy Enforcement Feature set. This has been very well received by our user base but has raised some interesting implementation issues. This post will look at how you should go about setting up a policy enforcement environment for Google Drive.

For tight security, the ideal goal is to set up a whitelist and undo sharing to everything else.

For a more liberal working environment maybe you just want to build a blacklist. Either way follow these simple steps.

Step 1 – Assess the size of the problem you are dealing with

Fortunately GAT lets you do this in a click or two. 

In One Click reports, one of the first reports you will see is the ‘External Users – Docs’ report. Clicking on this will show you a list of external people you share documents with. These are listed under 5 columns. When you share a document with a second party you can do so under three circumstances: you own the doc, they own the doc, or a third party owns the doc and you are co-sharers.

GAT identifies all external individuals whom users on your domain share documents with and further identifies the type of sharing relationship you have with those individuals.

To begin with, we are initially interested in ‘Our Documents’ and of those, the most interesting is probably our documents that external individuals can edit. Click on that column to sort in descending order. Now, look at the first column.  The important names and domains should be pretty obvious. Work your way down the list, noting domains or users that you think might not be valid business sharing targets.  When you find an external user or domain you wish to check, click on the corresponding number in the ‘Can Edit (Our Docs only)’ column.  This will show you the full list of internal users who share with that external party, it will also show you the docs they share. Review these and then call the local user(s) to see if this is an appropriate domain to have whitelisted.

Next, repeat the process for ‘Can View (Our Docs only)’. Once this is done, you have covered your own document base. This is the material that should be of primary concern to you and company management. For both these categories you can set policy to unshare, whitelist or blacklist.

The next level of concern in terms of security risk is external documents that your users can edit. For example, these may be personal Gmail docs shared into the domain, into which local users are writing company information.

The final category of concern is external documents that your users can view. The concern here is that the viewable material is appropriate for the workplace.

In the last two cases, you cannot set policy to remove the shares as you have no authority over documents external to your domain; however, you can issue a warning to local users that it is against company policy to edit or view documents from non-whitelisted domains.

Remember a click shows you who the local users are. Work closely with the user or their manager to determine the white or blacklist.

Step 2 – Clean up the existing situation

Having identified those users or domains that you definitely should not be sharing documents with, you can clean up the bulk of them fairly quickly.

There are two methods in GAT for doing this.

1) If you wish to remove just one or two individuals or domains and you are certain they can be removed, go to the ‘Drive Audit’.

Go to the Drive audit section in the GAT+ console

Search for the individuals or domains you wish to remove and pick each target off one by one.  Remember you can only remove them from documents owned by your domain.

2) If you have a large number of external users and domains that you wish to remove from your document shares, or you have prepared a whitelist and want everyone else removed you can do that with the scheduler.

NOTE: For a large number of file access removes it is always better to notify the users of the files that will be affected and to confirm with the users that this is now company policy.

User and management engagement and feedback is essential.

First, let us prepare the rules and confirm with our user base.

a) Blacklist example

Prepare the blacklist and modify this example blacklist to meet your own needs

([^\s]+(\@(?i)(gmail\.com|hotmail\.com|yahoo\.com))$)

Then using the Drive Audit search in GAT, search for ‘Users’ from these domains. Be sure to tick ‘Reg. Ex.’, because it is a regular expression.

search for ‘Users’ in GAT+. Be sure to tick ‘Reg. Ex.’

This will find all documents where users from these domains are the owners, editors or viewers of documents. Next, click on ‘Schedule/Save’.

Here we will run the job once.

The first time we take no removal action. We warn all the local users and invite them to remove the shares themselves.  We also invite feedback, so we can refine the list. All affected users will get the notice along with a list of their files which are affected.

Example of a message, which you can cut and paste.

‘Please note, all files shared to or from gmail.com, hotmail.com and yahoo.com are going to have external shares removed if we own the document, or will have warning notices sent to internal users if the document is shared in. You are invited to remove the shares yourself beforehand.

Please check that these files conform with company policy. If you feel a name should not be on the list, please let us know.

This is only a warning message. No action has been taken on this audit.’

After running the job one evening, we log in the next morning, disable the job and wait for feedback. You may need to run it over a few weeks if you feel many users are on vacation.

Having warned all users we need to turn the rule from a warning into an action.

Select ‘Remove Only the Following External Shares’ and add the blacklist of users or domains. Enable to run nightly to ensure policy is complied with.

b) Whitelist example

Prepare the Whitelist of domains or users it is acceptable to share with.

First, let's search for the ‘whitelist’ docs on Drive. Then, when we have found those, we click on ‘Negate Search’ to find every document not ‘used’ by the whitelist.

After negating the search, select clear filter to start a fresh search.

First click on ‘In’ to find the documents shared in, then click on ‘Out’ to find all the documents shared out. The result of these two clicks will be a list of all documents shared in or out.

We will then combine this result with our non-whitelisted search, to produce a search for all documents not on the whitelist shared in or out.

We can use this search to form the basis of our warning campaign before taking any removal action.

Step 3 – Enforce the Policy

In both the whitelist and blacklist use cases, you can now return to the scheduler and turn the warning into action.

Policy enforcement should then proceed in 2 phases. The first phase is to remove all past infringements and the second phase will be to enforce the policy going forward.

For a complete ‘shutdown’ of non-domain access to your domain files we have a single button ‘Remove All External Shares’.

Selecting this will do exactly what it says!

To enforce a ‘Blacklist’ you select ‘Remove only the following shares’ and enter the list of domains or users, separated by commas, which you have determined need to be removed.

To enforce the ‘Whitelist’ you select ‘Remove All External Shares Excluding the following’ and enter the list of domains or users, separated by commas, which you have determined are safe to allow to see your domain’s documents.

For phase one of the policy enforcement, you then schedule the job to run once, with the appropriate warning message. In each case, this will clear the past sharing infringements.

For the second phase, scheduling ongoing policy enforcement, you need to introduce a date element into your rule.  This job can then be run daily, weekly or monthly and the date updated.

For many examples of how this is done see here.

Basically, it requires you to enter the rule again, but select it to apply only from today’s date, (if you want to run the job daily). We will then run the policy check for you every day and update the date.
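
A dry run of the three enforcement modes from Steps 2 and 3, as an added example (not GAT's own code): it sorts a constructed share inventory into shares that would be removed and local users who would only be warned, for the warning run and for the enforcing run. The domain example.com, the inventory, the use of a file's last-updated date for the date element, and all function names are assumptions; the page's regex is compiled with re.IGNORECASE in place of the inline (?i), which Python rejects in the middle of a pattern.

```python
import re
from datetime import date

OUR_DOMAIN = "example.com"  # assumption: stands in for your own domain

# The page's blacklist pattern. Python rejects an inline (?i) that is not at
# the start of a pattern, so case-insensitivity is passed as a flag instead.
BLACKLIST_RE = re.compile(
    r"([^\s]+(\@(gmail\.com|hotmail\.com|yahoo\.com))$)", re.IGNORECASE)

# Constructed inventory: (file, owner, shared_with, role, last_updated)
SHARES = [
    ("budget.xlsx", "amy@example.com", "bob@gmail.com", "edit", date(2024, 1, 5)),
    ("roadmap.doc", "amy@example.com", "eve@partner.org", "view", date(2024, 3, 1)),
    ("notes.doc", "carl@Yahoo.com", "dan@example.com", "edit", date(2024, 3, 2)),
    ("plan.doc", "dan@example.com", "zed@mail.gmail.com.evil.net", "view", date(2024, 3, 3)),
    ("team.doc", "dan@example.com", "amy@example.com", "edit", date(2024, 3, 3)),
]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def targeted(addr, mode, listed=()):
    """Is this external address subject to the policy in the given mode?"""
    if mode == "all":          # 'Remove All External Shares'
        return True
    if mode == "blacklist":    # 'Remove only the following shares'
        return BLACKLIST_RE.search(addr) is not None
    if mode == "whitelist":    # 'Remove All External Shares Excluding the following'
        return domain_of(addr) not in listed and addr.lower() not in listed
    raise ValueError(f"unknown mode: {mode}")


def plan(shares, mode, listed=(), enforce=False, since=None):
    """Return (action, file, local_user_to_notify, external_party) tuples."""
    actions = []
    for name, owner, shared_with, _role, updated in shares:
        if since is not None and updated < since:
            continue  # phase two: only look at files from the rule's start date
        owner_internal = domain_of(owner) == OUR_DOMAIN
        target_internal = domain_of(shared_with) == OUR_DOMAIN
        if owner_internal and not target_internal:      # shared out
            if targeted(shared_with, mode, listed):
                # shares can only be removed on documents our domain owns
                action = "remove" if enforce else "warn"
                actions.append((action, name, owner, shared_with))
        elif target_internal and not owner_internal:    # shared in
            if targeted(owner, mode, listed):
                # no authority over external documents: warn the local user
                actions.append(("warn", name, shared_with, owner))
    return actions


if __name__ == "__main__":
    for row in plan(SHARES, "blacklist"):                       # warning run
        print(row)
    for row in plan(SHARES, "whitelist", {"partner.org"}, enforce=True):
        print(row)
```

The constructed address zed@mail.gmail.com.evil.net is not caught by the blacklist, because the pattern is anchored to the end of the address, but it is removed in whitelist mode; comparing the two plans before enabling the nightly job shows which list actually covers the shares you care about.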