‘Role’ Reporting in the Users Audit

GAT+ has added ‘Role’ reporting to the Users Audit. This will be particularly helpful to Admins of large domains, who have many delegated admin users performing different roles.

How to Track Visitors and Editors

First, we have to find the file we would like to check the events for.

Finding the file can be as easy as opening the Drive Audit, then “Apply Custom Filter” search option which will allow us to search using various different search parameters.

For our example case here:
We select simple filter and just search for the File ID equals to: 1gOUqfrOmAQxULze

(Read this post to learn how to extract “File ID”)

After we find the file extracting the historical actions performed on the document, can be achieved as simple as selecting on the file and showing the events.

The result will display all events – view/edit/changed visibility actions occurred on the file.

You can also generate a report, to show new events associated to the file. It can be scheduled weekly and managers can be notified via email notifications.

Screenshot below will display the events of viewed and edit for certain file, and report will be generated weekly based on the date parameter we set up.

In this example, a weekly report will be generated showing events types View and Edit to this particular file.

It will run every weekend and date will be changed automatically to show us only the new information.

Monitoring Cloud Login Behaviour

With all the publicity about breaches of servers containing Government Personnel data, it is a good time to consider how well you understand access to your Google cloud environment.

Servers on your LANs that have been breached, no matter what the path, will leave a packet trail that you can follow up to a suspicious device. There is no guarantee that that device is the end-point, but at least you have the start of the path that law enforcement can then follow.

In the Google cloud, how do you identify such suspicious activity? Google is getting better at identifying and alerting users to suspicious activity, but good hackers will be well aware of the alarms Google set, so how do you as an Admin get the big picture and bring human intuition to bear on the collective pool of data?

One tool GAT provides is ‘User Logins’.

select 'user logins'

Clicking on this audit area lets you analyze the login behavior on your Google Domain by several metrics, source, volume, success, failures, etc.

see login behavior on your Google Domain by several metrics, source, volume, success, failures, etc.

The screenshot above is from ‘Events tab’ and will give the big picture view of worldwide accesses to your domain. Are there logins from unexpected locations?

Clicking on the map marker shows the Email address, and all related information to this account such as IP Address, City, Country, Event and Date.

Clicking on the map marker shows the Email address, and all related information to this account such as IP Address, City, Country, Event and Date.

Users Logins can also be checked by clicking on the “Apply custom filter” button.
Where an admin can narrow down the search and extract more detailed information regarding an event.

Users Logins can also be checked by clicking on the “Apply custom filter” button.

For example, an Admin can search for all events with status “Invalid Password” this will bring all results and it will be displayed on the map where this actually happen and generate a report for this.
It shows Login Event Locations and Login IP Locations.

What else should you look for? search by ‘OK’ logins and look for the ratio of different users to successful logins. If you see something like 10 logins from a single IP address and 5 different users, then that is either a new office you opened yesterday or very strange behavior – if it is not a new office then check out that address and those accounts in more detail.

The second-way GAT attempts to watch your back is via the Alarms section (Select ‘Alarms’ on the home page).

select 'alarms'

While these are no substitute for the human intelligence an Admin brings to bear by knowing their own data, they can help watch your back in some areas. To configure an alarm click on the plus icon/button.


To configure an alarm click on the plus icon/button.
See alarm details
change alarm settings as needed

Based on our experience the alarm ‘Alert on new IP addresses with negative logins’ is the most useful because it flags someone taking a ‘potshot’ at one of your domain accounts. We only alarm you if we have never seen a successful login from that address before – this eliminates a lot of false positives.

How to Find the Space Used on Google Drive

In this post, you will learn how to find used space on your Google Drive.

Using GAT, enter the User Audit, then select “Quota” from the top bar.

Select 'Users'

It will display Quota available for all the users in your domain

It will display Quota available for all the users in your domain

It shows all the users and their Google account usage.

    • Quota available for individual users
    • Quota used out of the availability
    • Quota used for Drive only
    • Quota used for GMail only
  • Quota used for Photos only

Remember you can use “Apply custom filter” to narrow the search down to find individual users, groups, organizational units and so on. Reports can also be generated based on the usage by individual users/groups.

Ways for GAT to Search for Two or More Users at Once

Examples of the different types of searches GAT can perform. Learn to get more out of GAT.

The Regular Expression Method

Select 'users'

select filter


Using Drive method

Click on 'drive'

Select filter

Note in this last example, you are searching for the more generic match of all docs in the accounts of the ‘Users’ in the group rather than the docs owned by ‘Owners’ (this wider search includes public documents which the ‘Users’ in the group may have viewed).

Find Inactive Accounts with GAT

To find inactive accounts with GAT, follow these steps:

In the GAT+, go to the ‘Users’ Audit and then select the ‘Basic’ tab.

Our first task is to find users who have not logged in during the past few weeks.

To do this we need to click on the ‘Apply custom filter’ button. When the menu appears, select the search parameter ‘Last login’ before or equal mm/dd/yyyy. In my example, I looked back for 2 months.

We can then export this list of accounts to Google Sheet or Download to CSV file.

If you want to suspend or remove these users in bulk, you can use the Import/Export feature in GAT+.

Measuring user engagement over the last 90 days

We can measure user engagement over the last 90 days (by counting Google Docs created in that time frame).


In Drive audit, click on the ‘Apply custom filter’ button.

apply the custom filter

In the Drive Files filters popup, perform the following actions, click on ‘Add group’, in this group select the following search parameters.

  • Type equal Document
  • Type equal Word

Note: This group is OR’d.

Outside of the group add an additional rule.

  • Created After or equal dd/mm/yyyy (look back 3 months)

Filters for Drive files

And then apply the filter.


When the results appear in the Drive result table, click on the ‘Export data’ button and select ‘Export to Google Sheet’

‘Export to Google Sheet’

A message will appear when the export is ready.

Data exported to your google drive

The spreadsheet will contain a lot more columns of data.

Google Drive Use Productivity Measured

select users

In the new Drive UI, under Users audit, we have added a tab called Drive Productivity.
Once it is selected it shows the Drive Productivity for each individual user in the domain.
It shows all files owned by the user, the number of Public, Public with a link, Shared out, Internal, Private, G Suite docs, spreadsheets and presentations created/updated last week.
All this information is available just by selecting Drive productivity tab.  
The user can apply different filters on the top and gather different information and even schedule a report on the activities of the users for a certain period of time.
For example, you can schedule report for all users who created G Suite docs greater than 100 and generate a report every weekend.

Users Drive Filters

The general purpose of scheduling reports is to show user engagement with overall Google Drive environment.

Google User Folder Structure Displayed in GAT+

GAT+ displays the User folder structure for each user on your domain 

In the ‘Users’ audit section, as you hover over each user, a new icon will appear beside the folder count.

Clicking on the folder icon will display the folder tree beneath the user’s photo or email.

Each folder name has a file count and a quota usage count for the folder itself.

Selecting any folder name and clicking on it will show you the exact file type breakdown of that folder.

You can click the > marker before the folder to expand or contract the folder to the next level.

GAT Removes Your Pain Points


1) “What files on my google domain can everyone on the internet find or see?”

files in your Google domain

In the GAT+ Drive Audit one click on the number ‘Open to full public view’ shows you all the public files on your domain Drive. (Or you can see those that are available to all with the link or ‘Published’ like a web page, both reports just a click away also.)


2) “We have files that are shared to lots of other domains, how can I see which ones?”

Within the Drive Audit and with the press of one button ‘Domain Connections’, we draw a map of your entire set of Drive shares into and out of your domain.


3) “I need to see a list of all the external people that have explicit access to files on your Domain drive?”

In the Drive Audit, one press of the button ‘External Users’ will produce a table that you can sort by the desired column.



4) Need to find and remove an email in a hurry? (even from hundreds of accounts!)

In the Email Audit using the ‘Domain Gmail Search’ you can do a live search of every folder in every account on your domain for an email containing text in any location (subject, body, attachment) or any other identifier and have a list of those emails found.

Using ‘View Email Contents’ (with the ‘Unlock’ feature enabled) you can now view, download or remove these emails in bulk for one or all accounts.

5) Need to see the top sender or receiver of emails?

Just a press of the ‘Sender/Receiver Table’ button will tabulate the top senders and receivers of email for your domain or for whatever search you used to narrow the data.

6) Need to delegate access to another user’s email account?

In the Email Audit select the Email Delegation button and fill in the two account address – job done!

7) Need to get a daily/weekly/monthly report of emails per user, sent and received?

On the GAT+ homepage select ‘Scheduled Reports’ and from there choose ‘Daily User Email Stats’

Once you select this scheduled report type (from a long list of other choices), you can then choose the exact mail report you want.



8) Need to save on license costs then you need to know which accounts were not used in the last 6 months.

On the GAT+ home page, select ‘Users Audit’ and select ‘Last Login’ between a date range in the last 6 months, then ‘Search Users’.

When the results come back press ‘Negate Filter’ and find every account which did not log in in the last 6 months. You can then export this account list to a spreadsheet and clean up the accounts.


9) Need to easily bulk add or remove users or simply add/remove/change them between groups and OUs?

In the new GAT+ UI, select the Users report. Filter for the set of users you are interested in working with. Export that selection of users, change the spreadsheet as described here. You can add the users to one or more groups or change their group mix completely. When finished with the changes, just import the spreadsheet to perform all the changes at once.

10) Need to be warned when some critical event has happened on your domain?

Simply select ‘Alarms’ on the GAT home page and configure for the alerts you need. Alarms can be configured and saved on a per OU basis.