File activity report, external sharing email address


GreenEnvy22

Mar 29, 2023, 3:56:40 PM
to GAM for Google Workspace
Hi all,
We're trying to figure out who a former employee shared a bunch of files with before they left.
I've used the command:
gam user us...@domain.com print driveactivity start 2022-10-01 end 2022-10-31 todrive

This gave me a report which shows all the actions that this user did to files they had access to.
The issue is it shows the external user just with their UID, which is just a bunch of numbers.

Is there any way to tie this to the Google account address, without involving the user? I know if we were in their 'my account' in google, we can get their UID, but getting this from the user isn't an option.
For internal shares, it does show the email address, just external users it only shows the UID.

Thanks in advance

Ross Scroggs

Mar 29, 2023, 4:09:24 PM
to google-ap...@googlegroups.com
Try this with Advanced GAM.

gam user us...@domain.com print filelist fields id,name,mimetype,basicpermissions pm not role owner em pmfilter oneitemperrow


pm not role owner em - Only display files with an ACL other than owner, i.e., shared files

pmfilter - Only display those ACLs.

oneitemperrow - Only one ACL per row



See: https://github.com/taers232c/GAMADV-XTD3/wiki/Permission-Matches

See: https://github.com/taers232c/GAMADV-XTD3/wiki/Users-Drive-Files-Display#display-file-list Scroll down to Choose what fields to display


Ross





GreenEnvy22

Mar 29, 2023, 8:29:14 PM
to GAM for Google Workspace
That would work if the files were still shared, but the user shared them externally, we assume made copies, then removed the sharing.
So we're trying to track down which outside accounts they shared with.

I think if I know the accounts they shared with, I could test that by sharing a dummy file with the suspected email address, then remove sharing, and run my original command again, I'd then see the uuid and could compare the number.
But that only works if we have known email addresses to test against.
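
The comparison described in the last message, sketched as an added example (not code from the thread or from GAM): it pulls the numeric account IDs out of two drive activity CSV exports and reports which rows of the original report carry the ID seen when a dummy file was shared with a suspected address. Assumptions: IDs appear as a cell of bare digits or as `people/<digits>`, the probe export covers only the dummy file, and the column names and sample rows are constructed.

```python
import csv
import io
import re
from collections import defaultdict

# A cell holding only an account ID, with or without the "people/" prefix
# used by the Drive Activity API. The 15-25 digit length is an assumption.
ID_CELL = re.compile(r"(?:people/)?(\d{15,25})")

def rows_by_account_id(csv_text):
    """Map every numeric account ID found in any cell to the rows containing it."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        ids = {m.group(1) for v in row.values() if isinstance(v, str)
               for m in [ID_CELL.fullmatch(v.strip())] if m}
        for uid in ids:
            hits[uid].append(row)
    return dict(hits)

def attribute_probe(report_csv, probe_csv, probe_email):
    """Rows of the original report whose ID also appears in the probe export."""
    report = rows_by_account_id(report_csv)
    probe_ids = rows_by_account_id(probe_csv)
    return [(probe_email, uid, row)
            for uid in sorted(probe_ids) if uid in report
            for row in report[uid]]

# Constructed sample exports; the column names are hypothetical.
REPORT = """eventTime,action,title,sharedWith
2022-10-03T14:02:11Z,permissionChange,Q3 pricing.xlsx,people/103845572910384557291
2022-10-03T14:05:40Z,permissionChange,Customer list.csv,people/103845572910384557291
2022-10-04T09:12:03Z,permissionChange,Roadmap.pptx,people/118220047311822004731
2022-10-04T09:30:00Z,permissionChange,Team notes,colleague@domain.com
"""
PROBE = """eventTime,action,title,sharedWith
2023-03-30T10:00:00Z,permissionChange,probe-dummy.txt,people/103845572910384557291
2023-03-30T10:01:00Z,permissionChange,probe-dummy.txt,people/103845572910384557291
"""

if __name__ == "__main__":
    for email, uid, row in attribute_probe(REPORT, PROBE, "suspect@example.com"):
        print(email, uid, row["eventTime"], row["title"])
```

IDs that no probe export reproduces stay unattributed, which is the limitation the message above points out.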
