Who dunnit? Using the Admin Audit Report to Understand and Track Changes to Your Google Apps Environment

If your Google Apps environment has grown to more than a dozen users it's likely you have more than one user with at least some level of delegated administrator rights if not multiple super admins.  Sharing the administrative load with Google Apps is a good thing but sometimes an admin needs to play detective and determine who and why changes were made to Google Apps.  For that, there's the audit log.  The audit log shows you who, what, when and where changes have been made to your Google Apps settings.  Let's take a look at how your organization can make the best use of the audit log to understand and track your Google Apps environment.

Optimize your Admins
To get the most out of the audit log, make sure each admin user is using their own account. For most organizations, making the admin user's primary account admin rights is acceptable.  However, some prefer to distinguish between the admin's day to day work account and an account with full administrator rights. Either setup is fine but sharing a single admin account will lead to a poor experience with the audit log as the log won't be able to show you who actually made the changes. Best practice is to give each admin their own admin account that only they have access to.

Also be sure that any automated services you are using have their own admin account. If you utilize Google Apps Directory Sync (GADS), make sure it's using an admin account of it's own. Do the same for any password sync tool you might be using and other admin tools you use like Google Apps Manager (GAM). By giving these tools their own admin login, you'll be able to distinguish automated changes to your Google Apps settings from those done interactively by a real admin.

Side note: While you're shuffling your admins, be sure to take a look at the new administrator roles feature that allows you to pre-define admin rights to a role and then apply the role to users.

Find Out What's Happening in Your Google Apps environment
Now you're ready to to take your first look at the audit log. Head to google.com/a/yourdomain.com and login as an admin. You can find the audit log under Reports --> Audit Log.

When you first open the audit log. You'll see the most recent admin changes to your Google Apps environment. The audit log provides you an event name and description of the change. It also logs the user who performed the action, the IP address showing where the change was made, and the exact date/time the change was made.

Narrow the Search
Seeing the most recent changes is nice but what if you want to search for a specific date range, action, or what a particular admin has been doing? You can filter the shown events by clicking Edit next to Filter Options at the top of the audit log. Audit log allows you to filter which events should be displayed, which admin user actions should be shown for and the date range of events to show.

Filter Options

Export to CSV
Audit log also lets you easily pull your events down into a local file and search, sort or further analyze them with a tool like Google Docs Spreadsheets or Excel. Just click the Export to CSV button at the top right of the screen. The most recent events (or those that match your filter will be downloaded to a file on your computer for further analysis or sharing with your colleagues.

So how has audit log helped you understand your Google Apps environment?  Let us know in the comments section below.  Also, if you enjoyed the post and found it informative .... share it on your Facebook page, Twitter account, or email it to your colleagues!  Most importantly, give the article a +1 and share it publicly on Google+.