User Accounts audit log

View user activity 

As your organization's administrator, you can check critical actions carried out by users on their own accounts. These actions include changes to passwords, account recovery details (telephone numbers, email addresses), and 2-Step Verification enrollment.

Step 1: Open your User Accounts audit log

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Reports.

    To see Reports, you might have to click More controls at the bottom.

  3. On the left, under Audit, click User accounts.
  4. (Optional) Next to the columns, click Manage columns Manage columns and select the columns that you want to see or hide.

Step 2: Understand audit data

Data you can view
Data type Description
Event description

Summary of the event

Examples:

Account password changeUsername has changed Account password

Account recovery email changeUsername has changed Account recovery email

Date

Date and time the event occurred (browser default time zone).

IP address IP address associated with the logged action. The address can reflect the user’s physical location, a proxy server, or a Virtual Private Network (VPN) address.
Event name descriptions
Event name Description
2-step verification disable Log entry for each time a user disables 2-Step Verification.
2-step verification enroll Log entry for each time a user enrolls for 2-Step Verification.
Account password change Log entry for each time a user changes an account password.
Account recovery email change Log entry for each time a user changes a recovery email address.
Account recovery phone change Log entry for each time a user changes an account recovery phone number.
Account recovery secret question/answer change Log entry for each time a user changes an account recovery secret question and answer.

Step 3: Customize and export your audit data

Filter the audit log data by user or activity

You can narrow your audit log to show specific events or users. For example, find all log events for when users changed account passwords or disabled 2-Step Verification.

  1. Open your User Accounts audit log as shown above.
  2. Click Add a filter.
  3. Select and enter the criteria for your filter and if needed, click Apply.
  4. (Optional) To filter by organizational unit, at the top right, click Organization filter, select the organizational unit, and click Apply.
  5. (Optional) To specify a date range to search, click Date range and select a period from the list or enter a start and end date and time. If needed, click Apply.

Filter by organizational unit

You can filter by organizational unit to compare statistics between child organizations in a domain.

  1. Open your audit report as shown above.
  2. At the top, click Organization filter.
  3. Select an organizational unit and click Apply.

Filter by date

  1. Open your report as shown above.
  2. At the top, click Date range.
  3. Select a period from the list or enter a start and end date and time.
  4. If needed, click Apply.

You can only filter the current organizational unit hierarchy, even when searching for older data. Data before December 20, 2018 will not appear in the filtered results.

Export your audit log data

You can export your audit log data to Google Sheets or download it to a CSV file.

  1. Open your audit log as shown above.
  2. (Optional) To change the data to include in your export, click Manage columns Manage columns, select or remove the columns that you want to export, and click Save.
  3. Click Download Download.
  4. Under Select columns, click Currently selected columns or All columns.
  5. Under Select format, click Google Sheets or comma-separated values (CSV).
  6. Click Download.

You can export a maximum of 100,000 rows to Sheets or CSV.

How old is the data I'm seeing?

For details on exactly when data becomes available and how long it's retained, see Data retention and lag times.

Step 4: Set up email alerts

Track specific user-account activities by setting up alerts. For example, get an alert whenever someone changes a password.

  1. Open your audit log as shown above.
  2. Click Add a filter.
  3. Enter or select the criteria for your filter and click Create Alert.
  4. Enter a name for the alert.
  5. (Optional) To send the alert to all super administrators, under Recipients, click Turn on Turn on.
  6. Enter the email addresses of alert recipients.
  7. Click Create.

To edit your custom alerts, see Administrator email alerts.

Was this helpful?
How can we improve it?