As your organization's administrator, you can check critical actions carried out by users on their own accounts. These actions include changes to passwords, account recovery details (telephone numbers, email addresses), and 2-Step Verification enrollment.
From the Admin console Home page, go to Reports.
- On the left, under Audit log, click User Accounts.
(Optional) To customize what data you see, on the right, click Manage columns . Select the columns that you want to see or hideclick Save.
(Optional) Review ways to filter and export log data and create alerts.
Data you can view
The User accounts audit log provides the following information:
Summary of the event. For example
Date and time the event occurred (browser default time zone)
|IP address||IP address associated with the logged action. The address can reflect the user’s physical location, a proxy server, or a Virtual Private Network (VPN) address.|
At Add a filter, select an Event name to filter data for that event. The audit log shows entries for each time the particular event occurred during the time range that you set. Most event names are self-explanatory.
|2-step verification disable||Each time a user disables 2-Step Verification|
|2-step verification enroll||Each time a user enrolls for 2-Step Verification|
|Account password change||Each time a user changes an account password
Note: This refers to users changing passwords at myaccount.google.com. It doesn’t include password changes when the admin forces users to change their password at the next sign in.
|Account recovery email change||Each time a user changes a recovery email address|
|Account recovery phone change||Each time a user changes an account recovery phone number|
|Account recovery secret question/answer change||Each time a user changes an account recovery secret question and answer.|
When and how long is data available?
Go to Data retention and lag times.