User accounts audit log

View user activity across their accounts

As your organization's administrator, you can check critical actions carried out by users on their own accounts. These actions include changes to passwords, account recovery details (telephone numbers, email addresses), and 2-Step Verification enrollment.

Open the User accounts audit log

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Reports.
  3. On the left, under Audit, click User Accounts.
  4. (Optional) To customize what you review, on the right, click Manage columns Manage columns, select the columns that you want to see or hide, and click Save.

Data you can view

Data type Description
Event description

Summary of the event

Examples:

Account password changeUsername has changed Account password

Account recovery email changeUsername changed Account recovery email

Date

Date and time the event occurred (browser default time zone).

IP address IP address associated with the logged action. The address can reflect the user’s physical location, a proxy server, or a Virtual Private Network (VPN) address.

Event names

Event name Description
2-step verification disable Each time a user disables 2-Step Verification.
2-step verification enroll Each time a user enrolls for 2-Step Verification.
Account password change Each time a user changes an account password.
Account recovery email change Each time a user changes a recovery email address.
Account recovery phone change Each time a user changes an account recovery phone number.
Account recovery secret question/answer change Each time a user changes an account recovery secret question and answer.

When and how long is data available?

See Data retention and lag times.

Related topics

Was this helpful?
How can we improve it?