Question regarding Google Workspace

Hey all!

So I've been trying to figure this out for the last 2 days, and I seem to be running out of ideas. Figured I can ask here, perhaps someone has had a similar experience, and can point me in the right direction.

So I am an admin for a fairly large Google Workspace organization, and I was asked by my boss to locate some Google Drive files, from an employee, that might be doing some naughty things.

I used the investigation tool and found the ID of said file. Now I am asked to retrieve the file, so they can further investigate it.

My question is - can I, as a super admin, retrieve the file from a users google drive, without changing the users password, logging in, and taking it out this way?

Is there any other alternative that you have done in the past?

Because I personally don't feel comfortable going the nuclear way of logging into their account, but I will if that is the only option.

I am sure there is a different, more appropriate way, but I am seriously running out of ideas.

Thanks to anyone who can help me with some ideas and pointers.

Comments

  • vyasvyas OGContent Writer
    edited April 7

    Were you asked to “take a peek” in writing by your boss? Or their boss? If not, stay away till its in writing.

    Actions are generally Depending on some factors:
    Law of the land (employee/data privacy policies)
    Company policy (who owns device/pays for storage solution etc)
    Organisational ethics
    Severity of the naughtiness
    !
    Generally speaking,
    1. Nuklear is never a good option - potentially exposes you and organization to libel
    2. If the google account is a company provided one, and if the organisation has a policy something like “all of your data belongs to us”
    then many organizations have SOP in place for re setting data or deleting files remotely.
    3. An organisation I worked for had introduced a Bring Your Own Device policy in 2013, at first only for iOs devices, and they required employees to install a “remote managament” app that came with a “remote wipe”
    I did not opt for it

    Best wishes of your project

    ———-

    Above nuggets to be read as learnings from experience and not advice

    VPS reviews | | MicroLXC | English is my nth language.

  • rootroot OG
    edited April 7

    Do not login into another person's account. It is their privacy. Privacy is a right, not a privilege granted by a company.

    If you decide to access, copy, manipulate, or view, another person's files without their consent, you are exposed to court orders. Do not do this without owner's written explicit consent, or without a written order from the leaders of your organization which needs to be addressed to employee as information at least, prior to accessing their files.

    It is much easier to simply ask the employee to delete the files and clear their space, by offering some lame excuse, instead of being involved in legal problems. This way you will satisfy everybody, and boss can rest and sleep well at night, knowing that files were removed.

    EDIT: Oh, I forgot to mention: stop trusting Google with your data or your company's information. Create your own self-hosted storage.

    Thanked by (2)NobodyInteresting Tin
  • @vyas said:
    Were you asked to “take a peek” in writing by your boss? Or boss of the boss? Or a peer?? If not, stay away.
    Or reach out to employees boss and let them know.
    “During our routine data audit we found…. Yada yadaa..”

    I was asked by a C level executive, in regards to an official internal investigation into 4 employees selling company data

    Actions are Depending on
    Law of the land
    Company policy
    Organisational ethics
    Severity of the naughtiness

    Generally speaking,
    1. Nuklear is never a good option - potentially exposes you and organization to libel

    I agree, hence why I am trying to find an alternative way on accessing and downloading the google drive files from these 4 employees google drives.

    1. If the google account is a company provided one, and if the organisation has a policy something like “all of your data belongs to us”
      then many organizations have SOP in place for re setting data or deleting files remotely.

    We have that "all data stored on company gdrive and emails belongs to us.

    However, no ways of gaining access to said data is in place. It's my 2nd week there, so I would be responsible for future security and policies.

    1. An organisation I worked for had introduced a Bring Your Own Device policy in 2013, at first only for iOs devices, and they required employees to install a “remote managament” app that came with a “remote wipe”
      I did not opt for it

    Not interested in a remote wipe, instead I am looking to retrieve a certain file

    Best wishes of your project

    ———-

    Above nuggets to be read as learnings from experience and not advice

    Thank you for your input! I highly appreciate it.

  • edited April 7

    @root said:
    Do not login into another person's account. It is their privacy. Privacy is a right, not a privilege granted by a company.

    If we are talking about their own google drive - I 100% agree.
    Not when it is provided and managed by the company though. It is property of the company.

    If you decide to access, copy, manipulate, or view, another person's files without their consent, you are exposed to court orders. Do not do this without owner's written explicit consent, or without a written order from the leaders of your organization which needs to be addressed to employee as information at least, prior to accessing their files.

    I have written request by my superior. The employee has a written consent, saying that these files, drives and emails belong to the company, not the user.

    It is much easier to simply ask the employee to delete the files and clear their space, by offering some lame excuse, instead of being involved in legal problems. This way you will satisfy everybody, and boss can rest and sleep well at night, knowing that files were removed.

    We need to gain access to the file, so we can investigate if its some BS or if it contains sensitive information, which might have been sold.

    EDIT: Oh, I forgot to mention: stop trusting Google with your data or your company's information. Create your own self-hosted storage.

    I have grandfathered the setup, so won't be changing it any time soon.

    Bottom line - I need technical advice on how to perform the task, not a legal advice on if I am allowed to or not :-) That side is already covered.

    Thanked by (1)ialexpw
  • I am not sure about this - but does google provide a ticketing service for questions like this? Perhaps there's a feature that allows administrators exactly this option.

    Thanked by (1)NobodyInteresting
  • @caracal said:
    I am not sure about this - but does google provide a ticketing service for questions like this? Perhaps there's a feature that allows administrators exactly this option.

    Doh, I completely forgot that I can ask them 😂
    I am so used to Google not providing customer support for most of their products, I forgot that this product actually comes (I think) with support.

    I'll give that a shot, thanks for reminding me about that!

  • @NobodyInteresting said: I am so used to Google not providing customer support for most of their products

    That mindset permeates to their paid products, just read some of the Google horror stories on Hacker News.

  • vyasvyas OGContent Writer
    edited April 7

    @NobodyInteresting

    You are getting into some tricky waters to steer. I wish you well.

    Be careful of the “if it goes wrong, blame it on the new guy” pitfall.

    Cheers

    Thanked by (1)NobodyInteresting

    VPS reviews | | MicroLXC | English is my nth language.

  • @NobodyInteresting said:

    @caracal said:
    I am not sure about this - but does google provide a ticketing service for questions like this? Perhaps there's a feature that allows administrators exactly this option.

    Doh, I completely forgot that I can ask them 😂
    I am so used to Google not providing customer support for most of their products, I forgot that this product actually comes (I think) with support.

    I'll give that a shot, thanks for reminding me about that!

    Do update us :P

    Thanked by (1)NobodyInteresting
  • As admin, I'm pretty sure you can do a google takeout / backup / whatever they call it. Whether you should ... I don't know.

    Thanked by (1)NobodyInteresting
  • edited April 7

    I wanted to update this and thank everyone, who pointed on the legality of such an action. So I have raised my concerns with the legal dept and will await formal written approval by them.

    Better safe than sorry. 🤷🏻‍♂️

    Thanks again to everyone who pointed me in this direction and likely saved me from future headaches.

    Thanked by (2)yoursunny Logano
  • @NobodyInteresting said:
    I wanted to update this and thank everyone, who pointed on the legality of such an action. So I have raised my concerns with the legal dept and will await formal written approval by them.

    Better safe than sorry. 🤷🏻‍♂️

    Thanks again to everyone who pointed me in this direction and likely saved me from future headaches.

    To make matters even more complicated:
    even with a written request/boss-order/legal-dept.-approval, you may not be legally allowed to infringe a person's privacy - double-check with a competent lawyer.

    Thanked by (1)NobodyInteresting

    BikeGremlin I/O
    Mostly WordPress ™

  • MasonMason AdministratorOG
    edited April 7

    You can do this discretely using the Drive API by creating a service account with Domain-wide Delegation (DwD) according to some mysterious Reddit user.

    Humble janitor of LES
    Proud papa of YABS

  • Last update on the matter:

    Apparently google Workspace investigation tool has an option to share the file with someone else from the organization, so that was how I proceeded, and it works like a charm.

    Happy days :-)

  • rootroot OG
    edited April 8

    @NobodyInteresting said:
    Last update on the matter:

    Apparently google Workspace investigation tool has an option to share the file with someone else from the organization, so that was how I proceeded, and it works like a charm.

    Happy days :-)

    Now the curiosity: was the employee evil or nasty? Or maybe was said employee innocent?

  • @root said: EDIT: Oh, I forgot to mention: stop trusting Google with your data or your company's information. Create your own self-hosted storage.

    Why creating extra workload and possible data lose...

    Action and Reaction in history

  • @elliotc said:

    @root said: EDIT: Oh, I forgot to mention: stop trusting Google with your data or your company's information. Create your own self-hosted storage.

    Why creating extra workload and possible data lose...

    Privacy. Confidentiality. Security.

  • @root said:

    @elliotc said:

    @root said: EDIT: Oh, I forgot to mention: stop trusting Google with your data or your company's information. Create your own self-hosted storage.

    Why creating extra workload and possible data lose...

    Privacy. Confidentiality. Security.

    The problem is, it is not my data, and if anything unexperted happen, I will be the one who takes the responbility. By using Google, I can outsource the responbility and keep myself safe. Moreover, my man cost is much higher than the price paid to Google.

    Action and Reaction in history

  • edited April 8

    @root said:

    @NobodyInteresting said:
    Last update on the matter:

    Apparently google Workspace investigation tool has an option to share the file with someone else from the organization, so that was how I proceeded, and it works like a charm.

    Happy days :-)

    Now the curiosity: was the employee evil or nasty? Or maybe was said employee innocent?

    Employees were definitely selling IP, and have been removed, and will be facing legal challenges in their near future.

Sign In or Register to comment.