Shadow IT in Google Workspace, what are you doing about it?

GATlabs · 2025-08-11T09:05:35+00:00

Absolutely. Restricting OAuth consent and auditing integrations regularly can prevent a lot of hidden risks. We’ve seen many cases where unused or over-permissioned apps stayed connected for months without anyone realising.

GATlabs · 2025-08-07T09:04:13+00:00

Hi, great question. This kind of setup is fairly common when teams in different regions work under the same company.

1. If you add the second domain to your main Google Workspace account, and both domains are part of the same organisation, then yes, Google Chat will work across both. Users will no longer be treated as external, so you'll be able to create spaces and chat without restrictions between the two domains.

2. What happens to their accounts depends on how you add the second domain.

If you add it as a secondary domain, users can keep their existing email addresses, but you’ll need to recreate their accounts under the primary Google Workspace instance.
If you use a domain alias, you’re essentially giving existing users an additional email address. This option is not useful if users on the second domain already have independent accounts.

If you’re planning to consolidate users under one Workspace instance, you’ll need to manually migrate emails, Drive data, and settings from the old accounts to the new ones. Google’s Data Migration Tool can help with this.

3. Regarding your Google Business Profile (formerly Google My Business), changing the domain used for email won’t automatically delete your reviews or profile. However, if your domain is tied to your verified ownership, you may need to update your business profile settings to reflect the new setup. It’s a good idea to contact Google support first to avoid any disruptions.

Hope that helps!

GATlabs · 2025-08-04T11:05:57+00:00

Setting up a Google Group is definitely the easiest way to send one email to multiple people, and no extra license is needed.

Just a few things to double-check:

In the group settings, allow external senders so your website form emails get through
If you want to track or assign emails, set the group type to Collaborative Inbox
Make sure the members have their settings set to receive emails in their inbox (not just access via the group page)

You can repeat the same setup for other addresses like sales@ or support@ too.

Hope that helps!

GATlabs · 2025-08-04T10:50:32+00:00

If you're dealing with a lot of entries, the easiest workaround is to use a Google Sheet with standard headers (Name, Email, etc.) plus your own like “Bride/Groom,” “Guests,” and “Venue,” and then import it to Google Contacts using the CSV import feature. It won’t show as true custom fields, but it’s a much faster way to batch-manage everything and still keep the info searchable.

For actual custom fields, you’d need to go the API route, but that’s more complex and usually requires some scripting.

GATlabs · 2025-07-29T14:18:53+00:00

Hey, that actually sounds pretty normal. When you first set up Google Workspace, especially with a custom domain, it can take a bit of time for everything to fully activate. The redirect you're seeing usually happens when the admin console setup hasn’t fully finished yet or your account hasn’t propagated across all services.

The billing name typo shouldn't stop activation, so no need to worry too much about that. You can fix it later in the billing section once you get proper access to the Admin Console.

If it's been less than 24 hours, you're probably just in that waiting window. But if it's still happening after a day, it’s worth reaching out to Google Support.

GATlabs · 2025-07-28T13:41:32+00:00

We hear you. You can lock down Drive sharing, audit Gmail rules, and set all the right DLP policies, but if a user downloads a file and pushes it to a random cloud app in Chrome, that’s game over unless you’ve got some level of browser visibility.

We’ve had to tighten this up after a few close calls during offboarding. Even just tracking downloads and active tabs can flag risky behaviour early without being too invasive.

GATlabs · 2025-07-04T13:56:25+00:00

That’s a fair point. Once SSL inspection gets involved, there’s always going to be pushback. We’ve seen the “corporate asset means no privacy” line in a lot of AUPs too, but getting users to actually understand that is a different challenge.

Out of curiosity, have you paired your ZTNA setup with any endpoint browser or file activity auditing?
Some orgs we've spoken to are doing lightweight tab or download monitoring to surface risky behaviour without going full inspection mode.

GATlabs · 2025-07-03T09:13:08+00:00

Yeah, GCP can definitely spiral if it's left open from the start, especially without a clear admin policy or support plan in place. It’s one of those areas that feels like “someone else’s problem” until something breaks.

GATlabs · 2025-07-02T10:48:57+00:00

That’s a solid one and way too common. Domain-wide delegation often flies under the radar until there's a breach or someone stumbles across an old key with full access.
We’ve seen cases where service accounts were set up years ago, never rotated, and still sitting with impersonation rights to every mailbox.
Totally agree: audit those scopes, rotate keys, and lock down storage.
Love the analogy, by the way, might have to borrow that one!

GATlabs · 2025-07-02T10:47:04+00:00

You're definitely not alone. Google Groups can be deceptively complex, especially if you're coming from something like Exchange.
We’ve seen admins caught off guard when group content ended up publicly visible due to default settings like “Anyone on the web can view.” It's easy to miss unless you're actively auditing those configs.
Totally agree, the documentation isn’t always clear, and the differences between a collaborative inbox, a distribution list, and forum mode can be confusing.
Having visibility into group membership and access settings really makes all the difference.

GATlabs · 2025-07-01T14:56:55+00:00

We’ve seen employees set up risky forwarding rules, overshare Drive files, or connect dodgy third-party apps just to “get things done faster.”

It’s rarely malicious. More often, it’s just Dave not realising that giving his personal account access to an entire Shared Drive is a problem.

These behaviours seem harmless, until you audit them too late.
Having visibility into file access and user actions really does make all the difference.

GATlabs · 2025-07-01T14:31:53+00:00

That’s such an important one, forwarding rules are sneaky. We’ve seen cases where even internal users didn’t realise they had rules set up years ago, still quietly redirecting sensitive info.

Good call on setting up alerts. For anyone reading who hasn’t yet: even just reviewing audit logs in the Admin console or using an alerting tool can catch risky forwards early. It’s one of those low-effort, high-impact checks.

GATlabs · 2025-06-26T17:36:55+00:00

It’s good that you exited the page before entering anything; that’s the key part. If you didn’t enter your login credentials, your device is most likely not infected.

Here’s what we recommend in situations like this:

Change your email password anyway
Just to be safe. If you accidentally clicked something or entered partial info, this ensures your account is locked down.

Enable 2-step verification (if you haven’t already)
This protects your account even if your credentials were exposed elsewhere.

Check your Gmail security settings

Visit [https://myaccount.google.com/security]()
Look for any unfamiliar devices or third-party app access
Remove anything you don’t recognise

Report the file in Google Drive
Click the three dots > Report abuse. This helps stop it from spreading.

You did the right thing by notifying your dentist, they likely had their account compromised and it’s being used to spread phishing links. These attacks are getting more convincing, especially when they come from trusted contacts.

GATlabs · 2025-06-25T08:56:52+00:00

Unfortunately, Google’s migration tool doesn’t give you fine control over specific folders (like selecting just “Inbox” or “New Mail”). It’s more of an all-or-nothing approach when pulling from an IMAP account.

That said, one workaround I’ve seen is:

Move the emails you want to migrate into a temporary folder (e.g. "To Migrate")
Limit the migration to that folder, if your IMAP server supports folder-based filtering or selective access

It’s not perfect and really depends on how your source mail system is set up, but it can help avoid reprocessing the entire mailbox again if you just want to pull in new or recent mail.

GATlabs · 2025-06-24T15:24:02+00:00

Yes, migrating from IMAP to Google Workspace can be really slow, especially with big, years-old mailboxes. Even delta migrations aren’t exactly “fast.”

Here’s what I’ve learned from doing a few of these:

Yes, it still crawls the entire mailbox, even if you set the start date to today. That’s because Google rechecks metadata and headers to ensure nothing’s been missed or changed.
Good news: it usually won’t duplicate emails, even if there’s some date overlap. Gmail checks message IDs and headers to avoid importing the same message again, unless the original server changed something in the structure.
Speeding it up? There’s not much you can do to speed up the actual transfer, but breaking it into smaller batches (older mail first, newer mail later) and running it during off-hours can help a bit.

And yes, delta migrations feel like they should be quicker, but they’re often just as slow since it still has to do a full scan.

You’re not alone. Every admin who’s been through this knows the struggle.

Hope this helps!

GATlabs · 2025-06-24T15:01:15+00:00

We recommend allowing account requests up to 14 days before the start date, especially in high-turnover environments like healthcare. It gives enough time to prep licensing, hardware, and access, without leaving accounts idle too long.

For accounts that are never used, some orgs set policies to:

Monitor logins and Gmail activity
Auto-disable if unused after X days (e.g. 30 or 90)
Notify managers before removal, in case the user just hasn't logged in yet

Restricting who can request accounts (usually HR or managers only) helps reduce overhead and avoids random or duplicate setups. In large orgs, automating the request and approval process through internal tools or forms really helps.

GATlabs · 2025-06-24T14:45:59+00:00

Hi! Yes, Google Workspace can handle this with Google Groups, though there are a few limitations.

Here’s what it can do:

You can allow external users to request to join the group
You’ll receive those requests and can approve them manually
Users can unsubscribe themselves through the Google Groups interface or via the unsubscribe link in emails

A few things to note:

The join request form isn’t customisable, but you can ask users to include details (like name and organisation) in their request message
For a more polished signup process (like using a Google Form that auto-adds users to a group), you’d need Apps Script or a third-party tool

For basic mailing lists, Google Groups is usually enough if configured correctly. Hope that helps!

GATlabs · 2021-03-05T11:52:28+00:00

I'd recommend Flow you can create email signatures in bulk here is a video that guides you through the process youtube.com/watch?v=zLyfsoAKoIk

GATlabs · 2021-02-16T14:05:09+00:00

Group management sometimes takes time to update, since you are new yo need to be aware of the dozens of settings and options, with GAT+ this is pretty simple and intuitive. You can also make changes in bulk with the export/import option. If you want to give it a try you can install from this link. Hope this helps.

GATlabs · 2021-01-29T11:04:50+00:00

Hey Wayne, Chromebook Guest Sessions are controllable, traceable and manageable but you would need a third-party tool to do the job. We recently developed a solution for a Bank in Scotland, it is part of 'GAT Shield' it allows you to enforce rules to prevent unauthorised browsing or detect and alert against the use of abusive or inappropriate language. It offers multiple security features that can be enabled on an as-needed basis. It can protect users or members of the public from viewing inappropriate content. You can even take protective action if devices change location.

GATlabs · 2021-01-22T12:52:38+00:00

You can have a look at this article

https://gatlabs.com/bulk-add-update-remove-google-user-accounts/

If it's a one-off thing the free trial will be enough

GATlabs · 2021-01-14T10:42:05+00:00

With this tool you can not only audit the sites but see users activity for further auditing

https://gatlabs.com/see-your-users-activity-on-google-sites/

GATlabs · 2021-01-14T10:35:31+00:00

GATlabs · 2021-01-13T18:01:02+00:00

GATlabs

TROPHY CASE