by devy 2259 days ago
> I can always reset a password and gain full and instant access.

AFAIK, resetting an individual GSuite account's password is the only way a GSuite admin can access an individual account's emails. Is there any other way to get access?


That's exactly what the article is about.

> In this article you will see how, being a G Suite Administrator, you can get a copy of your users' sent and received emails without knowing their passwords or putting forwarding in their mailboxes

Got it now. Getting a copy of incoming + outgoing via BCC for an individual account's emails is not quite the same as accessing an individual account's emails, though.

For GSuite Basic subscriptions, there is a 30GB quota per inbox; having BCCs for every account's emails will likely exceed the plan allowance. I doubt it would work if you exceed the account quota allowed for the subscription plan.

With the Vault I can pretty much see and do anything. I can set up hidden forwards and even look at private Hangouts chats between people. I've had to use the Vault before to go into a 1 on 1 Hangouts Chat and delete a message from one of the parties.
Why did you need to delete the message?
Imagine Bob from accounting pasted a customer's SSN into a chat thread, group or 1:1... there are countless things that shouldn't be posted in chat messages to live for eternity.

Some companies build it into their systems to automatically catch and mask that data; sometimes someone has to roll up their sleeves and do it manually.

I'd wager that 95%+ of orgs have tons of sensitive customer data scattered into chat messages in Slack, Teams, Hangouts, etc. that would horrify most of us here.

Check out this:
- https://cloud.google.com/dlp
- https://www.youtube.com/watch?v=MY3PjFpI3rE

You pretty much nailed it. My CEO revealed something he wasn't supposed to. Asked for my help in removing his own message at his own request. I'm the only one comfortable with this kind of manipulation (I'm CTO here) and I'm happy that there's an audit trail of it as well to keep my position honest too.
This. One of my less enjoyable jobs, as an admin, would be going into the GSuite jungle to track down and delete emails and messages containing data that clients had sent to us, or one colleague had shared with another, which included personal information that we were not supposed to be storing or processing because of GDPR. Or tracking down a former colleague's 1-2-1 email exchanges with a client which included a work spec, or agreement for a change request, which the client later denied ever agreeing to because they didn't want to pay the bill.

My least enjoyable job would be going into the admin to recover emails "deleted" by disgruntled employees who got wind that they were about to be let go. Why they tried to delete their emails - I'll never know. They should've realised that Google hates deleting anything from their clouds.

One of my happiest days at that job was the day I got told I didn't have to be a GSuite admin anymore and could go do some proper coding work instead.

Not OP, but if party A is harassing party B (read: "sending unsolicited dick pics"), I could imagine circumstances under which the sysadmin deletes messages that party B has received. (After HR and lawyers all around have been looped in by all parties, and copies of the messages have been forwarded to the lawyers.)

Also consider that the first amendment isn't absolute and there is certain material that is highly unsavory, e.g. child pornography, that party B doesn't even want the potential of possessing.

There are certainly nefarious usages for that level of access as well, but I can imagine legitimate usage exists as well.

In addition to Vault, an administrator can easily set up an SMTP route through the admin interface to copy-and-forward all inbound or outbound mail (delivering copies wherever they please). Of course, this would only catch messages sent or received after setting up the route.

Edit: an administrator can also create an API token with org-wide credentials, allowing her to read, write, and delete messages from any user's inbox.

I'm pretty sure you can't do it via the UI, but if you use the API you can delegate access to any account in your organisation without confirmation. Once you've delegated access to that account you can then log in as that user via the standard user switcher that appears if you have multiple accounts.
My team has written an integration with Google's API[0] to explicitly pull back the full bodies of emails for all users across a whole organisation, to run some analysis on all emails.

Once our service account has been granted access, we can assume the role of any user and access anything we have permission for. So, you should assume your IT administrator can also access all your emails, since they're likely to be the person that grants permission to the service account.

[0] https://developers.google.com/gmail/api/v1/reference/users/m...
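The two admin capabilities raised in this thread (a service account granted org-wide Gmail access, and a routing rule that copies mail elsewhere) both leave a trace in the admin audit log, so a defender can watch for them. The following is an added example, not code from the thread or from Google: it scans activity records shaped like the Reports API admin activity format, and the event and parameter names (AUTHORIZE_API_CLIENT_ACCESS, API_SCOPES, CHANGE_GMAIL_SETTING, SETTING_NAME) are assumed to mirror that schema; every sample record is constructed.

```python
# Flag Google Workspace admin-audit events that grant broad mailbox access.
# Added example, not from the thread: record layout follows the Reports API
# activity format (applicationName=admin); event/parameter names are assumed
# to match that schema and every sample record below is constructed.

# Gmail OAuth scopes that, granted domain-wide, let a service account read or
# modify every user's mail (the access the thread describes).
BROAD_GMAIL_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
}

def _params(event):
    """Flatten an event's parameter list; multi-valued parameters stay lists."""
    return {p["name"]: p.get("multiValue", p.get("value"))
            for p in event.get("parameters", [])}

def classify(record):
    """Return (severity, reason) findings for one admin-audit activity record."""
    findings = []
    actor = record.get("actor", {}).get("email", "unknown")
    for ev in record.get("events", []):
        name, prm = ev.get("name"), _params(ev)
        if name == "AUTHORIZE_API_CLIENT_ACCESS":
            hit = set(prm.get("API_SCOPES") or []) & BROAD_GMAIL_SCOPES
            if hit:  # domain-wide delegation carrying a mailbox scope
                findings.append(("high", f"{actor} granted {sorted(hit)} "
                                 f"domain-wide to client {prm.get('API_CLIENT_NAME')}"))
        elif name == "CHANGE_GMAIL_SETTING" and \
                "rout" in str(prm.get("SETTING_NAME", "")).lower():
            findings.append(("medium", f"{actor} changed Gmail routing setting "
                             f"{prm.get('SETTING_NAME')}"))
    return findings

def scan(records):
    """Collect findings across a list of activity records."""
    return [f for r in records for f in classify(r)]

# Constructed sample records (not real log data).
SAMPLE_RECORDS = [
    {"actor": {"email": "admin@example.com"}, "events": [{
        "name": "AUTHORIZE_API_CLIENT_ACCESS", "parameters": [
            {"name": "API_CLIENT_NAME", "value": "123456789012"},
            {"name": "API_SCOPES", "multiValue": [
                "https://www.googleapis.com/auth/gmail.readonly"]}]}]},
    {"actor": {"email": "helpdesk@example.com"}, "events": [{
        "name": "CHANGE_GMAIL_SETTING", "parameters": [
            {"name": "SETTING_NAME", "value": "routing_rule"}]}]},
]
```

Feeding real activity records from the Reports API into `scan()` gives an alert list; a delegation grant or routing change that nobody on the admin team can account for is the thing to investigate.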