When the time comes to remove a user from a G Suite domain, administrators are faced with two apparently mutually exclusive goals:
- Delete the user account to recover the annual seat license fee
- Preserve all the data in the user account in the event that the data is still needed
G Suite domain administrators can square that circle with these simple deprovisioning steps.
Changing the departing user’s password accomplishes two goals. First, it locks the user out of the account, preventing any post-departure access (malicious or otherwise). Second, it allows you, the admin, to log into that account to perform any changes or data transfers not possible from the G Suite Administrator Control Panel. (If the account has 2-Step Verification installed, you’ll need to disable it, too.)
You can change the user’s password from the Users & Organization Tab in your Control Panel. After selecting a new password, be sure to click the Reset Sign-In Cookies link to end any logged-in sessions the departing user may still be running.
2. Download a Snapshot of the User Account for Safekeeping
Downloading the complete contents of a user account to an offline file is a best practice before altering or deleting the account. This preserves the data in the user’s core G Suite services (Gmail, Contacts, Calendar, Drive and Sites) as it was before the deprovisioning process, maintaining records-retention compliance and ensuring no vital data is lost.
To export your user’s data, Google recommends the following:
- Open the data export tool.
- Tip: To do this from the Google Admin console: at the top right, click Open, and under Tools, click data export.
- Click Start export.
3. Identify an Account “Executor”
Someone at your organization is going to inherit the departing user’s responsibilities, and thus their data—at least in the short run. Identify that employee, as he or she will become the Executor of the data in the departed account, transferring or responding to it as needed. (In many cases, the Domain Administrator and the Executor are one and the same, so you may be giving all these permissions to yourself.)
Log into the departing user’s account with the new password, then set up the vacation auto-responder to inform correspondents that the user is no longer with your organization, and to identify to whom they should direct all future inquiries. (Likely this will be the aforementioned Executor.) Be sure to enable the auto-responder for recipients both inside and outside your domain.
The account Executor will need access to any pending correspondence in the departing user’s mailbox, especially if the departure was sudden or occurred on less than friendly terms. Fortunately, you can designate access to a G Suite mail account to anyone else on your domain.
The delegate—who, again, will likely be the Executor—won’t be able to change account permissions, passwords or chat on the original user’s behalf, but the delegate can send and receive mail from the account until it is suspended or deleted. To delegate mail access, log into Gmail as the departed user and follow the delegation instructions in the Mail Settings menu.
When the account that owns a Google Doc, Google Sheet or Google Slide is deleted, that document is deleted as well—even if it was shared with other domain users. Put more simply, deleting a user deletes every critical document that user ever created.
Fortunately, the G Suite Administrator Control Panel offers a method to bulk-transfer ownership of all a user’s Google Drive documents to another domain user’s account. In other words, you can make the Executor the owner of all Docs from a departing user, in a matter of seconds, ensuring that this data stays online and accessible even after the original owner is de-provisioned. The Executor can then transfer individual document ownership on a case-by-case basis.
If you have enabled contact sharing to create a common G Suite Directory of business-oriented contacts for your domain, you may want to add at least some of the departing user’s Contacts to the Directory. If the departing user was the exclusive point of reference for a key customer or partner, you may want to make that external contact’s address available to everyone. There is no native functionality for adding external contacts to the Directory, but the free version of SherpaTools allows administrators to import contacts in bulk to the Directory, and for individual users to share contacts with the Directory.
If the departing user managed a shared calendar, or simply had a series of company appointments that the Executor must now manage, it is important to transfer control of those calendars. Simply log in as the departing user, and then follow the Share With Specific Users instructions to give the Executor the Edit Events And Manage Sharing access level for the appropriate calendars. The Executor can then dole out calendar permissions as needed.
From the G Suite Administrator Control Panel, select Users, select the departing user’s account, then select Groups to see a list of all groups of which the departing user is a member. Then click the Edit Group Membership link. Add the Executor as a member to each of these groups and, if the departing user is the Owner of the group, elevate the Executor to Owner status. The Executor can then later assign Ownership to the appropriate employee(s).
While G Suite domains directly control a user’s Gmail, Docs, Contacts, Calendars and Sites, a G Suite domain account can be used to access dozens of non-core G Suite services, including AdWords, Google Analytics, Blogger, Feedburner, Google Voice and YouTube. When you finally delete the departing user, his or her non-core accounts will also be deleted—along with all the content in those accounts. You don’t want your website’s Feedburner RSS feed or Google Analytics account to disappear when you delete the departing user.
Most of these non-core services have straightforward methods for transferring ownership of, or access to, an account. Virtually all of them enable adequate data export via Google’s Takeout. Log into every non-core Google service your organization uses with the departing user’s credentials, then assess whether key data needs to be transferred before you delete the departing user.
You should perform the same steps for any G Suite Marketplace products installed on your domain to ensure no critical functionality or data is lost when you remove the departing user’s account. All the Marketplace Apps installed on your domain are listed in the G Suite Administrator Control Panel.
11. Set a Calendar Reminder For Yourself to Delete the Departing User In 90 Days
While you’re probably anxious to delete an account and immediately recover the $50 annual seat license fee, it’s a smart idea to keep the account around for a few months just to make sure that:
- The departing employee isn’t reinstated
- No critical data is placed out of easy access while your organization adjusts to the departure
- Your non-core services audit was accurate and complete
Here are the steps:
- Sign in to your Google Admin console.
- From the Admin console Home page, go to Users.
- In the Users list, find the user. For details, see find a user account.
- Point to the user you want to delete and click More and then Delete user.
- If you’re a delegated admin, check the boxes to confirm that you understand the impact of deleting the account.
To transfer ownership of user content, you must be a super admin:
- Check the boxes next to each option that you want.
- In the Transfer to box, enter the first few characters of the user’s name or email address that you want to transfer the files to. When you see the account you want, select it.
- Click Delete User or Delete Users.
When the data is transferred and the account deleted, Google will email the contacts you set up in Company profile > Profile > Contact information.
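A pre-deletion gate for the lockout, export, group, Drive and 90-day conditions from the steps above. This is an added example, not code from the original article or from Google. The snapshot layout, the `deletion_blockers` name, the role strings and the sample accounts are all constructed for illustration; in practice you would fill the snapshot from whatever inventory you keep of the account.

```python
from datetime import date, timedelta

HOLD_DAYS = 90  # waiting period the article recommends before deletion

def deletion_blockers(snapshot, today):
    """Return the reasons the departing account must not be deleted yet."""
    user, executor = snapshot["user"], snapshot["executor"]
    blockers = []
    # Lockout and snapshot steps: new password, ended sessions, offline export.
    if not snapshot["password_reset"]:
        blockers.append("password not changed")
    if not snapshot["sign_in_cookies_reset"]:
        blockers.append("sign-in cookies not reset")
    if not snapshot["export_completed"]:
        blockers.append("no data export on file")
    # The account stays around for 90 days after deprovisioning starts.
    earliest = snapshot["deprovisioned_on"] + timedelta(days=HOLD_DAYS)
    if today < earliest:
        blockers.append(f"hold period runs until {earliest.isoformat()}")
    # Executor must be in every group the user is in, and own what the user owns.
    for name, members in sorted(snapshot["groups"].items()):
        role = members.get(user)
        if role is None:
            continue  # departing user is not in this group
        exec_role = members.get(executor)
        if exec_role is None:
            blockers.append(f"group {name}: executor is not a member")
        elif role == "OWNER" and exec_role != "OWNER":
            blockers.append(f"group {name}: executor is not an owner")
    # Any Drive file still owned by the user is deleted along with the account.
    owned = [f for f, owner in snapshot["drive_owners"].items() if owner == user]
    if owned:
        blockers.append(f"{len(owned)} Drive file(s) still owned by {user}")
    return blockers

# Constructed sample snapshot (hypothetical accounts, groups and files).
JDOE, ASMITH = "jdoe@example.com", "asmith@example.com"
SNAPSHOT = {
    "user": JDOE, "executor": ASMITH,
    "password_reset": True, "sign_in_cookies_reset": False,
    "export_completed": True, "deprovisioned_on": date(2024, 1, 10),
    "groups": {
        "sales@example.com": {JDOE: "OWNER", ASMITH: "MEMBER"},
        "all@example.com": {JDOE: "MEMBER", ASMITH: "MEMBER"},
        "press@example.com": {JDOE: "MEMBER"},
    },
    "drive_owners": {"Q1 forecast": JDOE, "Price list": ASMITH},
}

if __name__ == "__main__":
    for reason in deletion_blockers(SNAPSHOT, date(2024, 2, 1)):
        print("BLOCKED:", reason)
```

An empty list means every check passed; services the snapshot does not model, such as the non-core accounts, still need the manual review described earlier.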
Just because you deleted a departing user doesn’t mean people outside your organization will stop sending him or her important emails.
While your domain’s catch-all email address can handle these misdirected emails, you may not want the catch-all recipient to be the only person dealing with the departed user’s correspondence. Instead, set up a Group with the same email address as the one formerly used by the deleted user, and then add the Executor and any other relevant recipients to the Group. This will ensure that anyone who didn’t receive the auto-responder has his or her mails routed to the appropriate recipient.
Follow these steps and you can remove a G Suite user from your domain with minimal risk to your data and your business. Setting up and editing external mail servers in conjunction with adding or removing users can be a complex process.