Before you get started, the very first step in safely deleting a Google Apps account from your domain is to confirm the risk level of the user. It seems obvious, but in most cases this step is overlooked. Begin by understanding how “risky” the departing user is to your company. For example, if the user left on good terms, then they are most likely a low security risk, and the steps taken to remove them from your Google Apps domain will differ from those for a high-risk user who may have been terminated under unfortunate circumstances.
As we sat down to compile this complete guide to deleting a Google Apps account, we spoke with Google Apps expert Justin Gale to talk through the various necessary steps a company would need to complete in order to safely and securely delete a user. (We previously wrote about this topic back in a post “The 11 Steps to Take Before you Delete a User from a Google Apps Domain”.) In our new eBook “How to Delete a Google Apps Account” we walk through three scenarios: deleting a low-risk Google Apps user account, deleting a moderate-risk Google Apps user account, and deleting a high-risk Google Apps user account.
Below are the 14 steps to deleting a low-risk Google Apps user from your company domain.
1. Change User Password
By changing the user’s password, you prevent the departing employee from logging in again (to steal data, inflict damage or simply muddy up the deprovisioning process). Be sure to retain the password for your records.
2. Reset Login Cookies
The departing user may already be logged in on multiple devices, some of which your organization doesn’t own. Resetting the user’s login cookies signs them out of those existing sessions.
3. Disable Two-Factor Authentication
Two-Step Verification requires possession of the user’s phone in order to log in and impersonate the user, which will interfere with other steps in this process, so disabling it is necessary.
4. Download All Account Data
Before you make any changes to an account, you’ll want to preserve all the data in it for safe keeping. You can get a quick, easy bundle of all the core Google Apps data with Backupify Snapshot.
5. Identify Account “Executor”
Someone needs to take on the responsibility for dispersing all the vital organizational data hidden in the departing user’s account. This “Executor” of the departing user’s account will be responsible for the account until it is ultimately deleted.
6. Set Up Departing User’s Vacation Autoresponder
Until the account is deleted, it can receive email. You don’t want employees or customers expecting a response from someone who is no longer with your organization, so best practice is to set up an autoresponder that tells correspondents that the employee has left and to whom all inquiries should now be directed (likely, the account Executor).
7. Assess/Redirect Third-Party Account Ownership
Determine which of the many Google services the departing user employed on behalf of your organization, then make sure another user has equal or greater permissions on those services.
8. Delegate Access to Departing User’s Email
Delegate access to the departing user’s Google Apps mail account to the account Executor, who can then search the account’s contents as needed and forward or reply to any outstanding messages.
9. Transfer Ownership of Departing User’s Google Drive Files
To prevent all the Google Drive files owned by a departed user from being deleted along with the user’s account — even (or especially) the ones shared with and used by other employees — you must transfer ownership of those files to the Executor, who can then selectively assign ownership to the appropriate individuals in your organization.
10. Delegate Access to Departing User’s Shared Calendars
If the departing user has shared any calendars with other domain members (for example, a list of company training sessions), those calendars will only survive if the person with whom they are shared can view and change events on the calendar. You should delegate the account Executor to manage each calendar until all of the people who should have view and change permissions are identified.
11. Transfer Ownership of Departing User’s Groups
If a departing user owns a Google Group, it will not survive deletion of the user’s account unless you first transfer ownership to someone else.
12. Set Calendar Reminder to Delete Departing User in 90 Days
Set a reminder on your own calendar (the domain administrator’s, not the departing user’s) to delete the departing user account in 90 days. Be sure to include instructions to check with the account Executor that all necessary data has been transferred or reassigned.
13. Delete Departing User
At long last. But you’re not done yet.
14. Divert Departed User’s Incoming Email
Now that the departed user’s account has been removed, any attempts to email that account will bounce — which is not good policy. Google Apps offers several ways of intercepting emails for departed accounts, each with their own pros and cons.
A. Divert with Catch-All Address
You can (and, in general, should) set up a Catch-All Email address, which will intercept any mail sent to your domain but addressed to a user account that does not exist. This Catch-All address will receive every mistyped email address intended for real users, every “war-dialed” address that gets past your spam filter, and emails for all departed users.
B. Divert with Google Group
Once the departed user is deleted, you can then create a Google Group with the same email address as the deprovisioned account. You can then assign one or more people to receive any mails sent to that address.
C. Divert with User Alias
Once the departed user is deleted, any other user on your domain can have the deleted email address as an email alias. Thus, if the Executor needs to continue receiving the departed user’s email, he can.
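The steps above depend on a particular order: data and ownership must move before the account is deleted, and mail diversion comes after. The following Python check audits an offboarding record against that order. It is an added example, not part of the original guide or of any Google tool; the record format, step labels and sample dates are assumptions made for illustration.

```python
from datetime import date

# Step numbers follow the guide; the short names are labels invented for this example.
STEPS = {1: "change password", 2: "reset login cookies", 3: "disable 2-step",
         4: "download data", 5: "identify Executor", 6: "autoresponder",
         7: "third-party ownership", 8: "delegate mail", 9: "transfer Drive",
         10: "delegate calendars", 11: "transfer groups", 12: "set reminder",
         13: "delete user", 14: "divert mail"}

# (earlier, later, reason) pairs taken from the wording of the steps.
MUST_PRECEDE = [
    (4, 13, "account data is preserved before deletion"),
    (5, 8, "mail is delegated to the Executor"),
    (5, 9, "Drive files are transferred to the Executor"),
    (5, 10, "calendars are delegated to the Executor"),
    (9, 13, "Drive files owned by the user are deleted with the account"),
    (10, 13, "shared calendars must be delegated to survive"),
    (11, 13, "owned groups do not survive deletion"),
    (13, 14, "diversion is set up once the account is removed"),
]
WAIT_DAYS = 90  # step 12: reminder to delete in 90 days


def audit(record):
    """record: {step number: date completed}. Returns a list of findings."""
    findings = []
    for first, then, why in MUST_PRECEDE:
        if then not in record:
            continue  # later step not done yet, nothing to violate
        if first not in record:
            findings.append(f"{STEPS[then]} done without {STEPS[first]}: {why}")
        elif record[first] > record[then]:  # same day counts as in order
            findings.append(f"{STEPS[then]} done before {STEPS[first]}: {why}")
    if 13 in record:
        if 12 in record and (record[13] - record[12]).days < WAIT_DAYS:
            gap = (record[13] - record[12]).days
            findings.append(f"deleted {gap} days after reminder, expected {WAIT_DAYS}")
        if 14 not in record:
            findings.append("account deleted but incoming mail not diverted")
    return findings


# Constructed sample records (not real accounts).
GOOD = {n: date(2024, 1, 2) for n in range(1, 13)}
GOOD.update({13: date(2024, 4, 1), 14: date(2024, 4, 1)})
BAD = {1: date(2024, 1, 2), 4: date(2024, 1, 2), 5: date(2024, 1, 3),
       12: date(2024, 1, 3), 13: date(2024, 1, 13), 9: date(2024, 1, 20)}

if __name__ == "__main__":
    for name, rec in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(rec) or "no findings")
```

A step that does not apply to a user (for example, no shared calendars) should still be recorded with the date it was checked, otherwise the audit reports it as skipped.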
DONE! For more specific information on how to delete a Google Apps account, download our eBook below.