Generic Backupify
December 19, 2014
G Suite

How to Delete a High Risk Google Account From Your Domain: 7 Steps

One of the worst-case scenarios for Google Apps admins is an account that has been compromised by hackers. There’s no guarantee that it won’t pose a persistent threat to your domain, and same-day deletion is an option. So, what steps do you need to take to safely and securely delete a high-risk Google Apps account?

Below we outline seven steps. Follow these instructions carefully in order to ensure you successfully delete the account from your domain.

1. Change User Password

By changing the user’s password, you prevent the departing employee (or anyone that stole the account password) from logging in again to steal data, inflict damage or simply thwart the deprovisioning process. Just be sure to retain the password for your records, as you’ll need it to log in and perform many of the subsequent steps in the process.

2. Reset Login Cookies

The departing user may already be logged in on multiple devices, some of which your organization doesn’t own. (The point of Google Apps is that you can use it anywhere.) Resetting the user’s sign-in cookies will end all those sessions and ensure that only persons with the new account password can in fact access the account.

3. Disable Two-Factor Authentication

Two-Step Verification requires possession of the user’s phone to log in and impersonate the user, which will interfere with other steps in this process, so disabling it is necessary.

4. Download All Account Data

Before you eliminate an account, you’ll want to preserve all the data in it for safe keeping. You can get a quick, easy bundle of all the core Google Apps (Gmail, Drive, Calendar, Contacts and Sites) data with Backupify Snapshot. If you need or want data from additional services, you can download them with Google Takeout.

Note that services like Google Takeout and Backupify Snapshot may require several hours or even days to compile an export of a large Google Apps account. During this export process, you cannot purge the user without losing vital account data. If you are committed to a policy of same-day deletions for high-risk accounts, you are best served by an automatic, daily backup of all Google Apps domain accounts.

5. Assess/Redirect Third-Party Account Ownership

Determine which of the many Google services the departing user employed on behalf of your organization, then make sure another user has equal or greater permissions on those services. You don’t want to delete the sole user who controls the company YouTube account, for example, as that will delete the YouTube account, too. If you don’t have a confirmed list of all services in use at your company (and you should), you’ll need to attempt to log into each service as the departing user to see if the account is recognized.

6. Delete Departing User

7. Divert Departed User’s Incoming Email

Now that the departed user’s account has been removed, any attempts to email that account will bounce—which is not good policy. Google Apps offers several ways of intercepting emails for departed accounts, each with their own pros and cons.

a. Divert with Catch-All Address

You can (and, in general, should) set up a Catch-All Email address, which will intercept any mail sent to your domain but addressed to a user account that does not exist. This Catch-All address will receive every mistyped email address intended for real users, every “war-dialed” address that gets past your spam filter, and emails for all departed users. Be sure whoever you assign to get all these emails knows how to deal with each of these use cases.

b. Divert with Google Group

Once the departed user is deleted, you can then create a Google Group with the same email address as the deprovisioned account. You can then assign one or more people to receive any mails sent to that address. This is the most flexible and manageable solution for departed email addresses.

c. Divert with User Alias

Once the departed user is deleted, any other user on your domain can have the deleted email address as an email alias. Thus, if the Executor needs to continue receiving the departed user’s email, he can.
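
As an added example (not part of the original article or any Backupify tooling), here are steps 1-3 and 6-7c expressed as Admin SDK Directory API calls, with deletion refused until steps 4 and 5 are confirmed. The function names, the `heir_email` parameter and the two confirmation flags are assumptions; `directory` is a Directory API v1 client supplied by the caller.

```python
import secrets


def lock_down(directory, user_email):
    """Steps 1-3: new password, end all sessions, turn off 2-Step Verification.

    `directory` is an Admin SDK Directory API v1 client, e.g. the object from
    googleapiclient.discovery.build("admin", "directory_v1", credentials=...).
    Returns the new password, which the admin retains for steps 4 and 5.
    """
    new_password = secrets.token_urlsafe(24)
    # Step 1: replace the password so a stolen one no longer works.
    directory.users().update(
        userKey=user_email,
        body={"password": new_password, "changePasswordAtNextLogin": False},
    ).execute()
    # Step 2: sign the user out of every web and device session.
    directory.users().signOut(userKey=user_email).execute()
    # Step 3: turn off 2-Step Verification so the admin can log in as the user.
    directory.twoStepVerification().turnOff(userKey=user_email).execute()
    return new_password


def delete_and_divert(directory, user_email, heir_email, *,
                      backup_complete, ownership_transferred):
    """Steps 6 and 7c: delete only once steps 4 and 5 are confirmed done."""
    if not backup_complete:
        # Step 4: purging during an export loses the account data.
        raise RuntimeError("step 4 incomplete: export/backup has not finished")
    if not ownership_transferred:
        # Step 5: deleting a sole owner deletes the service account too.
        raise RuntimeError("step 5 incomplete: user may be sole owner of a service")
    directory.users().delete(userKey=user_email).execute()
    # Step 7c: hand the deleted address to another user as an alias.
    # (heir_email is a hypothetical name for that receiving user.)
    directory.users().aliases().insert(
        userKey=heir_email, body={"alias": user_email}
    ).execute()
```

The two flags are set by the operator after checking the export and the service ownership list by hand; nothing in the block verifies them automatically.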

There you have it – 7 steps to successfully deleting a high-risk Google Apps user account. If you are interested in learning more about how to delete Google Apps users at a range of “security risk” levels (from very low risk to high-risk situations like the one above), download the eBook below on “How to Delete a Google Apps Account” – good luck!

