Deprovisioning a Google Apps User

Deprovisioning or Deleting a Google Apps Account

Below are the steps to consider when deleting a Google Apps user from your company domain.

By changing the user’s password, you remove the former User's access to your system. Note this password for access to the account going forward. You've now taken over control of this account. 

This "kicks off" any devices authorized to the account. Resetting the password does this as well but resetting the sign-in cookies forces this action immediately. 

  • Disable Two-Step Verification

If you do not disable Two-Step Verification and attempt to access the account, a Google verification code will be delivered to the device listed on the account. This is likely the former employee's smartphone. This won't grant them access to the account but you will not be able to access the account either. This can be an awkward situation as well depending on circumstances and timing. 

  • Download a copy of the account data

If you want to retain a copy of all the data in the account, you can do so via Google TakeOut when signed in as the user. This will download the data currently in their account. You can store this copy on a computer or a drive, but you'll need to rely on the local tools (Outlook, Thunderbird, etc) to do searches of that data.

  • Identify someone to take ownership of the User Account going forward for a specified period of time

This person becomes responsible for the account until it is ultimately deleted.

  • Set Up Departing User’s Vacation Autoresponder

The account will continue to receive email until it is Deleted or Suspended. The autoresponder can make others aware of the change and let them know the person they should contact going forward. "Thank you for your email Old Guy is no longer with Acme. A copy of your message has been sent to New Guy at New Guy will give your message the attention it deserves."

  • Consider Administration of other Services and Apps

Determine which of the many Google services the departing user employed on behalf of your organization, then make sure another user has equal or greater permissions on those services. Consider services like Google Analytics and a Google Plus page for example. 

This can be done to provide quick and easy access to this account for any User(s) responsible for the former employee's tasks going forward. 

To prevent all the Google Drive files owned by a departed user from being deleted along with the user’s account — even (or especially) the ones shared with and used by other employees — you must transfer ownership of those files to another User, who can then selectively assign ownership to the appropriate individuals in your organization.

If the departing user has shared any secondary calendars they created with other domain members (for example, a list of company training sessions), those calendars will only survive if the person with whom it is shared can view and change events on the calendar. You should delegate another User to manage the calendar until everyone who should have calendar view and change permissions are identified.

If a departing user owns a Google Group, it will not survive deletion of the user’s account unless you first transfer ownership to someone else.

  • Set Calendar Reminder to Delete Departing User's Account

Set a policy to delete the User account in a specific amount of time, 60 days for example. This will keep your Google Apps environment from becoming cluttered with former employee accounts (and the required subscriptions). This also forces the former employee's tasks to be transitioned quickly to other team members, potentially reducing the disruption of the change. 

Once you've reviewed the above, you can confidently delete the User. 

  • Divert Departed User’s Incoming Email

Now that the departed user’s account has been removed, any attempts to email that account will bounce. This is a good public message that this address no longer exist. If this is not desirable, you can route mail for that address a few different ways.

A. User Alias

Once the departed user is deleted, you can add the deleted email address as an email alias for the User that will be responsible for this role going forward. 

B. Divert with Google Group

Once the departed user is deleted, you can then create a Google Group with the same email address as the deleted account. You can then assign one or more stewards to receive any mails sent to that address.

C. Default Mail Route

Gmail's default routing rules can be used to rewrite the message to deliver to another address on the domain or to an external service.