12 Essential Steps for Deprovisioning Users in Google Apps
August 4, 2016
4 minute read
If you’re not organized, the process of offboarding departing employees can frazzle even the most seasoned IT professional.
Deprovisioning is often time-consuming and tedious, and it’s all too easy to overlook a critical step here or there. Miss a step, and you might find yourself staring down the barrel of data loss, business interruption, and/or security vulnerabilities.
Here’s a Google Apps deprovisioning checklist with best practices to help mitigate risk, avoid critical errors, and ensure a smooth, hiccup-free transition.
1. Find a new owner
You’ll need to find an account executor to become the owner of the user’s digital property (e.g., documents, calendars, groups owned). Usually this is the user’s manager, a trusted supervisor, or a new account owner.
2. Reset password/sign-in cookies
Reset the user’s password to prevent them from logging into their account. This is a crucial security step, as a disgruntled former employee could potentially tamper with files or send inappropriate emails. It’s also a good idea to reset their sign-in cookies and/or require a password change on the next sign-in. This way, you’ll log them out of any current sessions and also prevent further access.
3. Hide user from the directory
When you hide someone from the directory, their contact information will no longer appear when employees type their email address into services like Gmail and Calendar. The user’s profile also will no longer appear in Contact Manager. If you use messaging apps like Slack, hide the user in those as well.
4. Set up an autoreply email
Set up an automatic response to people who are trying to send emails to the user, and provide information on who should be contacted instead. Here’s an example:
Please be advised that Dwight Schrute is no longer with Dunder Mifflin. If you have any inquiries, please direct them to Michael Scott at mscott@dundermifflin.com.
Note that not all companies may want to set up an autoresponder, so check with your HR department and/or company policy on this step.
5. Delegate the user’s inbox
Delegate the user’s inbox to the account executor.
6. Transfer ownership of critical files
Overlooking this step can mean significant data loss. Don’t forget to transfer ownership of important files such as Drive files, Sites, and Calendars. Of course, if you plan on deleting these files, you can skip this step.
7. Transfer group ownership & membership
If the user owns (or is a member of) any important groups, you can transfer these assignments to someone else.
Again, some organizations may prefer not to delegate an inbox or transfer ownership of assets, so check with your HR department and/or company policy on these steps.
8. Terminate access to other software accounts
Check which software the departing employee had access to (perform an audit if needed), and terminate, suspend, or reset access to any necessary software (e.g., chat programs, password management tools, VPN, CRM tools, etc).
9. Take care of the offline stuff
Don’t forget to collect items like laptops, keys/keycards, and other company property before the user leaves. Additionally, remember to revoke keycard access.
10. Archive everything
If you plan on deleting a user, creating an archive for your records can be a useful step in case you need to access anything later. If you want to have a copy of all the user’s files, you can download and export the data from Google. Some companies have certain limits on how long data can be archived, so check what your IT department’s data retention/lifecycle policy says.
11. Suspend the user’s account
If the user’s account has information that you’d like to save, you can suspend their account until you’ve transferred the information to another person. By suspending the account, you keep it preserved but inactive.
12. Delete the user or assign a VFE license
You can delete the user, or you can set a reminder to take more decisive action in the future (for example, in 30 days). If you do delete the user permanently from your domain, you will lose all of their Drive files, emails, and secondary Calendars. It will also free up a Google Apps account license to use on new users. If you want to hold on to data in Vault for inactive user accounts, look into Vault Former Employee Licenses. They’ll allow administrators to search, export, and retain data in Vault.
Additional tips:
-
- Make sure all the necessary departments are talking. “One of the really important things with deprovisioning is communication,” says Nick Church, IT Specialist at BetterCloud. Remember, IT isn’t the only department involved in offboarding users. Any departments that have a hand in the process—whether it’s IT, operations, facilities, HR, etc.—should be communicating to ensure that everyone knows what’s happening and all steps have been completed. To facilitate this communication and reduce the risk of overlooking a critical step, consider creating an exit group/distribution list that includes the necessary departments.
- Always have a checklist. “Don’t count on yourself to remember everything, even if you’ve done it 100 times,” says Church. “Pilots make hundreds of flights, and they still go through a physical checklist. No matter how much you trust yourself, you’re much less likely to skip a step if you have a checklist in front of you.” It’s never too late to start documenting all the steps. This is especially important as your company grows and deprovisioning becomes a more complex process.
Deprovisioning, with all of its steps and tasks, is a process highly susceptible to human error. In fact, research shows that human error accounts for over 95% of security incidents. But with a powerful tool like BetterCloud Workflows, you can automate the entire process and deprovision users in minutes, not hours spread across multiple days. Sound interesting? Check out BetterCloud Workflows for more information.
Do you have any additional steps that you include in your deprovisioning process? Share in the comments below.
