Set account suspension or deletion date. Is this possible?

[Bairam Hadzovic]

Hi Everyone,

I am curious if anyone has dabbled with or worked on or if it is even possible to set an account deletion/suspension date. Very similar to how you are able to set out of office start and end dates. A former colleague of mine provided me a termination script and I have added an out of office portion, but would like to continue working on the script and end an end date as it can become a bit tedious to go back in for each user and manually suspend or delete the account.

Termination script looks like:

#!/bin/sh

echo "Input the email address of the user to be deprovisioned from G Suite, followed by [ENTER]"

read termed_email_address

echo "Input the email address of the receiving Manager, followed by [ENTER]"

read receiving_email_address

~/bin/gam/gam update user $termed_email_address password random gal off

~/bin/gam/gam user $termed_email_address deprovision

~/bin/gam/gam user $termed_email_address add forwardingaddress $receiving_email_address

~/bin/gam/gam user $termed_email_address forward on $receiving_email_address delete

gam user us...@domain.com vacation on subject "Out of Office" message "Please note that user is currently out of the office. In their absence, please contact our Customer Service Department at 123456789 for immediate assistance.\n\n" startdate 2018-01-02 enddate 2018-03-01~/bin/gam/gam user $termed_email_address delete groups

~/bin/gam/gam user $termed_email_address transfer drive $receiving_email_address

~/bin/gam/gam calendar $termed_email_address add owner $receiving_email_address

echo "G Suite deprovisioning for ${termed_email_address} complete"

Let me know your thoughts!

[Eric Dannewitz]

I think if you have something like GCDS with AD you can do the date part. But when you suspend a google account, you don't get the option to do forwarding or anything I believe.

https://support.google.com/a/answer/33312?hl=en 

You would be better off maybe changing the password to the account and then setting the other stuff you want like forwarding and vacation responder.

--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.
To post to this group, send email to google-apps-manager@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/463179b6-a33a-4a07-a865-bcc461d632ac%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Eric Dannewitz 

Technology Assistant

Acalanes Union High School District

District Office Technology Department

925-280-3980 x4309

edann...@auhsdschools.org

[k.melillo]

When we off-board a user, we rename the user.  Example..

t.j...@domain.com becomes t.jones_depa...@domain.com

We also use delegation instead of forwarding, as well as a vacation responder, letting them know who they should be emailing...  the manager, as well as the managers phone number.

We randomize the password, remove all tokens, remove them from all groups, and change their ORG as well.

We maintain this for 3 months (hence why the date is needed)  After the 3 months, we suspend the user, which terminates the delegation.  

every month we run a report of all users with _departed_

we then compare dates, and suspend if needed

The ORG change is mainly for Vault purposes...  we retain all email for 3 years, except for legal and HR staff, which we retain for 7 years.

[+KimNilsson]

How do you know how an account is reaching three years?

You can't pull any info about the account later than six months since last activity.

You could push a custom attribute, or anything in the regular User Profile with the date of the suspension event, else there's no record anywhere when it was suspended.

[k.melillo]

We pull a report of all users with the _DEPARTED_ in their username, and do some fancy spreadsheet filtering...  then we sort by date.. and BLAMMO!  It is a pseudo manual process...  but it works.

On Tuesday, January 23, 2018 at 12:33:25 PM UTC-5, Bairam Hadz wrote:

[Kim Nilsson]

Cool, but I don't see how that would be possible after the six-month mark.

You do of course get those tagged users, but you have no date reference.  <= that's my question

[✉ Kevin Melillo]

The date reference is in the rename...  we include the departed date...  20180123....  01/23/2018....

On Wed, Jan 24, 2018 at 9:17 AM, Kim Nilsson <there.is.no...@gmail.com> wrote:

Cool, but I don't see how that would be possible after the six-month mark.

You do of course get those tagged users, but you have no date reference.  <= that's my question

--

You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.
To post to this group, send email to google-apps-manager@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAGPzzFuZLuLJH%2BQg9jjkLMR7_q%2BezKYYfYNinEJNHL7sFq7rfA%40mail.gmail.com.

For more options, visit https://groups.google.com/d/optout.

--

Kevin Melillo

Electronic Communications Analyst

Information Technology

445 Hoes Lane

Piscataway, NJ 08854

Phone:732-465-6609 | Mobile: 732-609-4331

E-mail: k.me...@ieee.org

[Kim Nilsson]

Ahhh, now we're talking!

Yes, that's the cool bit I was missing. 

Yup, there you have a persistent reference to the suspension/rename date. 

[Bri Hatch]

The way we handle this is by having an offboarding script that accepts username/manager name as options and runs gam commands. We then maintain a crontab file with these commands for each person, ala

0 14  01 05 *  /path/to/offboarding/script -u username -m managername

Would offboard username at 14:00 on May 1st.

Cron has various issues (no 'year' component, awful time/date formatting option, if the machine was off it will not run the missed jobs) but you could probably shoehorn something similar for your situation.

Another option would be to set an 'at' job at the end, ala

  $ echo 'gam delete user blah'  | at now + 6 months

which may be sufficient for your use case.

On Wed, Jan 24, 2018 at 6:20 AM, ✉ Kevin Melillo <k.me...@ieee.org> wrote:

The date reference is in the rename...  we include the departed date...  20180123....  01/23/2018....

On Wed, Jan 24, 2018 at 9:17 AM, Kim Nilsson <there.is.no.substitute@gmail.com> wrote:

Cool, but I don't see how that would be possible after the six-month mark.

You do of course get those tagged users, but you have no date reference.  <= that's my question

--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.

To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsubscribe...@googlegroups.com.

To post to this group, send email to google-apps-manager@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAGPzzFuZLuLJH%2BQg9jjkLMR7_q%2BezKYYfYNinEJNHL7sFq7rfA%40mail.gmail.com.

For more options, visit https://groups.google.com/d/optout.

--

Kevin Melillo

Electronic Communications Analyst

Information Technology

445 Hoes Lane

Piscataway, NJ 08854

Phone:732-465-6609 | Mobile: 732-609-4331

E-mail: k.me...@ieee.org

--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.
To post to this group, send email to google-apps-manager@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAKM%3DboaFvFNgJEdQ%2BNPhjBnCd-QBN%3Dd5ywv5GO%3D%3DnrsSBFguGQ%40mail.gmail.com.

For more options, visit https://groups.google.com/d/optout.

--

Bri Hatch, Systems and Security Engineer. http://www.ifokr.org/bri/

The sooner you fall behind, the more time you'll have to catch up.

[k.melillo]

A cron job is an interesting idea...  but since I run GAM from Google Cloud Shell, I am not sure if this would be allowed...  and on Linux for Windows subsystem...  I know it would not work.

On Tuesday, January 23, 2018 at 12:33:25 PM UTC-5, Bairam Hadz wrote:

[Graham Ingleby]

You could use GAM to put an entry in a calendar reminding you to delete the user - manual but it would work. You could even put the command in the body of the calendar appointment, or attach a file containing the command to run

 

Graham Ingleby	|	Google Cloud Consultant	|	+44 1344 203395	|	ging...@ancoris.com

Subscribe to our blog and receive our latest articles straight to your inbox

Powered by Ancoris Signatures

--
You received this message because you are subscribed to the Google Groups "GAM for G Suite" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-manager+unsub...@googlegroups.com.
To post to this group, send email to google-apps-manager@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/fdd76256-60dd-4378-ac83-8ab0888cb36c%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

This message is for the named person's use only.  If you receive this message in error, please delete it and notify the sender.  Ancoris reserves the right to monitor all e-mail communications through its networks. Ancoris Limited, Registered in England Number: 04830784, Registered address: 5a Frascati Way, Maidenhead, Berkshire SL6 4UY. Trading Address: Lily Hill House, Lily Hill Road, Bracknell, Berkshire RG12 2SJ