Dealing with 90k suspended users (87TB)


Jason Shuck

Jul 18, 2025, 6:25:30 PM
to GAM for Google Workspace
I've been reading through several posts on here trying to see how others deal with it, and am afraid the scale of my situation makes previous approaches untenable, but want to be proven wrong.

I have ~90k suspended accounts in my tenant, using ~87 TB of stuff, and content shared with thousands of unique email addresses.

In a perfect world, I'd just turn off sharing and be done with it, but I'm not sure how exactly to do that. Is it using the commands to run through a list of files and remove ACLs? I was originally planning to move the accounts to a Shared Drive and force a break in sharing, but now reading about the limits with folder depth, I'm afraid that won't work. I also tried to use the gam user move drivefile root teamdriveparentid command, but it keeps erroring out saying my target doesn't exist.

I found some old posts saying the person being moved has to have access to the shared drive, but they're suspended and I can't grant access to suspended, let alone consider it plausible for ~90k suspended accounts.

How do others deal with this scale of issues?

Jay Lee

Jul 18, 2025, 6:28:00 PM
to google-ap...@googlegroups.com
I would create trust rules, block external sharing for a given group/OrgUnit with a trust rule and then add all these users to the group/OU.

The cool thing about trust rules is it breaks the share WITHOUT removing the ACL.


Jay Lee


--
You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/google-apps-manager/b19daf25-7126-422e-91f1-37ab6a1d66a0n%40googlegroups.com.

Ian Crew

Jul 18, 2025, 6:52:15 PM
to google-ap...@googlegroups.com
At our peak, UC Berkeley had 400K accounts, about 200K of which were suspended.

Re. Jay Lee’s suggestion, note that there’s a longstanding nasty bug with Trust Rules: moving someone out of the OU where trust rules block sharing does indeed restore others’ ability to access that content, BUT the content doesn’t reappear in “shared with me” or other parts of the UI.

What we’ve done here, instead, is move those suspended accounts into an OU where sharing outside the domain is blocked. We then create a new blank account corresponding to each suspended account and use the Google transfer API (see https://github.com/GAM-team/GAM/wiki/Google-Data-Transfers) to transfer ONLY the shared data out of the original accounts, allowing us to get rid of the rest (not-shared files; mail; photos) which saves a bunch of space.

Also, another tip: Google’s BigQuery-based Drive Inventory (https://support.google.com/a/answer/15141054?hl=en) can be extraordinarily helpful as you work to understand which accounts are using what and sharing with who at that scale.

Hope that helps, at least a little,

Ian

--
Ian Crew

Architect, Communication and Collaboration Services
Productivity & Collaboration Services
Berkeley IT
University of California, Berkeley


Jason Shuck

Jul 19, 2025, 7:48:40 PM
to GAM for Google Workspace
Thank you! 

If I didn't care about any of the data, could I use trust rules to block ALL sharing? I just started reading that page about them, so apologies if it's a basic question that I haven't gotten to yet.

I may have to fall back to keeping shared data so Ian, your idea is good to have in my back pocket!

Jay Lee

Jul 19, 2025, 8:31:44 PM
to google-ap...@googlegroups.com
Yes, trust rules can block internal and external sharing.


Jay Lee

Aston Wooller

Jul 21, 2025, 1:23:59 AM
to GAM for Google Workspace
Hey Jason

The way I deal with terminated staff is to make the OU I put terminated staff in immediately block all internal and external sharing. That way it's at the top of people's minds when they lose access to any files. I get tickets come through like "John Doe left the business yesterday and now I can't see xyz, did he own that?" and that can raise the question of whether John Doe's files need to be transferred to anyone despite their manager saying not to on the exit form.

If you need to transfer all the files of the terminated user, then that can still be done by the usual transfer tool in Google Admin. But if you need to transfer out a single file using GAM, you need to put the specific user into another OU, transfer the file, then put the user back in the terminated OU.

The big warning I would say about putting all of these files into the unshareable zone, is it does unfortunately make everything invisible to end users. That can lead to whole folder structures disappearing and people scratching their heads because they didn't realise that the folder structure was owned by some person that left the business 2 years ago, even if they didn't own any of the files within the structure. Same caveat for deleting files; sometimes the user doesn't own any files that have been recently modified, but they own the folders that other people put their files in.

If you do want to eventually delete these suspended users to save on archive license fees and Google Drive is the only thing preventing you from doing so, there is the option of creating an archive user that houses all the data of all these suspended users and transferring everything to that user. (Similar to Ian's option, but instead of an account per exstaff, just have one account that owns everything.)

Aston

Jason Shuck

Jul 21, 2025, 9:22:24 AM
to GAM for Google Workspace
AI is telling me the trust policies aren't retroactive. If I make an OU, apply trust policy to it, and move people into that OU, are you seeing it actually apply retroactively? I don't know if the robot is lying to me or not.

Jay Lee

Jul 21, 2025, 9:37:58 AM
to google-ap...@googlegroups.com
Best not to trust AI when the actual community is telling you something different.

Trust rules block existing ACLs without removing the actual ACL.

Jay Lee

Jason Shuck

Jul 21, 2025, 9:55:01 AM
to GAM for Google Workspace
Thanks! Of course I just realized since we have the free Education tier I can't access any of that. Sigh. Given that, I'm thinking my best option is to set up the horrible process to run through every single file and remove permissions. Kick it off on some server and let it run for a month through 25 million rows.

Anyone have any better ideas knowing my school only has the free tier? I don't have access to trust rules, don't have access to BigQuery report mentioned earlier, don't even have Security Center to see sharing report :(
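
Added example (not part of the thread and not GAM code): a dry-run planner for the per-file permission-removal pass described above, which also applies Aston's caveat by holding back folders that still contain files owned by active accounts. The inventory column names and the sample rows are constructed assumptions; map them to whatever file/permission export you actually have.

```python
import csv
import io

FOLDER = "application/vnd.google-apps.folder"  # Drive's MIME type for folders

# Constructed sample inventory: one row per (file, permission). Hypothetical columns.
SAMPLE = """file_id,owner,mime_type,parent_id,perm_id,perm_type,perm_role,perm_email
F1,old1@example.edu,application/vnd.google-apps.folder,,p1,user,owner,old1@example.edu
F1,old1@example.edu,application/vnd.google-apps.folder,,p2,user,writer,staff@example.edu
D1,staff@example.edu,application/pdf,F1,p3,user,owner,staff@example.edu
D2,old1@example.edu,application/pdf,,p4,user,owner,old1@example.edu
D2,old1@example.edu,application/pdf,,p5,anyone,reader,
D2,old1@example.edu,application/pdf,,p6,user,reader,ext@example.org
D3,old2@example.edu,application/pdf,,p7,user,owner,old2@example.edu
"""

def load_rows(text):
    """Parse the flattened inventory into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def plan_acl_removal(rows, suspended):
    """Return (removals, review): ACLs safe to strip, folders needing a human."""
    # Folders holding at least one item owned by a non-suspended account.
    live_parents = {
        r["parent_id"] for r in rows
        if r["parent_id"] and r["owner"] not in suspended
    }
    removals, review = [], set()
    for r in rows:
        if r["owner"] not in suspended or r["perm_role"] == "owner":
            continue  # out of scope, or the owner's own permission
        if r["mime_type"] == FOLDER and r["file_id"] in live_parents:
            review.add(r["file_id"])  # unsharing would hide other people's files
            continue
        removals.append((r["owner"], r["file_id"], r["perm_id"]))
    return removals, sorted(review)

if __name__ == "__main__":
    suspended = {"old1@example.edu", "old2@example.edu"}
    removals, review = plan_acl_removal(load_rows(SAMPLE), suspended)
    for owner, file_id, perm_id in removals:
        print(f"REMOVE owner={owner} file={file_id} permission={perm_id}")
    for folder_id in review:
        print(f"REVIEW folder={folder_id} contains files owned by active users")
```

The output is a plan only; feeding the removal list to the actual permission-delete step, and deciding what to do with the held-back folders, stays a separate, reviewable action.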

Scott Mayo

Oct 27, 2025, 2:22:56 PM
to google-ap...@googlegroups.com
Where is that Internal Block setting at?

Scott


--
Scott Mayo
Mayo's Pioneer Seeds

Aston Wooller

Oct 27, 2025, 3:55:06 PM
to GAM for Google Workspace
Hey Scott

They're under Rules in Google Admin. Create a Trust Rule here: https://admin.google.com/ac/ax

Cheers
Aston

Scott Mayo

Oct 27, 2025, 4:14:22 PM
to google-ap...@googlegroups.com
One more question on this. Has anyone actually enabled that later on after the fact? It says that it disables existing drive sharing rules, but will convert them. That looks like a scary thing to do if something goes wrong.

Thanks.
Scott

Aston Wooller

Oct 27, 2025, 6:27:59 PM
to GAM for Google Workspace
Trust Rules were only introduced a few years ago, so most customers who use them will have enabled them on existing tenants. 

I didn't have any issues with turning Trust Rules on for Drive. But if you have issues, you can turn off Trust Rules for Drive and it'll revert back to what it was before.

Ian Crew

Oct 27, 2025, 6:44:42 PM
to google-ap...@googlegroups.com
The problem with Trust Rules is that the items don’t reappear in Shared With Me when you move stuff back out of being blocked by a trust rule, so unless your users know the URL of the specific file/folder they need to get access to again, they’re out of luck.

And yes, that’s a real bug with Trust Rules that I’ve been hammering on Google about for years (with no progress, unfortunately). Sigh. It could be such a wonderful feature. 

Cheers,

Ian

Jay Lee

Oct 27, 2025, 7:05:59 PM
to google-ap...@googlegroups.com
Shared with me is really meant more as a "recently shared directly with me" view, though that's a mouthful.

Content discovery in a large organization is always a challenge and needs to be thought through with Sites, links, etc.

Jay Lee
