Deleting users

[Ian Bevan]

What processes do people go through when deleting users from the Workspace?

Do you run checks for shared file ownership etc, what do you do if you find that there are shared files?

How do you avoid orphaning files/classrooms etc?

I have a list of many users that I need to remove, but need to understand the pitfalls of just deleting the users.
I need to add, I am required not to transfer the data to another user but if the data is a shared document then I'll need to address that instead.

[Ian Crew]

Well, here at UC Berkeley, where we are working on getting rid of a couple hundred thousand older accounts with much the same concerns, what we’re doing is:

1) When the user leaves the university and loses eligibility, we disable the account, use DLP rules to label any files owned by that account as “WILL BE DELETED” (so that their collaborators can see/search for those files), and rename the account from us...@example.edu to expire...@example.edu. Expired (and deleted—see below) accounts are also blocked from sharing outside our Workspace instance. 

2) After a year, we create a new account, delete...@example.edu, use GAM to transfer just the shared drive content from expired_user to that account, and delete the expired_user account (which saves the space used by mail, photos, and not-shared drive content). 

3) We’re engaging with our community on two fronts:

A) Encouraging people to look for content shared with them by expired and deleted accounts and move it to a Shared Drive if they still need it. We’re evaluating a product called Folgo that might make this a bit easier for folks, but haven’t made the decision yet.

B) Teaching people that anything that should stick around beyond the tenure of any one person in the organization belongs in a Shared Drive, not My Drive. 

In the future, the plan is to eventually fully delete the deleted_ accounts, but not without tons of warning. 

Also, we found that the great majority of space was being used by a really tiny fraction of our population, so using GAM reports to see who those folks are and engage with those accounts first was a huge help.

Hope that helps, and of course there are many other potential solutions out there—this is just what we landed on!

Cheers,

Ian

--

Ian Crew

Architect, Communication and Collaboration Services
Productivity & Collaboration Services
Berkeley IT

University of California, Berkeley

Disclaimer
Please help to protect the environment by not printing emails unnecessarily. The information contained in this communication from the sender is confidential. It is intended solely for use by the recipient and others authorised to receive it. If you are not the recipient, you are hereby notified that any disclosure, copying, distribution or taking action in relation of the contents of this information is strictly prohibited and may be unlawful.
Registered in England and Wales: Castle School Education Trust, CSET Mangotsfield School, Rodway Hill, Bristol. BS16 9LH | Reg. No. 08397975

--
You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/google-apps-manager/ad5a571e-0fe1-46c4-aea3-753d35c1b608n%40googlegroups.com.

[Ian Bevan]

Thanks for the reply Ian.

Would you mind sharing your DLP process with me. We've never used Labels before and I'm reading conflicting information stating that Google has removed them from Workspace, although it appears that I can create a Label but can't seem to apply it so not sure how the DLP process would manage it.

[Ian Crew]

See 

https://docs.google.com/document/d/11L93ChUU42_iq9ZLvnJdJSOAhvPAZIbsU-lqiwdfx60/edit

Do note that there are dependencies on which Workspace edition you’ve got in terms of whether labels are available. Here at UC Berkeley, we’re on Google Workspace for Education. The little licensing matrix at the bottom of the write-up above talks about the difference between users with an Education Fundamentals and an Education Plus license. 

I know there are similar distinctions between the different Workspace Essentials/Business/Enterprise offerings, but I’m less familiar with those.

Also, do note that DLP can only label files, not folders. 

Hope that helps!

Ian

--

Ian Crew

Architect, Communication and Collaboration Services
Productivity & Collaboration Services
Berkeley IT

University of California, Berkeley

To view this discussion visit https://groups.google.com/d/msgid/google-apps-manager/246fb454-54fd-4044-8d40-0a03e3708024n%40googlegroups.com.

[Ian Bevan]

Thanks again for your reply Ian, 

Just checked and it's not available on our plan, so will need to think of another way to manage those shared files whilst we educate the educators...

[Antonio Casado]

Thanks you for share your plan.

Two questions:

a) What is the command GAM for transfer all share files for drive from userA to delete_userA

b) Isn't it easier to delete the files that aren't shared and then rename the account?

Bye.

[Ian Crew]

Thanks you for share your plan.

Two questions:

a) What is the command GAM for transfer all share files for drive from userA to delete_userA

• https://github.com/taers232c/GAMADV-XTD3/wiki/Google-Data-Transfers (The "privacy_level shared" part is the key part here, transferring only the shared data.) 
  
• That GAM command leverages the API at https://developers.google.com/admin-sdk/data-transfer/reference/rest/v1/transfers
  
• More details are at https://support.google.com/a/answer/1247799 (https://github.com/taers232c/GAMADV-XTD3/wiki/Users-Drive-Orphans is a gam command to help with step 5 of the "prepare for transfer" part of that article)

b) Isn't it easier to delete the files that aren't shared and then rename the account?

No—by deleting the original account, we recover the space used by the not-shared files in Drive, the space used by Mail, and the space used by Photos. And for Photos, deleting the account is the only way to get rid of them, because Google refuses to give admin access to that service (even though they charge us for the space used). 

It’s also a lot easier to just make the single call to transfer the shared items than to search for and delete the not-shared items one by one. 

Hope that helps,

Ian

To view this discussion visit https://groups.google.com/d/msgid/google-apps-manager/b9a4ab77-8366-4c79-baf2-abaafa081e55n%40googlegroups.com.

[Antonio Casado]

Thanks Ian,

If you don't want wait for users looking for LABELS in yours DRIVE, you can search this files for them and send result by email:

$ gam user myuser print filelist query "'labels/mylabel_ID' in labels" anyowner excludetrashed fields id,name,shared fullpath

Bye

To view this discussion visit https://groups.google.com/d/msgid/google-apps-manager/CAD2sLFvWTVbJOMKmXyTMb3KmPmf-W1qJQqSuQ_XLT554QHbrPw%40mail.gmail.com.

--

		Antonio Casado Rodríguez Jefe de Sección de Servicios de Red y Seguridad TIC Servicio de Comunicaciones del ATIC Despacho 2.22, Edif. CITIC Email: aca...@ual.es Tel. +34 950214223 Universidad de Almería Carretera Sacramento s/n 04120 La Cañada de San Urbano, Almería (España)
Puede consultar la información adicional sobre confidencialidad de este email y protección de datos en nuestra página web: www.ual.es/lopd-email. Responsable del tratamiento: Universidad de Almería. Finalidad: Atender y dar respuesta a su petición o consulta y mantener los contactos y relaciones que se produzcan como consecuencia de la misma. Derechos: Para el ejercicio de derechos de protección de datos diríjase a www.ual.es/lopd-derechos.