How are old, suspended accounts best handled?


Clinton Foster

Jan 3, 2025, 10:34:45 AM
to GAM for Google Workspace
Hello,
we're a K12 school district, and we're wondering how other people are handling accounts from staff that have left, but they possibly have documents that are shared with others and still being used.
We're not currently deleting old accounts, but with the new quota in place it might eventually become an issue.
I'm wondering if there's a way we could transfer all the suspended staff account documents into a shared drive that's only visible to admins.
That way if a file is still needed someone could locate it in there and move it somewhere more appropriate.
Thoughts?
Thank you!

Danny Dillon - NOAA Affiliate

Jan 3, 2025, 11:11:27 AM
to google-ap...@googlegroups.com
Your licenses/quotas may be different from ours, but be aware of the item count limits that shared drives have.  

--
You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/google-apps-manager/404521d6-c499-4729-8482-c27a877d066cn%40googlegroups.com.

Ian Crew

Jan 3, 2025, 2:36:27 PM
to google-ap...@googlegroups.com
It's not an easy task, honestly, but what we've taken to doing is creating a "holding" account that corresponds to each person that's left the university, and we transfer any shared drive items from the "source" account (that belonged to the now-departed person) to that holding account before deleting the source account.

Those holding accounts are in an OU set to disallow sharing outside the university, so that people who aren't a part of the university can't continue to access the shared files.

Here's a snippet from an example BASH script that I wrote that does this--it covers the critical pieces:

# SOURCE (the departed user's account), HOLDING (the holding account) and DATE
# must be set before this snippet runs.

# 1. Baseline report of everything the source account owns.
echo
date
echo "Generate report on source before transferring so can compare with report after transfer from the holding account"
gam user "$SOURCE" print filelist select query "'me' in owners" fullpath stripcrsfromname allfields todrive tdtitle "$SOURCE All Files $DATE" tduser "$HOLDING"

# 2. Transfer shared items only, then gather any orphaned items into a folder named after the source.
echo
date
echo "Transfer all shared content from source account to a holding account (waiting for completion)"
gam add datatransfer "$SOURCE" drive "$HOLDING" privacy_level shared wait 5 600
gam user "$HOLDING" collect orphans targetuserfoldername "$SOURCE"

# 3. Show transfer status.
echo
date
echo "Check progress of transfers (just to show we can, in case we want to make this asynchronous)"
echo "A) All transfers"
gam print datatransfers
echo "B) Transfer from $SOURCE"
gam print datatransfers oldowner "$SOURCE"

# 4. Report on what now sits in the holding account's folder for this source.
echo
date
echo "Once complete, generate file report to go along with the transferred data"
gam user "$HOLDING" print filelist select query "name = '$SOURCE' and 'root' in parents and 'me' in owners" fullpath stripcrsfromname allfields todrive tdtitle "$SOURCE Shared Files $DATE" tduser "$HOLDING"


One note: We decided not to block access to the holding accounts from other users, because those holding accounts may own folders that others have put stuff into, and we didn't want to risk orphaning those files.

Cheers,

Ian
--
Ian Crew

Architect, Communication and Collaboration Services
Productivity & Collaboration Services
Berkeley IT
University of California, Berkeley
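
The script above produces a report before the transfer and one after it so the two can be compared. One way to do that comparison before the source account is deleted, as an added example that is not part of the original post or of GAM: it assumes both sheets were downloaded as CSV, that they carry `id`, `name` and `shared` columns, and that file IDs stay the same when ownership is transferred. The sample rows are constructed.

```python
import csv
import io

# Assumed column names; adjust them to the header row of your own
# "All Files" / "Shared Files" reports.
ID_COL, NAME_COL, SHARED_COL = "id", "name", "shared"


def load_report(csv_text):
    """Parse a downloaded file-list report into {file id: row}."""
    rows = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not row.get(ID_COL):
            raise ValueError(f"report has no usable '{ID_COL}' column")
        rows[row[ID_COL]] = row
    return rows


def compare_reports(before_text, after_text):
    """Compare the source report (before) with the holding report (after)."""
    before, after = load_report(before_text), load_report(after_text)
    result = {"missing_shared": [], "left_unshared": [], "only_in_holding": []}
    for file_id, row in before.items():
        if file_id in after:
            continue
        # A shared file absent from the holding account did not transfer.
        # An unshared one was never in scope and is lost when the source is deleted.
        shared = row.get(SHARED_COL, "").strip().lower() == "true"
        key = "missing_shared" if shared else "left_unshared"
        result[key].append((file_id, row.get(NAME_COL, "")))
    # Items under the holding folder that the source report never listed,
    # such as the per-user folder itself.
    result["only_in_holding"] = [(i, r.get(NAME_COL, ""))
                                 for i, r in after.items() if i not in before]
    return result


# Constructed sample reports (not real data); one name contains a comma.
BEFORE = '''Owner,id,name,shared
old@example.edu,f1,"Budget, FY25",True
old@example.edu,f2,Lesson plans,True
old@example.edu,f3,Private notes,False
'''
AFTER = '''Owner,id,name,shared
holding@example.edu,f1,"Budget, FY25",True
holding@example.edu,f9,old@example.edu,False
'''

if __name__ == "__main__":
    print(compare_reports(BEFORE, AFTER))
```

Anything listed under `missing_shared` should be resolved before the source account is deleted; `left_unshared` is the set of files that deletion will destroy.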


Martin Främke

Jan 4, 2025, 2:35:05 AM
to GAM for Google Workspace
Hi,

We have to delete old staff accounts after a while for data protection reasons (we're in the EU).
We move suspended staff accounts into a "to be deleted in 13 months" OU. That OU has a Trust Rule applied which suspends all their file sharing. Everything they have shared becomes unavailable for the share recipients. This is meant to make people aware which files they still rely on (because they lose access to them), and then that can be dealt with. After 13 months (slightly more than "one cycle") we are confident that the suspended user has no critical files and the user can be deleted.
The good thing about the Trust Rule: Once you move the suspended user out of the OU, all file sharing comes back. So if a staffer tells us they lost access to a critical file owned by former staff, we don't even need to deal with the file itself. We just need to move the suspended user temporarily and tell the staffer to make a copy now.
(Credit where it is due: I learned about this Trust Rule concept from the guys at AppsEvents.)

Cheers,
Ma♪ti♫

Ian Crew

Jan 4, 2025, 1:29:16 PM
to google-ap...@googlegroups.com
The problem with Trust Rules is that the items don’t reappear in Shared With Me when you move stuff back out of the blocked OU, so unless your users know the URL of the specific file/folder they need to get access to again, they’re out of luck. 

And yes, that’s a real bug with Trust Rules that I’ve been hammering on Google about for years (with no progress, unfortunately). 

The better overall solution is to habituate the organization that “stuff that needs to stick around belongs in a shared drive, My Drive is only for personal/temporary things, and will be deleted when you leave the organization.”

Cheers,

Ian

--
Ian Crew

Architect, Communication and Collaboration Services
Productivity & Collaboration Services
Berkeley IT
University of California, Berkeley


Cristina Antonelli

Jan 4, 2025, 1:57:40 PM
to google-ap...@googlegroups.com
I am currently deleting accounts after 90 days of suspension and I am creating a manual takeout file for each account so we can keep a copy of the data.

It's time consuming and not ideal if you need to do that to a high number of accounts but is the best we could come up with.

Unfortunately there is no GAM option for this since this is a user initiated action.

Cristina Antonelli
IT Support Specialist - EMEA


Kevin Melillo

Jan 6, 2025, 7:38:04 AM
to google-ap...@googlegroups.com
When we offboard someone we do a one-time document transfer to their manager.  In an educational environment, I am not sure if there is an equivalent that can be done.  After a data transfer, there is an admin panel report (which can be exported) that can get you the document IDs and title of all the documents transferred, so you can keep it as reference in case it is needed to move any documents to the relevant people.



Clinton Foster

Jan 6, 2025, 10:09:59 AM
to GAM for Google Workspace
Thanks everyone! These are good ideas and I'll share these all with my team and see if we can decide what's best for us.