User Offboarding

The common methodology in Microsoft 365 environments from my experience seems to be to convert a user account into a shared mailbox and deal out access to other users. Google doesn't offer that same functionality and their migration tool isn't great if someone's position/data needs to be split among multiple successors.

Table of Contents

• Table of Contents
• Requirements
• Mailbox Data handling
  • 1. Create a group mailbox
  • 2. Take a copy of the users mail with gyb (ensuring only to take mail less than 25MB in size)
  • 3. Restore a copy to the group mailbox
  • 4. Take a full copy of the user mailbox with gyb (regardless of size)
  • 5. Zip a copy of that mailbox and throw it into a team/shared drive
  • 6. Remove yourself as the Owner from the Group Mailbox
  • 7. Add the relevant users inheriting this data as "Contributors" to the Mailbox
• Drive Data Handling
  • 1. Create a Google Shared Drive for the offboarded user
  • 2. Move Data from the user "My Drive" to the "Share Drive"
  • 3. Set access
• Optional reading

---

Requirements

• Got Your Back (Github) - @GAM-team
  • Be sure to set this up with a service account, follow their guide for more info.
• Google Applications Manager - GAMADV-XTD (Github)
  • This guide is great for installing it on a Google Cloud Shell (50 hour quota / 5GB storage / Unlimited Bandwidth - Free each week). You could probably do the same with Got Your Back.

TIP

This can all be done with the user account suspended.

Mailbox Data handling

1. Create a group mailbox

With these properties you'll establish a good and scalable precedent.

Property	Convention	Example
Name	Offboarded User - [User Full Name] (email_prefix) - YYYY-MM-DD	Offboarded User - John Smith (john.smith) - 2023-01-01
Address	offboarded_[emailprefix]@domain.tld	offboarded_john.smith@domain.tld
Group Owner	You
Permissions	Set everything to "Owner"

2. Take a copy of the users mail with gyb (ensuring only to take mail less than 25MB in size)

Open terminal and run the following command (substituting john.smith with the address of the offboarded user, and you with your address (provided you're a workspace administrator))

gyb --email john.smith@domain.tld --action backup --service-account --search smaller:25M

This will start a backup process which exports each email in the users inbox to .eml format in a nicely structured directory, as well as an SQLite database which keeps track of any relevant attributes.

3. Restore a copy to the group mailbox

We're going to take that backup and import it into the aforementioned group with:

gyb  --action restore-group --email offboarded_john.smith@domain.tld --use-admin you@domain.tld --service-account --local-folder /PATH/TO/BACKUP/DIR

This can be a very slow process, about 1 email per 1.5 seconds, can't be helped.

4. Take a full copy of the user mailbox with gyb (regardless of size)

Now we can take a full sized copy of the mailbox.

gyb --email john.smith@domain.tld --action backup --service-account

5. Zip a copy of that mailbox and throw it into a team/shared drive

If you would like to speed this process up and save a lot of space, feel free to utilise the ZStandard compression format, just be sure to have zstd in your PATH.

tar -acvf john.smith.tar.zst GYB-GMail-Backup-john.smith\@domain.tld/

6. Remove yourself as the Owner from the Group Mailbox

7. Add the relevant users inheriting this data as "Contributors" to the Mailbox

Drive Data Handling

::: important If after this, the users account still shows drive storage quota being used, it's likely they have backed up their computer directories using the gogole drive dekstop app function. I don't have a good methodology for dealing with this at the moment. :::

1. Create a Google Shared Drive for the offboarded user

With these properties you'll establish a good and scalable precedent.

Property	Convention	Example
Name	Offboarded User - [User Full Name] (email_prefix) - YYYY-MM-DD	Offboarded User - John Smith (john.smith) - 2023-01-01
Access	You + Offboarded User added as Managers

This can be easily done with:

gam user you@domain.tld create teamdrive "Offboarded User - John Smith (john.smith) - 2023-01-01" adminmanagedrestrictions true asadmin

::: important Be sure to grab the Teamdrive ID, it's a string of random characters output after the generation. :::

Add the offboarded user as a manager

gam add drivefileacl TEAM_DRIVE_ID_HERE user john.smith@domain.tld role organizer

2. Move Data from the user "My Drive" to the "Share Drive"

WARNING

This will retain all the document level IDs and sharing settings, though you will lose directory based sharing (a la, if the user shared a whole folder, that access will be lost).

gam user john.smith@domain.tld move drivefile root teamdriveparentid TEAM_DRIVE_ID_HERE mergewithparent duplicatefolders merge createshortcutsfornonmovablefiles

3. Set access

Remove yourself and the user from being drive managers. Add users who will need this data as contributors at most, this sets a good precedent that they should be working in shared/team drives and not hoarding critical docs in their private storage.

---

Optional reading

See troubleshooting (transferring ownership of orphaned files) for a fix to a rare scenario where you're still seeing drive storage quota in use even though the offboardee drive is empty.