The 7 Best Practices of a World-class G Suite Admin

The other day, I was chatting with my co-founder Hiten Shah.

Our company has been growing and we realized that someone on our team needed to become our dedicated G Suite admin.

Hiten turned to me and asked, “Why don’t you do it?”

What? I’ve never managed G Suite before. What does that even mean? What will I be responsible for?

Like any growing company, roles are constantly expanding, so I said yes without even realizing what I was getting myself into.

I figured that I should do some research on G Suite administrators to understand the common best practices. Luckily, I’ve worked with some great HR and Operations folks at previous companies and reached out to them. Between my research and some operations projects that I’ve been involved in previously, I put together this list of seven best practices so that I didn’t miss anything.

Here are the 7 best practices of a world-class G Suite Admin:

  1. Onboard new users efficiently
  2. Offboard users immediately
  3. Maintain clear differences between employees and contractors
  4. Enforce two-factor authentication
  5. Regularly check for suspicious behavior
  6. Audit users annually
  7. Audit integrations annually

G Suite Admin Best Practices

Let’s go through each.

Onboard New Users Efficiently

When we first step into the G Suite Admin role, new user requests start hitting us right away. We couldn’t dodge these requests even if we wanted to.

Before we know it, we’re getting user requests during meetings, in email, in Slack, and everywhere else.

If we don’t control the requests, we constantly get interrupted and have a difficult time getting our other work done. These requests never include all the info that we need either. How would they? The rest of the team doesn’t know which info we need to create a G Suite account. We then spend way too much time chasing everything down.

The trick to making all this more efficient is to use a new employee form. Since you’re using G Suite, you have full access to Google Forms so it’s easy to create one. Create a new form that requests:

  • First name
  • Last name
  • Personal email (use this as the secondary email address when creating a new G Suite user)
  • Start date
  • Department

G Suite Admin - New Employee Form

Whenever someone completes the form, set it up so you get an email. Google Forms also creates a Google Sheet with all the form submissions so you’ll be able to go to the same Google Sheet each time you onboard a new user. All the info will be waiting for you.

Whenever someone asks you to create a new user on G Suite, tell them to fill out the form. Eventually, everyone will stop asking and go straight to the form. But it takes some time to build that organizational habit. Don’t get discouraged when you have to remind the same people multiple times, that’s totally normal.

By the way, we put together a set of guides to onboarding here if you want to dig deeper.

Offboard Users Immediately

This is probably the most critical task as a G Suite Admin. When folks leave your team, accounts need to get shut down right away. There are too many security risks if the accounts are open longer than necessary. Depending on how the employee is parting, there are a few best practices for how to handle this:

  • If the employee leaves voluntarily and gives notice, shut down their G Suite login at the end of their last day of work. Right about 4pm or 5pm is ideal.
  • If there are layoffs, shut down the G Suite login at the end of the last day for each employee. Be careful about shutting down access before the announcement, otherwise rumors will start to circulate quickly.
  • If the employee is being let go for performance reasons, also shut down the login at the end of the day. If this one happens slightly earlier, that’s okay. Don’t let it happen later though, some employees become disgruntled and can lash out. And if you suspect there will be issues or if there’s a sizable security risk with that person’s role, you can close access as the new is being given.

Coordinate timing with the hiring manager and HR to guarantee that this happens smoothly. Be more paranoid about this task than any other.

There two options on how to shut down G Suite logins.

Suspend a user. This keeps all the documents and emails available but you’ll still be charged for the user on your G Suite account. If an employee leaves and there are a bunch of sensitive documents that you need to transition, this is a good temporary way to close access to the account while you migrate everything.

Delete a user. This permanently removes everything from that user’s account. Documents, email, all of it. Remember that new documents aren’t added to the Team Drive in Google Drive by default so deleting a user destroys every document they’ve created unless they placed it in the Team Drive. It also removes them from your G Suite bill. There are only 20 days to reverse the deletion so make sure you’ve transferred the everything that you want before deleting the account. G Suite doesn’t automatically transfer email or documents when deleting a user, you have to do it yourself using the transfer data features in G Suite.

I also recommend that you take the email of the deleted user and add it as an alias to their hiring manager. Any important email sent to the deleted user will end up in their manager’s inbox. If something is more sensitive, you can always assign the alias to HR or the CEO.

Maintain Clear Differences Between Employees and Contractors

I’ve found this one to sneak up on me a few times.

For any business, it’s really important to keep the distinction between employees and contractors super clear. The IRS has massive penalties for businesses that misclassify employees as contractors.

One of the ways this distinction can get blurred is through G Suite logins. If a contractor has an email account at your company, are they truly a contractor? You might still have a strong case depending on the circumstances but it does add more uncertainty. As a general rule, I prefer to only give employees an email address. I’ll only give contractors an email if there’s a compelling reason.

The bigger the company gets, the more important it is to maintain a completely clear line between employee and contractor. As the G Suite admin, the access that you give to users can impact how people are classified at your company.

Lots of startups will utilize contractors in the early days. Without realizing it, the scope of role and duties expands into a gray area between employee and contractor. Or people move from employee to contractor without having their G Suite login removed. It’s shockingly easy to blur the roles.

Before you know it, you could have a bunch of contractors with G Suite accounts that really shouldn’t have access.

Sit down with your HR and executive teams to define an airtight policy on who gets a G Suite account and under what circumstances. Avoid making exceptions if at all possible. The less that’s up for interpretation later, the better.

Enforce Two-factor Authentication

Out of all the security protocols to adopt, two-factor authentication probably gives you the most security for the least amount of effort.

As the G Suite admin, you have the power to require that all G Suite users use two-factor authentication on their accounts.

I prefer to force two-factor authentication across the company. I’ve tried making it optional in the past and, unfortunately, too many people forget to do it even after I beg and plead multiple times. The only real way to get two-factor authentication adopted is to require it on every login.

The best part is that this is a one-and-done task. Once it’s set up, you never have to think about it again.

If you don’t already have this set up for your G Suite, I’d get it implemented within the next week. It really is that important.

Regularly Check for Suspicious Behavior

With how common data breaches have become these days, the last thing any of us want is to be responsible for a breach at our own company.

As G Suite admins, any breach with G Suite is ultimately our responsibility.

Start checking your file storage, sharing volume, and login activity for any suspicious spikes. You’re looking for trend-breaking behavior that doesn’t follow previous patterns. After a few months of checking, you’ll get an intuitive feel for what normal behavior looks like. Then you’ll be able to spot suspicious activity when it does occur. This could be a sign that a security breach occurred.

Obviously, if you suspect nefarious behavior of some kind, get your HR, IT, and legal teams involved before taking any action.

I recommend that you do these checks once per month. And for a larger company, you may want to do them weekly.

Audit Users Annually

Even with tight processes for onboarding and offboarding, some users will still slip through the cracks.

Someone goes from employee to contractor and still has an email, a developer account for integrations was left active longer than it should, support was moved to Zendesk and no longer needs a G Suite login, the list is endless.

You can’t protect against every edge-case.

Once a year, you’ll want to do a G Suite audit of all your logins. Schedule a recurring reminder at the same time, I call mine the Spring G Suite Cleaning and do it every April.

During an audit, pull a complete list of all the G Suite users and get them into a spreadsheet. I find that it’s helpful to sort all the logins into two categories: people and multi-user accounts. The workflow for verifying each will be a bit different.

For all the people logins, go line-by-line and verify that each person is still an employee. For any that aren’t, shut down the login if they don’t fit the email access criteria that you’ve already defined.

For multi-user logins like press@ or developer@, I always make a habit of verifying that the accounts are still in use. Once I have all of them in my list, I go to the primary stakeholder in the company for the account. For example, I’ll verify with the VP of Marketing that the press@ login still has value. If they say yes for any reason, I mark the login as active and leave it be.

I also like to double confirm the shutdown of multi-user accounts. While the primary stakeholder might not need the account anymore, someone else in the company might be using it. Once I have the full list of all the multi-user accounts that are planned to get shutdown, I compile them into a single list. Then I go to a core group of stakeholders at the company (use your best judgment on who to include) and tell them this:

“I’ve identified the following accounts in G Suite as not in use. Unless I hear otherwise, I’m going to shut them down in 30 days. Please review the list and let me know if you’d like to keep the account active for any reason. The shutdown date will be on [Month, Date, Year]. The full list is here.”

Rarely have I ever had someone raise a fuss at this stage, I usually end up removing all the accounts that I originally identified. It’s a good “last check” though and gives the rest of the team visibility into what’s about to happen.

Audit Integrations Annually

After hearing about a bunch of the Facebook privacy scandals, it occurred to me that I should probably check which applications I had given permission to access my personal Facebook.

I hadn’t checked which applications had access for years.

What I found was a little embarrassing.

Weird quiz apps, a couple of contest apps I must have given permission when I was bored, dating apps that I hadn’t used in ages, and a bunch of other apps that really shouldn’t have access to my personal Facebook data.

Naturally, I shut all those integrations down.

For a business, the exact same thing happens with G Suite.

And it becomes a serious security liability.

Not only is your data vulnerable to your security weaknesses, but it’s also available to anyone that attacks the companies that you’ve integrated with. Keeping security tight internally is hard enough. There’s no reason to make it even more difficult by leaving integrations open that you no longer use. On a regular basis, you’ll want to review all the active integrations to your G Suite account:

G Suite Admin - Audit Integrations

Some teams fight things like this by going overboard. They implement an arduous approval process that prevents teams from integrating anything with G Suite. If you’re a pretty large company, that might be a good idea. But for smaller companies, try to find the sweet spot between control and flexibility.

A good way to balance the two is by giving teams a bit more autonomy while doing regular audits to catch integrations that are no longer being used.

At the very least, audit all your G Suite integrations once per year. Quarterly is even better if you have the bandwidth.