The question I ask business owners in almost every audit: "When was the last time someone left the company?" And then: "What happened to their Google account?"
The answers are almost always the same. Someone left six, eight, twelve months ago. Their account is probably still active. Their Shared Drive access was never reviewed. Nobody checked whether their phone was signed out. And there may be email forwarding rules in place — rules that quietly send a copy of all incoming mail to a personal address — that were never found and removed.
This isn't carelessness. It's that offboarding is logistically busy, emotionally complicated, and nobody has a clear checklist to follow. This article is that checklist.
What actually happens to a Google Workspace account when someone leaves
Nothing — unless you take action. The account stays active, the password stays valid, the sessions on their devices stay open, and their access to every Shared Drive and group they were a member of remains unchanged. If they took their work laptop, they may still be able to log in. If they connected Gmail to their personal phone, that device still has access.
"The average small business has at least one active Workspace account belonging to someone who no longer works there. In most cases, neither party knows it's still open."
The offboarding checklist: what to do and in what order
1 On their last day: suspend the account immediately
Suspension is the right first step — not deletion. Suspending the account blocks all access instantly: email, Drive, Calendar, every connected app. It does not delete any data. All their files, emails, and content remain intact and accessible to admins.
Admin Console → Directory → Users → click their name → More options → Suspend user. Do this at the agreed time on their last day — ideally at the end of their working hours, not while they're still mid-handover.
2 Reset their password and revoke app access
Reset the password even though the account is suspended. This ensures that if you ever reactivate the account for data transfer purposes, they cannot log in with a password they might still remember. Also go to their account → Security → Apps with access to account, then review and revoke any connected third-party apps.
3 Check for email forwarding rules
This is the step most businesses miss. Before or after suspending the account, while you still have admin access to it, check their Gmail settings for forwarding rules. In the Admin Console, you can view Gmail settings for any user. Look under Forwarding and POP/IMAP. If there's an active forwarding rule sending mail to a personal address, remove it immediately.
Reports → Audit and investigation → Gmail log events. Search for "forwarding" to see whether any forwarding rules exist on the account. You can also access their Gmail settings directly if you use domain-wide delegation.
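As an added example (not GetBulwark's own tooling), this Python check goes one step further than the setting named above: it reviews both the account-level forwarding setting and any Gmail filters that forward mail, and marks targets outside the company domain. It assumes you have already fetched the JSON returned by the Gmail API methods users.settings.getAutoForwarding and users.settings.filters.list; the domain, addresses and filter ids are constructed.

```python
COMPANY_DOMAINS = {"example.com"}  # assumption: your Workspace domain(s)


def is_external(address):
    """True when the address is outside the company's own domains."""
    return address.rsplit("@", 1)[-1].strip().lower() not in COMPANY_DOMAINS


def find_forwarding(user, auto_forwarding, filters):
    """List every rule on one mailbox that sends mail somewhere else."""
    findings = []
    # Account-level setting shown under "Forwarding and POP/IMAP".
    target = auto_forwarding.get("emailAddress")
    if auto_forwarding.get("enabled") and target:
        findings.append({"user": user, "kind": "auto-forwarding",
                         "target": target, "external": is_external(target)})
    # Individual filters can forward matching mail as well.
    for flt in filters.get("filter", []):
        target = flt.get("action", {}).get("forward")
        if target:
            findings.append({"user": user, "kind": "filter:" + flt.get("id", "?"),
                             "target": target, "external": is_external(target)})
    return findings


# Constructed sample responses in the shape the Gmail API returns.
SAMPLE_AUTO = {"enabled": True, "emailAddress": "jane.private@gmail.example",
               "disposition": "leaveInInbox"}
SAMPLE_FILTERS = {"filter": [
    {"id": "F1", "criteria": {"from": "billing@supplier.example"},
     "action": {"forward": "accounts@example.com"}},
    {"id": "F2", "criteria": {"query": "invoice"},
     "action": {"forward": "jane.private@gmail.example"}},
    {"id": "F3", "criteria": {"from": "news@vendor.example"},
     "action": {"addLabelIds": ["TRASH"]}},
]}

if __name__ == "__main__":
    for f in find_forwarding("jane@example.com", SAMPLE_AUTO, SAMPLE_FILTERS):
        flag = "EXTERNAL" if f["external"] else "internal"
        print(f"{f['user']}: {f['kind']} -> {f['target']} [{flag}]")
```

Anything flagged EXTERNAL on a leaver's mailbox is a rule to remove before the account is handed over or reactivated.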
4 Transfer their files and email ownership
Google gives you a built-in data transfer tool. In the Admin Console: Data → Data transfer. Select the departing user as the source and a current employee (usually their manager or a designated admin account) as the destination. This transfers ownership of their Drive files and can archive their Gmail.
Don't skip this step. When you eventually delete the account — which you should do after a retention period of 30–60 days — any files still owned by that account and not in a Shared Drive will be permanently deleted with it.
5 Remove them from Shared Drives and Groups
Suspended accounts cannot access Shared Drives, but cleaning up membership now means you don't have a long list of ghost users in your Shared Drive member lists. Go through each Shared Drive → Manage members → remove the departed user. Do the same for Google Groups.
6 Sign out all active sessions
In the Admin Console, under the user's account, you can sign them out of all active sessions across every device. This is particularly important if they used a personal phone or laptop that you cannot physically retrieve. Do this as part of the suspension process on their last day.
7 After 30–60 days: delete the account
Once you're satisfied the data transfer is complete and there are no outstanding items tied to the account, delete it. Keep a record of when accounts are deleted — this is relevant to GDPR compliance, as you should not retain personal data longer than necessary.
What to do right now if you've never done this properly
Go to your Admin Console → Directory → Users. Look at the full user list. Are there accounts for people who no longer work there? Check their status — are they active or suspended?
For any former employee with an active account: suspend them now. Today. You can do the rest of the checklist at your own pace, but access should be revoked immediately. Every day an active account exists for someone who no longer works for you is an unnecessary risk — particularly if the departure wasn't on good terms.