The Google Workspace Offboarding Master Checklist
A 25-minute Google Workspace offboarding checklist with real GAM commands. Hour-zero to day-30 actions to stop data loss, token leaks, and empty seats.
TL;DR
A clean Google Workspace offboarding takes about 25 minutes if you have the checklist. A botched one costs you legal exposure, missing data, and sometimes a personal Drive holding the only copy of a strategy document nobody else has seen. Most offboardings get botched because they’re done by HR in a rush on someone’s last afternoon. This is the operator’s checklist we run at OSH, with the GAM commands that make it repeatable.
Setting up rather than tearing down? The Google Workspace onboarding checklist is the sister piece: same operator’s-eye view, applied to day one instead of day last.
Why offboarding goes wrong
The same reasons every time. None of them are technical.
HR is doing it instead of IT. HR’s job is to revoke the door card, get the laptop back, and process the final salary. They don’t know what 2SV recovery codes are, they don’t know what an OAuth grant is, and they shouldn’t have to. When HR handles the Workspace side, the obvious things get done (account suspended, password changed) and the silent things get missed: active sessions still live on a personal phone, an OAuth grant to Zapier still pulling data, mail delegation to a former colleague still active.
It’s also usually rushed. Standard pattern: exit interview at 4pm on a Friday, somebody emails IT at 4:45pm asking to “shut down their account please”, IT clicks suspend and goes home. Monday morning, calendar invites are bouncing because nobody set forwarding, the manager realises the customer-renewal sheet was on the user’s My Drive, and the laptop hasn’t been wiped because nobody told the MDM.
And there’s rarely a checklist. Each leaver is handled differently depending on who’s on duty. Some get a clean Drive ownership transfer. Some get archived to a Vault-only licence. Some get fully deleted, along with the only copy of a contract draft. The audit trail is whatever Slack messages someone can find six months later.
The fix is not complicated. It is a checklist, run the same way every time, with GAM doing the parts that don’t scale through clicks.
The 25-minute checklist
Work across four time windows. Hour zero is the moment HR confirms the departure (which might be days before the last day for a friendly leaver, or right now for someone fired on the spot). Day 1, day 7 and day 30 catch the things hour zero can’t.
Hour zero: lock the door
Before the user has a chance to do anything regrettable, or before someone else does it on a stolen session: do these in order. The whole block takes under ten minutes if GAM is ready.
Sign out every active session. The most important step, and the one HR-driven offboardings always skip. A password reset doesn’t kill active sessions. The user’s laptop, phone, and any browser they left logged in at home still hold valid session cookies.
gam user user@domain signout
That command revokes all active web sessions across every Google service. Combined with the password reset below, the user cannot get back in.
Reset the password to a long random string.
gam update user user@domain password random
The random keyword tells GAM to generate a long random password and apply it. Nobody, including IT, can now log in as this user.
Revoke 2SV backup codes and remove security keys. A leaver with a printed sheet of backup codes is a future incident.
gam user user@domain turnoff2sv
gam user user@domain delete backupcodes
Set the out-of-office auto-reply (the Gmail vacation responder). Inbound mail and meeting invites to a defunct address need to go somewhere informative. Set it now, while the mailbox is still live, before you suspend.
gam user user@domain vacation on subject "I have left the company" \
message "I am no longer with the company. Please contact manager@domain for any matters previously handled by me."
(Check the GAM documentation for your install version for the exact option names.)
Wipe corporate data from mobile. If the user has Workspace mobile management, Hexnode, or Intune over the same fleet, push the corporate wipe command now, before the suspend, while the device can still authenticate to the management server.
gam print mobile query "email:user@domain"
gam update mobile <resourceId> action account_wipe
Take <resourceId> for each of the leaver’s devices from the first command’s output. account_wipe removes the managed account and its data and leaves personal data alone; action wipe is a full factory reset. If you also run Hexnode or Intune, push the corporate wipe from there too.
Revoke all OAuth grants. Every “Sign in with Google” the user ever used (Slack, Trello, Asana, that AI summariser someone installed last year) holds a token that survives a password change and a session signout. The token is the back door.
gam user user@domain show tokens
gam user user@domain deprovision
Run the first command and save the output before running the second. You may need it for later auditing. The second command revokes every OAuth token the user granted, and with them the user’s application-specific passwords and remaining backup codes.
Check shared drive manager roles. Anything in a shared drive doesn’t technically belong to the user, but the user may be the only manager of a shared drive. Add a replacement manager (yourself or the line manager) before you suspend. Manager in the admin console is organizer in the API; take <sharedDriveId> from the first command’s output.
gam user user@domain show teamdrives role organizer
gam user user@domain add drivefileacl <sharedDriveId> user manager@domain role organizer
Audit delegations, filters and forwarding. The user might have any of:
- A mail-forwarding rule pointing at a personal Gmail (rip it out; that’s a privacy risk)
- A mail-routing rule sending supplier confirmations to a shared inbox (preserve it; that’s an operational dependency)
- A Gmail delegation giving an EA access to their inbox (decide: drop or migrate)
- A calendar share with their PA (decide: drop or migrate)
gam user user@domain show forward
gam user user@domain show filters
gam user user@domain show delegates
gam user user@domain print sendas
Read the output. Decide what to keep, what to kill. Document the decision in the offboarding ticket. We’ve lost weeks recovering from a deleted “send-as alias” that turned out to be the address every supplier invoiced.
Day 1: tag, transfer, redirect
Hour-zero damage control is done. Time for the orderly transitions.
Suspend the account. Suspension keeps the licence consumed but blocks login. It’s the right state for a user you’re about to transfer Drive content from. Do not delete yet.
gam update user user@domain suspended on
gam update user user@domain ou "/Suspended Users"
Move the user into a dedicated OU (/Suspended Users) so policy applies in one place: no sharing, no creation, receive-only.
Transfer My Drive content. The user’s My Drive is owned only by them. When the account is deleted, that content is gone unless you transfer it first. This is where the strategy document on the personal Drive gets rescued or lost forever.
gam create datatransfer user@domain drive manager@domain
Check the transfer status before you proceed:
gam show datatransfers oldowner user@domain
We’ve hit this failure mode: the offboarding script ran before the Drive transfer completed. The user got deleted, the transfer bombed because the source no longer existed, and the My Drive was orphaned. Confirm done before you go further.
Set inbound mail handling. Auto-reply alone isn’t enough. A calendar invite six months later lands in the void if there’s no forwarding. Pair the auto-reply (already set at hour zero) with a forwarding rule.
gam user user@domain add forwardingaddress manager@domain
gam user user@domain forward on manager@domain keep
The keep action preserves the original message in the leaver’s mailbox: suspended and unread, but searchable via Vault.
Transfer calendar ownership.
gam user user@domain show calendars
gam calendar user@domain add owner manager@domain
Confirm OAuth revocation held. Re-check that no third-party app silently re-authenticated overnight.
gam user user@domain show tokens
Output should be empty.
Day 7: catch the ones you missed
Check Vault retention applied. If the user’s mail or Drive falls under any retention rule, confirm Vault is holding that content. If a litigation hold is pending or possible, place it now, before deletion. Once deleted, content outside Vault retention is gone. Holds are listed per matter, so look for user@domain among the accounts each hold covers.
gam print vaultholds
Re-run the delegation scan. Anything that reappeared (because a delegated user re-delegated back, or a synced filter restored from a stale device) should be killed.
gam user user@domain show forward
gam user user@domain show filters
gam user user@domain show delegates
Audit the suspended-user licence cost. A suspended user still consumes a paid Workspace licence. If you leave suspended accounts hanging “just in case” for months, you’re paying full Business Standard or Plus rates for an empty mailbox.
gam print users query "isSuspended=True"
For tenants that need to retain ex-staff mail but don’t need active access, drop the user to an Archived User licence (cheaper, mail-only, no active sign-in). Business Plus and Enterprise support this.
gam update user user@domain archived on
Confirm Drive transfer completed.
gam show datatransfers oldowner user@domain
Day 30: final disposition
Thirty days is long enough for “wait, where’s the X file?” panics to surface. After that, the risk of deleting too early drops sharply.
Two choices for final state:
- Delete the user. Account gone, licence freed, mail and Drive purged subject to Vault retention. Right for users with no compliance retention requirement and a clean Drive transfer.
- Keep on archived licence. Account remains, no active login, mail and Drive frozen, much cheaper. Right when retention rules require keeping mail accessible for a defined period.
gam delete user user@domain
If you already moved to the archive licence on day 7, nothing more to do.
Clear remaining shared assets. Calendar resources the user owned, group memberships where they were the only owner, third-party app admin rights where they were the named contact.
gam print groups member user@domain
gam user user@domain show calendars
Run a final verification sweep.
gam info user user@domain
gam print users query "email:user@domain"
If the user is fully deleted, the second command returns empty. That’s the goal state. Document it in the offboarding ticket. Close the ticket.
The failure modes we see in the wild
Three patterns recur. All are preventable with the checklist.
The Drive transfer that didn’t run. Engineer suspends the user, schedules deletion in 30 days, but the Drive transfer either silently failed or was never queued. On day 30 the user gets deleted and the My Drive evaporates. Confirm transfer status with gam show datatransfers before deletion.
The calendar invite still bouncing six months later. Vacation responder was set at hour zero but no forwarding rule. Customers send meeting invites, get the “I have left” auto-reply, assume their counterparty got the message. The manager never sees the invite. Always pair the auto-reply with a forwarding rule to the manager.
The OAuth grant nobody revoked. User leaves, account suspended, password reset, but the user installed a third-party Drive backup app three years ago with a long-lived OAuth token. The app continues syncing their old Drive content (now the manager’s, post-transfer) to the user’s personal Dropbox. We’ve seen this surface six months later when the Dropbox got hacked and the data leaked. Run gam user user@domain deprovision at hour zero, no exceptions.
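The checklist above is a sequence of commands typed one at a time. The same steps as a small script, added here as an example (this is not OSH’s own tooling): the hour-zero block runs in the checklist’s order with evidence saved to a ticket directory before anything is revoked, day 1 queues the Drive transfer and pairs forwarding with the auto-reply, and the day-30 deletion is gated on the transfer reporting completed, which closes the first failure mode above. Assumptions: the GAM verbs are the ones used in the checklist (signout, deprovision, vacation, create datatransfer, print datatransfers oldowner), the TICKET_DIR location, and the column names in the constructed datatransfers sample, which mirror the Data Transfer API field names; check them against the header row your install prints.

```shell
#!/bin/sh
# offboard.sh: hour-zero lockdown, day-1 transitions and the day-30 deletion
# gate from the checklist, wrapped so they run the same way for every leaver.
# Added example, not OSH's production script. Assumes the GAM / GAMADV-XTD3
# verbs used in the checklist (signout, deprovision, vacation, datatransfer).
set -eu

TICKET_DIR="${TICKET_DIR:-./offboarding-evidence}"   # assumption: evidence filed here

# Constructed sample of `gam print datatransfers` output, used to exercise the
# gate below. Column names are assumed from the Data Transfer API; check the
# header row your install prints and adjust transfer_status() if they differ.
SAMPLE_TRANSFERS='id,oldOwnerUserEmail,newOwnerUserEmail,overallTransferStatusCode
AAAAAAAA,alice@example.com,manager@example.com,completed
BBBBBBBB,bob@example.com,manager@example.com,inProgress'

# Read a datatransfers CSV on stdin; print the overall status of the last
# transfer whose old owner is $1, or "none" if no transfer exists for them.
transfer_status() {
  awk -F, -v who="$1" '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
    $(col["oldOwnerUserEmail"]) == who { st = $(col["overallTransferStatusCode"]) }
    END { print (st == "" ? "none" : st) }'
}

# Read addresses (one per line) on stdin; print those outside domain $1.
# Run it over the saved forwarding/delegate listings: an external hit is the
# "personal Gmail" case the checklist says to rip out.
external_addresses() {
  awk -F@ -v dom="$1" 'NF == 2 && tolower($2) != tolower(dom) { print }'
}

# Hour zero: evidence first, then lock the door in the checklist's order.
hour_zero() {
  user=$1; manager=$2
  mkdir -p "$TICKET_DIR"
  gam user "$user" show tokens    > "$TICKET_DIR/$user-tokens-before.txt"
  gam user "$user" show forward   > "$TICKET_DIR/$user-forward.txt"
  gam user "$user" show delegates > "$TICKET_DIR/$user-delegates.txt"
  gam user "$user" signout
  gam update user "$user" password random
  gam user "$user" turnoff2sv
  gam user "$user" deprovision      # ASPs, backup codes and OAuth tokens
  gam user "$user" vacation on subject "I have left the company" \
    message "I am no longer with the company. Please contact $manager."
}

# Day 1: suspend, queue the Drive transfer, pair forwarding with the auto-reply.
day_one() {
  user=$1; manager=$2
  gam update user "$user" suspended on
  gam create datatransfer "$user" drive "$manager"
  gam user "$user" add forwardingaddress "$manager"
  gam user "$user" forward on "$manager" keep
}

# Day 30: refuse to delete until the Drive transfer reports completed.
delete_when_transferred() {
  user=$1
  st=$(gam print datatransfers oldowner "$user" | transfer_status "$user")
  if [ "$st" != "completed" ]; then
    echo "refusing to delete $user: Drive transfer status is '$st'" >&2
    return 1
  fi
  gam delete user "$user"
}

# Usage: ./offboard.sh hourzero|dayone user@domain manager@domain
#        ./offboard.sh delete user@domain
if [ "$#" -ge 2 ]; then
  case "$1" in
    hourzero) hour_zero "$2" "${3:?manager address required}" ;;
    dayone)   day_one "$2" "${3:?manager address required}" ;;
    delete)   delete_when_transferred "$2" ;;
    *) echo "usage: $0 hourzero|dayone|delete user [manager]" >&2; exit 2 ;;
  esac
fi
```

The gate is the point: delete_when_transferred exits non-zero and leaves the account in place whenever the transfer is still inProgress, failed, or was never queued, so a scheduled day-30 run cannot orphan a My Drive. The saved tokens and forwarding listings are the audit trail the ticket needs.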
Where this fits in the broader Workspace operation
Offboarding is one of several quarterly hygiene checks alongside DMARC drift, OAuth audit, and SKU rightsizing. Before scripted offboardings run cleanly, the tenant has to be modelled correctly: OUs aligned to your org, shared drives owned by the right team, retention rules that actually fire.
If you’re on the wrong SKU and don’t have Vault, the offboarding story is worse. No retention safety net, and the “delete on day 30” decision is one-way. Our Google Workspace SKUs guide covers the licence-tier choice in detail. Vault sits at Business Plus and above: it’s the difference between a regulator-friendly offboarding and a regulator-hostile one.
For the GAM tooling itself, the Taming GAM and GAMADV-XTD3 course on Taming.Tech is the structured curriculum. The commands above are a working subset; the course covers install, OAuth setup, error handling, scripting patterns and bulk operations.
Get OSH to run this for you
Most of the SMEs we manage send us a one-line ticket: “user@ has left, please offboard.” We run the 25-minute checklist, confirm the Drive transfer, set forwarding to the named manager, archive or delete on the schedule that matches your retention policy, and close the ticket with an audit log of what was done.
Your manager-of-record gets the leaver’s Drive content and inbound mail. Your auditor gets a paper trail.
If your current offboarding process is “HR pings IT, IT clicks suspend, everyone hopes for the best”, we should talk.
Book a Workspace fit assessment or browse the full OSH service catalogue.