Automatically Suspend Inactive Users in Google Workspace

Jason Huang
Last update: May 10, 2023
No Comments

Suspending inactive users is an important step in maintaining the security, compliance, and cost-effectiveness of your Google Workspace environment. In your massive corporate user list, it's not uncommon to find "zombie" user accounts once a while. You may not remember who they are and why they aren't active. These inactive user accounts exposes your IT administration in risk.

Definition of Inactive User

An Inactive User in this article is a user who didn't sign in for a set amount of time, e.g. 30 days. It's a concept from this article, not from Google. Not to confuse with Admin Console's user status, which is one of 3 states, Active, Suspended and Archived.

Inactive Users in G Suite — Inactive Users in Google Workspace

Google automatically signed any Google Workspace user out of Google service after two weeks, aka control session length, that more or less protects your organization's data. In Google Workspace Business, Enterprise, Education and Cloud Identity Premium tiers, the control session length is configurable from 1 hr to 30 days or never expires, see Set session length for Google services.

Google session control in Admin Console > Security

Having that said, this article's main focus is beyond the session control.

On one hand, these inactive users is a security concern. Although the sessions expire, those inactive users are still accessible with correct login credentials. If the user left the company and the account associated was not terminated, the corporate data is at risk.

On the other hand, taking care of these inactive user accounts is manual and time consuming. You have no time to track and clear these zombie accounts. Deleting hundreds or thousands inactive accounts manually is not fun.

Foresight, an automation building tool for Google Workspace, has the capability to address this IT security issue.

Demo

In this demo, we create an automation rule that watches inactive users whose last login time is exact 30 days ago. For example, if today is 2020/09/01 then any users who most recently signed in at 2020/08/02 will be suspended. The rule also appends an Email action so you receive an email notification for such change.

Instructions

The automation rule is easy to build. Follow these steps,

Sign into Foresight.
Go to Rules.
Click button at the bottom right to initiate a new automation rule.
In the Select a trigger page, click the User turned inactive trigger.
Click Sign in with Google button to grant Foresight permission to connect with your Google service. You also need to be an admin role that have privileges to manage users.
In Inactivity timeout field, input the days after which users are regarded as inactive. 30 days? 60 days? 6 months? It's up to you.
Click NEXT.
In the Select an action page, click the Suspend user action.
Click Sign in with Google button to grant another permission for this action.
In the Primary email field, type {{ to populate the variable menu. Select User Primary Email variable. This variable is the primary email of inactive user passed from the User turned inactive trigger.
(Optional) Add an Email action to notify yourself for such user status change.
1. Click ADD NEXT ACTION in the Suspend user action
2. Choose Email action
3. Specify your own email or any parties who shall be informed.
4. Fill in the email content.
Click REVIEW.
Input a name for this automation rule.
Click CREATE.
You are all set. The rule looks like
Foresight is actively watching your user directory and automatically suspends inactive users for you.

Notes

You may not immediately see any notifications from Foresight because there were no one who signed in exactly 30 days ago. But someone signed in 29 days ago will trigger the rule tomorrow if s/he still does not sign in by then.
Those users who already passed the inactivity timeout before you set up the rule will never trigger the rule. In another words, if you set the timeout as 30 days, users who last signed in at 31 days ago or 45 days ago would never knock the door.
Ensure inactivity timeout is longer than session length. That a user signed in 1 month ago does not mean s/he was not using Google services, if you set the session length as never expire.
Another use case: Automatically delete inactive users. If you intend to delete inactive users instead, replace the Suspend user action with a Delete user action. The configuration remains the same.
Suspend existing inactive users whose last sign-in time is more than X days. Since Foresight version 4.1.0, we added an Also include existing inactive users (not recommended) option in User turned inactive to accommodate this. The downsize is those existing inactive users will be reported and trigger every day if they are not suspended or deleted.

What's more?

This is one of many time-saving techniques Foresight help you with. You may also like Suspend Google Workspace users by Schedule, Delete Google Workspace users by schedule or Automated Welcome Email to Google Workspace New Users.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments

Inline Feedbacks

View all comments

Unleash the power of automation and shape the future of intelligent digital workspace.

Products & Services

Company

Contact

xFanatical, Inc.

8780 19th St

Ste 458

Rancho Cucamonga, CA 91701

United States

[email protected]

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site’s analytics report. The cookies store information anonymously and assigns a randomly generated number to identify unique visitors. This cookie is installed the first time a visitor enters the website through a browser. When the visitor comes back to the website through the same browser, the cookie will consider them to be the same visitor. Only in the event that the visitor changes browser, will they be deemed to be a different visitor.
_gat_gtag-###	1 minute	This cookie is installed by Google Analytics. It is used to analyze visitor browsing habits, flow, source and other information.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected includes the number of visitors, the source where they have come from, and the pages visited in an anonymous form.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
__Secure-1PAPISID	2 years	Used by for targeting purposes to build a profile of the website visitor's interests in order to show relevant & personalized Google advertising
__Secure-1PSID	2 years	Used by for targeting purposes to build a profile of the website visitor's interests in order to show relevant & personalized Google advertising.
__Secure-3PAPISID	2 years	Used by for targeting purposes to build a profile of the website visitor's interests in order to show relevant & personalized Google advertising.
__Secure-3PSID	2 years	Used by for targeting purposes to build a profile of the website visitor's interests in order to show relevant & personalized Google advertising.
_gcl_au	3 months	This cookie is set by Google Analytics to take information in advert clicks and store it in a 1st party cookie so that conversions can be attributed outside of the landing page.
1P_JAR	1 month	This cookie is installed by Google Ads. This cookie is used to collect site statistics and track conversion rates.
APISID	2 years	This cookie is used by Google to store user preferences and information while viewing Youtube videos on this site.
HSID	2 years	This cookie contains digitally signed and encrypted records of a user’s Google Account ID and most recent sign-in time. Google uses security cookies to authenticate users, prevent fraudulent use of login credentials, and protect user data from unauthorized parties.
LOGIN_INFO	2 years	This cookie is used by YouTube (Google) for storing user preferences and other unspecified purposes.
NID	6 months	NID cookie, set by Google, is used for advertising purposes; to limit the number of times the user sees an ad, to mute unwanted ads, and to measure the effectiveness of ads.
PREF	2 years	This cookie is used by YouTube (Google) for storing user preferences and other unspecified purposes.
SID	2 years	This cookie contains digitally signed and encrypted records of a user’s Google Account ID and most recent sign-in time. Google uses security cookies to authenticate users, prevent fraudulent use of login credentials, and protect user data from unauthorized parties.
SIDCC	1 year	This cookie carries out information about how the end user uses the website and any advertising that the end user may have seen before visiting the said website.
SSID	2 years	This cookie is used to save the user's preferences and other information.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	6 months	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	This cookie is used by YouTube to remember user input and associate a user’s actions. This cookie lasts for as long as the user keeps their browser open.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.