So you are a Google Workspace admin and have found out that some of your users have unmanaged Google accounts that are using your managed Google Workspace domain name. This can happen for a few reasons:
- The user had a free Google account before you switched your domain over to Google Workspace.
- You have split delivery of email and not all your users are on Google Workspace. To interact with users on Google Workspace, the users who are not on it need to have an unmanaged Google account.
- The user took advantage of a feature in Gmail that lets a user put the ‘+’ character after their user name to create more email addresses. To explain: if my email address on Gmail is firstname.lastname@example.org, I have unlimited email addresses that I can use by just adding a ‘+’ and some extra text after my user name. For example, I could sign up for Facebook using the email address “email@example.com” and all emails to this address will be delivered to my firstname.lastname@example.org Gmail inbox. The user can then create rules that specifically target this email address with absolute certainty that it came from Facebook. It is a very useful feature, but wise users within your managed domain could use this feature to sign up for an unmanaged Google account.
Explanation of Reasons
The first reason is the most common way your managed domain may have unmanaged Google accounts in it. When you signed up for Google Workspace for email@example.com, if they have an existing unmanaged Google account, their unmanaged Google account would get changed to firstname.lastname@example.org. Google does this to preserve the data in the unmanaged Google account and give the user a chance to move that data to a new Gmail address or to migrate their data out and delete the account. When these users log in for the first time after their managed account is created, they should get a prompt like so:
If they choose Organizational G Suite account they will go into their managed Google Workspace account. If they choose Individual Google Account they will be taken to their email@example.com unmanaged Google account and presented with this screen:
You will need to have each user make sure they have no data that is important in their account and delete it. Have the user select “Do this Later” and have a look at their account to see what data is there. Once you are happy there is no data that is important in Drive or other Google services, you can delete the account.
Like most small orgs, you are trying to cut costs. There is no way to manage unmanaged Google accounts in this fashion, except that after a user leaves you can get access to the account to delete it.
This could happen by accident or be done by a malicious user in your organization. If user firstname.lastname@example.org departs from the organization, you would normally delete or revoke access to their account. The problem is that if the user created an unmanaged Google account using email@example.com, the departed user would still have access to this unmanaged account. If this happens, there is only one way to manage these unmanaged accounts:
Taking Control of an Unmanaged Google Account
Because you own the domain and you are an admin, you can use the Unmanaged Users Tool: https://admin.google.com/ac/unmanaged
This page will give you a list of all the unmanaged users that exist with your domain name. Once you find a user that should be deleted:
- Add their email address to yours as an alias (only the part before the +)
- Open an incognito window and go to https://accounts.google.com and log in as them with the full firstname.lastname@example.org
- Choose forgot password. It might ask for an old one; just choose another way. It should ask if you want to send an email. Say yes to this option.
- You should receive the code in your inbox. Type it in and continue.
- If it asks for a telephone number, just put your own in to get the SMS code and verify that.
- You should now have access to the account, and you can look for org data and delete the account when finished.
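Before working through accounts one by one, it helps to sort the list from the Unmanaged Users Tool by the three reasons above. The script below is an added example, not part of the original post: it assumes you have the unmanaged, managed and departed addresses as plain lists, and `example.org`, the function names, the labels and the sample data are all constructed for illustration.

```python
DOMAIN = "example.org"  # assumption: placeholder for your managed domain

def split_plus(address):
    """Split an address into (base address without '+tag', tag)."""
    local, _, domain = address.strip().lower().rpartition("@")
    base, _, tag = local.partition("+")
    return f"{base}@{domain}", tag

def classify(address, managed, departed):
    """Return a triage label for one unmanaged address (labels are this example's own)."""
    base, tag = split_plus(address)
    # Reject other domains and malformed input with an empty user name.
    if not base.endswith("@" + DOMAIN) or base.startswith("@"):
        return "skip: not on managed domain"
    # A leaver's unmanaged account survives deletion of the managed one.
    if base in departed:
        return "urgent: belongs to departed user"
    if tag:
        return ("plus-address of managed user" if base in managed
                else "plus-address, no managed owner")
    if base in managed:
        return "conflicts with managed account"
    return "no managed counterpart"

def triage(unmanaged, managed, departed=()):
    """Label every unmanaged address, urgent ones first, then alphabetical."""
    managed = {a.lower() for a in managed}
    departed = {a.lower() for a in departed}
    rows = [(a, classify(a, managed, departed)) for a in unmanaged]
    return sorted(rows, key=lambda r: (not r[1].startswith("urgent"), r[0]))

if __name__ == "__main__":
    # Constructed sample data, not taken from a real tenant.
    unmanaged = [
        "alice@example.org",        # free account that predates Workspace
        "bob+drive@example.org",    # plus-address sign-up by a current user
        "carol+files@example.org",  # plus-address sign-up by someone who left
        "dave@example.org",         # split-delivery user, not on Workspace
    ]
    managed = ["alice@example.org", "bob@example.org"]
    departed = ["carol@example.org"]
    for address, label in triage(unmanaged, managed, departed):
        print(f"{address:28} {label}")
```

Accounts labelled urgent are the ones a departed user can still sign in to, so they are the first candidates for the takeover steps above.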
© Caspan 2021