Google Vault OU Matter

alexgrutza
Contributor III

Trying to set up an accidental deletion Vault policy on an OU (for the Gmail service), and it's giving me an unidentified error. Has anyone else set up an OU-based "Hold"?


I have a similar accidental deletion Vault policy+hold for specific user accounts that don't reside within the above mentioned OU, that works as expected.

I'm just having an issue when I want to protect against the deletion of accounts within a specific OU.

--
CISSP | LinkedIn | @Phyxiis

5 REPLIES

Kim_Nilsson
Admin Moderator

Hi Alex,

First off, you should not set up "holds" for something like this. A Hold is only supposed to be temporary, for some legal incident, relevant for only a short period of time.

What you are trying to accomplish is part of Default and Custom Retention rules, which are supposed to be permanent.

Default Retention is used to set up a basic fail-safe for accidental deletions, where Custom Retention is where you really decide how long user content should be available, even after voluntary deletion.

--
https://wheretofind.me/@NoSubstitute

We have default retention set up for all services as Indefinite. Deleting an account within an OU (that we want to not allow accounts to be deleted from) deletes its associated Vault data as well, so the default retention rule doesn't work.

The goal is to remove the ability of all Admins (or DWD services/provisioning) to delete accounts from Google that A) are of specific accounts as listed and B) protect the entire OU where our "service accounts" are housed.

If you have a solution to both A and B, I'd be glad to know how to remove the ability of accidental deletion of accounts. Note that the solution would require even the Super Admin(s) not to be able to delete accounts within specific OUs or specific individual users.

Edit: the only way to protect an account from deletion as far as I'm aware is to put a Hold on it

--
CISSP | LinkedIn | @Phyxiis

Aha, now I get it!

Accidental deletion of users!

Well, then you are already doing the right thing, as that is the consequence of a legal Hold.

A user affected by a Hold should be blocked from deletion.

If you need to block an entire OU, then you need to configure the Hold so it catches the content of all users in that OU.

--
https://wheretofind.me/@NoSubstitute

Yeah sorry about that! I will open a case with Google because it gives an error when trying to put a hold on an entire OU.

--
CISSP | LinkedIn | @Phyxiis

alexgrutza
Contributor III

Incognito fixed the issue.

--
CISSP | LinkedIn | @Phyxiis