TO DELETE OR NOT TO DELETE

How to manage student's accounts after they leave the district. One of the conversations that I have been having with schools lately is what to do with student accounts once the students have graduated (or left the district). There is not a simple answer to this question, but there are elements to consider in making your final decision. Ultimately, there should be a board policy established to define this and then you as the administrator should put procedures in place to implement that policy.

First, you must decide what your end goal is for the student. Most districts want to give the student an opportunity to transfer their email and their data from their school account to a personal account. Google provides a mechanism for doing this. See this support article titled “Allow graduating students to transfer their data.”

Some districts want to allow a graduating senior to continue to have access to their email after graduation because they may have used their school email on their college applications and need to have access to this to communicate with the colleges and universities that they have applied to attend. This is reasonable, but it may be better to help the student transition to their own personal Gmail account to eliminate any opportunity for misuse of the account after the student has no connection with the district other than as an alumnus.

There can be a challenge to keeping the account after graduation that is driven by what happens to the student data within the student information system. Many districts handle this differently, but here is what I see most frequently. Within two weeks after graduation, the student’s status changes in some way. Some mark the student as withdrawn, some change their enrollment status to GR for Graduate, while others change their grade from 12 to 13. This grade 13 option can be beneficial with automation because we can then move the student account into a different OU in the local directory that then drives the user to be moved into a different OU in Google. This Graduate OU can be configured to only have access to Gmail and Drive and have all other applications turned off.

If the students are kept in the system for any time after state reporting is no longer needed, they are very likely purged from the system when the “rollup” to the next school year is done. For example, in Ohio, this is typically done in the first two weeks of August. Again, if you are using an automated process to manage your student accounts, it should be disabling any account that is no longer enrolled or no longer present in your student information system.

Disabling the accounts in your local directory and then having them suspend in Google when the student no longer needs them is a good first step. Then the question becomes, how long do you keep them and do you ever delete them entirely from your system. This is where we need to understand some consequences of different ways to handle this.

First, an account that is deleted from Google is only recoverable for 20 days after deletion. After 20 days, nothing can be done to recover it, but the data associated with the account could still be retrieved from the vault. There are some caveats to the 20 days. The data is still recoverable if the email hasn’t been given to someone else as a primary address, email alias or been assigned to a group.

Second, an account that is suspended can stay suspended for any amount of time. Email, documents, calendars and other data are not deleted, but Google+ posts and comments might be deleted after 30 days. See more information here. 

If you choose to keep the account suspended in Google for an indefinite period of time and you are using Google Cloud Directory Sync to synchronize your local directory with Google, you need to consider keeping the account present but disabled in your local directory. This accomplishes two things.

First, it makes sure that if this is not a graduating student, if the student returns, the data associated with the Google account stays connected to the proper account in your local directory. Your student automation process should be able to ensure that it has a way to track this back to the studentID so that if the studentID remains the same, everything goes back to normal if the student re-enrolls in school.

Second, this ensures that another student with the same name doesn’t inherit someone else’s data when they enroll in school. If the account was suspended in Google, it doesn’t show active. If a new local directory account was created with the same name, it has the potential to connect with an old Google account with the same email address. This shouldn’t happen because GCDS uses an index file with a .tsv extension to store the objectGUID from the local directory to connect the account in Google, but if this file is deleted and allowed to recreate, it can reconnect accounts that should not be attached.

The means that you should keep the local directory account as long as you keep the Google account. If you want to delete, you should do it from both systems at the same time. There is not a simple way to multi-select accounts in Google and delete them, but you can use the open source command line tool named GAM to automate the deletion process from Google (or at least perform this in one large batch process). 

You should not keep accounts around forever unless you have a naming standard that is guaranteed never to repeat or duplicate. Otherwise, if you are using an automated process for creating your student accounts, you will start experiencing more and more tie-breakers as you accumulate a longer history of students in your system. This would never be an issue with a naming standard like Larson12345 (where 12345 is my studentID) as long as your studentID’s are never recycled or reused. Many of the districts that I work with use something like 18Klarson as a naming standard (where 18 is my graduation year, K is my first initial and Larson is my lastname). Repeated occurrences of this name might not be as frequent but Miller, Smith or Jones may encounter this much more often. This can be hard enough with currently enrolled students; we don’t want to have to factor in the last 10 years of students that have been enrolled.

Finally, choose a timeframe for suspending accounts that are no longer associated with a currently enrolled student. Then determine how long you will keep that account before it is permanently deleted, but you must eventually delete it.

For more information, check out our blog posts on Google OU's and Automation and Sync’ing AD (Active Directory) groups with Google

Looking to take the hassle out of Student Provisioning?