Home / Playbook / Access

Playbook · Access

Logins that don't come back to bite you.

How to let someone go without losing their emails. What to do when an ex-employee still knows the passwords. And how to make sure you never get locked out of your own accounts. No scare tactics — just straight answers.

Quick reason to trust me here: adding and removing people the clean way is a big part of my day job — I run the logins for a large company, from someone's first day to their last. I've seen every way this goes sideways, including the outage that taught me to always check what breaks before you touch a shared password. This is that same know-how, shrunk down to what a business your size actually needs.

How do I remove an employee from Google Workspace without losing their emails?

Don't hit delete. The admin panel makes "delete" the big obvious button — but delete wipes out the person's Gmail and Drive for good, about 20 days later. Do it in this order instead:

  • Suspend the account first — locks them out, keeps everything
  • Sign them out of every device and change the password
  • Move their files off their Drive, and forward their email (or hand it to someone else)
  • Take them out of any groups and shared tools
  • Then, once the data's safely moved, delete the account and stop paying for the seat

Microsoft 365 works the same way — its files (OneDrive) get wiped about 30 days after you delete.

The catch: "delete" is the button they show you. It's also the one that eats your data.

Should I delete or suspend when someone leaves?

Suspend first. Every time. Suspending shuts the person out the same minute, but keeps all their stuff safe — the only downside is you're still paying for their seat for a bit. Deleting stops the bill, but it also erases their email and files for good once the grace window runs out.

So on day one, suspend to cut off access. Then grab anything the business needs. Only delete once you're sure there's nothing left to lose.

The catch: most people don't know "suspend" is even a choice.

My ex-employee still has our passwords — what do I change first?

Change every shared password they knew. Start with the ones that touch money, email, and customer info — and any account whose password hasn't changed since they walked out the door.

The real fix is to stop sharing passwords in the first place. Give each person their own login, and keep the shared ones in a team password manager. Then cutting someone off is one click, not a scramble to change a dozen passwords.

Study after study finds a scary number of ex-employees can still log in — for the dumbest reason: nobody ever changed the password.

The catch: shared passwords, and no step that changes them when someone leaves.

A former employee has our 2FA on their phone.

If your account asks for a code after the password — that's two-factor — and their phone is where that code shows up, you're not stuck. An admin can reset it from the Google Admin or Microsoft (Entra) settings — that kicks their phone off as the second factor, and you set up a new one.

This is exactly why you never let one person's personal phone be the only thing standing between you and your account. And why the owner keeps a set of backup codes somewhere safe.

The catch: the second login step lived on one personal phone, and nobody else could touch it.

I'm the only admin and I got locked out of 2FA.

Honest answer: getting back in is slow, and it might not work at all. So the real fix is to never be in this spot.

Every business should have at least two admins — two people who can get into the account. Plus a "break-glass" account: a spare admin login you only crack open in an emergency, with its own strong password and its backup codes printed and stored offline. Google and Microsoft both tell you to do this.

Set it up now, while you can. Once the phone's lost and you're the only admin, all that's left is a support line and a lot of waiting.

The catch: one admin, no backup way in.

An ex-employee owns our Google listing and won't hand it over.

This happens when someone sets up a business account under their own personal login, and they're the only owner. To get it back, use the platform's "request ownership" process — heads up, it kicks off a waiting period — and be ready to prove the business is really yours.

The fix so this never happens again: every business account — your Google listing, Facebook and Instagram pages, your domain, your socials — should be owned by an account the company controls, with at least two owners. Never one employee's personal login. (More on that over on ownership.)

The catch: a business account built on one person's personal login.

Everyone logs into the same info@ email — is that bad?

Yeah, it is. When everybody uses one login, there's no way to tell who did what — and anyone who leaves still has the keys until you change the password.

Both Google Workspace and Microsoft 365 have a better way: a shared mailbox. The whole team can send from that one info@ address, but everyone signs in as themselves. Now you can see who sent what, and losing one person is a clean, one-step removal.

The catch: one shared login means you can't tell who's who. It also breaks your automations the moment someone changes the password.

Should we share passwords — and what's the best way?

Try not to. Texting a password around, or keeping them in a spreadsheet, means you can't cut off one person, and you can't tell who used what.

The clean way is a team password manager — think shared folders, one for each part of the business (a couple bucks a person). You hand out access and take it back in a click, and one person leaving doesn't put everything at risk.

And when a login truly has to be shared, use the platform's own shared mailbox feature instead, so each person still signs in as themselves.

The catch: passwords passed around by hand — nothing to revoke, no record of who did what.

How I'd approach it

One person, one account. Two admins, always. A simple list for hello and goodbye.

Here's the small-team version of how the big companies keep this clean. Everybody gets their own login, and only the access they actually need — your bookkeeper doesn't need the keys to everything. Passwords live in a team password manager, not a shared spreadsheet. That second login step goes on every account, but never tied to just one person's phone. You keep a backup admin so you're never locked out. And team files live in team folders, so they don't walk out the door when someone quits. Your automations get their own logins too, not a real person's.

Then two short lists carry the load: a goodbye list (suspend → sign out → move their files → take them off everything → change shared passwords → then delete) and a hello list for new folks. Plus a one-page map of who holds which keys — so before you ever change a shared password, you already know what it'll break.

Sleep easier

Worried about who still has access to what?

Just tell me who's left lately, or which logins you're all sharing, and I'll walk you through cleaning it up — so nobody, current or former, can lock you out or walk off with your accounts.

Help me lock it down →