Most frequent questions and answers about Google Workspace Archive User License SKU
As of today, Google does not provide option to assign (or unassign) Google Workspace Archive license via Google Cloud Directory Sync (GCDS).
However, You may consider following as a prospective solution for now-:
- Exclude your “Archived_Users” Org Unit from GCDS.
- Create a cron job which calls Directory API to list users in your Archive_Users Org Unit.
- Search within this list to find users who are still active.
- Make a patch API call with archived=true to archive these active users.
Please watch the video above where I show how you can exactly do that with Google Apps Script (I have provided the script as well for you to copy and use).
It is not, and unless am missing something, it does not make sense either.
Why would you create a user with archive state?
You can only assign Google Workspace Archive User license to an active Google Workspace Business OR Google Workspace Enterprise user.
If the concerned user is part of an Organizational Unit which has automated license assignment turned on, then yes, license will be assigned automatically upon unarchiving the user, otherwise not.
Your requirement -: Our user has left, we have assigned him Google Workspace archive license, but we want to migrate his data to some other Google Workspace user in our domain, how can do that?
You can do that, but let me explain it a bit.
IMAP stops working (even if it is enabled) for archived user, so to migrate archived user’s data, you have 2 options-:
1. Migration Option One-:
(i) Change user’s password.
(ii) Migrate the data via data migration service (available within Google admin console for free or other migration services offered by Google)
(iii) Assign Archive user license once migration in completed.
2. Migration Option Two-:
(i) Assign Archive User License
(ii) Use any 3rd party migration tool which migrates via GMAIL API instead of IMAP, prominent ones are Migrationwiz and Cloudmigrator.
Detailed Question asked in Ok Goldy FB group-:
I would like to know what is the difference between VFE (Vault Former Employee) license and Google Workspace Archive User (AU) license apart from the point that AU costs the company.
Like what more does AU offers which VFE doesn’t? Anything special in terms of vault retention and auditing?
Also, when we migrate a user from VFE to AU, what are the changes we see?
I think VFE was more like an adjustment, but AU is a well planned SKU.
AU allows you to do a bit more, like running DLP scans which you can’t do with VFE.
No difference between the retention policies as they are still controlled by Vault on both.
You would need to manually assign AU licenses to users when migrating from VFE, though AU can’t be handled with Directory Sync for now, but Directory API has a property called isArchived = true or false which you can leverage to do this in bulk (script is provided in this post above).
VFE would also be going away, and AU would be streamlined to manage leaving users data, so it can also be considered as an upgraded version of VFE.
I tested this, I SSHed into my GCP linux instance, and then archived this Google Workspace user, in less than couple of minutes I lost connection to the instance.
I started seeing this message then and couldn’t reconnect to the instance-:
Transferring SSH keys to the VM.
The key transfer to project metadata is taking an unusually long time. Transferring instead to instance metadata may be faster, but will transfer the keys only to this VM. If you wish to SSH into other VMs from this VM, you will need to transfer the keys accordingly.
Click here to transfer the key to instance metadata. Note that this setting is persistent and needs to be disabled in the Instance Details page once enabled.
You can drastically improve your key transfer times by migrating to OS Login.
Also, ideally I think recommendation would be leverage os login to give ssh
Ask it in the comments below, and I would try to answer it (if i can) as soon as I get time.