A Google Workspace tenant can operate for years with inherited defaults, old exceptions, former administrators, unused applications, and unclear sharing rules unless the business performs a structured review.
Use a Structured Review
Do not review the Admin console by clicking random menus. Create a checklist, assign owners, record current settings, identify risks, approve changes, test outcomes, and document the final configuration.
Complete a formal review at least annually, with higher-risk access, administrators, security, and sharing reviewed more frequently.
1. Organization Profile and Contacts
Review the organization name, support contacts, time zone, language, administrator notifications, and company information.
Confirm that alerts, billing notices, renewals, domain notices, and support communications do not go only to a former employee or unattended mailbox.
2. Domains and DNS Ownership
Review the primary domain, secondary domains, domain aliases, verification status, and unused domains.
Confirm access to the registrar and DNS provider, renewal settings, recovery contacts, and strong authentication outside Google Workspace.
Google Workspace access does not replace domain ownership access
Maintain independent control of the domain registrar and DNS account so the organization can recover from tenant or email problems.
3. Super Administrators
Inventory every Super Admin account, owner, purpose, 2-Step Verification method, recovery information, and last use.
Maintain enough protected Super Admin accounts for redundancy while assigning narrower delegated roles for routine work.
4. Delegated Administrator Roles
Review predefined and custom roles, organizational-unit scope, vendor access, reseller access, inactive administrators, and excessive privileges.
Remove temporary roles and document every retained assignment.
5. User Accounts
Review active, suspended, archived, and recently deleted users. Confirm manager, department, organizational unit, aliases, licenses, and employment status.
Investigate unknown accounts, generic shared identities, test accounts, and accounts without an active owner.
6. Organizational Units
Review the hierarchy, parent-child structure, inherited settings, overrides, inactive organizational units, and users placed at the wrong level.
Simplify unnecessary layers and document the purpose of each retained unit.
7. Configuration and Access Groups
Review configuration-group priority, access groups, membership, owners, nested groups, expired pilots, and exceptions.
Confirm which settings or services each group controls.
8. Licensing
Review automatic licensing, manually assigned licenses, unused subscriptions, suspended users, additional storage, security add-ons, and reseller-managed products.
Confirm that licensing supports the features the organization depends on and that users are not receiving unnecessary editions.
9. Password and 2-Step Verification
Review whether users can enroll, which organizational units are enforced, the enrollment period, approved methods, administrator requirements, backup codes, and recovery procedures.
Investigate unenrolled users, exceptions, application passwords, and outdated methods.
Do not enforce a sign-in change without recovery planning
Protect administrators, test a pilot group, communicate the deadline, and prepare lost-device support before broad enforcement.
10. Gmail Authentication
Review SPF, DKIM, and DMARC for every sending domain. Inventory websites, marketing platforms, customer systems, payroll, scanners, and vendors that send as the organization.
Correct unknown or retired senders and increase DMARC enforcement carefully.
11. Gmail Safety and Spam Settings
Review protections for spoofing, authentication, attachments, links, external images, spam, bulk mail, blocked senders, and approved senders.
Remove broad allow rules that bypass normal filtering without a current technical justification.
12. Gmail Routing and Compliance
Inventory routing, default routing, inbound gateways, outbound gateways, recipient maps, compliance rules, journaling, archiving, and migration settings.
Assign an owner and business purpose to every rule. Remove obsolete vendor and migration configurations.
13. Gmail Forwarding and Delegation
Review automatic forwarding, filters, delegated mailbox access, send-as addresses, and group-based mail workflows.
External forwarding should require documented approval and periodic review.
14. Google Groups
Review group owners, managers, members, external users, aliases, posting permissions, conversation visibility, collaborative inboxes, dynamic groups, and security groups.
Identify groups that grant access to shared drives, calendars, applications, or sensitive communication.
15. Drive External Sharing
Review organization-wide sharing, allowlisted domains, visitor sharing, link sharing, warnings, ownership transfer, and user ability to publish content.
Apply stricter rules to sensitive populations through supported organizational-unit or configuration-group settings.
16. Shared Drives
Inventory shared drives, managers, members, external users, content managers, business owners, and inactive drives.
Confirm that organizational documents are stored in the correct shared drive rather than depending on one employee's My Drive.
17. Drive Applications and Offline Access
Review desktop synchronization, offline access, third-party Drive applications, file creation, download controls, and endpoint requirements.
Confirm how data is protected on personal and unmanaged devices.
18. Calendar
Review internal and external sharing defaults, event-detail visibility, resource calendars, appointment schedules, shared calendars, and former owners.
Limit broad public or external visibility when it is not required.
19. Google Meet
Review recording, transcription, attendance, external participants, joining restrictions, dial-in, live streaming, safety controls, and storage according to edition.
Apply settings that match the organization's meeting, privacy, and retention requirements.
20. Google Chat and Spaces
Review external chat, spaces, history, file sharing, applications, retention, and organizational-unit service status.
Confirm whether contractors and external users can join spaces containing sensitive information.
21. Additional Google Services
Review services outside the core Google Workspace applications, such as YouTube, Google Ads, Google Cloud, and other Google products.
Turn off services that the organization does not approve or manage access through documented organizational units and access groups.
22. Marketplace Applications
Inventory administrator-installed and user-installed Marketplace applications. Review vendor, owner, users, scopes, data access, support, and current need.
Remove abandoned or duplicate applications and review domain-wide installations.
23. OAuth and API Controls
Review trusted, limited, blocked, and unconfigured applications, sensitive scopes, restricted scopes, domain-wide delegation, service accounts, and tokens.
Assign owners and remove applications without a current business purpose.
24. Single Sign-On
Review third-party identity-provider configuration, certificates, domains, user scope, recovery access, and administrator bypass or recovery procedures.
Test the process for identity-provider outage and certificate expiration.
25. Mobile and Endpoint Management
Review enrolled devices, ownership, operating systems, screen locks, encryption, account access, lost-device actions, endpoint verification, and inactive devices.
Remove devices belonging to former employees and unsupported systems.
26. Chrome Management
When used, review managed browsers, extensions, policies, sign-in restrictions, updates, organizational units, and approved applications.
Remove unauthorized or abandoned extensions with broad access.
27. Context-Aware Access
For supported editions, review access levels, device requirements, internet addresses, geographic conditions, application assignments, administrator access, and exceptions.
Test the recovery path before changing high-impact policies.
28. Audit Logs and Investigation
Review login, administrator, Drive, Gmail, OAuth, device, group, and application events according to edition.
Confirm retention, search capability, export needs, investigation roles, and documented triage procedures.
29. Alerts and Notification Rules
Review the Alert Center, email notifications, security rules, administrator alerts, device alerts, phishing alerts, and escalation destinations.
Assign primary and backup owners and test delivery.
30. Data Retention and Recovery
Review Google Vault where licensed, service retention, deleted-user procedures, Drive restoration, Gmail restoration, shared-drive recovery, and independent backup requirements.
Test recovery rather than assuming retention settings provide a complete backup.
31. Support and Reseller Information
Record the customer identifier, reseller, billing contact, support process, authorized contacts, and subscription ownership.
Store critical recovery information securely outside Google Workspace.
32. Documentation and Change Management
Maintain a settings register with the service, setting, current value, scope, owner, reason, approval, implementation date, validation, and next review.
Document emergency changes and remove temporary exceptions after the incident.
Google Workspace Settings Review Checklist
- Review organization, domain, billing, and support contacts.
- Inventory Super Admin and delegated administrator access.
- Review users, organizational units, groups, and licenses.
- Review passwords, 2-Step Verification, and recovery.
- Validate Gmail authentication, safety, routing, and forwarding.
- Review Drive sharing and shared drives.
- Review Calendar, Meet, Chat, and additional services.
- Review Marketplace, OAuth, API, and single sign-on access.
- Review devices, endpoints, Chrome, and Context-Aware Access.
- Review logs, alerts, retention, backup, and recovery.
- Assign owners and remove expired exceptions.
- Document changes and the next review date.
Frequently Asked Questions
How often should Google Workspace settings be reviewed?
Review administrators, high-risk access, alerts, and sharing at least quarterly. Complete a comprehensive formal review at least annually and after major changes or incidents.
Should every default setting be changed?
No. Change settings only to meet a documented business, security, privacy, legal, or operational requirement.
What should be reviewed first?
Start with Super Admins, 2-Step Verification, users, Gmail authentication, forwarding, Drive sharing, OAuth applications, alerts, and recovery.
When Professional Support Helps
Professional support can perform a structured Google Workspace review, identify high-risk settings, document the environment, implement approved corrections, and establish recurring administration checks.
Need help applying this?
Manage Google Workspace with confidence.
J3 Systems Group LLC can configure the Admin console, administrator roles, users, organizational units, groups, licensing, service settings, and supporting administration procedures.