Manage a user's security settings

If you have the legacy free edition of G Suite, upgrade to G Suite Basic to get this feature. 

As an administrator for your organization's G Suite or Cloud Identity service, you can view and manage security settings for a user. For example, you can reset a user's password, view and revoke security keys for 2-Step Verification, and reset a user's sign-in cookies.

Open a user's security settings

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console dashboard, go to Users.
  3. In the Users list, find the user. If you need help, see Find a user account.
  4. (Optional) To check whether the user is enrolled in 2-Step Verification, view the real-time status in the 2-Step Verification enrollment column.

    Tip: If you don't see this column, click More Settings and then Select columns.

  5. Click the user’s name to open their account page.
  6. Click Security


    Find the security section close to the top of the details

  7. View or manage the user's security settings by following the steps below.

View and manage a user's security settings

Reset the user's password
  1. Click Password and then Reset Password.
  2. Choose to automatically generate the password or enter a password.

    By default, password minimum length is 8 characters. You can change password requirements for your organization.

  3. (Optional) To view the password, click Preview Preview .
  4. (Optional) To require the user to change the password, ensure that Ask for a password change at the next sign-in is On On.
  5. Click Reset.
  6. (Optional) To paste the password somewhere, such as in a Hangouts Chat conversation with the user, click Click to copy password.
  7. Choose to email the password to the user, or click Done.
Determine if 2-Step Verification is in use

Only the user can turn on 2-Step Verification.

  1. Go to the 2-Step Verification section to see if it's on.
  2. (Optional) click 2-Step Verification and then Turn off Turn off.
  3. (Optional) To view the user's backup verification codes, click 2-Step Verification and then Get backup verification codes.
  4. If the user doesn't have backup codes, tell them to follow the instructions in Sign in using backup codes.

If the user is required to use only a security key, you'll see the grace period that's left before they need to use their security key to sign in.

View and revoke security key access to the user's Google Account

A security key is a small device that lets you sign in to a Google Account using 2-Step Verification. It plugs into your computer's USB port or connects to your mobile device using Bluetooth®Learn more

Tip: You can order a discounted security keyusing your Google Account.

To view the security keys enrolled for the user, click Security keys.

To enroll a security key for 2-Step Verification, choose an option:

  • Tell the user to add the key by following the instructions in Add a security key to your Google Account.
  • Add the key for the user:
    1. Click Add Security Key
    2. Follow the on-screen instructions.
    3. Click Done.

    If you add a key for a user, they don't need to register their phone number to enroll the key.

Note: You can require users to use security keys with 2-Step Verification.

To prevent a user from using a security key for 2-Step Verification, unenroll the key:

  1. Point to the key in the table.
  2. Click Revoke Remove and then Remove.
  3. Click Done.

    The Admin audit log adds an entry each time you revoke a security key.

Require the user to change their password

If you suspect that the user's password has been stolen, you can force the user to reset their password when they next sign in.

  1. Click Require password change and then Turn on Off.
  2. Click Done.

After the user resets their password, this setting is automatically set to Off.

Temporarily turn off a login challenge

If Google suspects an unauthorized attempt to sign in to a user's account, a login challenge appears before access to the account is granted. The user must enter a verification code that Google sends to their phone. Or, the user can choose to answer another challenge that only the account owner can solve.

If the authorized user can't verify their identity, you can briefly turn off the login challenge to allow the user to sign in:

  1. Click Login Challenge and then Turn off for 10 mins.
  2. Click Done.
Reset the user's sign-in cookies

If a user loses their computer or mobile device, you can help prevent unauthorized access to their Google Account by resetting their sign-in cookies. This signs the user out from all HTTP sessions, including G Suite.

To reset the user's cookies:

  1. Click Sign-in cookies and then Reset
  2. Click Done.

It can take up to an hour to sign the user out of current Gmail HTTP sessions. The time for other applications can vary.

View and revoke application-specific passwords

To see application-specific passwords (app passwords) the user created, click Application-specific passwords

To remove a password:

  1. Click Revoke Revoke and then Revoke.
  2. Click Done.

If needed, you can tell users to set up and remove their own app passwords.

View and revoke third-party applications connected to the user's Google Account

To see the third-party applications that have authorized access to the user's Google Account, click Connected applications. Learn how authorized access works.

Under the Application column, you can see the applications that the user has granted access to their Google data. Under the Access level column, you can see the user data that the service can access. A user can grant full or partial access to Google data.

To revoke access to a service:

  1. Click Remove Remove and then Remove.
  2. Click Done.

Note: You can revoke service access only after it's been granted. You can't preemptively block users from granting access to specific apps.

Was this article helpful?
How can we improve it?