Security best practices for administrator accounts

Follow these best practices to improve the security of your administrator accounts and by extension, of your business as a whole.

Protect admin accounts

Require a second authentication factor for admin accounts

If someone manages to get the admin password, 2-Step Verification (2SV) helps protect the account from unauthorized access. It’s especially important for super admins to use 2SV because their accounts control access to all business and employee data in the organization.

Use security keys for 2-Step Verification

There are several 2SV methods, including security keys, Google prompt, Google Authenticator, and backup codes. Security keys are small hardware devices that are used for second factor authentication. They help to resist phishing threats and are the most secure form of 2SV.

Don’t use a super admin account for daily activities

Super admins can manage all aspects of your company’s account and can reset another’s password.

Super admins should use a separate user account for day-to-day activities. They should only sign in to their super admin account when they need to perform specific super admin duties, such as configuring 2SV or helping another admin recover their account.

Don’t stay signed in to a super admin account

Staying signed in to a super admin account when you aren’t doing specific administrative tasks can increase exposure to phishing attacks. Super admins should sign in as needed to do specific tasks and then sign out.

Manage super admin accounts

Set up multiple super admin accounts

A business should have more than one super admin account, each managed by a separate individual. If one account is lost or compromised, another super admin can perform critical tasks while the other account is recovered.

Create per-user super admin role accounts

If there are multiple super admins and each uses to sign in, you can’t see which super admin is responsible for activities in the audit log. Each super admin should have an identifiable admin account.

For example, if Maria and James are super admins, they should have per-user super admin role accounts and user accounts:

Set admin privileges to protect user privacy

By default, administrator accounts in your organization have access to user content and activity records for Google Workspace services—for example, Gmail and Chat activity records in audit logs. As a super admin, you can help protect your users’ security and privacy by limiting admins only to those privileges that are required for regular use.

For example, you might want to limit the number of admins in your organization who have access to reports and audit logs, the investigation tool, the security dashboard, and the Meet quality tool. For instructions on turning privileges on or off for these services, see Set admin privileges to protect user privacy.

Delegate daily admin tasks to user accounts

To encourage using a super admin account only when needed, delegate normal day-to-day administrative operations to user accounts. For example, you could delegate a frequent activity such as resetting passwords to a user account but allow only super admins to delete an account.

When delegating admin privileges, use the model of least privilege. In a model of least privilege each admin has access only to the resources and tools they need for their typical tasks in the day-to-day account.

Monitor activity on admin accounts

Set up admin email alerts

Monitor admin activity and track potential security risks by setting up admin email alerts for certain events, such as suspicious sign-in attempts, compromised mobile devices, or changes by another admin.

When you turn on an alert for an activity, you receive an email each time that activity happens.

Review the Admin audit log

The Admin audit log is another tool to monitor admin activity. The Admin audit log shows a history of every task performed in the Google Admin console, which admin performed the task, the date, and the IP address where the admin signed in.

Activity from the super admin appears in the Event Description column as _SEED_ADMIN_ROLE, followed by the username.

Prepare for admin account recovery

Add recovery options to admin accounts

Admins should add recovery options to their admin account.

If an admin forgets their password, they can click the Forgot password? link on the sign-in page and Google will send a new password via phone, text, or email. To do that, Google needs a recovery phone number and email address for the account.

Gather information for password reset

If a super admin can’t reset their password using email or phone recovery options, and another super admin isn’t available to reset the password, they can contact Google Support.

To verify identity, Google asks questions about the organization’s account:

  • The date the account was created.
  • Original secondary email address associated with the account (email used to sign up).
  • Google order number associated with the account (if applicable).
  • Number of user accounts created.
  • Billing address linked to the account.
  • Type of credit card used and its last 4 digits.

Google also asks the admin to verify the DNS ownership of the domain, so the admin needs to have the credentials to edit the domain DNS settings with their registrar.

Enroll a spare security key

Admins should enroll more than one security key for their admin account and store it in a safe place. If their primary security key is lost or stolen, they can still sign in to their account.

Save backup codes ahead of time

If an admin loses their security key or phone (where they receive a 2SV verification code or Google prompt), they can use a backup code to sign in.

Admins should generate and print backup codes in case they’re needed. Keep backup codes in a secure location.

Set up an additional admin

If an admin can’t sign in to their admin account, another admin can generate a backup code for them so they can sign in using 2SV.

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue