Get started: Vault administrators

Welcome to Google Vault! This guide will walk you through the steps to get Vault up and running for your organization.

Important: Vault won't preserve data until you complete these steps. You must choose a default retention rule and/or custom retention rule as described in Step 5 in order for Vault to retain your data.

Before continuing, make sure that:

  • You are a G Suite super administrator for your organization; only super administrators can complete the steps in this guide.
  • You have G Suite, G Suite for Education, or Google Drive Enterprise.
  • Vault has been purchased for your organization (G Suite Basic only).

Click each step below to learn how to complete it.

1. Assign Vault licenses (G Suite Basic only)

Vault is included with most G Suite editions, but it's an add-on for G Suite Basic customers. You can assign licenses to everyone (full-domain licensing) or to just a subset of people (partial-domain licensing).

  1. Consult with people in your organization who understand its business and legal requirements to decide who needs a Vault license.
  2. Follow the steps in the full-domain or partial-domain licensing article.
2. Control who can sign in to Vault

You can control who in your organization sees the Vault service in their account. Keep the following in mind:

  • Turning Vault on or off has no effect on which accounts are archived by Vault. All user accounts with Vault licenses can be archived.
  • This setting has no effect on which accounts can change retention rules, search for data, or perform other Vault functions. Users must have appropriate Vault privileges to work with Vault.
  • If you choose ON for everyone, the Vault icon appears in everyone’s list of apps. Some users may be confused by the presence of an app that appears to be nonfunctional. If your domain has organizational units, we recommend you restrict access to organizational units that have Vault privileges.

To allow users to sign in to Vault:

  1. Sign in to the Admin console.
  2. On the dashboard, click Apps, then click G Suite.
  3. Click Vault and choose one of the following options:
    • ON for everyone: everyone in your organization can access Vault.
    • ON for some organizations: only organizational units that you specify can access Vault. Learn more about creating OUs.
    • OFF: no one in your organization can access Vault.
3. Grant privileges to authorized employees

Grant privileges to employees who you want to create retention rules, place litigation holds, or perform investigations. This step is not mandatory for the initial setup of Vault.

  1. Understand the various privileges that you can grant users.
  2. Follow the steps in the Grant administrator privileges article.
4. Sign in to Vault
After purchasing Vault or starting the 30-day trial, we recommend that you wait 30 to 60 minutes before signing in to If you sign in immediately after purchase, you might not see all the areas of Vault that you have access to.

Now that Google Vault is enabled and licenses have been assigned in the Admin console, sign in to Vault by doing the following:

  1. Go to
  2. Sign in with your G Suite username and password.

Other authorized employees in your domain will sign in to Vault the same way after you've given them access.

5. Set your organization's default retention period for archiving

Set default retention policies to control how long data is archived before being permanently expunged from user accounts and all Google systems. Your organization should have policies to cover the amount of time data should be retained. We recommend that you consult your organization's legal team when you set up retention rules.

Learn how retention works.

  1. In Vault, click Retention in the left navigation.
  2. Under Default retention rule, click a product.

    Note: Drive Enterprise customers can't set retention rules for products other than Drive.
  3. Check the Set a default retention rule box.
  4. Choose how long to keep messages or files:
    • Choose Indefinitely to permanently retain data. Click Save to create the default retention rule. You're done!
    • Enter a number of days, from 0 to 36,500:
      • Mail, Groups, and Chat messages—days from when the message was sent. 
      • Drive—days from when the file was either created or last modified.  
  5. Choose what to do with data past the duration you selected:
    • Choose the first option to expunge just the messages or files that users have already deleted
    • Choose the second option to expunge all messages and files. This includes data that's in users' inboxes and Drives. It also includes data that has already been deleted. 
    Vault immediately starts the process of purging data that exceeds the retention coverage period as soon as you submit a new rule. This can include data users expect to keep. Do not continue to the next step until you're sure the rule is configured correctly. 
  6. Click Continue.

Important notes:

  • What happens after you set default retention rules: Unless a custom rule or hold applies to them, data is preserved according to the default retention rule.
  • What happens when a user deletes a message or file: The message is removed from that user's account. However, when the default retention rule or a custom rule applies, the message or file is still available in Vault for the remainder of the retention period.

Google Vault is now up and running! Vault will preserve your domain's data as specified in the retention rules you configured. Learn more about the default retention rule and custom rules.

Was this article helpful?
How can we improve it?