Get started with Google Vault

Before you make any changes to your Google Vault configuration, read the instructions in this article carefully. You'll need to complete your transition steps and familiarize yourself with Vault settings before you get started.

During your transition from Google Message Discovery (GMD) to Vault, Google automatically transfers your users, messages, retention policies, and more. During this process, your email flow continues without interruption, and you can sign in to GMD to search your archive. When your GMD migration is complete, your Postini administrator will receive a confirmation email message from Google.

Final steps to complete your GMD transition

Before you get started with Vault, you'll need to complete your final GMD transition steps. To complete your transition, do the following:

  • Change your MX records.
  • If you use Exchange journaling, configure your Exchange server to forward journal messages to Vault.
  • Remove the ‘indefinite’ retention policy that was created in Vault during your service transition.
  • Route your outbound email through Google Apps.
  • Remove your Postini inbound gateway.
Sign in to Vault

You can sign in to Vault only if your organization's Google Apps administrator has granted you access to the service. See Understand and grant Vault privileges for more information. You can then give access to other employees in your domain.

Vault administrators without a Vault license may be unable to sign in. As a workaround, have your Google Apps administrator temporarily disable and then re-enable Vault access

To sign in to Vault:

  1. Go to
  2. Sign in with your Google Apps username and password.

    Note: You should be able to use the same username and password that you used for Postini. If your password cannot be transferred during your service transition, we’ll send a new temporary password to your account’s administrator.
Get started: Vault administrators

To get started with Google Vault, see the Vault help center, Get started: Vault administrators, and Vault Investigator Quick Start Guide.

For details about the differences between Postini archiving and Vault, see the sections below.

Get started: Vault users

Your company can allow specific users in your domain to manage matters, place holds, create retention policies, or perform any other functions in Vault. Instead of granting full Vault management privileges to those users, your company can limit what they can do or view in Vault by granting them a subset of privileges.

If you have not done so already, ensure that your Vault users have the required privileges to access Vault. You’ll need to do this from the Google Admin console. For instructions, see Understand and grant Vault privileges.

For help with getting your users started with Vault, see Get started: Vault users.

Apps user accounts, Vault licenses, and Vault privileges

Google Apps user accounts

  • During your service transition, Google will create accounts for users that do not already exist in Google Apps. If you already have Gmail users, those users will keep the same accounts while non-Gmail customers will have accounts created for each user.
  • If a Google Apps user account exists for a Postini user before the transition, then an additional VFE account will be created under certain conditions. See the Former employee accounts section below for more information.

Vault licensesTo use Vault and have their data archived in Vault, your Google Apps users need to have a Vault license. During the GMD service transition, transitioned GMD users are automatically given Vault licenses so that they can use Vault and have their data archived in Vault (see Vault licenses below for more details).

Vault administrator privilegesPostini archiving privileges are also mapped over to Vault. A Google Apps user with a Vault license will have the ability to search Vault, manage matters, and create holds if they are assigned certain Vault privileges (see Vault administrator privileges below for more details).

Former employee accountsAccounts for former employees are created in Google Vault during your transition. These accounts will use the new Vault Former Employee (VFE) license. This is a $0 license, and a Google Apps license is not required. All former employee users will have “VFE.x.” prepended to their user name to signify former employees -- for example:,, and

The VFE account is created because GMD data cannot be mapped to the existing Google Apps account with certainty. Even if a Google Apps user account exists for a Postini user before the transition, then an additional VFE account will be created to archive GMD data if the user’s Postini account is in one of the following states:

  • Postini account is Inactive
  • Postini account is Active, Postini archiving is disabled, and archive data exists
  • Postini account is Deleted
  • Postini account is Suspended
  • Apps account has too much traffic to be able to accept archive traffic
  • Apps account is a group, not a user
  • Apps account is a reserved username (postmaster@, abuse@)
  • Large user mailbox that requires sharding
See the Vault Former Employee licensing FAQ for more information about using and obtaining VFE licenses.
Note: Google Vault does not support catchall archiving, that is, archiving for users who are not provisioned in Google Apps.

To review the users in your account:

  1. Sign in to the Google Admin console.
  2. Click Users.
Vault licenses

Each user whose data you will want to search, hold, export, or retain in Vault must have a Vault license, and each user who will have administrator privileges must also have a Vault license. You can assign Vault licenses to individual users or organizational units (partial-domain licensing) or to all users in a domain (full-domain licensing).

Important: Do not delete or unlicense a user without understanding the results of those actions. If you unlicense a user, that user is no longer searchable in Vault; holds on the user's data will be removed; retention policies will no longer apply to the user's data; and email or chats deleted by the user will be purged from Google's systems. See these FAQs for information about Vault licenses.

To review and/or assign your Vault licenses:

  1. Sign in to the Google Admin console.
  2. Click Billing.
  3. Under Google Vault, click the Manage Licenses icon on the right side of the screen.
  4. Click the Manage Licenses tab, and then assign Vault licenses:
    • To all users in a domain (full-domain licensing):

      Select auto-assign the following license to all currently unassigned users and users subsequently created, then choose Google Vault in the drop-down menu. Click Save changes.
    • To organizational units (partial-domain licensing) or individual users:

      Deselect Auto-assign the following license to all currently unassigned users and users subsequently created, and click Save changes. Then, assign licenses in the Unassigned users tab, filtering by List to assign licenses to individuals, or by Org to assign licenses to the users that are in a specific organizational unit at that time. As new users are added to that OU in the future, ensure you have added a license to their account.
Vault administrator privileges

During your service transition, your Postini archiving privileges are mapped over to Google Vault. If you have not done so already, ensure that your Vault users have the required privileges to access Vault.

Admin roles for Vault are assigned in the Google Admin console, so you’ll need to sign in to the Admin console to review and manage your privileges. There are several default system Admin roles, or you can create a new role. See Assign administrator roles to a user for information about default and custom roles in Google Apps. See also Understand and grant Vault privileges.


  • Users should have the newly assigned role within a few minutes. However, in some cases, assigning the role can take up to 24 hours.
  • You can grant privileges to multiple users at once. See Grant administrator privileges for more information.
  • The default Super Administrator role has full privileges to access Vault.

To manage Vault privileges:

  1. Sign in to the Google Admin console.
  2. Click Users.
  3. Find and click the user account to open up its information page.
  4. Click Show more at the bottom of the page and then click Admin roles and privileges.
  5. Click Manage roles.

During your service transition, Postini privileges map to Vault privileges as shown in the following table. For details about how privileges work in Vault, see Understand and grant Vault privileges.

Postini authorizations/privileges Google Apps and Vault privileges

Organization Management > Advanced Applications > Message Archiving

This is a Postini Admin Console setting that enables a Sys Admin to turn archive on or off and set the Retention duration by OU.

Ensuring that a user’s data is being managed by Vault is done via the Billing menu in the Google Admin console.

Configuring retention policies requires permission to Manage Retention Policies in the Vault UI.

Archive Security Administration

This privilege in Postini granted full access to all the functions of the Archive UI.

The default Super Administrator role has the equivalent full access.

You can also create a custom role that has all eight Vault privileges to include:

  • Manage Matters
  • Manage Holds
  • Manage Searches
  • Manage Exports
  • Manage Audits
  • Manage Retention Policies
  • View Retention Policies
  • View All Matters

Archive search

This privilege granted access to the Email Search and Boolean Search menus on the Discover Tab.

Search, view, print, export as an email attachment or Mbox as well as access to the Reports Tab to see the Storage Overview and Storage Report.

Create a role with Manage Searches, Manage Exports and Manage Audits to gain the following privileges:

  • Perform searches and counts on any content in the Domain
  • View the content of messages in a search result
  • Create/delete saved search queries
  • Create, delete, download export files View audit logs

Note: If a user has the Archive Search privilege in Postini on only a subset of the organizations in the account, then this user will not have the Vault Search privilege after their Postini service transition. You can determine which users this will impact by accessing the Postini Archive Manager UI > Admin menu. Any user that shows values in the Restricted TO column fall into this category.

Archive Discovery

In addition to the Search privileges above, this user can create/manage additional Investigations, put users on Hold, put search results on hold, transfer Investigations to other users and access the Archive Manager Reports Menu.

Create a Role with Manage Matters, Manage Holds, Manage Searches, Manage Exports, Manage Audits, and View All Matters to gain the following privileges:

  • Create Matters and share those matters with others
  • Close, open, modify matters
  • Delete, restore matters
  • View the list of Users on hold
  • Create, remove holds
  • Perform searches and counts on any content in the Domain
  • View the content of messages in a search result
  • Create/delete saved search queries
  • Create, delete, download export files
  • View audit logs
  • View all Matters in the domain

Archive audit

This user can access the Archive Manager Reports Tab to see the Storage Overview, Storage Report, Purge History and Audit Reports.

Create a role with Manage Audits to gain the following privileges:

  • View Audit Logs

Note: At the time of this writing there is not an equivalent to the Storage Overview or Purge History Report. Storage Reports can be pulled using the Admin SDK.

Archive retention

This granted access to the Archive Manager Retention menu where the Auto-Purge option could be toggle on/off, the Purge History report, Message Holds report and User Holds report could be viewed.

This user could not change the retention policies unless they also had access to the Admin Console with Message Archiving privileges.

Create a role with Manage Holds, View Retention Policies, and View All Matters to gain the following privileges:

  • View the list of user accounts on Hold
  • Create/Remove Holds
    Note: this is more than the view only in Postini.
  • View all retention policies for the domain
  • View all Matters in the domain

Archive Investigator security

This granted access to the Archive Manager > Admin tab to set restrictions on other Archive users limiting whose accounts they could search.

No equivalent role in Vault.

The Super Administrator role is the one that can grant access to the Vault privileges.

Limiting a Vault privileged user to a specific OU is on the road map.

Archive Reports

Postini provides a Storage Overview, Storage Report, Purge HIstory, and Audit Reports.

The equivalent in Vault is a combination of the Manage Audits role and access to the Google Apps Admin SDK.

There are currently no reports to show purge history.

How retention works in Vault

Retention rules enable your organization to retain messages for a desired amount of time. After this time, the messages are deleted from Google Vault, and if a user has Gmail, the messages are also deleted from their Gmail mailboxes. This behavior is different from the behavior in Postini GMD -- where messages are removed from the archive at the end of the retention period, but not deleted from the users’ mailboxes.

After messages are no longer in user mailboxes, these messages are marked to be expunged from all Google systems, including Vault. The period before expunge can be up to 30 more days beyond the retention period expiration. After they are expunged, these messages are no longer accessible from anywhere.

If users leave messages in their mailboxes, these messages are removed from those mailboxes when an applicable retention period expires. For 30 more days, Vault admins can search for and find these messages. After the 30 days, these messages are expunged from all Google systems.

For general instructions about changing your retention settings, see Set retention rules and How retention works

Be aware of the following in Google Vault:

  • A legal hold overrides the retention policy.
  • Custom rules override default rules.
  • If there are multiple custom rules, the longest time period is maintained.

Comparison of GMD and Vault retention policies:

  • In Vault, retention applies directly to the users’ Gmail mailbox (if that user is using Gmail).
    GMD does not affect data in a user’s mailbox, while Vault acts directly on the user’s mailbox. In GMD, retention policies only affect Postini archived copies of the original messages, not the actual end user mailbox copies. At the end of the retention period, messages will be deleted both from Vault and your users’ mailboxes.
  • You can set Vault’s retention policy for 1 day to 100 years or indefinitely as long as you have Vault licensed.
    GMD has a retention period limit of 10 years.
  • In Vault, you can configure archive settings that apply to all organizational units when a custom rule or litigation hold does not apply.
    In GMD, you can configure archive settings per organization.
  • In Vault, the default retention period can be set per organizational unit.
    The retention period in Vault is unlimited by default and can be set per organizational unit. You can change this period by modifying the default rule. The retention period is turned OFF by default and can be set for the entire domain or by OU.
  • In Vault, there is no manual purge functionality.
    GMD allowed for both manual and auto-purge modes. Vault is auto-purge only.
  • Purge in Postini is equivalent to expunge in Vault.
    This means the data is expunged from all Google systems and is no longer available in Vault.
  • Changes to retention policies in Vault are retroactive.
    In Postini, if you made any changes to your retention policy it would only apply to email being captured from that point in time forward. In Vault, any change you make will be reapplied against all the email (and on-the-record chats) in all active and suspended and former user accounts. This means messages in a Gmail user's mailbox will be removed due to a retention policy change. 
  • Retention policies can be tested in Vault before you make them active.
    Postini retention policies were configured by OU in the Postini Admin Console -- not in the Archive Manager UI -- and these retention policies did not present you with a way to evaluate what messages would be impacted by any new settings or changes to existing settings. Vault has a preview option that gives you a sampling of the types of messages that will be impacted.

For more details about how retention works after your transition to Vault, see the section below: Timestamp label retention policies.

Timestamp label retention policies

When messages were originally ingested by Postini to the GMD archive they were stamped with a GMD retention months policy per user. As these messages are migrated to the users’ Gmail accounts, a corresponding Gmail custom label with the prefix ^gmd_retention_months_ is attached to specify the original retention period. A corresponding Vault label-based timestamp retention policy for the customer then provides the same retention policy via a query based retention rule on that label, thus affecting identical retention for all messages that have that label.

In addition to the retention policy queries built around these labels, the policies will also include the has_label:^deleted clause so that live Gmail messages will not be affected by migrated retention policies. 

Note: Classic customer Non-Account archived messages that were given a 1 month retention period at some point in the past do not receive a ^gmd_retention_months_ label applied to those messages as the retention period was never explicitly set by the customer.

For example:
The ^gmd_retention_months_120 label would be applied to a message as it is migrated to a user’s mailbox if it had been retained for 120 months for the specific user in GMD. At the customer level, a single Vault retention policy is added for the customer to retain messages with this label for 10 years:
retain all messages newer_than:120m has_label:^gmd_retention_months_120   has_label:^deleted

Note: For messages that involved more than one user in the domain, there could be multiple Postini retention-months policies stamped on that message. Only the ^gmd_retention_months label for the individual user will be added to the message. This means that the longer retention value will still retain the longer retention user’s copy of the message in Vault, even though the shorter retention user’s copy might get deleted post-migration as Gmail retention triggers sooner.


Postini Investigations / Vault matters

During your GMD service transition, each investigation in Postini is mapped to a matter in Google Vault. In Vault, a matter is a container for all of the data related to a specific topic, such as a litigation case or investigation. A matter includes:

  • Any saved search queries
  • A list of accounts with data on litigation hold
  • A list of the accounts that can access the matter
  • Any export sets for the matter that are less than 14 days old An audit trail for the matter

Important: After your transition is completed, we recommend that you review each of your legal holds to ensure that you still want to keep those messages retained indefinitely.

For instructions on managing your matters in Vault, see Organize and create matters.

Postini Saved searches / Vault targeted legal holds

During your GMD service transition, saved searches in GMD will be mapped to targeted legal holds in Vault. A targeted legal hold allows you to indefinitely preserve messages (messages in Gmail and on-the-record chats) based on specific dates or terms to meet legal or preservation obligations.

If a user deletes messages that are on hold, the messages are removed from the user's view, but they are not deleted from Google servers until the hold is removed. As long as the hold is in place, Vault admins and Vault users with appropriate privileges can still search for and discover held messages in Vault.

The criteria for saved searches will not be copied from Postini to Google Vault during your service transition; however, the saved search results will be transitioned.

Differences between Postini and Vault searches:

  • Vault search is multi-year and domain-wide, and multi-byte characters are fully supported.
  • The Vault interface is localized in 28 languages.
  • GMD uses Boolean search, while Vault uses multiple operators.
  • Vault supports saving searches but not search results; instead, share the matter with Vault users in your organization who need to view and export the search results.

Important: After your transition is completed, we recommend that you review each of your legal holds to ensure that you still want to keep those messages retained indefinitely.

To review or create a Hold in Vault:

  1. Sign in to Vault at
  2. Click Matters.
  3. Click a matter that you created for an investigation to open it.
  4. Click Create Hold.
  5. Enter the following hold information for that investigation’s saved search results and Save:

    Hold name
    Enter a unique name for this hold.

    Users to be placed on hold

    • Enter a licensed user account or accounts to place a hold on: This option places a hold on all content in a user's account unless you target specific information by including a sent date range or terms or both.
    • Leave blank: This option places holds on all licensed users’ accounts in the domain (domain hold).

    Sent date
    Enter a start date, end date, or both. If you enter only a start date, the rule applies to content after that date. If you enter only an end date, the rule applies to content before that date.

    Enter any search terms or search operators that would appear in messages that you want to retain.

Was this helpful?
How can we improve it?