Google Ads Remove Access | OpsBlu Docs

Google Ads Remove Access

How to revoke user access and offboard team members from Google Ads. Covers account deletion, API key revocation, partial access removal, and security.

Prerequisites

  • Admin access to the Google Ads account
  • Documented reason for access removal
  • Verification that user no longer requires access
  • (If removing last Admin) Another Admin user already provisioned

Remove User Access

Step 1: Navigate to Access & Security

  1. Sign in to your Google Ads account at ads.google.com
  2. Click the Tools & Settings icon in the top right
  3. Under "Setup," click Access and security

Step 2: Remove User

  1. Locate the user in the access list
  2. Hover over the user row
  3. Click the trash can icon or Remove button
  4. Confirm removal in the popup dialog
  5. Click Remove to confirm

Effect: User immediately loses all access to the account. No notification is sent to the user.

Remove User from Manager Account (MCC)

Step 1: Navigate to MCC Access

  1. Sign in to your Manager account
  2. Click Tools & Settings > Access and security

Step 2: Remove User

  1. Locate user in the access list
  2. Click trash can icon next to user's name
  3. Confirm removal

Effect: User loses access to the MCC and all linked accounts managed through that MCC (unless they have direct access to individual accounts).

Remove User from Multiple Accounts

For users with access to multiple accounts:

Option 1: Remove from MCC (Cascading Removal)

If user was granted access via MCC:

  1. Remove from MCC access list
  2. User automatically loses access to all linked accounts

Option 2: Remove from Individual Accounts

If user has direct access to individual accounts:

  1. Navigate to each account separately
  2. Remove user from each account's Access and security page
  3. Repeat for all accounts

Note: Removing from MCC does not remove direct access to individual accounts granted separately.

Remove Pending Invitations

For users who have not yet accepted their invitation:

Step 1: Navigate to Access & Security

  1. Access the account's Access and security page
  2. Locate pending invitation (shown with "Pending" status)

Step 2: Cancel Invitation

  1. Click trash can icon next to pending invitation
  2. Confirm cancellation

Effect: Invitation is revoked. User can no longer accept the invitation link.

Special Removal Scenarios

Remove Last Admin

Important: Google Ads requires at least one Admin user per account.

Process:

  1. Before removing current Admin, add a new Admin user
  2. New Admin accepts invitation and confirms access
  3. Verify new Admin can access account settings
  4. Only then remove the original Admin

Warning: If you remove the last Admin by mistake, you will need to contact Google Ads support to regain account access.

Remove Account Owner

The Google account that created the Google Ads account is the "owner" and appears with a special designation.

Process:

  1. Add new Admin user
  2. Transfer billing and payment methods to new Admin (if needed)
  3. Remove original owner (same process as removing Admin)
  4. Owner can transfer full ownership via Account settings if preferred

Remove Users with Active API Access

Users with API access may have active OAuth tokens even after account removal.

Process:

  1. Remove user from Access and security (revokes future API calls)
  2. User's existing OAuth tokens will fail authorization on next API call
  3. (Optional) Audit API access via API Center to confirm token invalidation
  4. (If needed) Contact Google Ads support to force-revoke OAuth tokens

Remove Service Account Access

For service accounts used by scripts or automation:

  1. Remove service account email from Access and security
  2. Revoke OAuth tokens in Google Cloud Console:
    • Navigate to Google Cloud Console > APIs & Services > Credentials
    • Revoke relevant OAuth 2.0 Client IDs
  3. Update scripts/applications to use new service account

Offboarding Checklist

When removing user access as part of employee offboarding:

  • Remove from Google Ads account(s)
  • Remove from Manager account (MCC) if applicable
  • Revoke API access tokens
  • Remove from Google Analytics linked properties
  • Remove from Google Tag Manager containers
  • Remove from Google Merchant Center
  • Remove from shared asset libraries
  • Remove from any Google Workspace groups related to ads
  • Document removal in access management log
  • Notify team of access removal
  • Archive user's work (saved reports, custom segments, etc.)

Verification Steps

After removing user access:

  • User no longer appears in Access and security list
  • User cannot log in to the account (ask user to verify)
  • User's API access fails (if applicable)
  • Removal is logged in Change history
  • Access removal is documented in access management log
  • Manager/HR notified of access revocation completion

View Removal History

Check Change History

  1. Navigate to Tools & Settings
  2. Click Change history
  3. Filter by:
    • Type: "Access and security"
    • Date range: Recent period
  4. Review entries showing "User removed"

Information logged:

  • Email of removed user
  • Date and time of removal
  • Admin who performed the removal
  • Previous access level

Restore Access After Removal

Google Ads does not have an "undo" feature for access removal.

To restore access:

  1. Add user access again (treated as new invitation)
  2. User accepts new invitation
  3. Grant appropriate access level

Note: User's previous Change history is preserved and remains associated with their email address.

Common Issues & Solutions

Cannot Remove User (Greyed Out)

Causes:

  • User is the last Admin
  • You do not have Admin access
  • User is the billing owner (rare)

Solutions:

  • Add another Admin before removing current Admin
  • Request Admin access from current Admin
  • Transfer billing ownership first, then remove user

User Still Has Access After Removal

Causes:

  • User has access via different path (e.g., MCC access + direct account access)
  • Browser cache showing stale data
  • Change hasn't propagated (rare)

Solutions:

  • Check if user has MCC access granting indirect access
  • Ask user to sign out and back in
  • Wait a few minutes and verify again

Accidentally Removed Wrong User

Solutions:

  • Immediately re-add user via Add User Access
  • Grant same permission level as before
  • Apologize to user for temporary disruption
  • Document the incident

Removed Last Admin (Account Locked)

Solution:

  • Contact Google Ads support immediately
  • Provide proof of account ownership (billing information, business verification)
  • Google support can restore Admin access to the account owner

Prevention: Always verify at least two Admin users exist before removing any Admin.

Security Best Practices

  • Immediate removal: Revoke access on same day as employee departure
  • Document reasons: Log why access was removed (e.g., "Employee termination," "End of contract")
  • Verify removal: Confirm user cannot access account after removal
  • Audit regularly: Monthly review of active users to identify inactive accounts
  • Revoke API access: Ensure OAuth tokens are invalidated
  • Monitor post-removal: Watch Change history for unexpected activity
  • Secure credentials: Ensure removed users didn't save account passwords in shared systems

Bulk User Removal

For agencies removing multiple users:

from google.ads.googleads.client import GoogleAdsClient

client = GoogleAdsClient.load_from_storage()

# List of user emails to remove
users_to_remove = ['user1@example.com', 'user2@example.com']
account_id = '123-456-7890'

customer_user_access_service = client.get_service("CustomerUserAccessService")

for user_email in users_to_remove:
    # Find user resource name
    query = f"""
        SELECT customer_user_access.resource_name
        FROM customer_user_access
        WHERE customer_user_access.email_address = '{user_email}'
    """

    response = client.get_service("GoogleAdsService").search(
        customer_id=account_id.replace('-', ''),
        query=query
    )

    for row in response:
        # Remove user
        operation = client.get_type("CustomerUserAccessOperation")
        operation.remove = row.customer_user_access.resource_name

        customer_user_access_service.mutate_customer_user_access(
            customer_id=account_id.replace('-', ''),
            operation=operation
        )

        print(f"Removed {user_email} from account {account_id}")

Note: Requires API access and Admin permissions. Test thoroughly before bulk removal.

Communication Template

When removing user access, notify relevant parties:

To Removed User

Subject: Google Ads Access Removed - [Account Name]

Hi [User Name],

Your access to the Google Ads account [Account Name - 123-456-7890] has been removed as of [Date].

Previous Access Level: [Standard]
Removal Reason: [End of project / Role change / etc.]

If you believe this was done in error or have questions, please contact [Admin Name] at [admin@company.com].

Thank you,
[Your Name]

To Team/Manager

Subject: User Access Removed - [Account Name]

The following user access has been removed from Google Ads account [Account Name]:

User Email: [user@example.com]
Previous Access Level: [Admin]
Removal Date: [YYYY-MM-DD]
Removed By: [Your Name]
Reason: [Employee departure]

No further action required. Access removal has been documented in the access management log.

Automation & Monitoring

Automated Access Removal Alerts

Use Google Ads Scripts to monitor and alert on access changes:

function monitorAccessRemovals() {
  var account = AdsApp.currentAccount();
  var accountName = account.getName();

  // Get current users
  var currentUsers = [];
  var users = account.users().get();
  while (users.hasNext()) {
    currentUsers.push(users.next().getEmail());
  }

  // Compare with stored list (from previous run)
  var storedUsers = getStoredUserList(); // Implement storage mechanism

  // Find removed users
  var removedUsers = storedUsers.filter(email => !currentUsers.includes(email));

  if (removedUsers.length > 0) {
    // Send alert
    MailApp.sendEmail({
      to: 'admin@company.com',
      subject: 'Google Ads Access Removal Alert - ' + accountName,
      body: 'The following users were removed from ' + accountName + ':\n' +
            removedUsers.join('\n')
    });
  }

  // Store current user list for next run
  storeUserList(currentUsers);
}

Compliance Considerations

GDPR / Data Privacy

When removing user access:

  • User's personal data (email) remains in Change history
  • User's activity data remains in account
  • If user requests data deletion, contact Google Ads support
  • Document access removal in compliance logs

SOX / Financial Controls

For accounts under financial regulations:

  • Maintain audit trail of all access removals
  • Require manager approval for Admin removals
  • Quarterly access reviews mandatory
  • Document business justification for all access changes

Agency/Client Agreements

  • Review contract terms for access removal procedures
  • Notify client of access changes to their account
  • Archive user's work before removal (reports, strategies)
  • Transfer ownership of assets (shared libraries, labels)
Nach oben