Best Practices Re: Removing users from Policies and Deleting users from Domain Control

SWalsh_2019 Expensify Customer Posts: 3 Expensify Newcomer

I am auditing our database of users that has never been cleanup and I want to proceed correctly. There are numerous termed employees that need to be deactivated.

I really want to understand the difference between the functionality of Domain Control and Policies and what effect removing/ deleting users means under each. Is data lossed?

Any guidance is MOST, MOST appreciated.


  • Sheena Trepanier
    Sheena Trepanier Expensify Team, Approved! Accountant, Expensify Student Ambassador Posts: 1,362 Expensify Team

    Hi @SWalsh_2019, this is a great question and I'm happy to clear things up!

    What's the difference?

    A policy is used to group employee who should all follow the same expense reporting rules. Typically policies are used to separate employees by department or entity if multiple policies are used. An member of a policy has the permissions needed to submit reports on that policy and removing them will block them from submitting on that policy in the future.

    Domain Control on the other hand is used to group employees who have the same domain email, for example, and lock down account creation using those emails. Domain Control also grants a company administrative control over an employee's account but this is limited to account creation, deletion, and assignment of company cards.

    What happens when an employee is removed?

    When you remove an employee from a policy, they can no longer create and submit reports on that policy. As an admin, you retain access to any of their submitted reports that you already have access to, no submitted reports are removed from the policy.

    Deleting an employee from Domain Control can have two different outcomes depending on how the employee has their account set up. If they are only using their work email with no secondary logins, then deleting them from Domain Control will delete their Expensify account entirely. If they have a secondary login, then deleting them from Domain Control simply removes the company email from their account and reverts them to their secondary login.

    If you remove an employee from Domain Control, you still retain access to their submitted reports and won't lose any information there. It's important to confirm that the employee is removed from the company policy as well as Domain Control, especially in the event they have a secondary login. Removing an employee from domain control does not remove them from company policies unless their account is successfully deleted.

    Best way to handle termed employees

    There are two main ways companies handle termed employees. The first is to delete them from the policies and domain. This is typically the cleanest but is also a permanent deletion if removing them from Domain Control.

    The second option is to create a group in the domain that you call "Terminated Employees" or something similar. Termed employees are moved to this group and are effectively locked down based on the group restrictions you select.

    The choice is yours, but if you run into questions before making changes feel free to circle back to this thread and @ my user name to notify me.

  • vme
    vme Expensify Customer Posts: 3 Expensify Newcomer
    This was helpful as I always wondered what the difference was...I wish deleting them from the domain control also deleted them from the policy so admins aren't duplicating efforts. 
  • AndreaB
    AndreaB Expensify Customer Posts: 1 Expensify Newcomer

    I'm trying to delete a termed employee from domain control but I keep getting this message:

    Oops!... It looks like that account has an outstanding balance.

    Please have [email protected] clear their outstanding balance before trying to delete their account again.

    How do I take care of that outstanding balance?

  • Sara Jacobson
    Sara Jacobson Expensify Team, Expensify Student Ambassador Posts: 64 Expensify Team

    Hi @AndreaB

    It sounds like this user created a policy in their own account at one point and they have a balance due. Please reach out to [email protected] so my team can work with you on getting this cleared up.

    Thank you!