Find your content:

Search form

You are here

Best practice for removing former admin user from all records, triggers and workflows?


I'm thinking of using demandtools to find all objects that their account is tied to. Then I was going to test removal and replacement with current admin user in a sandbox environment. Just wondering if anyone has accomplished this and whether they had any advise?

Attribution to: Miklr

Possible Suggestion/Solution #1

Is this a system admin or like an "admin"-istrative assistant? If it is a system admin, it shouldn't matter if they own the records or not, as they'll have access to all records anyway. If you do need to change the owners of records, though, the easiest way to do it is probably the Salesforce data loader or I've heard good things about the free Jitterbit Data loader.

Also, if you want to mass reassign the user on Account Teams or Opportunity Teams, you can do that with "Mass Reassign" under "Data Management" in Setup in your org.

Attribution to: Tom Gersic

Possible Suggestion/Solution #2

Using the dataloader do an export of all the object where OwnerId matches the user. Load this CSV into your favourite editor (excel, vim, etc). Replace the OwnerID with the ID of the new owner and then use the dataloader to run an update on all the records.

Alternatively if you are comfortable with Apex you could do something like this in the developer console (note, I haven't tested this.)

List<Account> accs = [SELECT Id, Owner FROM Account WHERE Owner = 'xxx' LIMIT 1000];
for( Account acc : accs ) {
    acc.Owner = 'new owner id';
update accs;

Attribution to: David Gillen

Possible Suggestion/Solution #3

I would suggest that best practice is typically to not re-assign ownership of all records across the board. The fact that a record is owned by a disabled user is not in itself a problem. If you're using that user as a generic "data admin" type user then I'd suggest you create a user for that sole purpose and re-assign all records to that, then you never have to worry about that user being disabled.

However I think you're asking about default workflow user, default case owner, portal admin, etc type settings whereby you can't disable the system admin user until you've re-pointed all of this configuration. Honestly I've been meaning to write a list of everything you need to change but haven't, so what I typically do is take the brute force approach. First change that user's email address to yourself. Second try to disable the user, you'll be warned that you can't for various reasons, fix each reason. Once disabled let the system do it's thing - since you changed the user's email address to your own you'll get notifications if any and then you can determine what else to change. Hope that helps.

Here's what I can think of off the top of my head:

  1. Default Workflow User
  2. Default Case Owner for Email2Case
  3. Default Case Assignment Rule user (if/as needed)
  4. Admin User for any Partner or Customer Portals
  5. You likely don't want to redeploy all Apex code, but to ensure uncaught Apex exceptions are emailed to the new admin, change the old admin's email address to your own (the last modified by user for Apex is the user that gets the emails)

Attribution to: caleb

Possible Suggestion/Solution #4

You can’t use DemandTools to manipulate workflow rules or other processes (such as Web to Lead, etc...), just the records. For the records though, you can use Reassign Ownership and reassign the selected object and all the sub-objects, but there is no option to find ALL records on ALL objects owned by a single user at one time.

For example you can find all the Accounts owner by “Joe User” and reassign them and the related sub-objects to a new user or users. But you would need a separate pass for Leads and any other objects NOT related to the Accounts. Also, if the user could own Contacts, Tasks, Opps etc. on OTHER users Accounts then additional passes would be needed against those objects to find and reassign those etc.

Here is the link to the Reassign Ownership Help Docs:

Attribution to: E.J. Wilburn

Possible Suggestion/Solution #5

This is a sneaky, lazy approach. Possibly in a situation where an employee who was a SysAdmin left rapidly and ownership must immediately be changed for security reasons.

0) Target User is Active at this point.
1) Change that user's email address to one under your own control.
2) Make sure you activate the new email address before continuing.
3) After verifying you have the email address changed to your control continue.
4) If you do not have control of the target user's email please see step 1
5) Change the user name to a more palatable name. At this point the human who had used this account will effectively be locked out. The new username may be a generic sounding name, like "SystemUser" or something.
6) When new system administrator is identified, change the Username to theirs.

I know it's not elegant, but hey, it works. :-) Vote me down if you don't like it, but it could save your bacon one day.

Attribution to: DaveS
This content is remixed from stackoverflow or stackexchange. Please visit

My Block Status

My Block Content