How to fix Google Workspace Admin lockout

1

This is a frustrating “catch-22” situation. It means you, as the admin, enforced a 2-Step Verification (2SV) policy that your own account no longer meets.

For example, you might have set a policy requiring Security Keys, but your admin account is only set up to use Google Authenticator or SMS. The system is now blocking your non-compliant sign-in.

Here’s how to resolve this, from easiest to most complex.

Solution 1: Use Another Super Admin Account

If you have another Super Admin in your organization, this is the fastest fix.

  1. Ask your other Super Admin to log in to the Google Admin Console.
  2. Have them navigate to Directory > Users and find your locked-out account.
  3. They should click on your name, go to the Security section, and open the 2-Step Verification panel.
  4. From there, they have two main options:
    • Get Backup Codes: They can click “Get Backup Verification Codes” and give one to you. You can then use this code to sign in.
    • Move You: They can temporarily move your user account to an Organizational Unit (OU) or Group that does not have the strict 2SV policy enforced. This will let you sign in.

Once you are in, immediately update your own account’s 2SV methods to comply with the policy before you are moved back or log out.

Solution 2: Use Your Saved Backup Codes

When you first set up 2SV, Google prompted you to save a list of 10 one-time-use 8-digit backup codes. If you saved these, you can use one now.

  1. At the sign-in screen where it asks for your 2SV code, click “Try another way”.
  2. Select the option “Enter one of your 8-digit backup codes”.
  3. Enter one of the codes you saved.

If this works, immediately go to the Admin Console and either fix your account’s 2SV settings or adjust the organization’s 2SV policy.

Solution 3: The “Last Resort” Admin Recovery

If you are the only Super Admin and you do not have your backup codes, you must use the official admin account recovery process. This involves proving to Google that you own the domain.

  1. Go to the official Google Admin recovery form: https://toolbox.googleapps.com/apps/recovery/form
  2. Enter the domain name you use for Google Workspace and a contact email address that you can access.
  3. Google will provide you with instructions to verify your domain ownership. This usually requires you to add a specific CNAME or TXT record to your domain’s DNS settings (at your domain registrar, like GoDaddy, Cloudflare, etc.).
  4. After you add the DNS record, you submit the form. It can take 24-72 hours for Google to review the request and get back to you at your contact email address with instructions to regain access.