If you received an email from Google Search Console stating that a new owner has been identified for your property, but you can’t find this user in the Users and Permissions section, don’t panic! This situation is often due to the way Google Search Console handles property verification across different levels.
This guide explains why this happens, how to identify the unknown owner, and steps to secure your property.
Why Can’t You See the New Owner in Search Console?
1️⃣ The ‘Users and Permissions’ Screen Only Shows Users for a Specific Property
In Google Search Console, each property (Domain Property or URL-Prefix Property) has its own list of verified users. If someone verifies a different but related property, you may receive an email notification but won’t see them in your user list unless you access the exact property they verified.
Understanding How Google Search Console Properties Work
Google Search Console allows verification at different levels:
1️⃣ Domain Property – Covers the entire domain and all subdomains (example.com, www.example.com, blog.example.com).
2️⃣ URL-Prefix Property – Covers only a specific URL path (https://example.com/folder/).
The issue arises when:
- You have a Domain Property verified, but someone verifies a sub-property (such as a subdomain or a URL-Prefix Property).
- You get an email about “New Owners Identified” but can’t see them in your user list because they verified a different scope of the site.
🔹 Example:
- You own
example.comas a Domain Property. - Someone verifies
https://ftp.example.com/as a URL-Prefix Property. - You receive an email saying:pgsqlCopyEdit
New owner for https://ftp.example.com/ To the owner of example.com - Since they verified only a sub-property, their user access does not appear in the main example.com Search Console property.
How to Identify the New Owner and Their Property
✅ Step 1: Check the Email Subject for the Exact Verified Property
The email from Google typically contains a line like:
rustCopyEditNew owner for https://ftp.example.com/
This indicates that the verification was for that specific URL-Prefix Property.
✅ Step 2: Create the Same Property in Google Search Console
If you want to see the new owner’s permissions, you need to add the exact property they verified:
🔹 If the email mentions https://ftp.example.com/, create a new property with the same URL-Prefix in Google Search Console.
🔹 Since you already own the Domain Property, verification will be automatic.
🔹 Now, check the Users and Permissions tab under this newly added property—you should see the unknown owner there.
Common Causes of Unexpected New Owners in Google Search Console
1️⃣ Leftover DNS Records Pointing to Unused Subdomains
Sometimes, a forgotten DNS record might be pointing a subdomain to a server you no longer control. This happens if:
- You migrated your website to a new host but didn’t update all subdomains.
- An old hosting provider reassigned the IP address to someone else.
- The subdomain is still pointing to shared hosting, allowing another person to verify ownership.
🔹 Example Scenario:
1️⃣ Your main site was migrated from oldhosting.com to newhosting.com.
2️⃣ You updated the main www and @ DNS records, but forgot about ftp.example.com.
3️⃣ The old host assigns your previous IP to another client.
4️⃣ The new client sets up a website on that shared IP, causing Google to allow them to verify ownership of ftp.example.com.
🔹 Solution:
✅ Audit your DNS records and remove obsolete subdomains that no longer point to your actual server.
2️⃣ Wildcard DNS Entries Allowing Others to Use Your Subdomains
Some websites use wildcard DNS records (*.example.com) to allow subdomains like www and blog to work without creating individual records.
🔹 The Risk:
- If you’re on a shared hosting plan, wildcard DNS (
*) means that anyone on the server can create a website under your subdomains. - This allows external users to claim ownership of your subdomains in Google Search Console.
🔹 Solution:
✅ Remove wildcard (*) DNS records and manually specify only the subdomains you need.
3️⃣ Possible Security Breach
In rare cases, an unauthorized person may have:
- Gained access to your server and injected verification files.
- Modified your DNS records to create new subdomains.
🔹 Solution:
✅ Scan your server for unauthorized changes to HTML files, meta tags, or DNS records.
✅ Remove any unknown verification methods from your site.
✅ Change hosting passwords and enable two-factor authentication (2FA).
How to Remove an Unwanted Verified Owner?
✅ Step 1: Check Google Search Console for Verification Methods
- Go to Users and Permissions (for the affected property).
- Check which verification methods were used (HTML file, meta tag, DNS record, Google Tag Manager, etc.).
✅ Step 2: Remove the Verification Method
Once you identify how the unauthorized owner got verified:
- If they used an HTML file, delete the file from your server.
- If they used a meta tag, remove it from the page’s HTML.
- If they verified via Google Tag Manager (GTM), check GTM for any unknown accounts.
- If they used DNS verification, go to your domain registrar and remove the unknown DNS TXT record.
✅ Step 3: Revoke Their Access in Google Search Console
- After removing the verification method, go to Google Search Console → Users and Permissions.
- Select the unwanted owner and click Remove Access.
🔹 Google will automatically revoke their ownership the next time it checks for verification.
Final Thoughts: How to Prevent Unauthorized Verifications
✅ Regularly audit your DNS records and remove unused subdomains.
✅ Avoid using wildcard DNS records (*) unless absolutely necessary.
✅ Check for security vulnerabilities that might allow attackers to inject verification files.
✅ Monitor Google Search Console email notifications to stay aware of new verifications.
If you receive a ‘New Owners Identified’ email and don’t recognize the user, follow the steps outlined above to identify, remove, and prevent unauthorized ownership of your Google Search Console properties.
