How do I request an account?
First, note that you may not need to request one.
If all you need is an enterprise directory (LDAP) account, this is provided automatically.
Google accounts and Active Directory accounts are provided to staff and one type of affiliate (contractors) automatically. If you don't get one automatically and need either one- or another type of service - you (or your sponsor) will have to request one.
Use the Account Request Form to request the following accounts:
- Google Apps
- Windows Active Directory
The form also has links for other services that can be requested
- OTP SSH Gateway (an FAQ will point you to a self help site)
- A UNIX account on ux8 for general scientific computing
- Lawrencium Cluster (Scientific Cluster Computing)
Use this form to request a Google Role Account. Due to the limited number of available Google accounts, Google Role Accounts requests go through an approval process.
About our Enterprise Directory
These accounts are provided to all staff and affiliates
- Are available after the hire date is entered into the HR system and an employee number is assigned.
- Are used to access our business systems (HRIS, FMS, LETS, JHA)
- Are unique - we never assign anyone a username that has been used before (this policy was implemented in 2007)
- Follow guidelines on usernames and change management
- Our current policy requires that we try our standard naming convention which is first initial, middle initial, and last name whenever possible. The progression we follow is
- FMLastname (JBSmith)
- FLastname (JSmith)
- FirstnameLastname (JoeSmith)
- FirstnameMLastname (JoeMSmith)
- FML (JMS)
- FMLastname## (JBSmith02)
- Alternates can be considered (when the original choice has been used or due to reasonable customer preferences)
- Once an username has been selected during the onboarding process with Human Resources, username changes are only performed for legal name changes or when the name was entered incorrectly in the HR system. Even with legal name changes, we cannot always change the original user id because of dependencies on accounts created in various systems. If there is an operational need we will make a change, e.g. removing a dash in a user id because a system the user needs access to does not except dashes.
- We try to minimize email aliases because they use up user ids that could be used for future employees. Once a user id is issued, it cannot be used again even after the employee leaves the lab.
- Our current policy requires that we try our standard naming convention which is first initial, middle initial, and last name whenever possible. The progression we follow is
About Windows Active Directory
These accounts are
- free for lab employees and affiliates (and can not be provided for anyone not associated with Berkeley Lab)
- provide access to Windows File and Print Services
- can also be accessed by Mac Users to access file services
- are created in a disabled state - when you call the Help Desk for your password, the account will be enabled.
More information on Active Directory can be found here.
About Google Apps Accounts
These accounts are:
- Free for Lab employees & affiliates.
- Created automatically for staff and one type of affiliate (contractors)
- Automatically created accounts are available the day after the HR hire action has been taken. For others, one day after the account request is made.
These accounts include:
- Access to all Google Apps services available at Berkeley Lab (e.g. Gmail, Calendar, Docs, Sites, etc.) See http://lbl.gov/google for more information.
- A Berkeley Lab email address, ("[email protected]"), that delivers to a Lab Gmail account
Passwords: New staff and affiliates go through an "activation process" which allows them to choose and different userid, set account notification information and choose their enterprise directory (LDAP) password. Once the account is chosen, they can be changed at password.lbl.gov. There is also a new self help service that allows users to request a reset without Help Desk intervention. Passwords are set to expire every 180 days. Notifications are sent out 28 days before, 14 days before and every day within 7 days of expiration. There is no grace period login - the Help Desk will have to intervene if all notifications are ignored. (Active Directory Passwords also are set to expire after 180 days - notification is provided as part of membership to AD when you login close to the expiration date)