

What is the Active Directory?

Active Directory (AD) is a Microsoft directory service that stores computer names, user names, passwords, and other information in a central database, so that security and access information does not need to be duplicated on every machine. Accounts in Active Directory can only be created for Berkeley Lab employees and affiliates.



What services does the AD provide at Berkeley Lab?

At Berkeley Lab everyone gains in the following ways:

  • The AD verifies that people are who they say they are when they attempt to connect to the network or to resources on the network (using a complex password associated with the user account).
  • The AD checks that users are allowed to do what they are attempting to do, such as deleting a file, before allowing them to do it (used by groups who have added file servers to AD).
  • The AD automatically ensures computers meet the minimum security requirements for computers on the Berkeley Lab network.
  • The AD ensures computers remain up-to-date on security patches.

In addition, some groups at the Lab have extended their use of AD to control access to other resources (print servers and file servers).


Why is the AD important?

The AD can be used to control access to resources on the network. This includes computers, printers, devices, folders, files and other items on the network. AD also provides tools to help desktop computers stay protected from unknown users and to remain up-to-date on security patches.



How do I join the AD?

AD user accounts are automatically created (and placed in a disabled state) for term and career staff as part of new-hire on-boarding. (Affiliates must request an AD account, with their sponsor's approval, before their AD account will be created.)

Those with new accounts will get their account activated and initial password from the Help Desk after an identity verification process.

All new accounts must have their identity verified before the Help Desk can activate these accounts and provide initial passwords for the user. Typically, identity verification occurs when an LBL ID is issued, but the Help Desk must use a different process...

The LBL Help Desk verifies a caller's identity by the caller being able to correctly answer one of the following questions:

  • Their direct supervisor's name
  • The phone number that they have registered in their LBL emergency contact information
  • The external email address that they have registered in their LBL emergency contact information

If the user fails all three attempts to identify themselves, they will be told that they need to get help from their supervisor. Their supervisor may call the Help Desk on their behalf. However, the supervisor's identity will also need to be verified using the same criteria cited above.

Please call the Help Desk at x4357.



Can my computer belong to AD, even if my user account does not?

Yes. The computer can join AD and benefit from security measures that specifically benefit the computer. The user account is a second object in AD and provides an additional set of benefits. For most people, best practice is to have both of these as part of AD.




How do I add my computer to the AD Domain?

Follow the instructions here: Add Your Computer to Active Directory



Can I still log on with my local account if I add my computer to the AD?

Yes. Your local logon names and the personal desktops associated with them are not removed when you join your computer to the AD. Many of the benefits of the AD are available simply by adding your computer to the AD, even if you do not log on to the AD with a user account.



Can I access the Active Directory from home or off site?

Not without adding additional software to your computer. Because the Internet itself provides no security, users must use a computer that is directly connected to the Berkeley Lab network to log on to the Active Directory. One way to accomplish this from off site is to establish a VPN connection before logging on to the AD.



What is the difference between user accounts and computer accounts in the AD?

A user account represents you to the Active Directory. There is an account name and an account ID number associated with your user account. Your user account is checked every time you type your user name and password to verify that you are who you say you are. Your user account is also checked every time you attempt to access a resource on the Berkeley Lab network to verify that you are allowed to do what you are attempting to do.

A computer account represents your desktop or laptop computer to the Active Directory. There is an account name and an account ID number associated with your computer account. Your computer account is checked every time you type your user name and password to verify that you are connecting to the Berkeley Lab network from an authorized computer.



What policies have been written to describe the use of AD at the lab?

Additional Active Directory pages provide information on services, roles and responsibilities, and procedures for the AD at Berkeley Lab.



What is the difference between a Domain and an Organization Unit (OU) in AD?

An Organizational Unit (OU) is a container that holds user accounts and computer accounts. OUs are used to organize users with common needs, or computers with common needs, into a single group so they can be supported more easily. At Berkeley Lab it is common to find users who work for the same group located in the same OU, but this is not a requirement. A domain is the collection of OUs that all share the same basic security policy, such as password length or how often users have to reset passwords.
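The OU and domain structure described above is what an object's LDAP distinguished name (DN) spells out: OU= components give the container path and DC= components give the domain. The following parser is an added example, not code from the Berkeley Lab page; it assumes only the standard LDAP DN syntax (comma-separated attribute=value pairs, most specific first, backslash escaping), and the sample names and the domain example.org are constructed for illustration.

```python
"""Parse Active Directory distinguished names to show how the OU path and
the domain are encoded.

Added example (not the Lab's code). Assumes standard LDAP DN syntax:
  CN=<object>,OU=<child OU>,OU=<parent OU>,DC=<label>,DC=<label>
Sample DNs and the domain example.org are constructed.
"""


def split_dn(dn):
    """Split a DN into (ATTRIBUTE, value) pairs.

    A backslash escapes the next character, so a comma inside a value
    (e.g. a display name written as 'Doe\\, Jane') is not a separator.
    """
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))

    pairs = []
    for part in parts:
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def describe(dn):
    """Return the object's name, its OU path (top-down) and its domain."""
    pairs = split_dn(dn)
    name = next((v for a, v in pairs if a == "CN"), None)
    # The DN lists OUs leaf-first; reverse so the path reads parent -> child.
    ou_path = [v for a, v in pairs if a == "OU"][::-1]
    domain = ".".join(v for a, v in pairs if a == "DC")
    return {"name": name, "ou_path": ou_path, "domain": domain}


def same_domain(dn_a, dn_b):
    """True when two objects share the domain-level policy (password length,
    reset interval) regardless of which OU each sits in."""
    return describe(dn_a)["domain"] == describe(dn_b)["domain"]


# Constructed sample objects: a user and a workstation in different OUs.
SAMPLE_DNS = [
    "CN=Doe\\, Jane,OU=Staff,OU=Computing,DC=example,DC=org",
    "CN=WS-0001,OU=Workstations,OU=Computing,DC=example,DC=org",
]

if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(describe(dn))
    print("same domain:", same_domain(*SAMPLE_DNS))
```

Note that `ou_path` is reversed so that the parent OU comes first; the DN itself is written from the object outward, which is the opposite of how the hierarchy is usually drawn.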



What responsibilities does an OU Administrator have?

OU Administrators are responsible for maintaining the user and computer accounts in their OU. They are the ones who make sure you can do what you need to do on the network and others cannot interfere with your work. In many cases the person who provides your desktop support is also your OU Administrator.



If I leave the lab, what happens to my AD account?

AD accounts (just like other centrally provided services) are managed. When an employee's termination is recorded in the HR database, an automatic process takes place that first disables, and then eventually deletes, the account. Supervisors are notified of these actions and have the opportunity to ask for short-duration exceptions. Note that a termination record is recorded even if the employee is only moving from one status to another (e.g. career to guest). When the process runs its normal course, accounts are disabled 2 business days after termination and deleted 30 business days after termination.
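The de-provisioning timeline above (disable 2 business days after termination, delete 30 business days after it, with a possible supervisor-requested exception) is the kind of rule an identity team models before trusting the automation that enforces it. The following is an added example, not the Lab's own process: it assumes business days are Monday to Friday (holidays are not modelled) and that an exception simply delays both the disable and delete steps by a number of business days; all dates are constructed.

```python
"""Model the account de-provisioning timeline: disable at +2 business
days, delete at +30 business days, with an optional extension.

Added example (not the Lab's automation). Assumptions: business days are
Mon-Fri with no holiday calendar; an approved exception delays both steps
by `extension_days` business days. Dates used below are constructed.
"""
from datetime import date, timedelta

DISABLE_AFTER = 2   # business days after termination, per the page
DELETE_AFTER = 30   # business days after termination, per the page


def _to_date(value):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def add_business_days(start, n):
    """Return the ISO date n business days (Mon-Fri) after start."""
    d = _to_date(start)
    remaining = n
    while remaining > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # Monday=0 ... Friday=4; skip Sat/Sun
            remaining -= 1
    return d.isoformat()


def timeline(termination, extension_days=0):
    """The two scheduled actions for an account, as ISO dates."""
    return {
        "disable_on": add_business_days(termination, DISABLE_AFTER + extension_days),
        "delete_on": add_business_days(termination, DELETE_AFTER + extension_days),
    }


def account_state(termination, today, extension_days=0):
    """Return 'active', 'disabled' or 'deleted' for the account on `today`."""
    t = timeline(termination, extension_days)
    today_iso = _to_date(today).isoformat()
    if today_iso >= t["delete_on"]:
        return "deleted"
    if today_iso >= t["disable_on"]:
        return "disabled"
    return "active"


# Constructed sample records: (account, termination date, extension in business days).
SAMPLE_RECORDS = [
    ("user01", "2024-06-03", 0),   # terminated on a Monday
    ("user02", "2024-06-07", 0),   # terminated on a Friday: the weekend does not count
    ("user03", "2024-06-03", 3),   # supervisor-approved 3-business-day exception
]


def report(today):
    """State of every sample account on a given date, for a quick audit."""
    return {name: account_state(term, today, ext) for name, term, ext in SAMPLE_RECORDS}


if __name__ == "__main__":
    for name, term, ext in SAMPLE_RECORDS:
        print(name, term, timeline(term, ext))
    print(report("2024-06-11"))
```

The Friday record is the edge case worth checking: its disable date lands on the following Tuesday, not on Sunday, because only business days are counted.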
