Types of accounts

The IT division provides several types of Accounts:

  • Enterprise Directory Accounts (for all staff and affiliates). Automatically created as part of the HR on-boarding process.
  • Windows Active Directory (which can also be used by Mac users) to access workstations and shared files on the network. Automatically created for staff (and one type of affiliate) - contractors, others upon request.
  • Google Apps Accounts which provide access to Google mail, calendar, sites, and drive/docs.  Automatically created for staff (and one type of affiliate) - contractors, others upon request.
  • SCS cluster Account. Created upon request.
  • Unix server account. Created upon request.

Account request information is here

Account termination 

Accounts are terminated when you leave the Lab. IT can provide limited access after you leave for two reasons: a change of status (e.g. you are a staff member converting to affiliate), or because you need an extra week to clean up your files. This requires supervisor approval (or HR confirmation if due to a status change).

If you are going to be on extended vacation or medical leave, your accounts are not disabled.  

Additional Termination information is here.

Access to someone else's account

Access to accounts cannot be provided without appropriate approval.

Additional information on Access to an account is here.

A note about passwords

  • Enterprise Directory passwords expire annually.
  • Active Directory passwords also expire every 6 months, but there is a grace period if logging in from a Windows machine. If you access network resources from a different platform, you will not know when the password expires and will not have a grace period.

How do I request an account?

Use the Account Request Form to request the following accounts:

  • Google Apps
  • Windows Active Directory
  • OTP SSH Gateway (an FAQ will point you to a self-help site)
  • Central Unix
  • SCS Cluster

About Windows Active Directory

These accounts:

  • are free for Lab employees and affiliates (and cannot be provided to anyone not associated with LBL)
  • provide access to Windows File and Print Services
  • can also be used by Mac users to access file services

More information on Active Directory can be found here.

About Google Apps Accounts

These accounts are:

  • Free for Lab employees & affiliates.
  • Created only if requested. (Ideally, a new employee or someone in the new employee's department will request an account before a new employee's first day of work.)
  • Usually created within 24 hours of the request. (A person must be in the Berkeley Lab Identity/LDAP directory before we can create a Google Apps account. The directory receives information about new employees and affiliates once per day from the Human Resources Data Warehouse.)

These accounts include:

  1. Access to all Google Apps services available at LBNL (e.g. Gmail, Calendar, Docs, Sites, etc.) See http://lbl.gov/google for more information.
  2. A Berkeley Lab email address, ("[email protected]"), that delivers to a Lab Gmail account with 25GB of free storage
  3. An Enterprise Directory (LDAP) username, that is used to sign in to many services at the Lab, including: Gmail, Google Docs, LETS, EH&S Training, etc.

Passwords: New employees typically (ideally) receive their LDAP passwords from the Badge Office when they receive their badges. Some call the Help Desk for a password. Passwords are set to expire every 180 days. Notifications are sent out 28 days before, 14 days before, and every day within 7 days of expiration. There is no grace-period login; the Help Desk will have to intervene if all notifications are ignored. (Active Directory passwords are also set to expire after 180 days; notification is provided as part of membership in AD when you log in close to the expiration date.)

Account Termination FAQ

What happens to accounts when an employee leaves the lab?

We disable the account two days (counting only workdays, not weekends) after termination via an automatic process and delete it 30 days after termination via a manual process. Supervisors can request an exception under specific conditions: a one-week delay for "account cleanup" and a one-month delay if the individual is changing status (e.g. from career to affiliate).

The Termination Notification System (TNS) manages your Berkeley Lab Identity/LDAP, which authenticates to Google Apps (Gmail, Calendar, etc.), eRoom, Webspace and a variety of business applications (such as JHQ and HR Self-Service). TNS also manages your IT Division Active Directory account. The TNS initiates the following actions based on status code changes in the Human Resources Information System (HRIS):

  • An email notifies the following groups that the terminated employee’s account will be disabled two business days and then deleted 30 business days after the effective date of termination in HRIS:
    • Employee’s Supervisor. The supervisor can request a change in the timeline or special handling of data associated with the accounts via a web-based form.
    • Employee
    • Applicable Division termination email list. This is in the form of HRTERM-XX, where XX is the division or department. For example, HRTERM-IC is used for the IT Division. Click here for information on the HRTERM lists.
  • Another email notifies three mail lists: [email protected] (telephone services), [email protected], and [email protected].
  • Generates a Help Desk request to disable the account two business days after the effective date of termination in HRIS.
  • Generates a Help Desk request 30 business days after the effective date of termination in HRIS. The ticket goes to each system administrator responsible for various computer services used by the terminated employee. The ticket notifies the administrator that accounts and data associated with the person will be deleted.

TNS-process.pdf: TNS Process Flow
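The timeline above can be checked against a directory export. The following is an added example, not the Lab's TNS code: it computes the disable and delete dates (2 and 30 business days after the effective date) and flags accounts whose state lags that schedule. The record fields, the exception labels, the modelling of the one-week and one-month exceptions as 7- and 30-calendar-day shifts of the effective date, and the absence of a holiday calendar are all assumptions.

```python
from datetime import date, timedelta

DISABLE_AFTER = 2   # business days after the effective termination date
DELETE_AFTER = 30   # business days after the effective termination date
# Assumption: supervisor exceptions shift the effective date by calendar days.
EXCEPTION_DELAY = {None: 0, "cleanup": 7, "status_change": 30}

def add_business_days(start, n):
    """Date n workdays after start, skipping Sat/Sun (no holiday calendar)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:          # Monday=0 .. Friday=4
            n -= 1
    return d

def schedule(effective, exception=None):
    """Return (disable_on, delete_on) for one terminated account."""
    base = effective + timedelta(days=EXCEPTION_DELAY[exception])
    return (add_business_days(base, DISABLE_AFTER),
            add_business_days(base, DELETE_AFTER))

def audit(accounts, today):
    """Flag accounts still enabled past disable_on or present past delete_on."""
    findings = []
    for a in accounts:
        disable_on, delete_on = schedule(a["effective"], a.get("exception"))
        if a["state"] == "enabled" and today > disable_on:
            findings.append((a["user"], "still enabled", disable_on))
        elif a["state"] != "deleted" and today > delete_on:
            findings.append((a["user"], "not deleted", delete_on))
    return findings

# Constructed sample records (hypothetical users and field names).
SAMPLE = [
    {"user": "alice", "effective": date(2024, 2, 29), "state": "enabled"},
    {"user": "bob", "effective": date(2024, 2, 29), "state": "enabled",
     "exception": "cleanup"},
    {"user": "carol", "effective": date(2024, 1, 11), "state": "disabled"},
    {"user": "dave", "effective": date(2024, 1, 11), "state": "deleted"},
]

if __name__ == "__main__":
    for user, issue, due in audit(SAMPLE, today=date(2024, 3, 6)):
        print(f"{user}: {issue}, was due {due.isoformat()}")
```
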

How do you change the default dates for account disable/deletion?

The disable/delete sequence can be delayed for a month if the person is transitioning between guest and career status and the termination action is an artifact of our HR system processes. (The IT Help Desk can override the automatic disable status.)

Two types of people may change the default dates for a Terminee:

  1. Terminee's Sponsor. The initial Sponsor is the supervisor of record in HRIS. The Sponsor is responsible for the disposition of data and the removal of the Terminee's account. The Sponsor can delegate sponsorship to an active employee, making that employee the new Sponsor.
  2. Surrogates. Each supervisor can identify a surrogate. A Surrogate is an employee who is authorized to act on behalf of any Sponsor/Supervisor. The Surrogate can view and update data for any Terminee associated with the Sponsor.

How do you immediately disable an account?

Call the HelpDesk to immediately disable an account (sometimes called Emergency TNS or Expedited TNS). Supervisors working with HR Centers, Security and Emergency Operations, and Computer Security can initiate an Emergency TNS.

Can ex-employees retain accounts?

Former employees may not retain accounts unless a Lab employee sponsors them as an LBNL "affiliate". Being an affiliate ensures that an LBNL employee takes responsibility for use of the account. Berkeley Lab Identity not only provides email or collaboration access, it’s a commitment of institutional resources. As a result, we enforce stricter rules for these accounts.

If you plan to become an affiliate, encourage your supervisor to notify their Administrative and Human Resource Support Staff in advance of the termination. Advance planning will allow the transition to be seamless and to avoid delays incurred because of TNS.

Can I have my email forwarded?

You may request email forwarding for up to one year. Contact the HelpDesk.

What happens when an employee is on leave?

Leave status does not disable institutional accounts or generate a TNS action. However, managers may request removal of specific privileges or account suspension, depending on the situation. For example, the manager of someone with substantial privileges for financial transactions might request suspension of the role if the employee goes on extended leave. To initiate this request, contact the functional owner of the application.

In all cases, the employee's manager may request to deactivate accounts while the person is on leave. To deactivate an account, contact:

  1. HelpDesk (to deactivate institutional accounts)
  2. Local system administrator (to deactivate local accounts)
  3. Functional owners (to suspend particular application roles)

How do I access the account of a terminated employee or someone on extended leave?

...