Viewable by the world

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 39 Next »

How do I request an account?

Use the Account Request Form to request the following accounts:

  • Google Apps
  • Windows Active Directory
  • OTP SSH Gateway (an FAQ will point you to a self help site)
  • Central Unix
  • SCS Cluster

About Windows Active Directory

These accounts are

  • free for lab employees and affiliates (and can not be provided for anyone not associated with LBL)
  • provide access to Windows File and Print Services
  • can also be accessed by Mac Users to access file services

More information on Active Directory can be found here.

About Google Apps Accounts

These accounts are:

  • Free for Lab employees & affiliates.
  • Created only if requested. (Ideally, a new employee or someone in the new employee's department will request an account before a new employee's first day of work.)
  • Usually created within 24 hours of the request. (A person must be in the Berkeley Lab Identity/LDAP directory before we can create a Google Apps account. The directory receives information about new employees and affiliates once per day from the Human Resources Data Warehouse.)

These accounts include:

  1. Access to all Google Apps services available at LBNL (e.g. Gmail, Calendar, Docs, Sites, etc.) See http://lbl.gov/google for more information.
  2. A Berkeley Lab email address, ("[email protected]"), that delivers to a Lab Gmail account with 25GB of free storage
  3. An Enterprise Directory (LDAP) username, that is used to sign in to many services at the Lab, including: Gmail, Google Docs, LETS, EH&S Training, etc.

Passwords: New employees typically (ideally) receive their LDAP passwords from the Badge Office when they receive their badges. Some call the Help Desk for a password.  Passwords are set to expire every 180 days.  Notifications are sent out 28 days before, 14 days before and every day within 7 days of expiration. There is no grace period login - the  Help Desk will have to intervene if all notifications are ignored.  (Active Directory Passwords also are set to expire after 180 days - notification is provided as part of membership to AD when you login close to the expiration date).

Account Termination FAQ

What happens to accounts when an employee leaves the lab?

We disable the account two days (just counting workdays - not weekends) after termination via an automatic process and delete it 30 days after termination via a manual process.  Supervisors can request an exception under specific conditions (a one week delay for "account cleanup" and a one month delay if the individual is changing status (e.g. from career to affiliate).

The Termination Notification System (TNS) manages your Berkeley Lab Identity/LDAP, which authenticates to Google Apps ( Gmail, Calendar, etc) , eRoom, Webspace and a variety of business applications (such as JHQ and HR Self-Service). TNS also manages your IT Division Active Directory account. The TNS initiates the following actions based on status code changes in the Human Resources Information System (HRIS):

  • An email notifies the following groups that the terminated employee’s account will be disabled two business days and then deleted 30 business days after the effective date of termination in HRIS:
    • Employee’s Supervisor. The supervisor can request a change in the timeline or special handling of data associated with the accounts via a web-based form.
    • Employee
    • Applicable Division termination email list. This is in the form of HRTERM-XX, where XX is the division or department. For example, HRTERM-IC is used for the IT Division. Click here for information on the HRTERM lists.
  • Another email notifies three mail lists: [email protected] (telephone services), [email protected], and [email protected].
  • Generates a Help Desk request to disable account two business days after the effective date of termination in HRIS:
  • Generates a Help Desk request 30 business days after the effective date of termination in HRIS. The ticket goes to each system administrator responsible for various computer services used by the terminated employee. The ticket notifies the administrator that accounts and data associated with the person will be deleted.

TNS-process.pdf: TNS Process Flow

How do you change the default dates for account disable/deletion?

The disable/delete sequence can be delayed for a month - if the person is transitioning between guest and career status and the termination action is an artifact of our HR system processes.  (The IT Help Desk can over-ride the automatic disable status).

Two types of people may change the default dates for a Terminee:

  1. Terminee's Sponsor. The initial Sponsor is the supervisor of record in HRIS. The Sponsor is responsible for the disposition of data and the removal of the Terminee's account. The Sponsor can delegate sponsorship to an active employee, making that employee the new Sponsor.
  2. Surrogates. Each level 1 org code can create a list of one or more Surrogates. A Surrogate is an employee who is authorized to act on behalf of any Sponsor in that level 1 org code. The Surrogate can view and update data for any Terminee belonging to any Sponsor in that level 1.

How do you immediately disable an account?

Call the HelpDesk to immediately disable an account (sometimes called Emergency TNS or Expedited TNS). Supervisors working with HR Centers, Security and Emergency Operations, and Computer Security can initiate an Emergency TNS.

Can ex-employees retain accounts?

Former employees may not retain accounts unless a Lab employee sponsors them as an LBNL "affiliate". Being an affiliate ensures that an LBNL employee takes responsibility for use of the account. Berkeley Lab Identity not only provides email or collaboration access, it’s a commitment of institutional resources. As a result, we enforce stricter rules for these accounts.

If you plan to become an affiliate, encourage your supervisor to notify their Administrative and Human Resource Support Staff in advance of the termination. Advance planning will allow the transition to be seamless and to avoid delays incurred because of TNS.

Can I have my email forwarded?

You may request email forwarding for up to one year. Contact the HelpDesk.

What happens when an employee is on leave?

Leave status does not disable institutional accounts or generate a TNS action. However, managers may request removal of specific privileges or account suspension, depending on the situation. For example, the manager of someone with substantial privileges for financial transactions might request suspension of the role if the employee goes on extended leave. To initiate this request, contact the functional owner of the application.

In all cases, the employee's manager may request to deactivate accounts while the person is on leave. To deactivate an account, contact:

  1. HelpDesk (to deactivate institutional accounts)
  2. Local system administrator (to deactivate local accounts)
  3. Functional owners (to suspend particular application roles)

How do I access the account of a terminated employee or someone on extended leave?

Open a ticket at help.lbl.gov and they will route the request appropriately in compliance with our Privacy, Monitoring, and Access without Consent policy.  Note: a supervisor can authorized the setting of a vacation message in Gmail or access to data used and/or created by the terminated employee if the access is for operational needs. 

  • No labels

Was this site useful for you? Do you have any feedback or suggestions? Please click here to send your comments about this FAQ to IT.