Manage Active Directory synchronization in Project Server 2007
This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see , Resources to help you upgrade your Office 2007 servers and clients.
Topic Last Modified: 2016-11-14
Project Server users and resources can be synchronized with the users of the Active Directory directory service across multiple domains and forests. This feature helps administrators with tedious tasks, such as manually adding large numbers of users, updating user metadata such as email addresses, and deactivating users who no longer require system access. Active Directory synchronization can be done manually or on an automated schedule. When Active Directory synchronization occurs, only the Project Server data is changed. Active Directory data is never altered — it is only queried.
Project Server user/resource properties updated during synchronization
When synchronization occurs, Project Server 2007 updates the following Project Server user/resource properties with specific Active Directory user metadata fields:
Active Directory user property | Project Server user/resource property |
---|---|
ADGUID (UserObject.objectGUID) |
Stored in the Project Server Published database (WRES_AD_GUID field in MSP_RESOURCES table). This property is not viewable in the Project Web Access user interface. |
Windows User Account (domain\sAMAccountName) |
Windows User Account |
Display Name (UserObject.displayName) |
Display name/Resource name |
Email Address (UserObject.mail) |
Email address |
Department (UserObject.department) |
Group (resource property only) Note This does not refer to Project Server security groups. |
You can customize Active Directory synchronization to map to additional metadata fields by using server-side handlers. For more information about server-side handlers, see Writing and Debugging Event Handlers for Project Server 2007 (https://go.microsoft.com/fwlink/?LinkId=126633\&clcid=0x409) in the MSDN Library online.
Additional Active Directory fields might be mapped to resource custom fields through the Project Server 2007 AD/Resource Sync Utility (https://go.microsoft.com/fwlink/?LinkId=126634\&clcid=0x409) that is available through CodePlex.
Note
Microsoft does not control, review, revise, endorse or distribute the third-party projects on the CodePlex site. Use these projects at your own risk. Microsoft is hosting the CodePlex site solely as a Web storage site as a service to the developer community.
Best practices for Active Directory synchronization
The following are best practices that Microsoft recommends when managing Active Directory synchronization in Project Server 2007:
Create specific Active Directory groups that correspond to each Project Server security group and the Project Server enterprise resource pool. For example, give the new Active Directory groups names such as “Project Server — ERP”, “Project Server — Project Managers”, “Project Server — Executives”. Nest existing Active Directory groups inside these groups for better organization.
Always synchronize the enterprise resource pool first, and then synchronize Project Server security groups. This ensures enterprise resource properties are set up correctly.
Schedule the synchronization to best suit your business needs. If new users are frequently added, or if users change positions in your organization, you may want to schedule synchronization to occur daily. If not, you may want to schedule it to occur weekly. As a best practice, always schedule synchronization to occur during non-working or off-peak hours. We recommend this because when synchronization occurs, it causes a resynchronization of permissions with Windows SharePoint Services, causing all users to temporarily lose site access.
Troubleshoot synchronization issues by examining the application event log on the farm's application server. You can also use the Unified Logging Service (ULS) logs to get further detail about Active Directory synchronization issues (for example, the ULS log will contain DEADLOCK entries if a user lockout has occurred – see the Caution that follows). You can configure your ULS log settings in the SharePoint Central Administration web site to provide more details about the Active Directory events that you are trying to capture. These settings can be configured on the Operations tab on the Diagnostics Logging page. On this page, you can configure the ULS log settings to capture only Active Directory synchronization information by setting Event Throttling to the Project Server Active Directory Synchronization category. Also, set the Least critical event to report to the trace log to Verbose. For more information about configuring logging options, see Configure diagnostic logging (Project Server).
Warning
Under certain circumstances, synchronizing Project Server users and workspaces with Active Directory can cause a “deadlock” situation in which all users are locked out of a PWA site or the respective workspaces. This causes user synchronization jobs to fail and site permissions to synchronize partially or not at all. Users may not be able to log on to PWA or their workspaces.
A deadlock can occur if the user synchronization process is taking too long to complete. This is due to the synchronization job iterating through many users and workspaces, for example, when large membership changes are being made. A synchronization job remaining in the queue a long time increases the possibility of other jobs starting inadvertently, which can also cause a deadlock.
To reduce the chance of a deadlock, you can do the following:-
Before making large group membership changes, verify that there are no jobs named “User Synchronization for Project Web Access App Root Site and Project WSS Workspaces” currently processing or waiting to be processed in the queue.
-
Run the Project Server Workspace Sync tool on the CodePlex site (https://go.microsoft.com/fwlink/?LinkId=147394). The tool controls what is to be synchronized when the job starts — PWA and workspaces, workspaces only, PWA only, or no synchronization for either PWA or workspaces — and allows the administrator to perform the user synchronization during non-working or off-peak hours when server overhead is lower.
Note that the Project Server Workspace Sync tool does not speed up the synchronization process beyond normal. However, being able to synchronize users when server overhead is lower reduces the possibility of synchronization failures.
-
Ensure that the account specified for the Project Server application Shared Services Provider has permission to read from all Active Directory domains and forests used in synchronization. Note that all Active Directory synchronizations use this account, even if they are manually run through a different user account.
Server-specified list-separator characters in an Active Directory display name may be replaced in Project Web Access through the synchronization process. In Office Project Server 2007, the list-separator character is defined as a comma. Therefore, if an Active Directory display name contains a comma, it will be replaced with a semi-colon. This can be a concern in scenarios in which comma characters are commonly used in display names.
If you are using resource custom fields, verify that these fields are not set to "required." If these fields are set to required and do not contain a value, Active Directory synchronization may fail, as it does not know what value to place in the required field. You can disable the "required" option for the fields. Or you can also implement a server-side event handler to populate required custom fields upon synchronization. For more information about server-side handlers, see Writing and Debugging Event Handlers for Project Server 2007 (https://go.microsoft.com/fwlink/?LinkId=126633\&clcid=0x409) in the MSDN Library online.
When you are adding users to Project Server through Project Web Access, ensure that you are using the same display name (UserObject.displayName) for the user as the one used for the user in Active Directory. If Active Directory synchronization is run and the display names do not match, the conflict with the display names will show partial failures and the account will not be updated.
Task requirements
The following are required to perform the procedures for this task:
Access to Project Server through Project Web Access with an account having the Manage Active Directory Settings and Manage users and groups global settings.
Read access (for the SSP service account for the Project Server instance) to all Active Directory groups and user accounts involved in the synchronization. You can verify this account in the SSP's properties on the Shared Services Administration page on the SharePoint Central Administration Web site.
Note
For more information about the SSP service account, see Plan for administrative and service accounts (Project Server)
To manage Active Directory synchronization in Project Server 2007, you can perform the following procedures. Active Directory synchronization can be configured for the Enterprise Resource Pool or for Project Server security groups. The two procedures are not dependent on each other.