Active Directory Synch

Mark Stafford

Hi All,
I am running Project Server 2007 SP1 (with Jul-08 infrastructure update).
We are manually adding users who are resources for projects. This is
working fine. The organisation wants all domain users to be able to have
limited access into PWA. To this end we have created a Project Group with
limited view-only rights and have tied this group to the 'Domain Users' AD
group through PWA 'Manage Groups'. We have synched the group manually and
under a schedule several times. Users who are not specifically listed in
'People and Groups' are still not getting into PWA. They are getting the
'log on as another user' SharePoint error page.

When the AD synch is run I do not see any changes in the people list. The
SharePoint logs report success (note that the time between start and finish
is about one second). I know that the SSP service account has been
delegated the right to read all AD user info because I did it. What am I
missing? Thanks in advance.

Mark
 
.jussi

Hi Mark,

You have to set the group that gets pulled to the EPM users from the AD in
the Active Directory Resource Pool Synchronization (Server Settings ->
Operational Policies). It sounds like you have only set the security group
relation.

Hope that helps,
- Jussi
 
Mark Stafford

Hi Jussi, Thanks for your reply. Yes, I have only set up the security group
because we do not want all domain users to be project resources. If every
domain user has to be listed in the Project Resource pool then it will be a
nightmare in terms of manually unchecking the 'User can be assigned as a
resource' for each 'read-only' user.

How do I achieve the organisation goal of all users having limited access via
a specific Project Group?

regards Mark
 
.jussi

I had to revisit the issue myself to see how things worked - something in the
back of my head told me that the only thing that pulls users from the AD is
the resource synchronization. It seems I was wrong - sorry for the
misinformation in the first post.

To test this I set up a new group in our test environment (patched up to
dec/2008 cu) and synchronized it from the AD. It created all the missing
users without complaint - with the proper user rights and without adding them
as resources. So at least with the most current patches, just setting up the
AD sync in the security group is enough and should result in the behavior you
want.

Now the question is, how updated is your server?

- Jussi
 
Mark Stafford

Hi Jussi, Thanks for performing the test. I only have a production instance
for the foreseeable future. Performing tests is something I can only dream
about at this point in time. The Project Server setup is the standard
two-way split config: WFE and App server on one server and the databases on
a clustered dB server. The servers are Win2003 R2 SP2. The Project Server
has had SP1 and the Aug-08 infrastructure applied. SharePoint 2007 runs on
the same server as Project.

Each time the AD synch runs against the Project Group I note that the
following error is logged in Event Viewer of the Project/SharePoint server:

Event Type: Error
Event Source: Office SharePoint Server
Event Category: Project Server Active Directory Synchronization
Event ID: 7718
Date: xxxxxxx
Time: 8:19:55 PM
User: N/A
Computer: xxxxxx
Description:
Standard Information:pSI Entry Point:
Project User: domain\xxxxxx
Correlation Id: 97231ce0-c7db-464e-9b23-7e76848484c0
PWA Site URL: http://project/PWA
SSP Name: SharedServices1
PSError: Success (0)
Project Server Active Directory Group Synchronization is initializing
(reading settings and user information from the Project Server database).

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

There are no other errors logged in Event Viewer and the SharePoint logs (on
verbose mode) simply list the AD synch starting and stopping successfully
(duration is one second). I note that there are quite a few instances of
this error mentioned in various forums but no answers.

Any suggestions?

regards Mark
 
Mark Stafford

Ah-Ha! I worked it out.
Cause
If the AD display name field contains a comma in it (eg: smith, john ) then
this will cause the AD synch to fail (without any helpful error message).
The failure occurs because PWA uses the comma as a list separator. The code
is not smart enough to work out that the comma in the display name is part of
the field value.

Fix
Change the List Separator value in Regional Settings on the server from a
comma to a semi-colon. All users in the AD group that is tied to the
Project Group will be imported into Project users with the comma in the
display name replaced with a semi-colon. Everything else works fine.
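
A pre-check for the cause identified above, as an added example that is not part of the original posts: it reads the list separator of the account it runs under and lists the AD accounts whose display name contains that character. It is a read-only LDAP query against the current domain; the optional `-GroupDn` parameter and the function name are assumptions made for this example.

```powershell
# Added example (not from the thread): find display names that contain the
# regional list separator, the condition reported above to break the AD synch.
param(
    # Optional DN of the AD group tied to the Project Group (supply your own).
    # Note: memberOf does not cover primary-group membership, so leave this
    # empty when the mapped group is 'Domain Users'.
    [string]$GroupDn
)

function ConvertTo-LdapFilterValue([string]$Value) {
    # Escape the characters that are reserved inside an LDAP filter value.
    $sb = New-Object System.Text.StringBuilder
    foreach ($c in $Value.ToCharArray()) {
        if ('\*()'.IndexOf($c) -ge 0 -or [int]$c -eq 0) {
            [void]$sb.AppendFormat('\{0:x2}', [int]$c)
        } else {
            [void]$sb.Append($c)
        }
    }
    $sb.ToString()
}

# This is the value for the account running the script; run it as the account
# that performs the synchronization to see what that account uses.
$separator = (Get-Culture).TextInfo.ListSeparator
Write-Host "List separator for this account: '$separator'"

$filter = '(&(objectCategory=person)(objectClass=user)(displayName=*{0}*)' -f
    (ConvertTo-LdapFilterValue $separator)
if ($GroupDn) { $filter += '(memberOf={0})' -f (ConvertTo-LdapFilterValue $GroupDn) }
$filter += ')'

# With no SearchRoot set, DirectorySearcher queries the current domain.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = $filter
$searcher.PageSize = 1000   # page results so large domains are fully listed
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'displayName'))

$hits = $searcher.FindAll() | ForEach-Object {
    [pscustomobject]@{
        Account     = [string]$_.Properties['samaccountname'][0]
        DisplayName = [string]$_.Properties['displayname'][0]
    }
}

$hits | Sort-Object Account | Format-Table -AutoSize
Write-Host ("{0} account(s) have the list separator in displayName" -f @($hits).Count)
```

A count of zero after changing the separator means no display name in scope collides with the new character.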
 
.jussi

Oh, wow. That's an ... interesting behavior. Glad you got it worked out and
definitely something that's good to know!

- Jussi
 
