Active Directory Synchronization Problem

S

SMS

Hi,

I have an AD group called Project_Resource which is being used for
Active Directory Synchronization and is used in the Enterprise
Resource Pool Synchronization . We also have different security groups
for Managers and Admins and they contain the users themselves

The group itself contains groups a.k.a the different departments. And
the departmental groups contain the different users.

When we installed the Project Server, we did not have any problem with
synchronization. But last weekend, we had problems with AD and all
the users became inactive. We were able to fix it and do
synchronization. But what happened was all the people who were'nt the
managers or admins, were not able to get in the pwa site. I went into
PWA site permissions and saw that the users did'nt have permission to
site, although they were active and when I made a user inactive and
then active manually, the permissions come up.

Any idea why? Also can the Enterprise Resource Pool Synchronization AD
group contain groups within it.



Thanks
Saiju
 
G

Gary L. Chefetz

SMS:

The way AD synch works is that it literally rebuilds all of the user
permissions, so if it fails, it can leave you in a strange state. Fix the
problem and everything should be correct on the next successful run. You
cannot nest AD groups in the Synch groups.

--
----------
Gary L. Chefetz, MVP
MSProjectExperts
Project Server Consulting: http://www.msprojectexperts.com
Project Server Training: http://www.projectservertraining.com
Project Server FAQS: http://www.projectserverexperts.com
Project Server Help Blog: http://www.projectserverhelp.com
 
S

SMS

SMS:

The way AD synch works is that it literally rebuilds all of the user
permissions, so if it fails, it can leave you in a strange state. Fix the
problem and everything should be correct on the next successful run. You
cannot nest AD groups in the Synch groups.

--
----------
Gary L. Chefetz, MVP
MSProjectExperts
Project Server Consulting:http://www.msprojectexperts.com
Project Server Training:http://www.projectservertraining.com
Project Server FAQS:http://www.projectserverexperts.com
Project Server Help Blog:http://www.projectserverhelp.com











- Show quoted text -
Click to expand...

Thank you Gary for your response.

Regarding nest groups in the sync group, the following article
mentions it being ok.
http://technet.microsoft.com/en-us/library/cc531330.aspx

Is it wrong or am I misinterpreting it?

I was able to sync with AD and all the users became active. But the
problem is, the users did'nt get the WSS permission for the PWA Site.

But if I deactivate the user and reactive him/her, the permissions
come up and it also shows in queue that WSS Synchornization occured.

Thanks

Saiju
 
G

Gary L. Chefetz

Sorry, for some reason I thought you were using 2003.

--
----------
Gary L. Chefetz, MVP
MSProjectExperts
Project Server Consulting: http://www.msprojectexperts.com
Project Server Training: http://www.projectservertraining.com
Project Server FAQS: http://www.projectserverexperts.com
Project Server Help Blog: http://www.projectserverhelp.com


SMS:

The way AD synch works is that it literally rebuilds all of the user
permissions, so if it fails, it can leave you in a strange state. Fix the
problem and everything should be correct on the next successful run. You
cannot nest AD groups in the Synch groups.

--
----------
Gary L. Chefetz, MVP
MSProjectExperts
Project Server Consulting:http://www.msprojectexperts.com
Project Server Training:http://www.projectservertraining.com
Project Server FAQS:http://www.projectserverexperts.com
Project Server Help Blog:http://www.projectserverhelp.com











- Show quoted text -
Click to expand...

Thank you Gary for your response.

Regarding nest groups in the sync group, the following article
mentions it being ok.
http://technet.microsoft.com/en-us/library/cc531330.aspx

Is it wrong or am I misinterpreting it?

I was able to sync with AD and all the users became active. But the
problem is, the users did'nt get the WSS permission for the PWA Site.

But if I deactivate the user and reactive him/her, the permissions
come up and it also shows in queue that WSS Synchornization occured.

Thanks

Saiju
 
S

SMS

Sorry, for some reason I thought you were using 2003.

--
----------
Gary L. Chefetz, MVP
MSProjectExperts
Project Server Consulting:http://www.msprojectexperts.com
Project Server Training:http://www.projectservertraining.com
Project Server FAQS:http://www.projectserverexperts.com
Project Server Help Blog:http://www.projectserverhelp.com








Thank you Gary for your response.

Regarding nest groups in the sync group, the following article
mentions it being ok.http://technet.microsoft.com/en-us/library/cc531330.aspx

Is it wrong or am I misinterpreting it?

I was able to sync with AD and all the users became active. But the
problem is, the users did'nt get the WSS permission for the PWA Site.

But if I deactivate the user and reactive him/her, the permissions
come up and it also shows in queue that WSS Synchornization occured.

Thanks

Saiju- Hide quoted text -

- Show quoted text -
Click to expand...

Sorry about that.

Another observation is that, all the users are there as SharePoint
users for the PWA site, but after the deactivation, lost the
Permissions. When I remove them as a SharePoint user too and do
synchornization, then WSS Synchornization occurs and they have
permissions even though I am using nested groups. I am wondering
whether it is a bug of Program that if it sees the user as a
SharePoint user, it won't check the permissions of that user and hence
it is not getting added.
 
R

Rolly Perreaux

You are correct Saiju.

Nested AD groups can be used in AD Synchronization for PWA 2003 and 2007.

All the AD Sync is doing is an LDAP query to the Active Directory database
and expands the user memberships of all groups within the group. It's really
great for Administrators.

Cheers,
 
R

Rolly Perreaux

Hi Saiju

It sounds like your problem is that PS is out-of-sync with AD, hence why
your resources/users were inactive. Try adding a temporary AD group name
(with one AD user) to the Enterprise Resource Pool Synchronization, re-sync,
then add back your Project_Resource AD group to the Enterprise Resource Pool
Synchronization and re-sync again.

Good luck
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Scheduled Active Directory Synchronization doesn't work 3
Active Directory Synchronization 4
Active Directory Synchronization 3
Active Directory Synchronization - Issue 0
Active Directory Resource Pool Synchronization 0
Active Directory Resource Pool Synchronization errors? 0
Active Directory Resource Pool Synchronization 7
Schedule multiple AD groups for resource sync? 2

Top