Using EPM with Active Directory For Dummies

Wegz

Hi,

Our org has been working with EPM using Windows Authentication since
January. We are about to move our access across to AD within the next
few months, with the pilot already underway.

Now I have read up on using Active Directory with EPM and I think I
understand that I need to set up groups with access to specific groups
within AD, and when they sync, new members from AD are created in PWA
with team member rights.

Can I play out a scenario and see if I am on the right track?

We have User X, Y and Z. All are assigned to a Team Members Group and
a Project Managers Group in PWA.

Before the move to Active Directory, Users X, Y and Z would log in to
their computer on Domain 1. They could then use EPM and PWA normally.
Now, User X and Y have moved over to Active Directory, and now have to
log in using Domain 2. They no longer have access to PWA.

I believe to allow them to get access I need to do the following. In
the Domain 2, set up two new groups called AD_Team Members and
AD_Project Managers, and have them assigned to these groups. Then, I
need to set up two new groups in PWA, called AD_Team Members and
AD_Project Managers and get each to sync to their respective group in
Domain 2. This will then add Users X and Y to the correct groups in PWA
and give them access again to PWA and EPM.

Also under Admin Server Configuration I need to put the Active
Directory Group to Synchronize with Domain 2??

Am I on the right track or am I completely off the mark?

Thanks for any help I can get.

Matt
 
Rolly Perreaux

Hi Matt,

Based on your scenario you can do it the way that you have described and
it will work. But now you will have two user accounts for User X, one as
a Project Server Authenticated user and one as a Windows Authenticated
user. Plus you will also have two Project Server groups, one called
AD_Project Managers group and the default Project Managers group.

Instead, change the authentication method for your current PWA Users
from Project Server authentication to Windows Authentication using
Domain2\<UserName>.

To Change the User Authentication method
1. Log in to PWA as Administrator and click Admin --> Manage Users and
Groups.
2. Select the User name and click Modify User.
3. In the Modify User page, select Windows Authentication.
4. Cut the current user name in the Windows User Account and paste in
the User Name. (In this case think of the User Name as the Display
Name).
5. Add the user's Windows User Account as Domain2\<UserLoginName> in the
Windows User Account box.
6. Add the user's current Email Address in the E-Mail box.
7. Click Save Changes
8. Repeat Steps 3-7 for the other users.

The nice thing about doing it this way is that you still retain your
Group Settings instead of having to create new groups, adding the
permissions and adding the group to the categories.

Oh and another thing...
You can still do AD Synchronization with the default Project Server
groups if you wish. It's just a matter of adding the Active Directory
Group (Domain2\<GroupName>) to the Project Managers Group setting and
then in the Groups page expand the "Active Directory: Set the options
for AD synchronization" setting and click "Update Now".

Good Luck!
Let us know if this solution works for you.

Cheers,

--
Rolly Perreaux, PMP, MCSE
Project Server Trainer/Consultant

TriMagna Corporation
Microsoft Gold Partner
http://www.trimagna.com
 
Wegz

Hey Rolly,

Thanks for your detailed response. Unfortunately, I still am having no
luck.

It's really racking my brain. From what I understand to sync with AD
is a two step process. Firstly you have an Active Directory Group which
consists of everyone who needs access to EPM. This group is
synchronised with the Resource Pool via the server Configuration Page
in PWA. This is meant to "pull in" everyone into the resource pool.

The second step, I believe, is you create multiple groups in AD, such
as Project Managers, Executives etc. You have each of those groups in
EPM also, with the correct security settings to view/edit EPM data. Now
each one of these groups is synced to its corresponding AD group. When
they sync up, it puts each member into the correct group within EPM.

Is this correct so far?

Now the problem I have is when I try Step One. I have a group in the
Active Directory List Called Team Members (this holds each person who
is part of EPM). I put into the field Active Directory Group to
Synchronise "INTERNAL\Team Members" and select to update now (I am
logged on the box with Proj Server and I have read rights to AD). I get
either the following messages:

Sometimes
The Active Directory group is currently being synchronized with the
Enterprise Resource Pool. -> it just sits there and nothing ever
happens (is this meant to take a long time or show some sort of
progress?)
OR
The Active Directory group failed to synchronize with the Enterprise
Resource Pool on 23/08/2006 at 2:49 PM.

When I map to each group and try to sync, I just get that it has
failed.

Now if you have any suggestions on what I could investigate that would
be great. Otherwise, thank you for the help you provided me already.

Matt
 
Rolly Perreaux

Hi Matt,

I know that AD Synchronization can be a little confusing.

But we need you to give us the big picture of your network.

I specifically want to know the following:
- Active Directory structure (Forest-->Domain)
- Are Domain1 and Domain2 in the same forest or 2 different forests?
- How is your Project Server deployed in the domain(s)?

Just remember that Synchronizing in Project Server is really two
separate processes. One process is for sync'ing with the Enterprise
Resource Pool, the other process is for sync'ing Project Server Users
and Groups.

Also remember when sync'ing with the Enterprise Resource Pool it will
create the enterprise resource and also create the Project Server User
Account for that resource.

Any additional insight would be appreciated
Many thanks in advance

--
Rolly Perreaux, PMP, MCSE
Project Server Trainer/Consultant

TriMagna Corporation
Microsoft Gold Partner
http://www.trimagna.com
 
dthibodeaux

Hi Rolly,

I am finding the same issue happening.

Have you resolved this issue yet?
My answers for this would probably be

My Active directory sits in (xxxxx-2 ---> pdc1)
My Project Server sits in (xxxxx-2 ---> project)
They are in the same forest but different servers
It is deployed as a single server not a farm.

Can you help?

Debbie
 
