Project Server user automatically gets removed from the 'Advanced permission(PWA Site)' page and gets 'access denied' error

  • Question

  • Hi,

    I am working on Project Server 2007.

    I am facing an issue with one particular user only: he gets an 'access denied' error from time to time (mostly every Friday, when he tries to log in). When we check the user's profile under the 'Manage User' section, his Project Server account status shows that this user is 'Active'.

    When we check whether his ID is available on the 'Advanced Permission' page of the PWA site (PWA -> Site Action -> Site Setting -> Advance Permission), we find that the user is not displayed on that page, while other users are displayed perfectly. His account automatically gets removed from the site. If we add this user to the PWA site again (PWA -> Site Action -> Site Setting -> Advance Permission -> New -> Add User), then everything works fine for him and he is able to log in.

    That’s why we have to re-add his profile to the Advanced Permission page of the PWA site again and again every week.

    Does anybody have an idea why we are getting this issue, and is there any way to fix it permanently?

    Thanks,

    Saurabh Chauhan           

     

    Friday, November 25, 2011 10:54 AM

Answers

  • Hi All,

    I found the reason behind this issue as well as the solution.

    Reason :

    We researched this issue and found that this user re-joined the company, and he is using the same user ID ‘Domain\user1’ as he was using before leaving the company. Active Directory maintains one Security Identifier (SID) for each user account. When we provide Project Server access to any user, Windows SharePoint Services stores user information based on both the user SID and the logon information.

    What happened is that when the user previously worked for the organization, he was also a Project Server user, so Windows SharePoint Services was holding the user SID and logon information for his account (Domain\user1). After that he left the organization, which is why his AD account was deleted, but the SID and logon information were still present in the Project Server content database.

    Then the user re-joined the organization, and his user ID was created with the same name he was using before leaving the organization (Domain\user1). But this time AD will create a new SID for this user account. Then Project Server access is provided to that user again. When we add this user to Project Server, Windows SharePoint Services will be holding two records, or two different SIDs, for the same user ID “Domain\user1”. Then a Windows SID conflict occurs and the user gets the access denied error.

    Solution :

    We need to run the stsadm command below to migrate the user account from the old account name to the new account name:

    stsadm -o migrateuser -oldlogin DOMAIN\user -newlogin DOMAIN\user [-ignoresidhistory]

    Please follow the Microsoft link below for a detailed explanation of this stsadm command.

    http://support.microsoft.com/kb/896593

     

    Thanks,

    Saurabh Chauhan

     

    Friday, December 9, 2011 2:28 PM
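
Added example (not part of the original answer, and not Microsoft's own code): a PowerShell check for the SID mismatch described above, comparing the SID the site collection stores for a login with the SID Active Directory currently resolves for it. The site URL and login are placeholders, and the script assumes it is run on the SharePoint server, with PowerShell 2.0 or later, by an account that can open the site collection.

```powershell
# Added example: report where the SID stored by SharePoint for a login differs
# from the SID Active Directory currently resolves for that login.
param(
    [string]$SiteUrl = "http://server/pwa",   # placeholder PWA URL (assumption)
    [string]$Login   = "DOMAIN\user1"         # placeholder login, as in the post
)

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

# Resolve the login against AD; returns $null if the name cannot be resolved.
function Get-CurrentSid([string]$Account) {
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Account)
        return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $null
    }
}

$site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
try {
    $adSid = Get-CurrentSid $Login
    # SiteUsers lists the users known to the site collection; SPUser.Sid is the
    # SID SharePoint recorded when the account was added.
    $site.RootWeb.SiteUsers |
        Where-Object { $_.LoginName -eq $Login } |
        ForEach-Object {
            New-Object PSObject -Property @{
                LoginName     = $_.LoginName
                SharePointSid = $_.Sid
                DirectorySid  = $adSid
                Match         = ($_.Sid -eq $adSid)
            }
        }
} finally {
    $site.Dispose()
}
```

A row with Match = False means the site still holds a SID that no longer belongs to the current AD account, which is the condition the answer describes for a deleted and re-created login.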

All replies

  • Hi there,

    Next time this happens, rather than adding the user on the advanced permissions page, just open the user in PWA > Server Settings > Manage Users, then click Save. This will create a user synchronisation job and add the user back to the PWA site using the correct process. After the job has completed successfully in the PWA queue, ask the user to retest. Then monitor to see if this issue re-occurs.

    Thanks

    Paul


    Paul Mather | Twitter | http://pwmather.wordpress.com
    Friday, November 25, 2011 12:22 PM
    Moderator
  • Hello Saurabh,

    In PWA, permissions are controlled by PWA. When you add a user from the Site Actions site option, you are adding the user using a SharePoint action.

    During the user sync process, PWA removes a user added manually via Site Actions if the user has a different set of permissions in PWA.

    The right approach to add a user in PWA is via PWA>>Server Settings>>Manage user.

    http://technet.microsoft.com/en-us/library/cc197354(office.12).aspx

    Thanks,

    Hrishi Deshpande

    DeltaBahn LLC

     

    Tuesday, November 29, 2011 7:05 PM
    Moderator
  • Hi Paul/ Hrishi,

    The same problem appeared again. The user got the "access denied" error again. Then I checked two things:

    (1) Is the user Active or not? (via PWA>>Server Settings>>Manage user)

    I found the user is already active.

    (2) Is the user being displayed on the Advance Permission page or not? (via PWA -> Site Action -> Site Setting -> Advance Permission)

    I found the user is not being displayed.

    Then I re-saved the user's profile via PWA > Server Settings > Manage Users > user profile > save. I also checked the 'Advanced Permission' page and found the user is being displayed on that page now.

    But the problem remained the same and the user was still not able to log on to the PWA site.

    Note: if I removed this user from the 'Advanced Permission' page and re-added him, then he was able to log on to the PWA site successfully. This is why I need to remove/re-add the user's profile whenever he gets the 'Access Denied' error. It is just a temporary solution.

    I am not able to understand why only this user is facing this problem, even though I have re-saved his profile in Project Server.

    Do you have any other idea?

     

    Thanks,

    Saurabh Chauhan 

     



    Wednesday, November 30, 2011 11:01 AM
  • Hello Saurabh,

    Thanks for the update.

    Could you please try the following steps when the user is getting access denied?

    a. Remove the user from advanced permission

    b. Re-save user profile via PWA manage user page

    c. Verify whether user is listed in "Advanced permissions" or not.

     

    As per the information provided, it looks like there is some scheduled job which is removing the user from PWA, most likely the group AD sync job.

    Check the user's group membership in PWA, then check whether the group is set to automatic AD sync or not. If yes, then validate whether the user account is part of the AD group being synchronized.

     

    Thanks,

    Hrishi Deshpande

     

    Wednesday, November 30, 2011 8:21 PM
    Moderator
  • Hi Hrishi,

    Thanks for your reply. I tried the below steps you suggested:

    (a) First of all, I didn't need to remove the user from the advance permission page, because the user is automatically getting removed from the 'advance permissions' page by itself from time to time.

    (b) When the user got removed from the advance permission page and started receiving the access denied error, I re-saved the user's profile via the PWA manage user page.

    (c) Then I verified that the user is listed in 'advanced permission' now. But the user was still not able to log on to PWA.

    (d) Then I removed this user from the 'Advanced Permission' page and re-added him via PWA site -> Site Action -> Site Setting -> Advance Permission -> New -> Add -> Add Users (not via the Manage User page). Then he was able to log on to the PWA site successfully. This is why I need to remove/re-add the user's profile whenever he gets the 'Access Denied' error.

    Note: for your information, automatic Group AD Sync is disabled.

    I am not able to understand why only this particular user is facing this issue. Other users from the same Project Server security group are able to log on to the PWA site successfully.

    Thanks,

    Saurabh Chauhan

     

    Thursday, December 1, 2011 11:08 AM
  • Hi All,

    I am experiencing the same issue except that the user is a new user.  I open the user in Manage Users page and save it.  I see the job queued and ran.  However, his need did not appear in the PWA's Advance Permission list.  Any suggestions?

    Thursday, February 2, 2012 5:18 AM