Link existing resource to Active Directory

  • Question

  • I am working with an existing implementation of Project Server 2010 where Active Directory is used to synchronize resources.  When initially implementing this environment, it was decided that most people in the department would be created as resources, however, they would not be given the "logon to Project Server" permission (they were created manually).  There have been some cases where these existing resources have later needed to have access to the server, so they are added to the necessary AD group, and synchronized into Project Server.  Due to the existing account already being in the resource pool, it creates a 2nd resource with the same name but the windows user account tagged to the end (example, Jane Doe [DOMAIN\jdoe]). 

    Is there any way to update the existing resource information so that Project Server knows to link that resource with the new resource in Active Directory?  We have tried manually selecting "logon to Project Server" and entering the windows user ID, but it has the same behavior (adds a second resource to the enterprise resource pool). 

    I understand that you can prevent Active Directory from synchronizing that account, but we are hoping there is a better solution that doesn't disable the inherent functionality of AD sync.

    Thank you and let me know if you need additional information.

    Tuesday, December 17, 2013 9:44 PM

Answers

  • I believe I have found a resolution to this (tested a couple times and it worked).  If you update only the resource name to match AD, it will create a duplicate resource (with DOMAIN...) at the end.  However, if you update the resource to have the same name, email address, and Windows User ID, then Active Directory will link the account when synchronizing and will not create a duplicate resource. 

    • Marked as answer by Mshea Wednesday, December 18, 2013 4:32 PM
    Wednesday, December 18, 2013 4:32 PM
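To make the accepted answer's rule concrete, here is an added pre-sync audit script. It is not Project Server code and does not use the PSI; it is a hypothetical model of the matching behaviour reported in this thread (an AD user links to an existing resource only when display name, email address and Windows User ID all match; a name-only match yields a second "Name (DOMAIN\user)" resource). It assumes you have already exported the Enterprise Resource Pool and the mapped AD group members into simple lists; the sample data below is constructed, not taken from any real environment.

```python
"""Pre-sync audit for Project Server resource pool AD synchronization.

Hypothetical model (not Project Server's own code) of the matching rule reported
in this thread: an AD user links to an existing resource only when display name,
email address and Windows User ID all match; a name-only match produces a second
resource named "Name (DOMAIN\\user)".
"""
from dataclasses import dataclass, replace
from typing import Dict, List


@dataclass(frozen=True)
class Resource:
    """An Enterprise Resource Pool entry as exported from PWA (constructed)."""
    name: str
    email: str = ""
    windows_account: str = ""


@dataclass(frozen=True)
class AdUser:
    """A member of the AD group mapped to the resource pool (constructed)."""
    display_name: str
    email: str
    account: str  # DOMAIN\user form, as PWA displays it


def _norm(value: str) -> str:
    # Collapse whitespace and ignore case so "Jane  Doe" and "jane doe" compare equal.
    return " ".join(value.split()).casefold()


def predict_sync(existing: List[Resource], ad_users: List[AdUser]) -> Dict[str, List[str]]:
    """Predict, per AD user, what a resource pool sync would do.

    linked:     name, email and Windows User ID all match an existing resource
    duplicated: only the name matches, so a second "Name (DOMAIN\\user)" appears
    created:    no existing resource with that name
    """
    by_name: Dict[str, List[Resource]] = {}
    for r in existing:
        by_name.setdefault(_norm(r.name), []).append(r)

    outcome: Dict[str, List[str]] = {"linked": [], "duplicated": [], "created": []}
    for user in ad_users:
        candidates = by_name.get(_norm(user.display_name), [])
        if not candidates:
            outcome["created"].append(user.display_name)
            continue
        full_match = any(
            _norm(r.email) == _norm(user.email)
            and _norm(r.windows_account) == _norm(user.account)
            for r in candidates
        )
        if full_match:
            outcome["linked"].append(user.display_name)
        else:
            outcome["duplicated"].append(f"{user.display_name} ({user.account})")
    return outcome


def prepare_for_link(resource: Resource, user: AdUser) -> Resource:
    """Apply the thread's fix: set name, email and Windows User ID to the AD values
    before the next sync so the existing resource is linked instead of duplicated."""
    return replace(resource, name=user.display_name, email=user.email,
                   windows_account=user.account)


# Constructed sample data, not from any real environment.
EXISTING = [
    Resource("Jane Doe"),  # manually created resource, no logon, no account
    Resource("Bob Lee", "bob.lee@example.com", "DOMAIN\\blee"),
]
AD_GROUP = [
    AdUser("Jane Doe", "jane.doe@example.com", "DOMAIN\\jdoe"),
    AdUser("Bob Lee", "bob.lee@example.com", "DOMAIN\\blee"),
    AdUser("New Hire", "new.hire@example.com", "DOMAIN\\nhire"),
]


def demo():
    """Run the audit before and after fixing Jane Doe's resource record."""
    before = predict_sync(EXISTING, AD_GROUP)
    fixed = [prepare_for_link(EXISTING[0], AD_GROUP[0])] + EXISTING[1:]
    after = predict_sync(fixed, AD_GROUP)
    return before, after


if __name__ == "__main__":
    b, a = demo()
    print("before fix:", b)
    print("after fix: ", a)
```

Running the audit before each sync lists the resources that would be duplicated, so the administrator can fill in the email and Windows User ID on those records first rather than cleaning up duplicates afterwards.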

All replies

  • Hi, 

    Your approach is not right, sorry to say that :(

    You sync Active Directory for the resource pool. Once you do this you will have all the resources available in the enterprise resource pool. They will not have access to Project Server. Once you decide to give access to a specific resource then you can opt for either of these ways:

    1. You can manually add the Windows account and permission type to the resource, but this is a heavy job to do.

    2. You ask your Active Directory team to create groups with the same names that you have in Project Server, e.g. project manager, team member, resource manager.

    Then go to Server Settings, map the Project Server group with the AD group, then sync it.

    Here the catch is that Project Server works in a first in, first out queue; it means it will create the user from AD with the same name, then for one resource it will add the user login account and for the other one it treats it as a duplicate.

    I would suggest not creating resources or users manually if using AD sync, or use the manual approach but then stop sync.

    To avoid this issue you can remove users who are already present from the AD groups, so that when your AD group syncs with Project Server groups it will not affect those users who are already present in Project Server as users (manually created).


    kirtesh


    • Edited by Kirteshtiw Wednesday, December 18, 2013 5:21 AM
    Wednesday, December 18, 2013 5:19 AM
  • Hello Kirtesh,

    If I remember correctly, when you add a new user to Active Directory and they are synchronized into Project Server, the following is set by default:

    • The "logon to Project Server" button is checked
    • The Windows User Account is populated
    • The email address is populated
    • The user is added to the out of box Team Members security group

    If this is the case, the Administrator would need to manually enter each user's account to uncheck the "logon to Project Server" button after the resource is synchronized into Project Server. Because there are many resources who should be available for project assignments, but not many who need to login to Project Server, this could be an issue.

    Wednesday, December 18, 2013 5:41 AM
  • After thinking about this a bit more, I think the better approach may be to synchronize all resources to the resource pool via Active Directory, but then have the Administrator manually uncheck "logon to Project Server" and check the "prevent Active Directory synchronization" for any resource who will not access the system. Do you agree? I guess the only anomaly to this would be when a user is needed in the resource pool but does not have an Active Directory account (maybe a partner or contractor). If they are later added to AD (they become an employee), you would run into this issue again, right?
    Wednesday, December 18, 2013 6:10 AM
  • Which group have you mapped with the resource pool sync?

    When you sync the resource pool with AD, in that case only the resource will be added to Project Server. I mean to say:

    • The "logon to Project Server" button is unchecked
    • The Windows User Account is not populated
    • The user is not added to the out of box Team Members security group

    http://technet.microsoft.com/en-us/library/gg982985(v=office.14).aspx

    http://technet.microsoft.com/en-us/library/gg750243(v=office.14).aspx

    These links will give you a better idea.

    For giving user permissions, you map Project Server groups with AD groups; this will give you proper access.

    For resources you use resource pool sync.

    No Project Server user accounts will be automatically created for resources that are added to the Enterprise Resource Pool through Active Directory synchronization.

    If you go with the 2nd approach you will not face any problems in future.

    Once you do the resource pool sync it will create resources without user login.

    Then you can map the Project Server permission group with the AD group; it will add user accounts to the users who are present in AD.
    For this you have to create different groups in AD as per the Project Server groups and add users as per your need to the AD groups. Be careful: do not map a Project Server group with the group which you are using for the resource pool mapping sync.

    kirtesh

    • Proposed as answer by Kirteshtiw Wednesday, December 18, 2013 8:03 AM
    Wednesday, December 18, 2013 6:29 AM
  • Hi Kirtesh,

    I don't believe this is correct.  Please see the scenario below from the link you sent above:

    • Scenario: The user exists in Active Directory and is a member of the Active Directory group that is mapped to the Enterprise Resource Pool. The user does not exist in Project Server.
    • Action: A new corresponding Project Server user and enterprise resource is created in Project Server and added to the Team Members Project Server security group.

    This says that it creates both an "enterprise resource" AND a "Project Server user" in Project Server.  I have a dev environment, so I ran a test this morning as well and it worked as I had previously mentioned.  First, I deleted an existing resource that was synched from AD.  When running the synchronization, it created a new resource for the user, checked the "resource can logon to Project Server", added the Windows User ID and email, and added the user to the default Team Members security group. 

    The 2nd test I ran was to manually edit the resource to uncheck the "logon to Project Server" and saved. When I re-ran the synchronization, it updated the account and re-checked that property.  So, I am now back to where I started.

    Any thoughts?  Has anyone run into a situation where a resource (non user, cannot login to Project Server) needed to be updated to synchronize with Active Directory? 

    Wednesday, December 18, 2013 2:21 PM
  • As an update, I ran another test where I left the "logon to Project Server" checked and the Windows User ID and email in place, but removed the user from the default Team Member security group.  This removed the user from the count of "Number of Active Project Server Users" (so should not count for licensing, right?) and should prevent the user from logging in to PWA.  I re-ran the synchronization and found that the user is not re-added to the Team Member group.  Is this a potential solution?  Am I overlooking something?  Below would be the process:

    • When a new resource needs to be added to the resource pool, they should be added through Active Directory.
    • After the synchronization, the Administrator will need to update their resource account to remove them from the default Team Member security group (effectively removing all permissions from the user account).
    • If a user later needs to login to Project Server, they would need to be added to an Active Directory group that is mapped with a Project Server security group.  This would then add the logon and other necessary permissions.

    Please let me know if there are other solutions that others have found for this situation.  Thank you!

    Wednesday, December 18, 2013 2:53 PM
  • As per the link, if you see the first point:

    Condition:

    The user exists in Active Directory and is a member of the Active Directory group mapped to the Enterprise Resource Pool. The user does not exist in Project Server.

    Action:

    A Project Server User Account is not created based on this synchronization. The Active Directory user needs to be added to a Project Server security group to create a user account.

    This will give you the desired result:

    1. Yes, when a new resource needs to be added to the resource pool, they should be added through Active Directory. You just sync the resource pool and do not check "logon to Project Server". It will create only the resource, not the user.

    2. For your second point I would suggest you use group mapping for Project Server. In this, once you add the resource to an AD group, suppose project manager, and map it with the Project Server group and sync it, then automatically that resource will become a user and get project manager access.

    3. Yes, if a user later needs to login to Project Server, they would need to be added to an Active Directory group that is mapped with a Project Server security group.  This would then add the logon and other necessary permissions.


    kirtesh

    Wednesday, December 18, 2013 3:06 PM
  • Kirtesh,

    Thank you for working with me on this, but I don't think that we are on the same page.  Below is the current setup and result of AD synch in my Dev environment:

    Setup:

    • After navigating to PWA / Server Settings / Active Directory Resource Pool Synchronization, we have this setup to synch a "resource pool" AD group with the Enterprise Resource Pool.

    Result:

    • When a new user is added to this Active Directory group, it adds a new resource to the Enterprise Resource Pool.  By default, it also checks the "logon to Project Server" setting, adds the Windows User ID, adds the email address, and puts the user in the Team Members security group.

    How can I update this default setting to not have Project Server check the "logon to Project Server" when adding new resources?  There is not an option on this page to stop this from happening.

    Just as FYI, we also have AD groups mapped to Project Server security groups, but this is a 2nd step.  For the users that will not login to Project Server, they would not be included in one of these AD groups.

    Wednesday, December 18, 2013 3:24 PM
  • I think the main scenario/question is: You have an existing resource (maybe a partner or contractor, does not have a Windows User ID) who was added to projects/assignments but was not able to login to Project Server.  If this user later becomes an employee (is given a Windows User ID), can you update the existing resource to synchronize with Active Directory and his Windows User ID? 

    If not, do you need to synchronize this user through Active Directory (creating a new resource), map all of the work (including actuals) from the existing resource to the new resource, and then delete the old resource?

    Wednesday, December 18, 2013 3:30 PM
  • Oops, I keep on talking about 2013 but you have 2010, so sorry for that :(

    Yes, you are right for the 2010 environment. Once you sync the resource pool then the resource will have access to PWA and get access as a team member.

    Now once resources have team member access, your admin needs to either change it manually or he can sync AD groups with the Project Server permission groups.

    Once users have team member access they will be able to log in to PWA.


    kirtesh

    Wednesday, December 18, 2013 3:36 PM
  • Mshea,

    If a partner or contractor or any other resource later becomes an employee then they will have a Windows account. Yes, we can update that from AD sync, but if the display name is different then sync will create a duplicate user.

    E.g. when a user does not have a Windows account and you have created the resource display name as Jhon Smith (Jhon is the first name and Smith is the last name), but at a later point of time the resource display name in AD is Smith Jhon, then sync will create a new resource as per the new display name which it fetches from AD. But if the display name is the same for the AD and Project Server resource, then it will only update the properties as per AD, meaning email and Windows account.

    Once AD creates a duplicate then your admin needs to delete the old resource and keep the user in the pool.

    kirtesh

    Wednesday, December 18, 2013 3:46 PM
  • Thank you, Kirtesh.  So, here is what is happening:

    • I update the partner resource to have the exact user name that will be synched with Active Directory (example: SMITH; JHON).
    • When Active Directory synchronizes, it doesn't link to that account and creates a new resource named "SMITH; JHON (DOMAIN\JSMITH)"

    So, we end up with two Jhon Smiths ("SMITH; JHON" and "SMITH; JHON (DOMAIN\JSMITH)").  Is there a way to avoid this and have the AD synch link up to the existing partner account?

    Wednesday, December 18, 2013 4:08 PM
  • Yes,

    If in PWA the user has a different name from AD then yes, sync will create a new entry as a resource which will also act as a user. You cannot avoid it; the only thing you can do, once you come to know that a partner now has a Windows account and has become an employee, is to change the display name as per AD before the AD sync.

    But if in PWA the resource display name is the same as the AD display name then it will not create a duplicate entry but just update the properties.


    kirtesh

    Wednesday, December 18, 2013 4:14 PM