Microsoft Project Support blog, author Brian Smith

Project Server: A few AD Sync Gotchas



Thanks to Jon and Mark on our team for this article on ADSync.

Some questions about Project Server and Active Directory Sync keep coming up, and there are specific scenarios to watch for that aren't documented. One of the biggest is something we've come to call an AD GUID mismatch: a user being synchronized has exactly the same email address, SAM account name and display name as a user already in the Project Server database, but the AD GUIDs (the GUID of the AD object, which Project Server records for each synchronized resource) don't match. We've seen this from time to time with different customers and have released a hotfix to help in this situation. Prior to the February 2010 Project Server Cumulative Update, if this condition was encountered the sync job would never finish. Now, when it is detected, the user is skipped and the rest of the group is synchronized.

A little more detail. First, how do users get into this state? A user is deleted from Active Directory and then recreated with exactly the same display name, SAM account name and email address. The new object has a new GUID (and a new SID) even though every name attribute is identical. Sometimes we see this when an account was recreated for a user during troubleshooting; occasionally we see it when users leave a company and come back to work later. So why don't we just synchronize such users automatically? There is a possibility, however remote, that a user worked on sensitive projects and then left the company, and that a later new hire was given the same display name, email address and SAM account. If that new account were matched to the existing Project Server resource, the new hire would inherit access to all the sensitive projects the previous user had. We'd prefer to err on the side of security rather than have access inadvertently granted, so the GUID, not the name, is what identifies the user.

We have a few recommendations to avoid this situation. First, whenever possible, don't delete users from AD if you use the AD Sync features of Project Server. Instead, disable or archive the accounts using whatever mechanism your AD version provides; a disabled account keeps its GUID, so a returning user can simply be re-enabled and will match the existing resource. Secondly, don't reuse account names and email addresses for new individuals.
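To make these recommendations concrete, here is an added PowerShell example (mine, not code from the original post or from any Microsoft tool). It audits the AD group you synchronize for the GUID-mismatch condition and for reused display names or e-mail addresses, and shows the disable-and-archive offboarding in place of deletion. It assumes the ActiveDirectory module is installed, that the PMO has exported Project Server's resource list to a CSV with NTAccount and ADGuid columns (an assumed format; produce it from whatever your version exposes), and that the group and OU names are placeholders.

```powershell
# Added example, not code from the original post or from Microsoft.
# Audits an AD group mapped to a Project Server group for the two conditions
# the post describes (a recreated account whose objectGUID no longer matches
# what Project Server recorded, and reused display names or e-mail addresses)
# and shows the recommended offboarding: disable and archive, don't delete.
#
# Assumptions (mine, not the post's): the ActiveDirectory module is installed,
# the PMO has exported Project Server's resource list to a CSV with the columns
# NTAccount (DOMAIN\sam) and ADGuid (the AD GUID Project Server holds for the
# resource), and the group/OU names below are placeholders.
Import-Module ActiveDirectory

function Get-AdSyncConflicts {
    param(
        [Parameter(Mandatory)] [string] $GroupName,       # AD group used for sync
        [Parameter(Mandatory)] [string] $ResourceCsvPath  # assumed Project Server export
    )

    # What Project Server already knows, keyed by NT account (case-insensitive).
    $known = @{}
    foreach ($row in Import-Csv -Path $ResourceCsvPath) {
        $known[$row.NTAccount.ToLowerInvariant()] = [guid]$row.ADGuid
    }

    $netbios = (Get-ADDomain).NetBIOSName
    $members = Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties mail, DisplayName }

    $findings = @()
    foreach ($u in $members) {
        $nt = ('{0}\{1}' -f $netbios, $u.SamAccountName).ToLowerInvariant()
        # The gotcha itself: same account name, different GUID. Since the
        # February 2010 CU the sync skips this user instead of never finishing.
        if ($known.ContainsKey($nt) -and $known[$nt] -ne $u.ObjectGUID) {
            $findings += [pscustomobject]@{
                Account = $nt
                Issue   = 'AD GUID mismatch: account was recreated; sync will skip it'
                ADGuid  = $u.ObjectGUID
                PSGuid  = $known[$nt]
            }
        }
    }

    # Reused identities inside the group: two distinct objects sharing a display
    # name or e-mail address, which the post advises against.
    foreach ($prop in 'DisplayName', 'mail') {
        $dupes = $members | Where-Object { $_.$prop } |
            Group-Object -Property $prop | Where-Object { $_.Count -gt 1 }
        foreach ($g in $dupes) {
            $findings += [pscustomobject]@{
                Account = ($g.Group.SamAccountName -join ', ')
                Issue   = "Duplicate $prop '$($g.Name)' in sync group"
                ADGuid  = $null
                PSGuid  = $null
            }
        }
    }
    return $findings
}

function Disable-ProjectServerUser {
    # Recommended path from the post: keep the AD object (and therefore its
    # GUID) so a returning user who is re-enabled later still matches the
    # existing Project Server resource.
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $ArchiveOu = 'OU=Archived Users,DC=contoso,DC=com'   # placeholder OU
    )
    $user = Get-ADUser -Identity $SamAccountName
    Disable-ADAccount -Identity $user
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $ArchiveOu
    # Do NOT do this for synchronized users: Remove-ADUser -Identity $SamAccountName
}

# Usage (placeholder names):
# Get-AdSyncConflicts -GroupName 'ProjectServerUsers' -ResourceCsvPath 'C:\Temp\ps-resources.csv' | Format-Table -AutoSize
# Disable-ProjectServerUser -SamAccountName 'jdoe'
```

Run the audit before each scheduled sync, or after any AD cleanup, so a GUID mismatch is found by you rather than by a skipped user in the queue log; the duplicate checks are a supplementary review I added, not a condition the post says causes the skip.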

We do have some other assistance to offer if you are already in this situation, but it's best to open a support incident so we can guide you through the options.

This issue steps off the beaten path a little from our normal Project Server planning and administration topics: it's best for the PMO to get the company's or organization's AD admins involved and make sure their account lifecycle practices are compatible with AD Sync.

Comments
  • I think this is what is happening to me and another user in our company.  I just happen to be the PM for the 2003 to 2007 migration.  Both of us were contractors at our company.  We had to leave after 2 years and then came back.  We got the same login IDs and email addresses and now our AD IDs won't sync with PS2007.  I have a case open with Microsoft.

    lantz

  • Is there a way to use PSI or other method in order to clear the AD_GUID for inactive resources (deleted from the AD) so when they return the sync to AD won't fail.

    Organization uses Project Server 2007

  • Is there a way to sync with an active directory without changing any of the resource parameters in my plan?

  • Hi Mariya, sorry for the slow response - I'm not sure what you mean by not changing the resource parameters.  Could you explain a little more?

    Best regards,

    Brian.

  • As I just ran into this and spent some time troubleshooting it, adding the ULS error for the search engines to direct to this blog: "A resource could not be updated during Project Server Active Directory Synchronization because a duplicate windows account name conflict occured that could not be resolved."

  • I got the error but I won't say it's caused by a new user or a re-activated user. When I check the error in the Windows event logs, I get users that have always been in my AD, never deactivated or deleted (maybe moved to a different OU). This is causing some of the job queues to partially fail. How can I clear this issue?

  • Hi,

    I am facing the same issue. I checked in AD and the users have no duplicate values, but I am getting the same error (duplicate account) in Event Viewer.

  • I just encountered this but found that there were two disabled accounts in the AD group I was synching.  I removed the two disabled accounts and the AD Synch is now completing successfully.

  • Hi Brian ... I know this is a relatively old post, but I would appreciate it if you could provide a comment on something... Is it still Microsoft's recommendation to avoid deleting users from AD if the AD Sync feature is used in Project Server?  Our AD team does delete users (rather than deactivating) and we have encountered issues when the deleted users are rehired and subsequently re-added back into AD (same SamAccountName, different SID) and then sync'd back up with Project Server.

    Our AD team is looking for best practices in this scenario.

    My workaround is to remove the old account from Project Server and let the sync bring the user in again, however I realize this will disassociate the assets the user may have had associated with them prior to being removed.  Is there a better way to deal with this?

    Thank you in advance. (If relevant, our environment is Project Server 2010, December 2013CU)
