Cascade Skyline - with Microsoft Logo and Project Support header - author Brian Smith

August, 2011

  • Brian Smith's Microsoft Project Support Blog

    Project Server 2010: How to best manage large numbers of resources

    • 4 Comments

    This posting follows on from the one yesterday concerning how Project Server makes use of SharePoint permissions and features – but concentrates on some potential issues you can run into if you have a very large user base and also have projects that have very large teams.  We are also authoring a TechNet article explaining this in more depth – I will add a link once it is published.  This isn’t going in to the usage of the RBS or the other internal feature – but concentrates more on the technical issues of large user populations.  If you fit in this category then read on…

    As mentioned in the previous post Project Server 2010 uses the normal SharePoint permissions infrastructure to set access control both to the Project Web App (PWA) site and also any Project sites that are created for the individual project plans held in Project Server.  At the PWA site level the users are added to certain groups depending on their permissions levels within Project Server, so you will generally see SharePoint groups for Project Managers, Readers, Team members, Web Administrators and finally Workflow and Project Detail Pages Administrators.  Each of these groups will show the individual PWA users as appropriate.  This is a change from 2007 where individuals were added to the PWA site with specific permission levels.  You may have seen issues in 2007 if you had large numbers of users as whenever changes were needed in the member permissions the users would be removed and then added back – so some users would get “Access Denied” until they were added back after a change.  We had some workarounds for this scenario involving turning off the user synchronization.  In 2010 we made a couple of changes to avoid this problem – firstly the change to using groups at the PWA site level, and secondly we now remove then add back each individual as opposed to removing everyone and then adding back everyone.  So getting an Access Denied in the same scenario in 2010 is very unlikely.

    At the Project site level however we do not use the group approach and manage the users on an individual basis.  In most scenarios this is not an issue as the number of resources assigned to a project, and hence added to a site, is generally low compared to the total number of users in the system.  However there could be some scenarios where customers wish to have many or all of their users accessing many or all of their project sites.  This could either be achieved by adding many users to a project – or by giving the “View Project Site” permission at the team member level in a category that included many or all projects.  Either way this would then add very many individual users with permissions to the project sites.  And why is this a problem?  If the numbers of users is large then it is possible for the recommended software boundaries and limits of SharePoint Server to be exceeded – and this can lead to performance issues.  Each user added individually to a site would be considered a security scope – and the recommended maximum number of unique security scopes per list is 1,000 (SharePoint Server 2010 capacity management – Software boundaries and limits - http://technet.microsoft.com/en-us/library/cc262787.aspx).  So each list and library in the site would be inheriting from the parent site permissions – and would exceed this limit if more than 1,000 user had access to the site (as they are individually added).

    In our experience the performance issues would then relate to any change in the site membership caused by changes in the categories or groups – or following such actions as adding a user or inactivating a user.  For example this last action of inactivating a user will actually remove that user from all sites they have access to – and the reason the limit is imposed is that when it is exceeded the process of removing a user can become very slow – particularly if this same user is also being removed from very many sites each of which is also way over the limit.  In extreme cases with multiple user inactivations it is possible that the server will become unresponsive and unable to authenticate users. I will include some of the error messages you might see, and the corresponding ULS entries at the end of this posting so that this aids finding this potential cause.

    If you are following along (and I’m sure some of my readers are way ahead of me…) you will realize there is a Catch-22 here.  Your server could become unresponsive whenever you need to manage users because you have too many users with permissions on the sites.  So remove some users… which will then make the server unresponsive...  How to escape from this loop?  There are some quick ways to get this resolved – but before rushing in to that it is better to review what it is you are really trying to achieve.  If the desire is that most people can access most projects then managing the permissions outside of Project Server using groups and inheritance from PWA is the way to go.  If however the fact that many users had access to many sites was really a mistake then you need to correct that issue – and either remove the “View Project Sites” from the offending category or reduce the number of resources assigned to the plans – but first of course you need to stop the synchronization of users to the sites otherwise any action may make your server very slow.  As mentioned in the previous post this can be achieved by us of the UserSyncSettings method – and just repeating that here to save you having to open that post up:

    The setting can be changed using the PSI and the Admin Web Service and the UserSyncSettings method. The enumeration of values that can be set are detailed at http://msdn.microsoft.com/en-us/library/websvcadmin.usersyncsettings_di_pj14mref.aspx, and the method described at http://msdn.microsoft.com/en-us/library/gg229480.aspx.

    Turning off the Project Site sync is achieved by the enumeration DisablePWS.

     

    Member name Description
    Enabled Value=1. Enable all synchronizations.
    DisablePWA Value=2. Disable synchronization with Project Web App.
    DisablePWS Value=4. Disable synchronization with project sites for the user.
    DisableEmailSync Value=8. Disable email synchronization.
    DisableAll Value=16. Disable all synchronizations.

    *** CORRECTION ***  Looks like this table may be in error both here and in the SDK.  Still awaiting confirmation but looks like the values should be 0,1,2,3 and 4 - rather than 1,2,4,8,16. *** 

    *** Confirmed - the values are 0 to 4, so unfortunately you can only set a single value and not do any either direct or enumerated multiple selections.  Also corrected the following example - where 4 would be disable all ***

    This relates to settings in the MSP_WEB_ADMIN table of the Published database in the WADMIN_USER_SYNC_SETTING column. So for example a query such as:

    Update [ProjectServer_Published].[dbo].[msp_web_admin] set [WADMIN_USER_SYNC_SETTING] =4

    would do the same as using the method to set the enumeration:

    int syncSettings = (int)SvcAdmin.UserSyncSettings.DisableAll;

    We’d certainly prefer you to not touch the DB correctly – but I’m guessing that many of you would find it much easier to execute a SQL query to update the value than to write the code necessary to do the same (I certainly would!).

    Once that is turned off then you can safely do user management without causing further performance problems – but of course it would still be possible to trigger the same issues if you tried removing the users directly from the project site, using the out of the box SharePoint functionality. One way to remove the users very quickly without triggering the individual deletion that causes the problem is to inherit permissions from the parent.  This can be done via the UI on the Site Actions, Site Permissions page of the individual sites:

    image

    This will lose any custom permissions.  If your end goal is to give most users access to most sites then this may be how you want to keep things long term – so before taking this action you would probably want to be sure that the PWA site has the right permissions for all the users who need access – as that will be where this site will start inheriting from once you click the button.  Obviously if you have thousands of sites (and you probably have if this is causing you problems) then PowerShell can automate the change for you.

    Run the following PowerShell command in the SharePoint 2010 Management Shell

    $site = Get-SPSite “<url of PWA>”

    Foreach ($web in $site.AllWebs) {

            $web.Update()

            $web.ResetRoleInheritance()

            $web.Update()

            }

    $site.Dispose()

    This (or the UI method) would also need to be run for any new sites created to avoid the problem coming back – but if you had ‘corrected’ your categories and team memberships then all would be ok going forward.

    If you do decide that leaving everything inheriting is right for most projects then you may also want to have certain projects that are more ‘secret’ and for these you will need to continue to manage the permissions and user on an individual level.  One thought I had was to set a property on these ‘special’ sites via PowerShell and then you could use this property to filter out in a modified version of the above PowerShell command and ensure you didn’t reset the role inheritance accidentally.  I should also point out that if you use the Synchronize option on the Project Sites page then this would re-break the inheritance – so should be avoided.

    As a guide we have seen the issue with a customer with around 3000 users where they are nearly all added to each of their 1500 sites.  And as promised, here are the error messages and ULS entries.  Different users may see different symptoms – but the user who initiates the issue, perhaps by inactivating a couple of resources, will see the ‘Save’ button on the page apparently stick on the ‘clicked’ position and eventually get a “An unexpected error has occurred.” message.  The correlation ID will be found in the ULS logs and will have several rows all relating to a SQL deadlock and the Critical level one will look like:

    08/10/2011 12:17:02.85    w3wp.exe (0x2178)    0x314C    SharePoint Foundation    Database    5586    Critical    Unknown SQL Exception 1205 occurred. Additional error information from SQL Server is included below.  Transaction (Process ID 80) was deadlocked on lock resources with another process and has been chosen as the deadlock victim. Rerun the transaction.    886d9cdd-5c0c-4f3a-8f89-f4e8c92acde3

    Another High level one that gives more information on the query causing the issue will be something like:

    08/10/2011 12:17:06.97    w3wp.exe (0x2178)    0x314C    SharePoint Foundation    Database    tzkv    High    SqlCommand: 'SET NOCOUNT ON; DECLARE @DN nvarchar(256),@LN nvarchar(128),@@DocUIVersion int,@@S uniqueidentifier,@@Level tinyint; DECLARE @ItemId int; DECLARE @@iRet int; DECLARE @ExtraItemSize int; SET @@Level = 1; SET @@S=@wssp0;  EXEC @@iRet = proc_SecRemoveUserFromSite @@S, @wssp1, @wssp2  SELECT @ItemId = @wssp3  IF @@iRet <> 0 BEGIN  GOTO DONE; END  ;BEGIN TRAN IF NOT EXISTS( SELECT tp_ID FROM UserData WHERE tp_ListId = '06C8C9BB-B10B-4042-8859-9F9985E73E76' AND tp_ID = @ItemId  AND tp_Level = 1 AND tp_RowOrdinal =0) BEGIN  SELECT @ExtraItemSize = 0  EXEC @@iRet = proc_AddListItem @SiteId….

    I have shortened it considerably – but the key piece is the proc_SecRemoveUserFromSite.  Finally the ‘Unexpected’ one:

    08/10/2011 12:17:06.97    w3wp.exe (0x2178)    0x314C    SharePoint Foundation    Runtime    tkau    Unexpected    System.Runtime.InteropServices.COMException: Exception from HRESULT: 0x80131904    at Microsoft.SharePoint.Library.SPRequestInternalClass.UpdateMembers(String bstrUrl, UInt32 dwObjectType, String bstrObjId, Guid& pguidScopeId, Int32 lGroupID, Int32 lGroupOwnerId, Object& pvarArrayAdd, Object& pvarArrayAddIds, Object& pvarArrayLoginsRemove, Object& pvarArrayIdsRemove, Boolean bRemoveFromCurrentScopeOnly, Boolean bSendEmail)     at Microsoft.SharePoint.Library.SPRequest.UpdateMembers(String bstrUrl, UInt32 dwObjectType, String bstrObjId, Guid& pguidScopeId, Int32 lGroupID, Int32 lGroupOwnerId, Object& pvarArrayAdd, Object& pvarArrayAddIds, Object& pvarArrayLoginsRemove, Object& pvarArrayIdsRemove, Boolean bRemoveFromCurrentScopeOnly, Boolean bSendEmail)    886d9cdd-5c0c-4f3a-8f89-f4e8c92acde3

    Once the sever is in the condition – which could last 15-30 minutes, then other users will get timeouts on their pages and the ULS logs may show the following:

    08/10/2011 12:20:22.30    w3wp.exe (0x1228)    0x1454    SharePoint Foundation    Monitoring    b4ly    High    Leaving Monitored Scope (ExecuteStoredProcedureDataReader -- MSP_AUTH_GETUSERBYNAME). Execution Time=120002.728838442    2be0491a-a64b-4237-8cfc-40342a374d49

    08/10/2011 12:20:22.30    w3wp.exe (0x1228)    0x1454    Project Server    General    8ym5    Monitorable    PWA:http://<server>/PWA, ServiceApp:Project Web App Service Application, User:, PSI: SqlException occurred in DAL:  <Error><Class>0</Class><LineNumber>0</LineNumber><Number>-2</Number><Procedure></Procedure>  <Message>  System.Data.SqlClient.SqlError: Timeout expired.  The timeout period elapsed prior to completion of the operation or the server is not responding.  </Message>  <CallStack>     at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)     at …

    I should also point out that use of the Project Site Provisioning Settings page option to not automatically synchronize users may avoid you getting in to this situation – but you still need some process to control access – and if most sites are unrestricted then the inheritance option from PWA may be worth a try.  Just as a reminder – the option on the Project Site Provisioning Settings page looks like this:

    image

    and un-checking will stop the automatic addition of Project Server users to sites (but will not remove ones who are already there).

    Hopefully the workarounds given will assist in avoiding these types of issues if you really need to have very large numbers of users accessing each of a large number of project sites. As promised – once we have a TechNet article out in the wild I will link to it.

  • Brian Smith's Microsoft Project Support Blog

    Project Server 2010: Timesheets - Where do Personal Tasks come from?

    • 3 Comments

    If you have the setting to allow personal tasks to be added to the timesheet then they of course could come from the user.  But what about the ones that haven’t been entered by the user and appear to have the same name as tasks that were in projects that they had already started work on?  We have had a few questions on this behavior so thought it worth a blog posting.

    So here is my timesheet – and I have 5 tasks in the “Project BriSmith TS Blog” project, and I’ve spent an hour on each – so I’ve entered the time and saved my timesheet. (Status is “In Progress”)

    image

    Later on I go back to my timesheet and things have changed!

    image

    So what happened?  The task names give you the clue, and the Project Manager (me) has followed through on his action for each of the tasks.  Basically if a task gets deleted while a timesheet is in progress then we do not delete the time that is already entered but instead the task gets changed to a Personal Task.  A couple of interesting things to note though – the task name is actually cached as part of the timesheet (in case it gets deleted!) so the spelling mistake was actually corrected in the plan for the “Correcttting the spellling” task – but the cached version is still shown.  This would be the case for any re-named task – as long as the resource was still assigned.  If I click through to the task I see the current name published from the plan – correcting the spelling:

     image

    The next thing to note is that if I delete and re-create a task then as far as project is concerned this is a new task (with a new unique GUID) so it shows up as a Personal Task (keeping the original entered time) and also as the new task.

    The 4th task is interesting – I unassigned myself from this task and then re-assigned – so this is actually a new assignment – but as far as the timesheet is concerned it still shows it related to the project.  Also if I had published after de-assigning I would have seen a Personal Task and then after re-assigning and publishing this personal task would be gone and the project task back again (along with the entered time).   This surprised me a little - so I had to take a look behind the scenes.  It appears that as long as you don’t assign this task to anyone else, then you will get the same GUID for the re-assignment – but if you re-assigned to someone else, and then added back the original resource then the GUID would change and the timesheet would show the same behavior as the deleted and re-created task – both a Personal Task with the already entered time and the ‘new’ project task.

    The 5th task just got deleted so no longer exists so my recorded time now shows against Personal Tasks.  And finally the untouched task is still there as expected.

    So if the Personal Task does really relate to a task that has been re-created in some way then the resource should copy the time entered across the the project task and delete the personal task (Remove Task in the ribbon).  If it has been removed for good then the personal task is a record of the time spent – and should remain (depending on your time recording processes).

    This is the behavior when the timesheet is “In Progress”. If it is approved then the Project name and Task name are persisted even if the task is deleted.

    Other actions can lead to this behavior – if the project is saved back to the server (save as) over the top of an existing plan then all tasks and assignments will be replaced by identical ones – and any tasks in progress will change to Personal Tasks in the timesheets.  Also before we fixed the bug with Save for Sharing in the June CU this would change the GUIDs too – and have the same effect.

    All the above behavior assumes that Single Entry Mode is turned off.  With Single Entry Mode turned on then the Personal Tasks do not appear – the tasks just go (along with the time entered into them) – and also any task name changes reflect immediately in the timesheet (it is a direct link to the task, rather than a placeholder in the timesheet).  The re-assignment to the same task, even though it maintains the same GUID does not keep the entered time.  Single Entry Mode keeps the My Tasks and Timesheet view in Sync and Personal Tasks are never seen on the My Tasks view.

  • Brian Smith's Microsoft Project Support Blog

    Microsoft Project 2010: Cumulative Update Version Blog Updated

    • 2 Comments

    Just for reference – I have added the April and June CU information, and some notes around SP1 versions, to the on-going blog post at http://blogs.msdn.com/b/brismith/archive/2010/09/23/how-to-tell-which-cumulative-update-hotfix-or-service-pack-version-of-project-server-2010-and-project-2010-you-are-running.aspx.

  • Brian Smith's Microsoft Project Support Blog

    Project Server 2010: Can I delay running the SharePoint Configuration Wizard?

    • 3 Comments

    In SharePoint 2010 when you upgrade to a new Cumulative Update or Service Pack this involves two main steps – first is loading the binaries, and the second is running the SharePoint Server 2010 configuration wizard (psconfig or psconfigui).  SharePoint supports delaying the running of the configuration wizard or even detaching content databases while running the wizard, so that these perhaps slow parts of the process can be managed in a more timely fashion.  If you look at a SharePoint farm that is in this condition you will see in Central Administration, Upgrade and Migration, Review database status, that it says against many of the databases (Content, Config, and Admin Content) – Database is in compatibility range and upgrade is recommended.  However, if you have Project Server installed then you will see against all of its databases (certainly for SP1/June CU) – Database is too old and upgrade is required.  Some other databases such as BDC or PPS ones may just say No action is required if there were no updates for schema in the particular release.  For some CUs you might see this for Project and the SharePoint content databases too.

    If you ignore this message and try and go to PWA then you will get an error message: Error, Project Web App cannot connect to Project Server. For more information, contact your system administrator. – along with a GUID for tracking the full error in the logs.

    image

    Looking in the logs you will find the following exception and unexpected level records – which are pretty self explanatory.

    08/23/2011 09:46:41.85    w3wp.exe (0x1724)    0x0FC0    Project Server    General    g7ls    Exception    System.ServiceModel.FaultException`1[Microsoft.Office.Project.Server.Interfaces.DefaultServerFault]: The databases are out of the range of compatibility, upgrade your databases. (Fault Detail is equal to Microsoft.Office.Project.Server.Interfaces.DefaultServerFault).    fe5f9380-1f54-4021-a6a2-5fe7d3e321e8

    08/23/2011 09:46:41.85    w3wp.exe (0x1724)    0x0FC0    SharePoint Foundation    Runtime    tkau    Unexpected    System.ServiceModel.FaultException`1[[Microsoft.Office.Project.Server.Interfaces.DefaultServerFault, Microsoft.Office.Project.Server.Communications, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c]]: The databases are out of the range of compatibility, upgrade your databases.   Server stack trace:      at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc) …

    So to answer the question in the title – No, you cannot delay the running of the configuration wizard if you are using Project Server if there are database updates required in the particular patch you have loaded.  Not every CU will require database changes – but rememeber these are cumulative, so the need for the database update will also depend at what level your server is when applying the patch. 

    *** Update based on feedback from one of my favorite customers - if you really cannot run the config wizard for a while then it will only be PWA that won't work.  The Project sites will still work (apart perhaps from issues/risks/deliverables lists) and of course all the other SharePoint features and Central Administration will be just fine. ***

  • Brian Smith's Microsoft Project Support Blog

    Project Server 2010: SharePoint Permissions in upgraded PWA instances

    • 1 Comments

    I was reviewing a case yesterday and just checking the behavior of SharePoint permissions in Project Web App after an upgrade from 2007 to 2010 – either in place or a 5 database  – thought this might be useful information to blog about. 

    In 2007 in the Project Web Access site the users would be added directly to the site with SharePoint permissions based on their roles.  These permission levels were identifiable by their names which would be like Project Managers (Microsoft Office Project Server).  In the Project workspaces these same permission levels would be used, and the users again added directly based on their roles within the project.  So this generally be a small subset of the overall user population – just those added as resources on the plan, and potentially others depending on the use of the View Project Workspace permission within categories. Here is the start of the list of permissions on the PWA site – Project workspaces will be similar although the permission levels may be different.

    image

    In 2010 in Project Web App we now use groups within the /PWA site and the users are added in to these groups rather than directly to the site.  The groups are named Project Managers Group (Microsoft Project Server), Team members group (Microsoft Project Server) etc.   Some individual user accounts will be present in PWA as shown below (blanked out) – these will be site collection administrators and other farm admins.

    image

    For the Project sites (formerly called workspaces) we still add the users directly, but we have new SharePoint permission levels which are named similarly to 2007, but we have dropped ‘Office’ from the product name – so they are now like Readers (Microsoft Project Server), Web Administrators (Microsoft Project Server).

    If you upgraded from 2007 to 2010, either in place or 5 DB then you will retain the old permission structure – but also get the new ones too.  So for example you would see all your users individually in the Project Web App permissions, as well as them belonging to the respective groups.  At the Project Site level you would see the users but with both Permission Levels applied – so they might have Web Administrators )Microsoft Office Project Server), Web Administrators (Microsoft Project Server).

    image

    All of this is the expected behavior and none of this will break anything, although I admit it may look unusual having the two sets of permission levels.  Also it does not leave any security issues as in 2010 if I remove someone from a Project plan then they get taken off the site with both sets of permission levels – and if I inactivate a user they are removed both at the individual level from PWA and also removed from the group that 2010 would have put them in – so all is good.  If you really wanted to then you could delete the permission levels with (Microsoft Office Project Server) in the names, and also remove the individual user permissions on PWA (apart from the site collection admins of course).  Worth checking that the groups contain the members you expect first just in case for some reason the sync hasn’t populated the groups yet.

Page 1 of 2 (9 items) 12