Project Server users and resources can be synchronized with the users of the Active Directory directory service across multiple domains and forests. This feature helps administrators with tedious tasks, such as manually adding large numbers of users, updating user metadata such as email addresses, and deactivating users who no longer require system access. Active Directory synchronization can be done manually or on an automated schedule. When Active Directory synchronization occurs, only the Project Server data is changed. Active Directory data is never altered — it is only queried.
Project Server user/resource properties updated during synchronization
When synchronization occurs, Project Server 2007 updates the following Project Server user/resource properties with specific Active Directory user metadata fields:
| Active Directory user property | Project Server user/resource property |
|---|---|
| ADGUID (UserObject.objectGUID) | Stored in the Project Server Published database (WRES_AD_GUID field in MSP_RESOURCES table). This property is not viewable in the Project Web Access user interface. |
| Windows User Account (domain\sAMAccountName) | Windows User Account |
| Display Name (UserObject.displayName) | Display name/Resource name |
| Email Address (UserObject.mail) | Email address |
| Department (UserObject.department) | Group (resource property only). Note: This does not refer to Project Server security groups. |
You can customize Active Directory synchronization to map to additional metadata fields by using server-side handlers. For more information about server-side handlers, see the MSDN article Writing and Debugging Event Handlers for Project Server 2007 (http://msdn2.microsoft.com/en-us/library/bb802729.aspx).
Best practices for Active Directory synchronization
The following are best practices that Microsoft recommends when managing Active Directory synchronization in Project Server 2007:
Create specific Active Directory groups that correspond to each Project Server security group and the Project Server enterprise resource pool. For example, give the new Active Directory groups names such as “Project Server — ERP”, “Project Server — Project Managers”, “Project Server — Executives”. Nest existing Active Directory groups inside these groups for better organization.
Always synchronize the enterprise resource pool first, and then synchronize Project Server security groups. This ensures enterprise resource properties are set up correctly.
Schedule the synchronization to take place once per week during off-peak hours.
Troubleshoot synchronization issues by examining the application event log on the farm’s application server.
Ensure that the account specified for the Project Server application Shared Services Provider has permission to read from all Active Directory domains and forests used in synchronization.
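A dry-run model of the one-way synchronization described on this page, added here as an example and not taken from Project Server or Microsoft code: it expands a nested Active Directory group, applies the property mapping from the table, and lists which Project Server users would be added, updated, or deactivated. The sample records, the dictionary field names, and matching users on the AD GUID are assumptions made for illustration.

```python
# Constructed sample data; matching on objectGUID is an assumption of this model.
AD_USERS = {
    "g-1": {"domain": "CONTOSO", "sAMAccountName": "akim", "displayName": "A. Kim",
            "mail": "akim@contoso.example", "department": "PMO"},
    "g-2": {"domain": "CONTOSO", "sAMAccountName": "bdiaz", "displayName": "B. Diaz",
            "mail": "bdiaz@contoso.example", "department": "Engineering"},
}
# Group members are user GUIDs or names of nested groups (note the cycle).
AD_GROUPS = {
    "Project Server - ERP": ["Engineering", "g-1"],
    "Engineering": ["g-2", "Project Server - ERP"],
}
# Current Project Server resources, keyed by the stored AD GUID.
PS_RESOURCES = {
    "g-1": {"account": "CONTOSO\\akim", "name": "A. Kim",
            "email": "a.kim@old.example", "group": "PMO", "active": True},
    "g-3": {"account": "CONTOSO\\cwu", "name": "C. Wu",
            "email": "cwu@contoso.example", "group": "Finance", "active": True},
}

def expand(group, groups, seen=None):
    """Return the user GUIDs in a group, following nested groups once each."""
    seen = set() if seen is None else seen
    if group in seen:          # already visited: breaks membership cycles
        return set()
    seen.add(group)
    users = set()
    for member in groups[group]:
        users |= expand(member, groups, seen) if member in groups else {member}
    return users

def to_ps(ad_user):
    """Apply the property mapping from the table to one AD user record."""
    return {"account": f"{ad_user['domain']}\\{ad_user['sAMAccountName']}",
            "name": ad_user["displayName"], "email": ad_user.get("mail"),
            "group": ad_user.get("department")}

def plan_sync(group, ad_users, ad_groups, ps_resources):
    """Compute the Project Server changes; the AD inputs are only read."""
    members = expand(group, ad_groups)
    gone = sorted(g for g, r in ps_resources.items() if r["active"] and g not in members)
    plan = {"add": [], "update": {}, "deactivate": gone}
    for guid in sorted(members):
        wanted, current = to_ps(ad_users[guid]), ps_resources.get(guid)
        if current is None:
            plan["add"].append(guid)
        elif diff := {k: v for k, v in wanted.items() if current.get(k) != v}:
            plan["update"][guid] = diff
    return plan
```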
Task requirements
The following are required to perform the procedures for this task:
Access to Project Server through Project Web Access with an account having the Manage Active Directory Settings and Manage users and groups global settings.
Read access (for the SSP service account for the Project Server instance) to all Active Directory groups and user accounts involved in the synchronization. You can verify this account in the SSP's properties on the Shared Services Administration page on the SharePoint Central Administration Web site.
To manage Active Directory synchronization in Project Server 2007, you can perform the following procedures. Active Directory synchronization can be configured for the Enterprise Resource Pool or for Project Server security groups. The two procedures are not dependent on each other.