Configure Active Directory synchronization with Project Server 2007 security groups

 

Topic Last Modified: 2008-09-08

Project Server 2007 security group synchronization controls Project Server security group membership by automatically adding and removing users from specified Project Server security groups based on group membership in the Active Directory directory service. Each Project Server security group can be mapped to a single Active Directory group. This Active Directory group can, however, contain nested groups whose members will also be synchronized.

The following actions can occur during a Project Server security group synchronization process:

  • A new Project Server user account can be created based on an Active Directory account.

  • An existing Project Server user can be removed from a Project Server security group.

  • An existing Project Server user can be added to a Project Server security group.

  • An existing Project Server user account's metadata (name, e-mail address, and so on) can be updated if it has changed in Active Directory.

  • A previously inactive Project Server user account can be reactivated.

Before you perform this procedure, confirm that:

  • You have read Manage Active Directory synchronization in Project Server 2007.

  • You have access to Project Server through Project Web Access using an account that has the Manage Active Directory Settings and the Manage users and groups global settings.

  • The Shared Services Provider (SSP) service account for the Project Server instance has Read access to all Active Directory groups and user accounts involved in the synchronization. You can verify this account in the SSP's properties on the Shared Services Administration page on the Central Administration site.

    Note
    For more information about the SSP service account, see Plan for administrative and service accounts (Project Server).

To configure security group synchronization

Use this procedure to configure security group synchronization with Active Directory in Project Server 2007.

The following table describes possible scenarios and corresponding actions that occur when security group synchronization takes place:

Scenario: The user exists in Active Directory and is a member of the Active Directory group mapped to the current Project Server security group. The user does not exist in Project Server.
Action: A new corresponding user account is created in Project Server and is granted membership to the current Project Server security group.

Scenario: The user is not a member of the Active Directory group mapped to the current Project Server security group. The user also exists in Project Server and is a member of the current Project Server security group.
Action: The existing Project Server user is removed as a member of the current Project Server security group.

Scenario: The user exists in Active Directory and is a member of the Active Directory group mapped to the current Project Server security group. The user also exists in Project Server, but is not a member of the current Project Server security group.
Action: The existing Project Server user is given membership to the current Project Server security group.

Scenario: The user exists in Active Directory and is a member of the Active Directory group mapped to the current Project Server security group. The user also exists in Project Server and is a member of the current Project Server security group. User information has been updated in Active Directory.
Action: The corresponding Project Server user information is updated (if applicable).

Scenario: The user exists in Active Directory and is a member of the Active Directory group mapped to the current Project Server security group. The user also exists in Project Server, but as an inactive account.
Action: If the Automatically reactivate currently inactive users if found in Active Directory during synchronization option is selected in Project Server, the account is reactivated and is added to the current Project Server security group. If the option is not selected, the account remains inactive in Project Server.
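The five scenarios above can be modeled as a dry-run planner that lists what a synchronization would change before you enable it, including nested-group expansion and the reactivation option. This is an added example, not Project Server code; the function names, action labels, data layout, and sample accounts are assumptions, and only the e-mail address is compared as metadata.

```python
# Added example: dry-run model of the scenario table. Names and sample data
# are constructed for illustration; this is not Project Server code.

def expand_members(group, ad_groups, seen=None):
    """Return every user in an AD group, following nested groups."""
    seen = set() if seen is None else seen
    if group in seen:                  # circular nesting guard
        return set()
    seen.add(group)
    users = set()
    for member in ad_groups.get(group, []):
        if member in ad_groups:        # member is itself a group
            users |= expand_members(member, ad_groups, seen)
        else:
            users.add(member)
    return users

def plan_sync(ad_group, ad_groups, ad_users, ps_users, ps_members, reactivate=False):
    """Return (account, action) pairs for one Project Server security group."""
    in_ad = expand_members(ad_group, ad_groups)
    plan = []
    for acct in sorted(in_ad | ps_members):
        ps = ps_users.get(acct)
        if acct not in in_ad:
            plan.append((acct, "remove-from-group"))     # scenario 2
        elif ps is None:
            plan.append((acct, "create-and-add"))        # scenario 1
        elif not ps["active"]:                           # scenario 5
            plan.append((acct, "reactivate-and-add" if reactivate else "stay-inactive"))
        elif acct not in ps_members:
            plan.append((acct, "add-to-group"))          # scenario 3
        elif ps["email"] != ad_users[acct]["email"]:
            plan.append((acct, "update-metadata"))       # scenario 4
    return plan

# Constructed sample directory; the two groups nest each other on purpose.
AD_GROUPS = {"PS-ProjectManagers": ["alice", "bob", "PS-PMO"],
             "PS-PMO": ["carol", "dave", "PS-ProjectManagers"]}
AD_USERS = {u: {"email": u + "@example.com"} for u in ("alice", "bob", "carol", "dave")}
PS_USERS = {"bob": {"active": True, "email": "bob@example.com"},
            "carol": {"active": True, "email": "carol.old@example.com"},
            "dave": {"active": False, "email": "dave@example.com"},
            "erin": {"active": True, "email": "erin@example.com"}}
PS_MEMBERS = {"carol", "erin"}

if __name__ == "__main__":
    for row in plan_sync("PS-ProjectManagers", AD_GROUPS, AD_USERS, PS_USERS, PS_MEMBERS):
        print(row)
```

Reviewing the "remove-from-group" and "reactivate-and-add" rows of such a plan shows which accounts lose or regain access once the mapping is saved.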

Configure security group synchronization

  1. On the Project Web Access Home page, click Server Settings.

  2. On the Server Settings page, in the Security section, click Manage Groups.

  3. On the Manage Groups page, in the Group Name column, click the name of the security group that you want to synchronize.

  4. On the Add or Edit page for the group you selected, in the Group Information section, for Active Directory Group to Synchronize, click Find Group.

  5. On the Find Group in Active Directory page, in the Group Name field, enter all or part of the name of the Active Directory group that you want to synchronize with your security group. Click the button next to the Group Name field to search the Active Directory forest based on your search criteria.

    To select a group from a remote forest, type the fully qualified domain name of the group (for example, group@corp.contoso.com). You can synchronize to a security or distribution group of any scope (Local, Global, or Universal).

    Note

    The Active Directory forest that is searched is displayed at the top of the Find Group in Active Directory page. The forest is defined by the fully qualified domain name of the account for the Shared Services Provider on which the Project Server instance is running.

  6. From the Group Name list, select the group with which you want to synchronize your Project Server security group. Click OK.

  7. On the Add or Edit Group page, you should see the Active Directory group you selected in the Group Information section next to Active Directory Group to Synchronize. Click Save.

  8. On the Manage Groups page, in the Group Name column, select the check box next to the security group that you just configured for synchronization. Then click Active Directory Sync Options.

  9. If you want synchronization to occur on a schedule, on the Synchronize Project Server Groups with Active Directory page, in the Scheduling section, select Schedule Synchronization. Alternatively, you can run the security group synchronization manually. If you prefer the manual option, skip the following step and continue to step 11.

  10. In the Frequency fields, define the frequency at which you want synchronization to occur between the Project Server security group and the Active Directory group. This can be scheduled over a defined period of days, weeks, or months. Select a start date and time.

  11. You can enable inactive user accounts to be reactivated if they are found in the Active Directory group during synchronization. To do so, in the Options section, select Automatically reactivate currently inactive users if found in Active Directory during synchronization. (For example, enabling this option would ensure that if an employee were rehired, the employee's user account would be reactivated.)

  12. Click Save to save the settings. Click Save and Synchronize Now if you want to synchronize your Project Server security group immediately. If you choose not to schedule the synchronization, you can rerun it manually when needed by returning to this page and clicking Save and Synchronize Now.

  13. You can check the status of the security group synchronization by returning to the Synchronize Project Server Groups with Active Directory page for the specific security group and reviewing the information in the Status section. It will contain information such as when the last successful synchronization occurred.