Manage security group synchronization with Active Directory in Project Server 2010


Applies to: Project Server 2010

Topic Last Modified: 2012-05-21

Summary: User security access in PWA can be managed automatically by associating a PWA security group with an Active Directory group.

This article describes security group synchronization scenarios, how to configure security group synchronization with Active Directory, and security group synchronization with users in a different domain.

Microsoft Project Server 2010 security group synchronization controls Project Server security group membership by automatically adding and removing users from specified Project Server security groups based on group membership in the Active Directory directory service. Each Project Server security group can be mapped to a single Active Directory group. However, this Active Directory group can contain nested groups whose members will also be synchronized.

The following actions can occur during a Project Server security group synchronization process:

  • A new Project Server user account can be created based on an Active Directory account.

  • An existing Project Server user can be removed from a Project Server security group.

  • An existing Project Server user can be added to a Project Server security group.

  • An existing Project Server user account's metadata (name, e-mail address, and so on) can be updated if it has changed in Active Directory.

  • A previously inactive Project Server user account can be reactivated.

Before you perform this procedure, confirm the following:

  • The account with which you are accessing Project Server through Project Web Access (PWA) has both the Manage Active Directory Settings and the Manage users and groups global permissions enabled.

  • The Service Application service account for the Project Server instance has Read access to all Active Directory groups and user accounts involved in the synchronization. You can verify this account on the Service Application page on the SharePoint Central Administration Web site.

Scenarios for security group synchronization in Project Server

The following are possible scenarios and corresponding actions that occur when security group synchronization takes place:

Scenario: The user exists in Active Directory and is a member of the Active Directory group mapped to the current Project Server security group. The user does not exist in Project Server.

Action: A new corresponding user account is created in Project Server and is granted membership to the current Project Server security group.

Scenario: The user is not a member of the Active Directory group mapped to the current Project Server security group. The user also exists in Project Server and is a member of the current Project Server security group.

Action: The existing Project Server user is removed as a member of the current Project Server security group.

Scenario: The user exists in Active Directory and is a member of the Active Directory group mapped to the current Project Server security group. The user also exists in Project Server, but is not a member of the current Project Server security group.

Action: The existing Project Server user is given membership to the current Project Server security group.

Scenario: The user exists in Active Directory and is a member of the Active Directory group mapped to the current Project Server security group. The user also exists in Project Server and is a member of the current Project Server security group. User information has been updated in Active Directory.

Action: The corresponding Project Server user information is updated (if applicable).

Scenario: The user exists in Active Directory and is a member of the Active Directory group mapped to the current Project Server security group. The user also exists in Project Server, but as an inactive account.

Action: If the Automatically reactivate currently inactive users if found in Active Directory during synchronization option is selected in Project Server, the account is reactivated and is added to the current Project Server security group. If the option is not selected, the account remains inactive in Project Server.
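The scenario table above is, in effect, a reconciliation algorithm: the mapped Active Directory group (with nested groups flattened, as the introduction notes) is compared with the current Project Server group, and each account falls into exactly one row. The following model, added here as an illustration and not Project Server code, implements those five rows over constructed sample data so the outcome of each row, including the effect of the reactivation option, can be traced. Account names, group names and addresses are constructed; the data structures are a simplified stand-in for the directory and the Project Server user store.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class PsUser:
    """A Project Server user record (constructed model, not the real schema)."""
    account: str
    display_name: str
    email: str
    active: bool = True


def resolve_ad_members(ad_groups: dict[str, set[str]], group: str,
                       seen: set[str] | None = None) -> set[str]:
    """Flatten the mapped AD group, expanding nested groups recursively.

    A member name that is itself a key of ad_groups is treated as a nested
    group; 'seen' guards against circular nesting so expansion terminates.
    """
    seen = set() if seen is None else seen
    if group in seen:
        return set()
    seen.add(group)
    members: set[str] = set()
    for member in ad_groups.get(group, set()):
        if member in ad_groups:
            members |= resolve_ad_members(ad_groups, member, seen)
        else:
            members.add(member)
    return members


def synchronize(ps_group_members: set[str], ps_users: dict[str, PsUser],
                ad_groups: dict[str, set[str]], ad_users: dict[str, tuple[str, str]],
                mapped_group: str, reactivate_inactive: bool) -> list[str]:
    """Apply the five scenario rows to one Project Server group; return the actions taken."""
    actions: list[str] = []
    ad_members = resolve_ad_members(ad_groups, mapped_group)

    # Row 2: a current group member no longer in the mapped AD group is removed
    # from the group; the Project Server account itself is left in place.
    for account in sorted(ps_group_members - ad_members):
        ps_group_members.discard(account)
        actions.append(f"remove {account} from group")

    for account in sorted(ad_members):
        display_name, email = ad_users[account]
        user = ps_users.get(account)
        if user is None:
            # Row 1: AD member with no Project Server account -> create and add.
            ps_users[account] = PsUser(account, display_name, email)
            ps_group_members.add(account)
            actions.append(f"create {account}; add to group")
            continue
        if not user.active:
            # Row 5: inactive account -> reactivated only if the option is selected.
            if reactivate_inactive:
                user.active = True
                ps_group_members.add(account)
                actions.append(f"reactivate {account}; add to group")
            else:
                actions.append(f"skip {account} (inactive, reactivation disabled)")
            continue
        if account not in ps_group_members:
            # Row 3: existing active account not yet in the group -> add.
            ps_group_members.add(account)
            actions.append(f"add {account} to group")
        if (user.display_name, user.email) != (display_name, email):
            # Row 4: metadata changed in AD -> update the Project Server record.
            user.display_name, user.email = display_name, email
            actions.append(f"update metadata for {account}")
    return actions


def build_sample() -> tuple[dict, dict, dict, set]:
    """Constructed directory and Project Server state covering every row of the table."""
    ad_groups = {
        "PMO-Schedulers": {"CONTOSO\\alice", "CONTOSO\\bob", "PMO-Contractors"},
        # nested group, which also refers back to its parent (circular nesting)
        "PMO-Contractors": {"CONTOSO\\dana", "CONTOSO\\frank", "PMO-Schedulers"},
    }
    ad_users = {
        "CONTOSO\\alice": ("Alice Adams", "alice@corp.contoso.com"),
        "CONTOSO\\bob": ("Bob Brown", "bob.brown@corp.contoso.com"),  # address changed in AD
        "CONTOSO\\dana": ("Dana Diaz", "dana@corp.contoso.com"),
        "CONTOSO\\erin": ("Erin Evans", "erin@corp.contoso.com"),  # left the AD group
        "CONTOSO\\frank": ("Frank Fox", "frank@corp.contoso.com"),  # rehired, inactive in PS
    }
    ps_users = {
        "CONTOSO\\bob": PsUser("CONTOSO\\bob", "Bob Brown", "bob@corp.contoso.com"),
        "CONTOSO\\dana": PsUser("CONTOSO\\dana", "Dana Diaz", "dana@corp.contoso.com"),
        "CONTOSO\\erin": PsUser("CONTOSO\\erin", "Erin Evans", "erin@corp.contoso.com"),
        "CONTOSO\\frank": PsUser("CONTOSO\\frank", "Frank Fox", "frank@corp.contoso.com", active=False),
    }
    ps_group_members = {"CONTOSO\\bob", "CONTOSO\\erin"}
    return ad_groups, ad_users, ps_users, ps_group_members


def run_demo(reactivate_inactive: bool) -> tuple[list[str], set[str]]:
    ad_groups, ad_users, ps_users, members = build_sample()
    actions = synchronize(members, ps_users, ad_groups, ad_users, "PMO-Schedulers", reactivate_inactive)
    return actions, members


if __name__ == "__main__":
    for line in run_demo(reactivate_inactive=True)[0]:
        print(line)
```

Running it with the option enabled produces one action per sample account: erin is removed (row 2), alice is created (row 1), bob's address is refreshed (row 4), dana is added (row 3) and frank is reactivated (row 5); with the option disabled frank is skipped and stays inactive, which is the difference the last row of the table describes.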

Configure security group synchronization

You can use this procedure to configure security group synchronization with Active Directory in Project Server 2010.

To configure security group synchronization

  1. On the Project Web App Server Settings page, in the Security section, click Manage Groups.

  2. On the Manage Groups page, in the Group Name column, click the name of the security group that you want to synchronize.

  3. On the Add or Edit page for the group that you selected, in the Group Information section, for Active Directory Group to Synchronize, click Find Group.

  4. On the Find Group in Active Directory page, in the Group Name field, enter all or part of the name of the Active Directory group that you want to synchronize with your security group. Click the button next to the Group Name field to search the Active Directory forest based on your search criteria.

    To select a group from a remote forest, type the fully qualified domain name of the group (for example, group@corp.contoso.com). You can synchronize to a security or distribution group of any scope (Local, Global, or Universal).

    Note

    The Active Directory forest that is searched is displayed at the top of the Find Group in Active Directory page. The forest is defined by the fully qualified domain name of the account for the Service Application on which the Project Server instance is running.

  5. From the Group Name list, select the group with which you want to synchronize your Project Server security group. Click OK.

  6. On the Add or Edit Group page, you should see the Active Directory group that you selected in the Group Information section next to Active Directory Group to Synchronize. Click Save.

  7. On the Manage Groups page, in the Group Name column, select the check box next to the security group that you just configured for synchronization. Then click Active Directory Sync Options.

  8. If you want synchronization to occur on a scheduled basis, on the Synchronize Project Server Groups with Active Directory page, in the Scheduling section, select Schedule Synchronization. Or, you can choose to manually run the security group synchronization. If you prefer the manual option, go to step 10.

  9. In the Frequency fields, define the frequency at which you want synchronization to occur between the Project Server security group and the Active Directory group. This can be scheduled over a defined period of days, weeks, or months. Select a start date and time.

  10. You can enable inactive user accounts to be reactivated if they are found in the Active Directory group during synchronization. To do so, in the Options section, select Automatically reactivate currently inactive users if found in Active Directory during synchronization. (For example, if you enabled this option, it would ensure that if an employee were rehired, the employee's user account would be reactivated.)

  11. Click Save to save the settings. Click Save and Synchronize Now if you want to synchronize your Project Server security group immediately. If you decide not to schedule the synchronization, you can rerun it manually when you have to by returning to this page and clicking Save and Synchronize Now.

  12. You can check the status of the security group synchronization by returning to the Synchronize Project Server Groups with Active Directory page for the specific security group and reviewing the information in the Status section. It contains information such as when the last successful synchronization occurred.

Synchronizing security groups across domains requires a two-way trust relationship

Imagine that you need to synchronize Project Server 2010 security groups with Active Directory users that exist in a domain other than the one in which Project Server 2010 is installed. For example, your organization may acquire a new company, or your branch may need to add users from a different branch within your organization. In this scenario, a two-way trust relationship must exist between the domains in order for Active Directory users in one domain to synchronize with security groups in a Project Server 2010 installation that exists in a different domain.

Note

Project Server 2010 does not support synchronizing security groups or the Enterprise Resource Pool with Active Directory users across different domains in which only a one-way trust relationship exists between domains. It is possible for an Active Directory user to synchronize with SharePoint Server 2010 in a cross-forest deployment in which a one-way trust relationship exists between domains (see Resolve accounts across multiple forests (SharePoint Server 2010)). However, Project Server 2010 does not support this scenario.

For more information about trust relationships in Windows Server 2008 and Windows Server 2008 R2, see Managing Trusts. For information about creating a two-way trust relationship between domains in Windows Server 2008 or Windows Server 2008 R2, see Create an External Trust.