Activate AD GUID for Windows Authenticated Resources in PS2003

AD Sync plays a vital part in a Project Server 2003 environment. It allows you to keep user accounts updated with any changes. With the click of a button, users get updated in the Project Groups. With another click of a button, they get updated in the Enterprise Resource Pool. The core of the AD-Sync process is the AD GUID. Each Project account created using AD has an AD GUID.

One can create user accounts in PWA and/or in Project Professional. Such accounts will not have an AD GUID associated. Put differently, accounts created in Project Server 2003 by means other than AD don’t get updated during AD-Sync, primarily because those accounts have no associated AD GUID in the Project resource tables. Check my earlier article on Active Directory Integration in MS Project Server 2003.

In my environment, the old Project Administrator initially created accounts using Project Professional & PWA. Later we switched to AD-Sync. Up till now we had a situation where those accounts were not getting updated during AD-Sync due to the missing GUID. Some of those users left the company, some got promoted & needed the Project Manager or Executive role rather than Team Member, for some their names were missing the postfix which we used to put for external users, and for some the email address was missing in the Project Server. Due to the number of such users, it was laborious work to update these accounts manually.

I got it resolved recently after some work. For those of you who have accounts with a missing AD GUID because they were not created in AD, and who want to switch all their Project accounts so that they get updated during AD-Sync, here is my trick.

There are a few things you have to make sure of. Since your resources don’t have an AD GUID, AD-Sync won’t update their account information.

Follow the steps below to enable the AD GUID for resources.

(Try this for one resource in development & then do it for all resources in production)

1. Find the name of a resource which was created within Project 2003 (not with AD). Make sure that resource has ‘Clear User AD GUID:’ greyed out in ‘Modify user’ in PWA > Admin > Users.

2. Make sure you have the correct Windows User account information in ‘Modify User’ screen.

3. I assume that you have configured AD Group for each Project Server Group in PWA > Admin > Modify Users and Groups > Group. I also assume you have configured Enterprise Resource pool AD group in PWA > Server Configuration.

4. Go to the AD Management Console from the Project Server or the AD server (contact your AD admin for help). Locate the user & go to the ‘Member of’ tab in User Properties. If the user was created with the Team Member role in Project, make sure to assign him a similar AD group. Plus, assign him one extra AD group for Project, say Resource Manager in this example. (This extra AD group membership will do magic here :). Don’t worry, we’ll remove this macho in later steps.)

5. In PWA > Admin > Manage users and groups > Group, under ‘Active Directory: Set the options for AD synchronization’ click ‘Update Now’ to sync with AD. Refresh the page after some time till you see a message in that section which displays the time when AD groups were last synchronized.

6. Now in PWA if you go to that user’s Modify Properties, you’ll see that ‘Clear User AD GUID:’ option is now active. (little success)

7. User AD GUID information is stored in two tables.

MSP_Web_Resources

MSP_Resources

Run this query against the Project Server database. (Contact your DBA for help here)

-- Query1:

select Res_name, WRes_NT_Account, WRes_Email, WRes_AD_GUID from MSP_Web_Resources where Res_Name like 'resource_name%'

select Res_name, Res_AD_GUID from MSP_Resources where Res_Name like 'resource_name%'

-- Replace resource_name% with the actual resource name.

8. The result for MSP_Resources might show multiple entries for that user. Only one entry will show the AD GUID after step 5 above.

Run the following query to update remaining records with the AD GUID. (Contact your DBA for help here)

-- Query2:

update MSP_Resources

set Res_AD_GUID = '{GUID}'

where Res_Name = 'resource_name'

-- Replace GUID in {GUID} with the actual GUID you see in the records.

-- Replace resource_name with the actual name of the resource you are trying to update.

9. Run Query1 in step 7 above to verify that all records in MSP_Resources have been updated with the AD GUID.

10. In the AD Management Console, remove the extra AD group membership for that resource which you added in step 4 above.

11. In PWA > Admin > Manage users and Groups > Group, sync the AD group again. This will remove the extra group from user’s membership.

12. In PWA > Admin > Server configuration, click the ‘Update Now’ button to sync the Enterprise Resource Pool with the corresponding AD group. After this step, the email address was updated for accounts from which it was missing earlier.

13. In PWA Modify User properties, make sure all information has been properly updated.

During the above procedure, make sure you check the Application log in Event Viewer for messages / errors. To set detailed logging to Event Viewer, you can use the Set Tracing utility from the Project Server 2003 Resource Kit. Check my earlier post to see how you can use it.
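A guarded form of Query2 from step 8, added here as an example and not part of the original post: it refuses to run unless the resource name maps to exactly one AD GUID that also matches MSP_Web_Resources, and it touches only rows whose GUID is missing. It assumes T-SQL on SQL Server, that a missing GUID is stored as NULL, and an nvarchar(255) name column; only the tables and columns shown in Query1 are used.

```sql
-- Added example, not from the original post. Assumptions: T-SQL on SQL Server,
-- a missing GUID is stored as NULL, and Res_Name fits nvarchar(255).
DECLARE @name nvarchar(255), @err int, @rows int
SET @name = 'resource_name'   -- placeholder: the exact resource name

-- Guard 1: the name must resolve to exactly one AD GUID in MSP_Resources.
-- Two resources sharing a name would otherwise be bound to the wrong AD object.
IF (SELECT COUNT(DISTINCT Res_AD_GUID) FROM MSP_Resources
    WHERE Res_Name = @name AND Res_AD_GUID IS NOT NULL) <> 1
BEGIN
    RAISERROR('Expected exactly one AD GUID for this name; nothing changed.', 16, 1)
    RETURN
END

-- Guard 2: that GUID must be the one AD-Sync wrote to MSP_Web_Resources.
IF NOT EXISTS (SELECT 1
               FROM MSP_Resources r
               JOIN MSP_Web_Resources w
                 ON w.Res_Name = r.Res_Name AND w.WRes_AD_GUID = r.Res_AD_GUID
               WHERE r.Res_Name = @name)
BEGIN
    RAISERROR('GUID does not match MSP_Web_Resources; nothing changed.', 16, 1)
    RETURN
END

BEGIN TRANSACTION

-- Copy the single known GUID into the rows that lack one; rows that already
-- carry a GUID are left alone.
UPDATE t
SET    Res_AD_GUID = s.Res_AD_GUID
FROM   MSP_Resources t
JOIN   MSP_Resources s
  ON   s.Res_Name = t.Res_Name AND s.Res_AD_GUID IS NOT NULL
WHERE  t.Res_Name = @name AND t.Res_AD_GUID IS NULL

-- @@ERROR and @@ROWCOUNT reset after every statement, so read both at once.
SELECT @err = @@ERROR, @rows = @@ROWCOUNT

IF @err <> 0
BEGIN
    ROLLBACK TRANSACTION
    RAISERROR('Update failed; rolled back.', 16, 1)
    RETURN
END

COMMIT TRANSACTION
SELECT @rows AS rows_updated   -- compare with the NULL rows seen in Query1
```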

(I don’t guarantee against any issue which may arise from the changes mentioned in this article. Test this process first in development. Send your suggestions if you feel something can improve this process.)
