Project Server: A few AD Sync Gotchas

Thanks to Jon and Mark on our team for this article on ADSync.

Sometimes there are lingering questions around Project Server and Active Directory Sync, or specific scenarios to watch for that aren't documented. One of the biggest of these is something we've come to call AD GUID mismatches: a user being synchronized has the exact same email address, SAM account and display name as a user already in the Project Server database, but the AD GUIDs don't match. We've seen this from time to time with different customers and have released a hotfix to help in this situation. Prior to the February 2010 Project Server CU, encountering this condition meant the sync job would never finish. Now, when this condition is detected, the user is skipped and the rest of the group is synchronized.

Now for a little more information. First, how do users get into this state? A user has to be deleted from Active Directory and then recreated with the exact same Display Name, SAM account and email address. Sometimes we see this when an account has been recreated for a user during troubleshooting. Occasionally we see it when users leave a company and come back to work at a later date. So why don't we just automatically synchronize these users? There is a possibility, however remote, that a user could work on sensitive projects and then leave the company. At a later date a new hire could join the company and get the same Display Name, email address and SAM account. In that situation, if the new user were added to the Project Server environment, they would get access to all the sensitive projects that the previous user had access to. We'd prefer to err on the side of security rather than have access inadvertently granted.
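As an added illustration (not Project Server's own code), here is a small Python model of the classification the article describes: an incoming AD user whose email, SAM account and display name all match an existing resource but whose GUID differs is skipped rather than linked, so the recreated account never inherits the old resource's project access. The record fields, the case-insensitive comparison and the sample accounts are assumptions constructed for this example.

```python
from dataclasses import dataclass

# Illustrative model of the AD GUID-mismatch check described in the article.
# Not Project Server code; field names and case-insensitive matching are assumptions.

@dataclass(frozen=True)
class Account:
    guid: str          # AD objectGUID; a deleted-and-recreated account gets a new one
    sam: str           # SAM account name
    email: str
    display_name: str

def identity_key(a: Account):
    # The three attributes the article says must all match for a mismatch to be flagged.
    return (a.sam.lower(), a.email.lower(), a.display_name.lower())

def plan_sync(ad_members, ps_resources):
    """Classify each AD group member against existing Project Server resources.

    Returns (to_add, already_linked, skipped). 'skipped' holds (ad_user, existing_resource)
    pairs whose identity fields match but whose GUIDs differ: the case the February 2010 CU
    skips instead of hanging, and never silently links to the old resource.
    """
    by_guid = {r.guid: r for r in ps_resources}
    by_identity = {identity_key(r): r for r in ps_resources}
    to_add, already_linked, skipped = [], [], []
    for user in ad_members:
        if user.guid in by_guid:
            already_linked.append(user)                  # same AD object: normal sync
        elif identity_key(user) in by_identity:
            skipped.append((user, by_identity[identity_key(user)]))  # recreated account
        else:
            to_add.append(user)   # new user (partial matches are not covered by the article)
    return to_add, already_linked, skipped

# Constructed sample data: bob was deleted from AD and recreated with identical attributes.
PS_RESOURCES = [
    Account("guid-alice-1", "alice", "alice@example.com", "Alice Adams"),
    Account("guid-bob-1",   "bob",   "bob@example.com",   "Bob Brown"),
]
AD_GROUP = [
    Account("guid-alice-1", "alice", "alice@example.com", "Alice Adams"),
    Account("guid-bob-2",   "bob",   "bob@example.com",   "Bob Brown"),   # same identity, new GUID
    Account("guid-carol-1", "carol", "carol@example.com", "Carol Cole"),
]

if __name__ == "__main__":
    add, linked, skipped = plan_sync(AD_GROUP, PS_RESOURCES)
    for user, old in skipped:
        print(f"skipped {user.sam}: AD GUID {user.guid} != Project Server GUID {old.guid}")
```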

We have a few recommendations to avoid this situation. First, whenever possible, don't delete users from AD if you use the AD Sync features of Project Server. Instead, you should inactivate or archive the accounts, as available in your AD version. Secondly, it's definitely not recommended to reuse account names and email addresses for new individuals.

We do have some other assistance to offer if you are in this situation, but best to open a support incident to let us guide you through the options.

This issue steps off the beaten path a little from our normal Project Server planning and administration topics, in that it's best for the PMO to get the company's or organization's AD admins involved to help make sure their practices are compatible.