An organisation decides to synchronise with an Active Directory (AD) group to populate either their enterprise Resource Pool or a User group such as Team Members in Microsoft Project Online. The IT department deactivates a user in the AD Group and a synchronisation with Project Online occurs after the deactivation.
- As expected, the user can no longer log in to Project Online.
- Perhaps unexpectedly, the deactivation in AD does not set the user's account to inactive in Project Online, i.e. the inactive state in AD does not synchronise with the inactive state in Project Online!
- Also unexpected might be that no updates to the account can be made: Project Online can no longer resolve the user to a Windows account, so edits of any sort to the user cannot be saved!
The implications are as follows:
- The user will be listed in Project Online as Active, which is misleading (this, however, can be changed; keep reading)
- The user will likely be a member of one or more user groups, which is misleading (their AD account is inactive, so they can't benefit from these group memberships)
- No edits to the user can be saved (e.g. removing them from user groups) because Project Online is unable to resolve their Windows account
- The AD synchronisation job will return queue errors
Why is it often misunderstood?
The reason the second and third outcomes above are frequently unexpected is a misreading of the statement highlighted on the screen below. Many administrators assume that this message implies that users set to Inactive in AD groups will also be inactivated in Project Online. However, the highlighted message only indicates that users tagged as inactive in Project Online will be reactivated if found in an AD group during sync, and not the other way around!
With the above in mind, the recommendation to organisations using AD synchronisation for Resource Pool or group membership population is to inactivate resources in Project Online PRIOR to them being inactivated by the IT department in a synchronised group. Any edits to the user should occur before the AD synchronisation of the inactive resource occurs.
How to update user details if the user has already been inactivated in AD?
Essentially, a PO administrator has three options:
- If the user is no longer required in Project Online and has not been assigned to any projects as a resource, the administrator can delete the user (this is a bit drastic and should only be done after considering the implications).
- Alternatively, ask the IT department to temporarily reactivate the user and then synchronise this group with Project Online. This allows PO administrators to apply their changes, after which the user can be deactivated in AD again.
- Accept that, while changes to the user cannot be made, the user can be set to inactive in Project Online if done from the Manage Users toolbar instead of via editing the resource (see below screenshot).
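The check below is an added example, not part of the original article or of Project Online. It compares two constructed CSV exports and lists accounts that are disabled in AD but still Active in Project Online, with the options above that apply to each, plus accounts that should be inactivated before IT disables them. The column names, the `leaving` flag and the sample accounts are assumptions.

```python
import csv
import io

# Constructed sample exports. The column names are assumptions for this
# example, not an Active Directory or Project Online schema.
AD_EXPORT = """account,enabled,leaving
alice@example.com,true,no
bob@example.com,false,no
carol@example.com,false,no
dave@example.com,false,no
erin@example.com,true,yes
"""
PO_EXPORT = """account,active,groups,assignments
alice@example.com,true,Team Members,3
bob@example.com,true,Team Members;Project Managers,2
carol@example.com,true,Team Members,0
dave@example.com,false,,0
erin@example.com,true,Team Members,1
"""

def load(text):
    """Index CSV rows by lower-cased account name."""
    return {r["account"].strip().lower(): r for r in csv.DictReader(io.StringIO(text))}

def reconcile(ad_text, po_text):
    """Return (stale, edit_first) for accounts still Active in Project Online."""
    ad, po = load(ad_text), load(po_text)
    stale, edit_first = [], []
    for account, res in sorted(po.items()):
        ad_row = ad.get(account)
        if ad_row is None or res["active"].strip().lower() != "true":
            continue  # not in the synchronised group, or already Inactive
        groups = [g for g in res["groups"].split(";") if g]
        if ad_row["enabled"].strip().lower() != "true":
            # Disabled in AD but still Active: edits no longer save, so list
            # the options the article gives for this state.
            options = ["inactivate from Manage Users toolbar",
                       "temporarily reactivate in AD, sync, then edit"]
            if int(res["assignments"] or 0) == 0:
                options.append("delete user")
            stale.append({"account": account, "groups": groups, "options": options})
        elif ad_row["leaving"].strip().lower() == "yes":
            # Still enabled in AD: inactivate and edit in Project Online now.
            edit_first.append({"account": account, "groups": groups})
    return stale, edit_first

if __name__ == "__main__":
    print(reconcile(AD_EXPORT, PO_EXPORT))
```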
(26000) – AdSyncERP.AdSyncERPMessage. Details: id='26000'
For more details, check the ULS logs on machine adbc441a-35c4-4a4d-baf9-fbc8445de065 for entries with JobUID 4c0d3b8c-f2b8-e911-b089-00155de86c05.
- GeneralQueueJobFailed (26000) – AdSyncERP.AdSyncERPMessage. Details: id='26000'
Edit screen for an inactive AD user: