Project Server: A few AD Sync Gotchas

Thanks to Jon and Mark on our team for this article on ADSync.

Sometimes there are lingering questions around Project Server and Active Directory Sync, or specific scenarios to watch for that aren't documented. One of the biggest of these is something we've come to call AD GUID mismatches. This is when a user being synchronized has the exact same email address, SAM account and display name as a user already in the Project Server database, but the AD GUIDs don't match. We've seen this from time to time with different customers and have released a hotfix to help in this situation. Prior to the February 2010 Project Server CU, if this situation was encountered the sync job would never finish. Now, when this condition is detected, the user is skipped and the rest of the group is synchronized.

Now for a little more information. First, how do users get into this state? A user has to be deleted from Active Directory and then recreated with the exact same Display Name, SAM account and email address. Sometimes we see this if an account had been recreated for a user during troubleshooting. Occasionally we see it when users leave a company and come back to work at a later date. So why don't we just automatically synchronize the users? There is a possibility, however remote, that a user could work on sensitive projects and then leave the company. At a later date a new hire could join the company and get the same Display Name, email address and SAM account. In that situation, if the user were added to the Project Server environment, they would get access to all the sensitive projects that the previous user had access to. We'd prefer to err on the side of security rather than have access inadvertently granted.
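To make the matching rule above concrete, here is an added Python model of the post-CU decision (example code written for this page, not Project Server's own implementation). The account records and GUID values are constructed, and `_identity`, `classify_sync` and `mismatch_report` are names chosen here.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    guid: str          # AD objectGUID; on the Project Server side, the stored AD GUID
    sam: str           # SAM account name, e.g. CONTOSO\alice
    email: str
    display_name: str

def _identity(a):
    # the three attributes the post names, compared case-insensitively
    return (a.sam.lower(), a.email.lower(), a.display_name.lower())

def classify_sync(existing, incoming):
    """Per incoming AD user: 'update' (GUID already known), 'create' (identity
    not seen before) or 'skip-guid-mismatch' (same SAM, email and display name
    but a different GUID: a deleted-and-recreated account or a rehire). The skip
    keeps the new account from inheriting the old resource's project permissions
    while the rest of the group still synchronizes."""
    known_guids = {r.guid for r in existing}
    known_identities = {_identity(r) for r in existing}
    decisions = {}
    for user in incoming:
        if user.guid in known_guids:
            decisions[user.sam] = "update"
        elif _identity(user) in known_identities:
            decisions[user.sam] = "skip-guid-mismatch"
        else:
            decisions[user.sam] = "create"
    return decisions

def mismatch_report(existing, incoming):
    """(sam, stored GUID, AD GUID) for each skipped user, so an admin can resolve
    each one deliberately instead of the sync silently re-linking it."""
    stored = {_identity(r): r.guid for r in existing}
    decisions = classify_sync(existing, incoming)
    return [(u.sam, stored[_identity(u)], u.guid)
            for u in incoming if decisions[u.sam] == "skip-guid-mismatch"]

# Constructed sample data: Bob left, his AD account was deleted, then recreated
EXISTING_RESOURCES = [
    Account("guid-a1", "CONTOSO\\alice", "alice@contoso.example", "Alice Smith"),
    Account("guid-b1", "CONTOSO\\bob", "bob@contoso.example", "Bob Jones"),
]
INCOMING_AD_USERS = [
    Account("guid-a1", "CONTOSO\\alice", "alice@contoso.example", "Alice Smith"),
    Account("guid-b2", "CONTOSO\\bob", "bob@contoso.example", "Bob Jones"),
    Account("guid-c1", "CONTOSO\\carol", "carol@contoso.example", "Carol Lee"),
]
```

Running `mismatch_report(EXISTING_RESOURCES, INCOMING_AD_USERS)` lists Bob with both GUIDs, which is the record an administrator needs before deciding whether to inactivate the stale resource or link the rehire on purpose.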

We have a few recommendations to avoid this situation. First, whenever possible, don't delete users from AD if you use the AD Sync features of Project Server. Instead, you should inactivate or archive the accounts, as available in your AD version. Secondly, it's definitely not recommended to reuse account names and email addresses for new individuals.

We do have some other assistance to offer if you are in this situation, but best to open a support incident to let us guide you through the options.

This issue steps off the beaten path a little from our normal Project Server planning and administration topics, in that it's best for the PMO to get the company's or organization's AD admins involved to help make sure their practices are compatible.

Comments (8)


  1. Lantz Cox says:

    I think this is what is happening to me and another user in our company.  I just happen to be the PM for the 2003 to 2007 migration.  Both of us were contractors at our company.  We had to leave after 2 years and then came back.  We got the same login IDs and email addresses and now our AD IDs won't sync with PS2007.  I have a case open with Microsoft.


  2. Eyal G says:

    Is there a way to use PSI or another method in order to clear the AD_GUID for inactive resources (deleted from the AD), so that when they return the sync to AD won't fail?

    Organization uses Project Server 2007

  3. Mariya says:

    Is there a way to sync with an active directory without changing any of the resource parameters in my plan?

  4. Hi Mariya, sorry for the slow response – I'm not sure what you mean by not changing the resource parameters.  Could you explain a little more?

    Best regards,


  5. Andrew Lavinsky says:

    As I just ran into this and spent some time troubleshooting it, adding the ULS error for the search engines to direct to this blog: "A resource could not be updated during Project Server Active Directory Synchronization because a duplicate windows account name conflict occured that could not be resolved."

  6. zozovic says:

    I got the error but I won't say it's caused by a new user or a re-activated user. When I check the error in the Windows event logs, I get users that have always been in my AD, never deactivated or deleted (maybe moved to a different OU). This is causing some of the job queues to partially fail. How can I clear this issue?

  7. Hi,

    I am facing the same issue. I checked in AD and the user has no duplicate values, but I am getting the same duplicate account error in Event Viewer.

  8. Bryan G says:

    I just encountered this but found that there were two disabled accounts in the AD group I was synching.  I removed the two disabled accounts and the AD Synch is now completing successfully.
