This issue only affects Project Online, and only customers in Project Server permissions mode – and only customers who have recently changed modes to Project Server permissions mode (SharePoint permissions mode is the default – so if you haven’t changed it then you will not hit this issue). This problem was introduced by a change in the last few weeks (Sept/Oct 2013) and the symptoms are that users added to the Administrators group in Project Online, Server Settings, Manage Groups – will lose their permissions when an Active Directory Sync (Group Sync) happens within Project Online. If you look at the Manage Groups page you will see something like this; there is an Active Directory Group of Company Administrator listed against the Administrators group.
Basically this will mean that any user who is set as a Global Administrator will be sync’d with the Administrators group – but conversely any user added manually to the Administrators group who is not a Global Administrator will get dropped from the Administrators group on the next sync. By default the sync will be run daily in the early hours of the morning PST (at least in US hosted site) but can also be run manually from the Manage Groups page.
A couple of workarounds until we correct this – you can either add users as Global Administrators and they will then get sync’d to the Administrators group (Not a good choice if you are using other SharePoint Online features and do not want to give elevated permissions) – or you can remove this Active Directory group which will then mean you can manually add users as you normally would and they will not get removed.
The steps to do this 2nd workaround would be to open the Administrators group, then manually select from the Available Users which ones you want to be Administrators, remove any that have been sync’d because they are Global Administrators that you do not wish to be Project Online Administrators, then click the ‘x’ next to Company Administrator in the Active Directory Group section to remove the group. Once everything is set correctly and the group removed (and potentially added any group you do wish to sync) then you can click Save.
*** Update 1/22 - My colleague Sriram suggested the best approach here is to create a new group at the SharePoint level and then add your correct administrators to this group - then just sync this new group in place of Company Administrators - then just maintain that group rather than adding individual members as I have shown below. Great idea Sriram! ***
We are working on correcting this issue and I will update this posting once I know more on the fix and timelines. Sorry for any inconvenience this has caused.
Hi Brian,that Blog helped me very much - but my Workaround is a bit different.The issue with your Workaround by removing the synch of the AD-Group is that the main Admin can be thrown out accidentially by the additional Admin. To prevent this I have created an additional Group (Admin without AD Sync) which has exactly the same rights as the Default Admin Group - maybe you can add this to your blog.Best Regards Steffen
When we changed to "Project Server Permissions" mode the application created a ton of groups that seem to be the same but with "for Project Web App". I need to understand what is the difference between all these new default security groups, can you point me
in the right direction? Any documentation will be greatly appreciated.