Tuesday, June 23, 2015

How to deactivate a user whose AD account was deleted, with no AD sync?


Hi,

Here is a short one. One of our fellow MVPs shared with us an issue which might look trivial.

The background
Project Server 2013, on premise (meaning hosted on the customer's infrastructure, not Project Online). The AD sync is not enabled, meaning that users are created, updated and deactivated manually and not synchronized from the organization's AD.

The issue
A user has been deleted from the AD. Since there is no AD sync in Project Server, the user in Project Server is not automatically deactivated. As long as you don't need to edit anything in the user's profile, this is not an issue. But if you do, there is one: Project Server needs a valid AD account for every user, meaning that whenever you save a user's profile, it checks the AD account and prevents you from saving the profile if the AD account is not valid (or empty).
Consequently you just cannot edit the user's profile anymore to deactivate it, nor simply remove the AD account from the profile, since it cannot be empty for a user. If you try, you'll get the following message:


Figure 1: error message while saving a user's profile with no valid account
Nor can you use the account status (active/inactive), since you'll be prevented from saving the profile.

The workaround
Discussing this nonsense, another fellow MVP proposed a workaround: enter a valid AD account for the user who was deleted from the AD, deactivate him and save the resource. This is quite an ugly solution, but it does the job, doesn't it?

The solution
Finally a third MVP brought up a solution, THE solution. In the users list (Server Settings, Manage Users), you actually have a button intended for deactivating users. We hardly ever stop on this button, since it has been there for ages and, in our mind, what is old is useless and has obviously been replaced by a newer feature. This feature doesn't require editing and saving the resource but writes directly to the DB without checking for a valid account, which solves our issue!
Figure 2: deactivating a user from the user's profiles list
The limitation
Nothing is perfect... Once deactivated as explained, you cannot use the same method to reactivate the resource; you do need to edit the user's profile, facing the same issue again. But what would be the need to reactivate a user (not a resource) with no valid AD account?


The conclusions
  1. Do not bypass those good old buttons you have been seeing since Project 2003 and never look at anymore. They can be quite useful. For example, the "view effective rights" feature can be very useful for supporting your users in case you have a complex security model. See this blog post I wrote some months ago.
  2. An AD account should not be deleted but only deactivated, otherwise it could trigger such issues in connected systems.
  3. Anyway, using the AD sync prevents such issues.
  4. The MVP community is extremely powerful, skilled, reactive, imaginative, efficient!


6 comments:

  1. Thank you very much for this useful information!

    Wanted to add more - this is also valid in a Project Online environment, deactivating users in the UI and by PowerShell script:

    Add-Type -Path "\Microsoft.ProjectServer.Client.dll"

    $pwaUrl = "https://.sharepoint.com/sites/pwatest"
    $username = "name.lastname@tenant.domain"
    $cred = Get-Credential $username # I'm using Get-Credential, because I'm also checking user status in Azure AD > Connect-AzureAD -Credential $cred

    # Connect to PWA with the credential captured above
    $projContext = New-Object Microsoft.ProjectServer.Client.ProjectContext($pwaUrl)
    $projContext.Credentials = $cred
    $resources = $projContext.EnterpriseResources
    $projContext.Load($resources)
    $projContext.ExecuteQuery()

    # Only active resources are candidates (the original filter had a further condition here that was lost)
    $resourcesToDeactivate = $resources | ? { $_.IsActive -eq $true }
    Write-Host "Count of resources to deactivate = $($resourcesToDeactivate.Count)"
    $updatedCount = 0
    # Deactivates user and resource
    # Works also for users/resources deleted from AD
    $resourcesToDeactivate | % {
        $res = $_
        $res.IsActive = $false
        $projContext.EnterpriseResources.Update()
        $updatedCount++
    }
    if ($updatedCount -gt 0)
    {
        # Changes are only sent to the server on ExecuteQuery
        $projContext.ExecuteQuery()
        Write-Host "$updatedCount users deactivated in Project Online" -ForegroundColor Green
    }

    1. Thanks so much for the share Aleksandrs

    2. Is there any way to delete them instead of deactivate through script?

    3. Is there any way to delete resources through script instead of deactivate?

    4. There is a $res.DeleteObject() function, which should be used instead of $res.IsActive = $false. Please note that $projContext.EnterpriseResources.Update() and $projContext.ExecuteQuery() could be necessary after the delete action.

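An added example, not part of the original post or of the comment above: it extends the commenter's CSOM script by checking each active resource against Active Directory first, so only users whose AD account no longer exists are deactivated, and it sets IsActive through the CSOM rather than saving the profile in the UI. The DLL path and PWA URL are placeholders, the ActiveDirectory module is assumed to be installed, and matching a resource to AD by its Email field (AD mail attribute) and skipping generic resources are assumptions of this example.

```powershell
# Added example (not from the post or the comments): deactivate active PWA
# enterprise resources whose AD account no longer exists, via the Project
# Server CSOM (IsActive is set without a profile save).
# Assumptions: placeholder DLL path and PWA URL; ActiveDirectory module
# available; resources are matched to AD on the Email field (AD 'mail').
param([switch]$DryRun)   # -DryRun only lists the candidates

Import-Module ActiveDirectory
Add-Type -Path "C:\PLACEHOLDER\Microsoft.ProjectServer.Client.dll"

$pwaUrl = "https://pwa.example.local/pwa"
$ctx = New-Object Microsoft.ProjectServer.Client.ProjectContext($pwaUrl)
$ctx.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials

$resources = $ctx.EnterpriseResources
$ctx.Load($resources)
$ctx.ExecuteQuery()

$candidates = @()
foreach ($r in $resources) {
    # Inactive, generic, or e-mail-less resources never map to an AD user,
    # so they are skipped rather than risk a false positive.
    if (-not $r.IsActive -or $r.IsGeneric -or [string]::IsNullOrWhiteSpace($r.Email)) { continue }
    $mail = $r.Email.Replace("'", "''")   # escape the value for the AD filter
    $adUser = Get-ADUser -Filter "mail -eq '$mail'" -Properties mail -ErrorAction Stop
    if ($null -eq $adUser) { $candidates += $r }
}

Write-Host ("{0} active resource(s) with no matching AD account" -f $candidates.Count)
$candidates | ForEach-Object { Write-Host ("  {0} <{1}>" -f $_.Name, $_.Email) }

if ($DryRun -or $candidates.Count -eq 0) { return }

foreach ($r in $candidates) {
    $r.IsActive = $false   # same CSOM path as the commenter's script, no UI save
}
$ctx.EnterpriseResources.Update()
$ctx.ExecuteQuery()
Write-Host ("{0} resource(s) deactivated" -f $candidates.Count) -ForegroundColor Green
```

Run it with -DryRun first and review the listed names before letting it write anything.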
  2. We recently set up AD sync after having lots of users manually added over time. I'm looking for a way to mass deactivate any PWA users who do not have a valid AD account.
