Authentication : SSO &  WWV_CUSTOM-F_ security-group _ app_id

Similar Messages

• SAML 2.0 and AD Security Group Membership

  In ADFS 2.0, as a part of the token, I can pass the AD
  security groups the user is in. Does SAP SSO have the ability to send and
  receive SAML 2.0 tokens with AD security group membership?

  Hi Jeff,
  SAP SAML 2.0 Identity Provider is able to include any group (or role) assignment of the user (available in the NetWeaver AS Java UME) as SAML Attribute in the generated SAML 2.0 Assertion.
  These group assignments of the user can be local (maintained in local UME database) or remote ones if the UME is configured with other Data Source.
  So in order to be able send the AD group assignments of the user you need to change the NetWeaver UME Data Source to your AD. More information how to do that you can find at this page: Identity Management - SAP Library.
  Then in your Identity Provider you can configured so called "Authorization-Based Assertion Attributes" in the "Identity Federation" tab of your trusted Service Provider configuration. An example with such attributes is provided at this page: Configuring Identity Federation with Transient Users - Identity Provider for SAP Single Sign-On and SAP Identity Managem… (although the page is for Transient federation these attributes are supported for all supported NameID formats).
  Regarding the receiving part:
  In SAP SAML 2.0 Service Provider of NetWeaver AS Java received SAML 2.0 Attribute can be either assigned to any UME attribute of the authenticated user, or to be used in rules that assign specific role(s) or group(s) to the user. For more details see these pages: Configuring Federation Type Persistent Users (Advanced) - User Authentication and Single Sign-On - SAP Library and Configuring Federation Type Virtual Users - User Authentication and Single Sign-On - SAP Library
  Regards,
  Stefan

• How to read contents of files that do not fall under public security group?

  Hi,
  I need to read the contents of a WCM based xml file that does not fall under public security.
  The process is like this:
  First the user makes chnages to the content.
  The workflow will be triggred based on the security group metadata that is associated with the content.
  Once the content is finally approved our workflow calls a custom idoc script.
  First we tried directly reading the xml contents from the idoc script which was still in the context of workflow. But since content item is still in workflow I was not able to read the changes. So I created a separate content publisher thread and read the DOC_INFO and checked for the dStatus value. If the value is RELEASED then I reading contents by calling ssIncludeXml idoc script.
  This was working fine for public content. But now the requirement is that all content cannot be public. Content authors should not be able to edit the content that does not belong to their group, So we created security groups (and roles) and are associating that groups to the relavent content.
  Beacuse of this change I am not not able to read the non public content. The call to DOC_INFO_BY_NAME service, which gives all the content files' metadata, is expecting the user to be logged in to give the details.
  I tried calling the CHECKIN service with sysadmin and captured the cookies returned by that service and use cookies for the DOC_INFO_BY_NAME service call. But the service call was faling. It is throing the 401 forbidden error with the message that user needs to be logged in to get the details.
  How to address this problem. Someone please help.
  Note: I also tried using ridc for this. I was able to get it working but since it is executing in the context of server ridc api is changing server's environment properties like HTTP_HOST, HTTP_CGIPATHROOT etc. It also seemed like system was becoming non functional after using ridc. When I called check-in the system metadata values like security group are no more loading. Not sure if ridc is the culprit here but worried that it might be causing this issue.
  Regards,
  Pratap

  Sorry, I posted too much details while posting this question. I was saying "not able to read *non* public content".
  Anyway, I was able to resolve the issue. I was able to authenticate with sysadmin credentials in the request to service using basic authentication and was able to read doc info with that credential.
  But I realized there is more than option for reading secure content.
  - I could set user name as sysadmin in the m_environment (if I am in the context of a service) and the call the DOC_INFO_BY_NAME service.
  - I can post an HTTP request to DOC_INFO_BY_NAME service with sysadmin credentials and do basic authorization via the connection. (This is what i have done successfully as of now )
  - I could add guest role to all security groups with R (read) privileges.
  I will look into all options and implement the one which is more apt.
  Regards,
  Pratap

• User won't add to an AD security group

  Hello,
       I've been scouring around the last few days and I've come up empty handed with an issue I'm having on a personal domain and I'm hoping someone here can point me in the right direction.
       I have a domain controller set up in a lab environment running Server 2012 RU with three computers and three users joined to the domain.  I'm currently attempting to apply group policy via AD security groups but I've hit a dead
  end.  I've created the users and moved them to a nested OU, we'll call it SiteA>Users.  I then created a global security group called Control Panel Restriction and placed it in a nested OU in SiteA>Groups, and joined one of the users to the
  security group.  I then created a group policy and configured it to restrict all access to the control panel and linked it to the SiteA OU.  In security filtering I've removed the authenticated users group and added the Control Panel Restriction
  group.
       The first time the user is joined to a security group it seems to work fine.  If I remove the user from the group and run gpupdate /force, the user can once again access the control panel.  From that point going forward,
  however, it's as if the user is never added to a security group again.  I can add the user directly to the security filtering section of the GPO and it works, but it's like security group membership will not update anymore for that user.
       Troubleshooting:  I've verified the permissions of the security group for the GPO and made sure it has read and apply group policy access, I've created a test user and placed it in the Control Panel Restriction security group
  and policy applied successfully (once), so I know the group works.  I ran a gpresult /r for the user and found the group policy IS being applied, but it's being denied through security filtering.  In the group membership section of the gpresult report
  it indicates the user is only a member of the default security groups in AD, not the custom made security group, even though a quick inspection of AD proves otherwise.
       Any advice?

  After you add, or remove, a user from a group, ensure that the changes have replicated/propagated across the DC's (waiting for your replication cycle time is usually enough), then, ensure that the user logs off, and then log the user on again.
  The logoff/logon cycle is typically important, since the user's security token is constructed at logon, and the token is constructed based on group memberships at the time of logon.
  Don
  (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
  This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

• GPO Security Group filtering not working

  Hello all,
  DC: 2008R2 w SP1
  Client: W7 SP1
  Objective: Disable Removable Storage
  I can filter by individual user but not a security group (global). (linked to both users and computers OU). I check and make sure the user (me) belong to the group using the command whoami /groups. I check the Delegation setting and make sure that the security
  group has the read and "apply" gpo checked. Also the Authenticated Users group has "read" allow.
  Any clues?
  Thanks

  Glad to hear this.
  Best regards,
  Frank Shen
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• DirectAccess Installation Errors Involving Security Group

  So I've read that it's best practice to filter DirectAccess GPO Affects to a single Security group instead of the "All Commputers" Group in AD. So I've done this. I created a group called 'DirectAccess' and set that as the target. When I attempt
  to generate the GPO in the DirectAccess Wizard, I recieve this error:
  "Security Group MyDomain\DirectAccess cannot be found"
  "The Operation Failed. All of the Specified Security Groups are invalid."
  So it looks like the group is invisible to my Server? The only thing I can think of is my AD Structure is sitting on some 2008 R2 boxes and this server is 2012 R2 box. Is there a requirement for AD to be at 2012 Operational Level for DirectAccess to work
  in 2012 server R2?
  --Aaron

  Update: I had this closed a while ago. Microsoft was finally able to set it up in my environment. I will post the Closure email they sent me detailing the steps needed to successfully install DirectAccess:   **Note I have changed all my Server/AD
  information to match M$'s Contoso dummy domain
  Issue:
   Unable to configure Direct Access Server (DA_EDGE). Error: Security group CONTOSO\DirectAccess Clients cannot be found..
  Troubleshooting:
   We collected logs from the Direct Access server while configuring Direct Access.
  logman create trace ETWTrace -ow -o c:\ETWTrace.etl -p {AAD4C46D-56DE-4F98-BDA2-B5EAEBDD2B04} 0xffffffffffffffff 0xff -nb 16 16 -bs 1024 -mode 0x2 -max 2048 –ets
  logman update trace ETWTrace -p {62DFF3DA-7513-4FCA-BC73-25B111FBB1DB} 0xffffffffffffffff 0xff –ets
  Configured Direct Access
  logman stop ETWTrace -ets
   We could not find information which could give us clue about the cause of the issue. We found that it was not able to find the group.
  2464: 04: 2014-06-24 11:56:18.627 VERBOSE: Validating security group (CONTOSO\dagroup1) in the domain...
  2464: 04: 2014-06-24 11:56:18.707 NTE: Security group CONTOSO\dagroup1 cannot be found.
   We Collected Network Capture but could not find anything in LDAP Search Request Packet about the same.
   We found that DC has 2 NIC and both were getting Domain Profile.
   We removed the DMZ NIC and kept only NIC connected to LAN.
   We again tried to configure Direct Access however it still came up with error.
   We involved Directory Services team to take a look at the issue however in logs we were not able to find anything.
   We collected Process Monitor and got it analyzed by the on the Direct Access Server and found that we were not able to create GPO. However it does not give clue as to how its failing.
  11:58:51.6421023 PM RAMgmtUI.exe 1836 CreateFile
  \\DC.contoso.com\SysVol\contoso.com\Policies\{D937469B-6E34-4A7F-9405-F9F97DC200E0} NAME NOT FOUND Desired Access: Read Attributes, Read Control, Dis, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
  11:58:51.6446131 PM RAMgmtUI.exe 1836 CreateFile
  \\DC.contoso.com\SysVol\contoso.com\Policies\{D937469B-6E34-4A7F-9405-F9F97DC200E0} NAME NOT FOUND Desired Access: Read Control, Dis, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
  11:58:51.6472327 PM RAMgmtUI.exe 1836 CreateFile
  \\DC.contoso.com\SysVol\contoso.com\Policies\{D937469B-6E34-4A7F-9405-F9F97DC200E0} NAME NOT FOUND Desired Access: Read Data/List Directory, Synchronize, Dis, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete,
  AllocationSize: n/a
  11:58:51.6500318 PM RAMgmtUI.exe 1836 CreateFile
  \\DC.contoso.com\SysVol\contoso.com\Policies\{D937469B-6E34-4A7F-9405-F9F97DC200E0} NAME NOT FOUND Desired Access: Read Attributes, Delete, Synchronize, Dis, Options: Directory, Synchronous IO Non-Alert, Open Reparse Point, Attributes: n/a, ShareMode: Read,
  Write, Delete, AllocationSize: n/a
   We did research internally and decided to configure Direct Access with Domain Computers Security Group (Using PowerShell command) and change it from GPMC – DirectAccess Client Settings GPO to “Direct-Access-Clients” security group and updated
  Group Policy on Direct Access Server.
  Install-RemoteAccess -NoPrerequisite -Force -PassThru -ServerGpoName 'contoso.com\DirectAccess Server Settings' -ClientGpoName 'contoso.com\DirectAccess Client Settings' -DAInstallType 'FullInstall' -InternetInterface 'Internal' -InternalInterface 'Internal'
  -ConnectToAddress 'EDGE.contoso.com' -DeployNat -Verbose -ComputerName 'DA_EDGE.contoso.com'
   We Also configured Certificate Authentication, and Exception for “EDGE.contoso.com'” in NRPT ising poweshell.
  Add-DAClientDnsConfiguration -DnsSuffix 'EDGE.contoso.com' -Verbose -ComputerName 'DA_EDGE.contoso.com'
  Set-DAClient -Downlevel 'Enabled' -Verbose -ComputerName 'DA_EDGE.contoso.com'
   Once Direct Access got configured we were able to update GPO and connect client from outside.
   On Windows 7 client machine we found IP Helper Service disabled and after enabling the service we were able to connect on that as well.
  Resolution:
   We configured Direct Access with Domain Computers Security Group (using PowerShell command) and changed the security group from GPMC – DirectAccess Client Settings GPO to “Direct-Access-Clients” security group and updated Group Policy on Direct
  Access Server.
  Install-RemoteAccess -NoPrerequisite -Force -PassThru -ServerGpoName 'contoso.com\DirectAccess Server Settings' -ClientGpoName 'contoso.com\DirectAccess Client Settings' -DAInstallType 'FullInstall' -InternetInterface 'Internal' -InternalInterface 'Internal'
  -ConnectToAddress 'EDGE.contoso.com' -DeployNat -Verbose -ComputerName 'DA_EDGE.contoso.com'
  Commands for troubleshooting Direct Access Clients connectivity:
   To check client status:
  netsh dns show state
   To check effective NRPT on the client:
  netsh name show eff
   To Check status of IPHTPS Interface:
  netsh int http show int
   To Check status of Teredo Interface:
  netsh int teredo show state
   To Check Windows Firewall Profile on the client:
  netsh advf show cu
   To Check IPSec Main Mode Security Association:
  netsh advf mon show mmsa
   To Check IPSec Quick Mode Security Association:
  netsh advf mon show qmsa
  Related Articles:
  Manage DirectAccess Clients Remotely
  http://technet.microsoft.com/library/jj574200.aspx
  Remote Access
  http://technet.microsoft.com/en-US/network/dd420463
  Remote Access (DirectAccess, Routing and Remote Access) Overview
  http://technet.microsoft.com/en-us/library/hh831416
  Remote Access (DirectAccess) Prerequisites
  http://technet.microsoft.com/en-us/library/dn464273.aspx
  DirectAccess Offline Domain Join
  http://technet.microsoft.com/en-us/library/jj574150.aspx
  Plan the DirectAccess Infrastructure
  http://technet.microsoft.com/en-us/library/jj574101.aspx
  Configure the DirectAccess Server
  http://technet.microsoft.com/en-us/library/jj574180.aspx
  Configuring and Implementing DirectAccess with Windows Server 2012
  http://technet.microsoft.com/en-us/video/tdbe13-configuring-and-implementing-directaccess-with-windows-server-2012.aspx

• NAC authentication SSO crashed after update fixes in Win Server2K3

  NAC 4.7(2) authentication SSO with Active Directory on WinServer2k3 crashed after update the next fixes:
  KB2478971          KERBEROS WEAK HASHING ALGORITHMS
  This update addresses the vulnerabilities by preventing the use of weak hashing algorithms in both Windows Kerberos and Windows KDC and by preventing the client from downgrading the encryption standard to DES for Kerberos communication between client and server.
  http://www.microsoft.com/technet/security/bulletin/MS11-013.mspx
  KB2478953          ACTIVE DIRECTORY DoS
  The vulnerability could allow denial of service if an attacker sent a specially crafted packet to an affected Active Directory server. The attacker must have valid local administrator privileges on the domain-joined computer in order to exploit this vulnerability.
  http://www.microsoft.com/technet/security/bulletin/MS11-005.mspx
  The NAC solution was working fine for a year, but since my costumer installed those fixes we have troubles to auth users in NAC, CAM can't read LDAP tree and CAS neither. I requested my customer to remove those fixes, they did it but they don´t have a snapshot or checkpoint previous to restore the servers.
  We have followed the Cisco's tshoot guides but the problem continues...
  Any suggestion?

  Could you please retpye ktpass on Win2003 server.You said CAM crashed, Do you find any message on support log.
  If you need a quickly support . please open a tac support case for this issue .
  SongL

• Using WMI Filter to apply group policy to users on computers in a security group

  Hello all,
  I've got a bunch of computers that I want to apply some user side polices that affect all users that log on to these specific computers (they are used for exams).
  Unfortunately it is company policy to have a flat OU structure and as such moving these computers into their own OU is out of the question. Which brings me to wanting to create a WMI filter to limit the policy to running on computers only within the security
  group and then set the security filtering to "Authenticated Users". The policy will be linked to the all student computers OU where a few thousand machines sit, but will only apply to 20 or so machines (I know it's messy).
  Anyway that brings me to my question, can someone point me in the right direction for how I would go about creating this WMI query?
  Cheers

  > I've got a bunch of computers that I want to apply some user side
  > polices that affect all users that log on to these specific computers
  > (they are used for exams).
  That's what "Loopback" initially was designed for. Nowadays, we can use
  some other tricks :)
  http://evilgpo.blogspot.de/2012/02/loopback-demystified.html
  http://blogs.technet.com/b/askds/archive/2013/02/08/circle-back-to-loopback.aspx
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))

• Sync Project Online Security Group to SharePoint Security Groups

  Hi,
  Is there any way to sync prject server security group(Custom) into SharePoint Security Groups.
  My scenario is: I created a document library, I want to apply project server security on it, based on project server security groups, for that currently I created a custom group in sharepoint and manualy added the users into that group. That doesn't looks
  good, because if my project online group will change, than manually I have to change sharepoint group too. So what I want is, that sharepoint group is automatically synced with project online group.
  Or is there any other way to assign project online security in document library?
  Thanks
  PSN

  No there is no workaround other then creating a group on Office 365 server.
  SharePoint Online lets you create security groups via the Admin Overview page
  http://technet.microsoft.com/en-us/magazine/hh395478.aspx
  Just found a 3rd part. check if it can help
  http://en.share-gate.com/blog/migrate-to-office-365-configure-sharepoint-to-use-active-directory
  Active Directory Synchronization: Allows you to sync your Active Directory Objects such as users and groups to your Office 365 account. This is a one-way synchronization, which means you continue to manage users On-Premises, and your changes
  will appear on Office 365 SharePoint. However, authentication and passwords are still managed by Office 365. It will be required for Password Sync and Single Sign On (see below).
  If this helped you resolve your issue, please mark it Answered

• ORA-20001: Unauthorized access (security group package variable not set).

  I'm creating an app that uses APEX authentication and features self-registration (working) and forgot password (not working) forms.
  My forgot password is public (requires no authentication). The user provides username and secret answer, which are validated, then provides the new password. I attempt to use htmldb_util.reset_pw to reset the user's password, but it's not working.
  I have a process on the new password page calling a PL/SQL anonymous block that looks like this (see below), where P16_ITEM1 = username and P18_ITEM1 = new password.
  BEGIN
  apex_040000.htmldb_util.reset_pw( V('P16_ITEM1'), V('P18_ITEM1') );
  END;
  I also don't know how to send accurate success/failure messages from such PL/SQL block back to APEX, but that's a separate issue I guess.
  Anyway, when testing via SQL Developer as the user with APEX_ADMINISTRATOR_ROLE, I get the following error:
  ORA-20001: Unauthorized access (security group package variable not set).
  ORA-06512: at "APEX_040000.WWV_FLOW_FND_USER_API", line 22
  ORA-06512: at "APEX_040000.WWV_FLOW_FND_USER_API", line 1220
  ORA-06512: at "APEX_040000.HTMLDB_UTIL", line 1253
  ORA-06512: at line 8
  I've searched previous threads and tried different suggestions with no luck.
  I'm on Oracle DB XE 11g and APEX 4.x.
  Any help will be appreciated. Thanks,
  Alex.

  Anyway, when testing via SQL Developer as the user with APEX_ADMINISTRATOR_ROLE, I get the following error:
  ORA-20001: Unauthorized access (security group package variable not set).When running code outside Apex that depends on the Apex security group being set, run the following before your own code:
  wwv_flow_api.set_security_group_id(apex_util.find_security_group_id('YOUR_SCHEMA_NAME'));Google "wwv_flow_api.set_security_group_id" for more details, such as this blog post:
  http://www.easyapex.com/index.php?p=502
  - Morten
  http://ora-00001.blogspot.com

• Too many AD security groups for ACS 4.1

  We have an issue that when a user is a member of too many Windows AD (2003) security groups (roughly 65) they won't get authenticated by our ACS 4.1.
  The 1st thing we investigated was the Windows Kerberos authentication issue. Which basically says that if a user is a member of more than 70 security groups then Kerberos authentication might fail. However we've used the tokensz.exe tool to calculate that the affected users Kerberos Token size isn't above the problem 12,000 bytes. Link to that issue http://technet.microsoft.com/en-us/library/cc757478%28WS.10%29.aspx
  On the ACS, when a user is a member of too many security groups, the error message is "External user not found". When the user is brought down to the "magic" number of security groups authentication works no problem.
  At the same time on the DC errors can be found in the CSWinAgent.log file.
  CSWinAgent 01/18/2010 12:25:23 A 0063 5720 NTLIB: Insufficient space for all of user [email protected] certificates
  CSWinAgent 01/18/2010 12:25:23 A 0063 5720 NTLIB: Group list buffer is too small for getting full groups list.
  So we are starting to think that the DC and / or CSWinAgent is causing us issues. Has anyone experienced similar issues?
  Thanks
  Stuart

  Hi Stuart,
  We are hitting a bug here.
  CSCse49827            Bug Details
  ACS Remote Agent fails users with too many goups
  Symptom:
  Windows External Database authentication fails on the ACS 4.0 SE if a user is a member of
  too many Windows groups.
  Conditions:
  This is specific to the ACS SE running 4.0.1(42) or earlier using Windows Domain Authentication
  to the ACS Remote Agent.
  Workaround:
  Reduce the number of group memberships the user is part of or reduce the lenght of
  the group names the user is a part of.
  Further Problem Description:
  If a user ia a part of enough windows groups that the number of characters total of all the groups
  exceed 1024 bytes the authentication of that user will fail.  All other users should still authenticate
  without any trouble
  Please upgrade ACS to 4.1.4 and that should fix it.
  First you need to upgrade it to 4.1.1 and then 4.1.4
  Regards,
  ~JG
  Do rate helpful posts

• Security group not working

  Hi
  I have a few security groups which initially can be use in Sharepoint 2010 but after a few months it seems that this groups cant be used anymore. the users in the groups could not access Sharepoint.
  TIA

  For the users to access sharepoint site, it is required that they need to be present in any of the below groups.
  Owners Group -> Full control of the site
  Members group -> Contribute access to the site
  Visitors group -> Read access to the site
  Designers group -> contribute + design access to the site
  Also if you add the NT Authority\Authenticated users to any of the above groups then all the authenticated users of the active directory will have the rights to access the site as per the groups they are assigned to.
  Hope this helps.
  Amalaraja Fernando,
  SharePoint Architect - HP
  e-Mail: [email protected]
  [email protected]
  This post is provided "AS IS" with no warrenties and confers no rights.
  Hi,
  Will try this way out. Thanks
  Regards,
  Jarvis

• Is there a way for an end user to see who has membership in a security group

  Windows Server 2008 R2
  Active Directory Domain
  Windows 7 workstations
  I am looking for a way that my end users can look at a folder security tab and then discover who has membership in the security groups listed.
  Is that possible? Any drawbacks or concerns?

  Hi Tod,
  Based on my research, other than viewing group membership in ADUC, we can use this PowerShell cmdlet
  Get-ADGroupMember GroupName and Net Group GroupName to view members in a group:
  However, these commands can only be used on Domain Controllers or when connecting to DCs remotely. That’s because accounts and account membership are stored on Domain Controllers, therefore we can only view group membership on DCs.
  More information for you:
  Viewing the Direct Members of a Group
  http://technet.microsoft.com/en-us/library/dd391915(v=WS.10).aspx
  Net group
  http://technet.microsoft.com/en-us/library/cc754051.aspx
  Best Regards,
  Amy

• Not able to set security group without mail enabled as site collection admin using powershell in sharepoint online site - office 365

  not able to set security group without mail enabled as site collection admin using powershell in sharepoint online site - office 365?
  Any idea?

  after few days test in my lab, I can see that only email enabled group can be added as site collection admin using POWERSHELL.
  hope this helps who stuck like me!! :-)

• Project Server 2010: PWA Removing Default Project Site Security Groups When Creating a New Project

  I looked for this specific issue with Project Server 2010/PWA/SharePoint and could not find an exact answer... hopefully someone can help.
  We are currently using Project Server 2010 and have a number of project site templates that are used dependent upon the enterprise project type selected. Each of these project site templates have unique permissions which should create the default security
  groups on the project site upon publishing/syncing:
  <Project Name> Members
  <Project Name> Owners
  <Project Name> Visitors
  <Project Name> Project Managers (Project Web App Synchronized)
  <Project Name> Team Members (Project Web App Synchronized)
  Web Administrators (Project Web App Synchronized)
  Whether a user creates a project through PWA or Project Pro 2010 and imports the project into PWA, we get a weird result in the Site Permissions of the newly created project site. PWA will remove all default security groups from the project site template
  and add a whole list of users in the Site Permissions list without groups. 
  Once the project is published and the project site is created, we can then go back and add those default security groups back in the project Site Permissions and even add a couple of custom groups without them being removed on all subsequent project syncs
  or publishing. 
  How do we get PWA to not overwrite the project site templates' security groups and place each user in the proper default security groups? At the same time, how is PWA adding a number of users into the Project Site Permissions?
  Thanks in advance.

  Paul,
  Thanks for that information. Right now we are using the Test environment to turn the Auto-sync feature back on. I suspect that the reason this is happening is due to PWA groups/categories/security templates. There may be more than one PWA group that is "overwriting"
  the default project site groups upon initial creation of the project. We will look further into the security settings to tighten up the policies.