The Ramblings of Two Microsoft .NET Developers, TFS, and Visual Studio ALM Guys --- "Yes, we are both named Ed."

How to Remove User from Team Foundation Service Accounts Security Group



I love learning new things and today I learned something new for Team Foundation Server.  This one has perplexed me in the past and it’s one of the areas that I just never dived down deep enough to try out.  I’m more writing this blog post so I can search for this again when I come to this situation in the future!

Essentially, I wanted to remove some users from the built-in “Team Foundation Service Accounts” security group at the server-instance level.  They are added whenever you add them in the “Administration Console Users” group in the TFS Administration Console.  However, when you look at the built-in service accounts group using Team Explorer or the Administration Console, you’ll notice that the dialog commands are disabled.

[Screenshot: Disabled commands for editing the Team Foundation Service Accounts security group]

There are some side effects of having real users in this security group, so I wanted to remove them completely and leave only the actual TFS Service Account user.  Some of those side effects are more pronounced in Team Foundation Server “11.”  No worries though – because a colleague tipped me off to using the command-line tool for managing security, TFSSecurity.exe.  It’s a command-line tool that I actually rarely use and completely forget is available, but it’s super powerful.  In our case, it was pretty easy for me to use the /g- switch, which allows for removing a member from any security group, including this built-in one.

>tfssecurity /g- "Team Foundation Service Accounts" n:DOMAIN\username /server:https://tfs.mycompanydomain.com/tfs

It works!

Ed Blankenship

Posted in TFS
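
An audit step that pairs with the command above, as an added example that is not part of the original post: the PowerShell below parses `tfssecurity /im` output for the group and prints the `/g-` command for every direct member that is not on an allow-list. The account `DOMAIN\svc-tfs`, the function name `Get-UnexpectedMember` and the sample output are constructed for illustration, and the member-line shape is an assumption noted in the code.

```powershell
# Added example, not from the original post. Lists direct members of the
# group that are not on an allow-list and prints the /g- command for each.
# Nothing is removed here; review the printed commands before running them.
$Group     = 'Team Foundation Service Accounts'
$Server    = 'https://tfs.mycompanydomain.com/tfs'   # URL used in the post
$AllowList = @('DOMAIN\svc-tfs')                     # hypothetical service account

function Get-UnexpectedMember {
    param([string[]]$ImOutput, [string[]]$Allowed)
    $inMembers = $false
    foreach ($line in $ImOutput) {
        # Members are listed between "N member(s):" and "Member of N group(s):"
        if ($line -match '^\s*\d+ member\(s\):')    { $inMembers = $true;  continue }
        if ($line -match '^\s*Member of \d+ group') { $inMembers = $false; continue }
        # Assumed line shape: "  [U] DOMAIN\name (Display Name)", U = user, G = group
        if ($inMembers -and $line -match '^\s*\[(U|G)\]\s+(.+?)(\s+\(.*\))?\s*$') {
            $type, $account = $Matches[1], $Matches[2]
            if ($Allowed -notcontains $account) {   # -notcontains ignores case
                [pscustomobject]@{ Type = $type; Account = $account }
            }
        }
    }
}

# Constructed sample output. For a live server use instead:
#   $out = & tfssecurity /im $Group "/server:$Server"
$out = @'
Resolving identity "Team Foundation Service Accounts"...

3 member(s):
  [U] DOMAIN\svc-tfs (TFS Service)
  [U] DOMAIN\alice (Alice Example)
  [G] DOMAIN\TFS Admins (TFS Admins)

Member of 1 group(s):
  [A] [TEAM FOUNDATION]\Team Foundation Valid Users
'@ -split "`r?`n"

Get-UnexpectedMember -ImOutput $out -Allowed $AllowList | ForEach-Object {
    'tfssecurity /g- "{0}" "n:{1}" /server:{2}' -f $Group, $_.Account, $Server
}
```

Only direct members are considered, so accounts that reach the group through a nested Windows group show up as the `[G]` entry rather than individually.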


Tuesday, April 17, 2012 8:09:30 AM (Pacific Daylight Time, UTC-07:00)
Hi Ed thanks for pointing this out - I think this was also a command I'd semi-forgotten.

I have a query after reading your post.
Our "Team Foundation Service Accounts" only have the service account on them, but the "Project Collection Service Accounts" have this account, plus the setup user and old service account. Should this group also be tidied up? What are the side effects you mention in the post?

Thanks

Simon
Simon B
Tuesday, April 17, 2012 8:28:37 AM (Pacific Daylight Time, UTC-07:00)
Our "Team Foundation Service Accounts" only have the service account on them, but the "Project Collection Service Accounts" have this account, plus the setup user and old service account. Should this group also be tidied up? What are the side effects you mention in the post?

Simon


Good questions - Service Accounts have permissions that are typically above and beyond what is intended for regular users. For example, we want service accounts to be able to impersonate requests for other users but don't want regular user accounts to be able to do the same thing. Also, there is some new functionality around the TFS alerts where being in the service accounts group changes the ownership of the alert subscription with the service accounts group which isn't desirable for a real person.
Thursday, July 19, 2012 6:43:59 AM (Pacific Daylight Time, UTC-07:00)
Hi Ed

I have tried all ways to remove the delete permission for all users, but it is getting inherited elsewhere in other ways. I have kept the user in the contributor group, but he is still able to delete all files and the project too. Can you please guide me to resolve this issue?


Thanks
Kishore
Monday, March 18, 2013 2:13:52 AM (Pacific Standard Time, UTC-08:00)
Very Good Post, Thx
Oren Micha