April 16, 2012 3:11 PM | Comments [4] | by Ed Blankenship
I love learning new things and today I learned something new for Team Foundation Server. This one has perplexed me in the past and it’s one of the areas that I just never dived down deep enough to try out. I’m more writing this blog post so I can search for this again when I come to this situation in the future!
Essentially, I wanted to remove some users from the built-in “Team Foundation Service Accounts” security group at the server-instance level. They are added whenever you add them in the “Administration Console Users” group in the TFS Administration Console. However, when you look at the built-in service accounts group using Team Explorer or the Administration Console, you’ll notice that the dialog commands are disabled.
There are some side-effects for having real users in this security group so I wanted to remove them completely and leave only the actual TFS Service Account user. Some of those side effects are more pronounced in Team Foundation Server “11.” No worries though – because a colleague tipped me at using the command-line tool for managing security, TFSSecurity.exe. It’s a command-line tool that I actually rarely use and completely forget is available but it’s super powerful. In our case, it was pretty easy for me to use the /g- switch which allows for removing a member from any security group including this built-in one.
>tfssecurity /g- "Team Foundation Service Accounts" n:DOMAIN\username /server:https://tfs.mycompanydomain.com/tfs
It works!
Ed Blankenship
Our "Team Foundation Service Accounts" only have the service account on them but the "Project Collection Service Accounts" have this account, plus the setup user and old service account should this group also be tidyed up? What are the side effects - you mention in the post?Simon
Remember Me
a@href@title, b, blockquote@cite, em, i, strike, strong, sub, sup, u