This article explains how to add a domain user account to the groups associated with a VSTS team project using the TFSSecurity.exe tool that comes with Visual Studio Team System (VSTS). You might find this useful if you’re having problems using the GUI tools provided in VSTS and Visual Studio 2005 to manage such groups. It is assumed that you have already installed VSTS in your development environment and used it to create a team project.
Acknowledgement: Thanks to James Manning for explaining various aspects of the TFSSECURITY tool to me. See here for more details.
Most developers use an Integrated Development Environment (IDE) like Visual Studio to write, debug and build their software. VSTS takes this idea one stage further by providing an integrated set of tools to support the entire software development lifecycle. Amongst the facilities provided by VSTS are: Source Control, Document Control, Work Item Management, Bug Tracking, Reporting Services, Process Guidance, Team websites and support for Team builds. Add to this list the tools in the professional version of Visual Studio 2005 and you’ve got a state of the art development environment for your team.
VSTS is comprised of a number of tiers that sit on different computers in your development environment. Typically, the data and application tiers sit on one (or two) dedicated computer(s) called the Team Foundation Server (TFS). The client tier, meanwhile, sits on a developer’s PC along with Visual Studio 2005. At present (Nov, 2005) Visual Studio 2005 has been released to the market and VSTS is at Beta 3 - refresh. There are still a number of wrinkles that need ironing out of Team Foundation Server, particularly when it comes to managing security and permissions.
Using TFSSecurity.exe to add users to a team project contributor group
The following steps presume you have installed TFS on a computer called DEVSERVER in a Domain called SIGNAUSTR that already has user accounts for Jim and TFSSERVICE - see Note 1 below:
- Logon to DEVSERVER as TFSSERVICE - see Note 4.
- Find the directory containing TFSSecurity.exe installed during the setup of TFS.
- Add this directory to your path (Control Panel | System – Advanced, Press Environmental Variables, select Path in the System Variables list, press Edit and type a semicolon plus the path to the end of any existing string in the Variable Value box)
- Open the Command prompt window and type the following command:
TFSSECURITY /server:DEVSERVER /g [SandpitTest]
Where SandpitTest is the name of your team project. The program lists all the groups associated with SandpitTest. Note the name of the group to which you want to add users, e.g. Contributors. If you get FATAL ERROR TF50309 - see Note 3 below.
- Type the following command:
TFSSECURITY /server:DEVSERVER /g+
If you like typing you could use the SID value returned at step 4 (SID:S-1-9-xxx - with spaces removed) instead of [SandpitTest]\Contributors. SIGNAUSTR is the name of the domain of which your TFS is a member and Jim is a user in the domain who you want to make a Contributor to the project SandpitTest. Also see Note 5.
TFSSECURITY is a powerful tool that allows you to do much more than just adding users to a team project. Type the following to obtain help about its various commands:
Note 1: TFSSERVICE is the domain account you created during the installation of TFS for running Team Foundation Services. I had some permissions issues with this account because I installed TFS on my primary domain controller. These issues were resolved once I made it a member of the domain’s Enterprise Admins security group - many thanks to Adithya Dev at Microsoft support who patiently sorted out the problem for me.
Note 2: The original version of this article included the source code to build ListTeamProjects; a program written by James Manning and maintained at his blogsite. Although you should not need this program to use TFSSECURITY due to a bug (see Note 3) it may be useful to you so, James has provided the EXE plus the source here.
Note 3: There is a bug in TFSSECURITY released with Beta 3 Refresh which means that you have to supply the URI of the project to list its groups rather than the friendly name. Therefore in place of /g [SandpitTest] you must enter /g vstfs:///Classifications... . You can get the URI of your project by running ListTeamProjects with the name of your TFS server as a parameter, for example ListTeamProjects DEVSERVER. See note 2 for details about ListTeamProjects.
Note 4: If you just want to list the global groups on your server (step 4) then you can logon as any user who is a member of "Team Foundation Valid Users". If you want to add or remove users from a global group then logon as any user who is a member of "Team Foundation Administrators". If you want to add or remove users from a project group (step 5) then logon as any user who is a member of either the project's "Project Administrators" group or a member of "Team Foundation Administrators".
Note 5: If you want to add a user to a group whose friendly name includes whitespace then put quotes around the entire group name. For example, "[SandpitTest]\Build Services".