Can you direct me to Directory Services?

As with many of my other Administration and Operations posts, this one stems from posts I've seen on the Visual Studio Team System forums. I've read a number of questions where people are having trouble granting their Active Directory users access to their Team Foundation Server.

What I've found is that, oftentimes, this is due to either the trust relationships between their domains or the permissions for the account currently running as the TFS service account. In the latter case, this may be due to using a local account rather than an AD account as the service account, AD permission settings, the "Log on as a service" right, or AD trust relationships (looping us back to the first possibility).

So, to help you figure this all out, I'm going to lay down The Word on what it is you need to set up in order to get AD users into TFS.

  1. If you wish to use AD users, you must either:
     • Create local accounts with the same user names and passwords as your AD accounts (and add them to a TFS group), if you want to use a local account as your TFS service account, or
     • Use an AD account for your TFS service account.
  2. In the second case, your TFS service account needs to have read access to objects in all domains you wish to add users from:
     • In short, this means the domain of the TFS service account must be trusted by all of the other domains you wish to use.
     • Also, users in those domains need to be granted the rights to read objects. This is the default, but some folks lock down their ADs so normal users can't read all other users/computers/etc. for their domain. If your domains are set up this way, you'll have to talk the domain admins into granting the permission to your service account explicitly.

No matter what your TFS service account is, it needs "Log on as a Service" permission. Two useful sites on how to set this permission are this forum post and our MSDN documentation.
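The three requirements above (a domain rather than local service account, a trust in the right direction plus read rights in every user domain, and the "Log on as a service" right) can each be verified before you start adding users. The script below is an added example written for this post, not something shipped with TFS or taken from the original article. It assumes you supply the service account in DOMAIN\user form, the DNS name of the service account's domain, and the DNS names of the domains you want to pull users from; run it on the TFS application tier from an elevated prompt (secedit needs that), and pass the service account's credential so the LDAP probe reflects that account's permissions rather than your own. The interpretation that a one-way trust reported as `Inbound` from the service account's domain means that domain is the trusted side follows the Windows "incoming trust" wording (users in this domain can be authenticated in the other domain); confirm it against your own trust configuration.

```powershell
<#
  Added example (not from the original post or from TFS). Pre-flight check for the
  AD requirements of the TFS service account: account type, "Log on as a service",
  trust direction per user domain, and whether user objects can actually be read.
  All names below are placeholders you must replace.
#>
param(
    [Parameter(Mandatory = $true)] [string]   $ServiceAccount,          # constructed example: 'CONTOSO\svc-tfs'
    [Parameter(Mandatory = $true)] [string]   $ServiceAccountDnsDomain, # constructed example: 'corp.contoso.com'
    [Parameter(Mandatory = $true)] [string[]] $UserDomains,             # constructed example: 'corp.contoso.com','partner.fabrikam.com'
    [System.Management.Automation.PSCredential] $Credential             # credential of the service account (assumed supplied)
)

Add-Type -AssemblyName System.DirectoryServices

# 1. Local vs. domain account. A local account can never be granted read rights in an
#    AD domain, so option 1 of the post (mirrored local accounts) is the only route then.
#    Assumes DOMAIN\user form; '.' or the computer name as the domain part means local.
function Test-DomainAccount([string] $Account) {
    if ($Account -notmatch '\\') { return $false }
    $domainPart = ($Account -split '\\')[0]
    return ($domainPart -ne '.') -and ($domainPart -ine $env:COMPUTERNAME)
}

# 2. "Log on as a service". secedit exports local policy; SeServiceLogonRight is a
#    comma-separated list of SIDs (prefixed with *) and/or account names.
function Test-LogonAsService([string] $Account) {
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight' | Select-Object -First 1
        if (-not $line) { return $false }
        $holders = ($line.Line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
        return ($holders -contains $sid) -or ($holders -icontains $Account)
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

# 3a. Trust between the service account's domain and each user domain. The post needs
#     the service account's domain to be the TRUSTED side: two-way always qualifies;
#     a one-way trust qualifies when it is Inbound from the service domain's view
#     (interpretation assumed here, see lead-in); Outbound only is the wrong way round.
function Get-TrustStatus([string] $ServiceDomain, [string[]] $Targets) {
    $ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $ServiceDomain)
    $trusts = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx).GetAllTrustRelationships()
    foreach ($t in $Targets) {
        if ($t -ieq $ServiceDomain) {
            [pscustomobject]@{ Domain = $t; Trust = 'OK (same domain)' }
            continue
        }
        $match = $trusts | Where-Object { $_.TargetName -ieq $t } | Select-Object -First 1
        $status = if (-not $match) { 'NO TRUST' }
                  elseif ($match.TrustDirection -eq 'Bidirectional') { 'OK (two-way)' }
                  elseif ($match.TrustDirection -eq 'Inbound')       { 'OK (one-way, service domain is trusted)' }
                  else { 'WRONG DIRECTION (service domain is only the trusting side)' }
        [pscustomobject]@{ Domain = $t; Trust = $status }
    }
}

# 3b. Can the service account read user objects there? A healthy trust plus a failure
#     here is the "locked-down AD" case the post describes: ask the domain admins for
#     explicit read permission on the service account.
function Test-UserRead([string] $Domain, [System.Management.Automation.PSCredential] $Cred) {
    try {
        $root = if ($Cred) {
            New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain", $Cred.UserName,
                                                                $Cred.GetNetworkCredential().Password)
        } else {
            New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain")
        }
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, '(&(objectCategory=person)(objectClass=user))')
        $searcher.PropertiesToLoad.Add('sAMAccountName') | Out-Null
        return ($null -ne $searcher.FindOne())   # null = bound but nothing readable
    } catch {
        return $false                            # bind failed (no trust, bad credential, unreachable)
    }
}

$isDomainAccount = Test-DomainAccount $ServiceAccount
"Service account is a domain account : $isDomainAccount"
"Has 'Log on as a service' right     : $(Test-LogonAsService $ServiceAccount)"
if ($isDomainAccount) {
    Get-TrustStatus -ServiceDomain $ServiceAccountDnsDomain -Targets $UserDomains |
        ForEach-Object {
            $_ | Add-Member -MemberType NoteProperty -Name CanReadUsers `
                            -Value (Test-UserRead $_.Domain $Credential) -PassThru
        } | Format-Table -AutoSize
} else {
    'Local service account: AD reads are impossible. Create matching local accounts (option 1) or switch to a domain account.'
}
```

Read the table row by row: `NO TRUST` or `WRONG DIRECTION` is a trust problem for the domain admins; `OK` with `CanReadUsers` false is the locked-down-ACL problem; and a false "Log on as a service" result is fixed in Local Security Policy regardless of which account you use.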

Hopefully setting that up will let you add your domain users to TFS. If not, though, there may be fouler forces at work. Still, you'll probably want to take a look back at my other post on getting users into TFS entitled "Get your users for nothin' and your sync for free" as our periodic sync process is known to have issues in Whidbey (VSTS 2005) RTM and SP1.

Best of luck, and let me know if you hit any other stumbling blocks along the way!

[Edit: I should note that, from what I can recall of our stated support cases, we permit you to have as many two-way trusts as you like, but only claim to support one one-way trust where the TFS service account must be in the trusted domain.]

Comments

  • Anonymous
    April 02, 2007
    Martin Hinshelwood on TFS Admin Tool 1.2 Gotcha. Adam Singer on Can you direct me to Directory Services?...
  • Anonymous
    April 12, 2007
    I'm not having trouble adding users from the domain, but instead have trouble with too many users from the domain showing up in the Assign To field. I'm guessing this is due to the Directory Services API returning up to 1000 entries by default. In a large domain, this means 1000 (random) accounts shown in the Assign To field of a Work Item. Is there any way to filter this down to just TFS users? At first the TFS users didn't even show up until they were individually added to TFS groups. Just adding their security groups doesn't cut it. But now I'd like to get rid of the myriad other users who don't have anything to do with the project. Thanks!
  • Anonymous
    April 12, 2007
    Good question, Todd. I haven't customized work items, myself, so will rely on others' knowledge to help answer this one. Take a look at the forum post here for steps to limit this list: http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=583115&SiteID=1