Tuesday, March 24, 2009

Setting up a TFS Administrator account, without having to assign the user to the local administrators group.

When I first got TFS running, I found that for every user that needed the ability to create a project in TFS, I had to add them to the local administrators account. Giving every user that needed to be able to create a project in TFS the privileges of a local admin just gave me the hibbie jibbies.

After some investigation, I found out the exact set of permissions that one needs to give a user in TFS so that they have the permissions to create a project, without having to make them an admin on that machine.

The complication arises from the fact that TFS is not a single application, but a stack of products that includes the TFS server, a SharePoint portal and a Sql Reporting Services server. A user who is to have the ability of creating projects in TFS needs to be assigned to the TFS Administrators group (theoretically they need only the “Create New Projects” permission, which is provided to the TFS Admin group). Unfortunately, adding the user to the TFS Admin group, does not setup the permissions required for SharePoint and Reporting Services. Which is why you end up getting a whole set of error messages such as:

“TF30224: Failed to retrieve projects from the report server. Please check that the SQL Server Reporting Services Web and Windows services are running and you have sufficient privileges for creating a project.”

Because Microsoft has not provided a single tool that will setup the permissions across the other two apps, you need to do it manually. And here are steps to do just that:

  1. Add the user to the TFS Administrators Group

Select the TFS server node in TFS Explorer.

Right click and browse to –> Team Foundation Server Settings –> Group Membership


Double click on the Team Foundation Administrators group, to open its properties dialog.


Select “Windows User or Group” and click on “Add…”.


Enter the user id and click ok.


Click on Ok and close to close out of all the dialogs.

  1. Setup SharePoint security settings

A). Determine location of SharePoint Admin Pages

The following actions need you to know the URLs to some SharePoint administration pages. These can be obtained by by running the “TfsAdminUtil.exe ConfigureConnections view” command on the TFS server. (TfsAdminUtil.exe can be found in the folder: C:\Program Files\Microsoft Visual Studio 2008 Team Foundation Server\Tools)

The 2 links that are important for this part are: SharepointUri SharepointAdminUri (This is the same as the SharePoint Central Administration page, which can be opened by going to Administrative Tools à SharePoint 3.0 Central Administration)


B). Add the user to the SharePoint Farm Administrators Group.

Open up SharePoint Central Administration (—> Administrative Tools –> SharePoint 3.0 Central Administration)


(Alternatively, you can browse to the SharepointAdminUri 2(A))

Go to the Operations tab:


Click on “Update Farm Administrator’s Group”


Click on “New –> Add Users”


Enter the user id and then click on the “Check Names” icon to make sure SharePoint was able to find the correct user. Next, make sure that “Farm Administrators” group is selected and click Ok.


C). Add the user to the “Site Collection Administrators” list.

Visit the SharePoint Team Site page. (This is the SharePointUri link)

Click “Site Actions –> Site Settings”


Click on “Site collection administrators”


Enter the user id, click on “check names” to confirm that you have entered the correct user id and then click ok.


You will be returned to the “Site Settings” page.

D). Give the user “Full Control” to the entire SharePoint portal.

On the “Site Settings page”, Click on “Advanced Permissions”.


Click on “New –> Add Users”


Enter the user-id and click on “check names” to confirm that you entered the correct user-id. Select “Full control” under the “Give users permissions directly” heading.


Click Ok.

You might need to restart SharePoint Products and Technologies or Internet Information Services (IIS) before these changes will take effect.

  1. Setup Reporting Services server settings

Browse to the Reporting Services administration page: http://TFSServerName/Reports/Pages/Folder.aspx

A). Add the user as a Content Manager to the Reporting Services Server.

Go to the “Properties” tab and then click on “New Role Assignment”.


Enter the user-id, select “Content Manager” and then click Ok.


B). Give the user site-wide “System Administrator” privileges to the Reporting Services portal.

Click on “Site Settings”.


Click on “Configure Site Wide Security”


Click on “New role assignment”.



Enter the user-id, select “system-administrator” and then click Ok.


The user for whom you did the above steps should “theoretically” be able to create new projects in TFS now.

Best of luck!

Note (added 04.06.2009): To give a AD group or user full control over all newly created TFS SharePoint portals you need to do the following: To fix this, access SharePoint Central Administration. You will need to do this with your TFSSetup account (or equivalent) since it will be the only account out of the box that has Central Admin privileges. Go to: ‘Application Management –> Policy for Web Application’ and click ‘Add Users’. On the first screen, ensure Zones is set to ‘All Zones’ and click Next. Then under ‘Choose Users’ add your user account to the box and click the little ‘tick’ icon below to ‘check names’. Check the box for ‘Full Control’ and click ‘Finish’. This gives your user full access over the whole application, which means all future sub sites that may get created.

References: How to: Set Team Foundation Server Administrator Permissions http://msdn.microsoft.com/en-us/library/bb552341.aspx

More information regarding permissions for all sub-portals http://stevennagy.spaces.live.com/blog/cns!B2EFDBF0964586B3!363.entry

1 comment:

Anonymous said...

Thanks man! Being a first time TFS admin, the learning curve is a little daunting and tutorials like this help to level it out! :)