I know we can add/remove users for Team Foundation Service Accounts group using TFSSecurity command
for example - tfssecurity /g- "[TEAM FOUNDATION]\Team Foundation Service Accounts" n:DOMAIN\username /server:https://tfs.mycompanydomain.com/tfs
When I try to remove an inactive user (the AD user left the organization), I am getting Error: The identity cannot be resolved.
How can I remove an inactive user from the "Team Foundation Service Accounts" group?
Any help would be highly appreciated.
TFS version : 2017
Since that user is inactive (the AD user left the organization), please execute the command tfssecurity /imx "username" /collection:url, then view the result to check which group(s) in your collection this user exists in. Ensure you have removed this user from all the TFS groups.
If you are also not able to remove him from the other groups, you could try to use the User ID instead of the domain name.
tfssecurity /g- "[TEAM FOUNDATION]\Team Foundation Service Accounts" n:userID /server:https://tfs.mycompanydomain.com/tfs
The UserId is stored in Tfs_Configuration database.
If you want to know your ID, you could ask your TFS administrator to check the [dbo].[tbl_Identity] table to get your UserID.
Related
Is there any way to grant only board access to Azure DevOps (TFS) users without showing Repo's (codes)?
Yes. In the Project Settings-Permissions, click New Group and create a new group, add the users you want to "grant only board access to Azure DevOps".
Then, in this group's Permissions, set all the permissions to "Deny" except those in the Boards (these you can set to "Allow").
without showing Repo's (codes)?
As for this requirement, you need to go to the Project Settings-Repos-Repositories, select the target groups or users, set the "Read" permission to "Deny". After this, the group members or users can not see the repo file anymore.
Having upgraded to Plastic SCM version 8.0.16.3533, one user can assign code reviews, another can't.
The users each have two domain accounts using the same user ID, i.e. domain1\userID and domain2\userID. I've ensured the users' old domain accounts have been deactivated. They both have active licences and are in a group assigned to the repository permissions.
No code
All users are able to assign code reviews.
My Gerrit version is 2.10.2.
Regarding a Gerrit group (delete user permission): I am the Gerrit administrator, and I have user add/delete permission for Gerrit groups. Today I noticed that even the users who have access to a Gerrit group are also able to remove users from the Gerrit group. I thought only an admin could manage groups and user permissions, whereas it is working for users as well. I have checked the project; it has the access configured as "Rights Inherit From: All-Projects", and "Project All-Projects" has the settings below.
Global Capabilities
Administrate Server - Allow - Administrators
Priority - Batch - Non-Interactive Users
Stream Events - Allow - Non-Interactive Users
Could you let me know where I can configure the permission so that a user is not allowed to remove users from a Gerrit group? Only the Gerrit administrator needs to have user add and delete permission for Gerrit groups.
Check the following:
Click on the "General" tab of some group.
Look at the group in the "Owners" field
All users that are members of the owner group (or members of one of its sub-groups) have the permission to add and remove users to the original group.
Put the administrator group (or other group you want) in this field and click on the "Change owner" button.
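The ownership rule described in this answer can be checked for every group at once. The following is an added example, not part of the original answer: it reads a group listing in the shape returned by Gerrit's REST call GET /groups/?o=MEMBERS&o=INCLUDES and reports, for each group not owned by the administrator group, which users can edit its membership. The sample data, user names and function names are constructed for illustration.

```python
import json

# Constructed sample in the shape of GET /groups/?o=MEMBERS&o=INCLUDES,
# including the ")]}'" line Gerrit puts in front of JSON response bodies.
SAMPLE = """)]}'
{
  "Administrators": {"id": "uuid-admins", "owner_id": "uuid-admins",
    "members": [{"username": "gerritadmin"}], "includes": []},
  "Team-Leads": {"id": "uuid-leads", "owner_id": "uuid-admins",
    "members": [{"username": "carol"}], "includes": []},
  "Developers": {"id": "uuid-devs", "owner_id": "uuid-devs",
    "members": [{"username": "alice"}, {"username": "bob"}],
    "includes": [{"id": "uuid-leads"}]}
}
"""

def parse_groups(body):
    """Drop the prefix line, then index the groups by their UUID."""
    if body.startswith(")]}'"):
        body = body.split("\n", 1)[1]
    by_id = {}
    for name, info in json.loads(body).items():
        by_id[info["id"]] = dict(info, name=name)
    return by_id

def effective_members(by_id, group_id, seen=None):
    """Direct members plus members of included sub-groups (cycle-safe)."""
    seen = set() if seen is None else seen
    if group_id in seen or group_id not in by_id:
        return set()
    seen.add(group_id)
    group = by_id[group_id]
    users = {m["username"] for m in group.get("members", [])}
    for sub in group.get("includes", []):
        users |= effective_members(by_id, sub["id"], seen)
    return users

def audit(body, admin_group="Administrators"):
    """Map each group not owned by admin_group to the users who can edit it."""
    by_id = parse_groups(body)
    admin_id = next(g["id"] for g in by_id.values() if g["name"] == admin_group)
    report = {}
    for g in by_id.values():
        if g["owner_id"] != admin_id:
            report[g["name"]] = sorted(effective_members(by_id, g["owner_id"]))
    return report

if __name__ == "__main__":
    for name, users in audit(SAMPLE).items():
        print(f"{name}: membership editable by {users}")
```

In the sample, "Developers" owns itself, so every member, including those who arrive through the included "Team-Leads" group, can add and remove users until the owner is changed.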
TFSConfig Identities listed all TFS accounts and all but one matched Windows.
How do I fix the lone user account where the Match is False?
While this may not be relevant, I add it to the post in case it provides any additional clues. I tried to reapply the user in the Application Tier Console Users list and it failed. The log stated the account is also an orphaned SQL Server Login. I assume that makes sense if the SID is mismatched, though.
Since you have reapplied the user in the Application Tier Console Users list, changes you make to local or Active Directory groups do not get reflected in TFS immediately.
It may be an identity synchronization issue. You must wait for the next identity synchronization with Windows before the properties of the accounts you have changed will be updated. This requirement includes changes from group to user, user to group, and domain account to local account.
You could also force TFS to sync; for details, please refer to this blog. After this, run TFSConfig Identities again.
When I try to create a meta-task in TFS15 RC1, the following error comes up:
Access denied. [username] needs Edit meta-task permissions to perform the action. For more information, contact the Team Foundation Server administrator.
The user in question is a superadmin of TFS15.
You lack the related permission. You can grant the permission by following the steps below:
Open Meta-task under Release hub in your team project
Right click Meta-task, select Security
Either add your account in one of the groups or directly add your User ID (click Add...-Add Windows identity)
Note:
Please make sure the permission for Edit meta-task of your account or the TFS group has been set to Allow.
When you add the new user ID under the users, you need to change the permission (such as Not set-Allow) and save changes. Otherwise, the user will disappear.