TFS Administration Console Adding and Removing Users - tfs

I am working with Team Foundation Server and I added a user to the server from the Administration Console, and the user has access to the server. But the problem is that even when I remove that user from the Administration Console, the user is still able to log in to the server. Can anyone help me here? Thank you in advance.

To remove users completely from the TFS server, you should remove the user from all the security groups.
Use the command below to find out which groups this account has been added to. Then check all those groups and try to remove that account from those groups.
TFS security imx:
tfssecurity /imx [domain\account] /server:[server url]
Besides, changes you make to local or Active Directory groups do not get reflected in TFS immediately. Instead, TFS will synchronize those groups regularly.
A periodic clean-up job that is executed removes people from the global groups. If you just wait, they will disappear in a couple of days. They will not have access to any of the TFS assets however.
You could look in http://tfs.mydomain.com:8080/tfs/_oi to see the sync job.
If you cannot wait for the scheduled job, you can try to do the force sync: http://msmvps.com/blogs/vstsblog/archive/2011/02/17/force-tfs-to-sync-with-active-directory.aspx
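The audit step described in this answer, as an added PowerShell example that is not part of the original post: it parses the "Member of" block of `tfssecurity /imx` output and prints one `tfssecurity /g-` removal command per group for review. The sample output is constructed, its line layout is an assumption to check against your TFS version, and the account name and collection URL are placeholders.

```powershell
# Constructed sample of `tfssecurity /imx` output (assumed layout, not captured
# from a real server): optional flag column, [A]/[G]/[U] type, then group name.
$sample = @'
Resolving identity "CONTOSO\jdoe"...

Identity type: Windows user
   Logon name: CONTOSO\jdoe

Member of 3 group(s):
e [A] [DefaultCollection]\Project Collection Valid Users
  [A] [DefaultCollection]\Project Collection Administrators
  [A] [Scrum Project]\Readers

Done.
'@ -split "`r?`n"

function Get-TfsGroupMembership {
    param([string[]]$ImxOutput)
    $inBlock = $false
    foreach ($line in $ImxOutput) {
        if ($line -match '^\s*Member of \d+ group\(s\):') { $inBlock = $true; continue }
        if (-not $inBlock) { continue }
        # -cmatch keeps the lowercase flag and uppercase type letter distinct
        if ($line -cmatch '^\s*([a-z])?\s*\[([A-Z])\]\s+(.+?)\s*$') {
            [pscustomobject]@{ Flag = $Matches[1]; Type = $Matches[2]; Group = $Matches[3] }
        } elseif ($line.Trim()) {
            $inBlock = $false   # first non-blank, non-group line ends the block
        }
    }
}

$account    = 'CONTOSO\jdoe'                                       # placeholder account
$collection = 'http://tfs.mydomain.com:8080/tfs/DefaultCollection' # placeholder URL
# Live use: $lines = & tfssecurity /imx $account "/collection:$collection"
$groups = Get-TfsGroupMembership -ImxOutput $sample

foreach ($g in $groups) {
    if ($g.Group -like '*Valid Users') {
        # Valid Users groups are maintained by TFS itself; the entry goes away
        # after the other memberships are removed and the identity sync has run.
        "SKIP    $($g.Group)"
    } else {
        # Emitted as text only, so each removal is reviewed before it is run.
        "REVIEW  tfssecurity /g- `"$($g.Group)`" `"$account`" /collection:$collection"
    }
}
```

Because `/imx` reports expanded membership, a listed group may be reached through a Windows or Active Directory group rather than directly; in that case the account has to be removed from that group instead.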

Related

Assigned To field not showing user with the same name as a deleted user

We had a person leave our company and their windows domain account for Active Directory was deleted. They have since come back but have been given a different windows domain account user name. Now when we attempt to assign them tasks it's always associated with the old account. I assume this is because the name is still the same and TFS is doing some kind of duplication check. I've tried removing cache and have verified that the Team Foundation Server Periodic Identity Synchronization job is running properly. I can also see the old active directory account show up when attempting to Add a windows user or group via the dialog along with the new Active Directory user.
What's strange is this user is not showing up as a member of any groups in TFS for any of the Team Project Collections. So why are they still showing up in the [Team Project Collection]\Project Collection Valid Users group?
It seems the main issue is deleted users still appearing in the "Assigned To" list. First, try to narrow down the issue.
If you are using the VALIDUSER rule, it contains all valid users in TFS. You may check the collection-level Project Collection Valid Users group; you may need to check every group to delete the user. Use the TFSSecurity /imx command to display information about that group, then delete the user from the right group.
After deleting the old user, you need to let TFS sync with Active Directory. For detailed steps, you can refer to:
Force TFS to sync with Active Directory
Active Directory Groups not Syncing with Team Foundation Server 2010

TFS AD Group Not Authenticating

I have a new TFS 2013 install (Basic Mode).
I added an AD Group (MyDomain\TFSAdmins) to the [DefaultCollection]\Project Collection Administrators TFS group. But users in this group can't authenticate to the TFS web portal (http://myTFSserver:8080/tfs). Only the Administration Console User can authenticate... What am I doing wrong?
Am I missing something at the Application Tier level?
What you did is entirely correct. You didn't miss anything at the Application Tier level.
You could try some troubleshooting as below:
1. Clean the IE cache and clean the TFS client machine cache.
2. Try to use these users to connect to TFS from VS, and see if you can connect successfully.
3. Add an AD user instead of an AD group.
You can just use "iisreset" to solve the problem. I was trying to find a lot of answers for this problem, and after thinking a little more I remembered that TFS uses IIS to publish the site. So I just used iisreset and the users appeared in the group inside TFS.

TFS Integration Platform Migration Issue access denied

Here is the scenario:
I have 2 TFS servers, TFS-A is in local and TFS-B is abroad.
Checking in to TFS-B is very slow, so my idea is to check in to TFS-A first,
and check all changes in to TFS-B from TFS-A at once at night.
But TFS-A and TFS-B have different user accounts, and when I synchronize them, an error happens.
The error told me access denied.
So is it possible to sync two TFS servers with different accounts?
How to do it?
Thanks in advance.
You need to supply a user mapping in your TFS integration platform configuration. A similar post shows how to do this in detail: TFS Integration Platform: How to map users with the SVN adapter?
Hope that helps you further.

TFS access denied to only one specific domain user

I created a local group user which I added to TFS Contributor/Valid User groups. Anytime if I needed to add a user as contributor, I would add him/her to the local group and the person has the access to TFS; which is until now. Recently a new person got hired and MIS setup the domain account for him. I added him the same way but for some reason he couldn't connect to TFS. I tried everything that I know of. I even asked MIS to recreate (delete and create again) the user in ADS. But nothing seems to be working. Does anybody know what could be possible problem?
I had the same issue, where a user did not get permission to TFS when adding him/her to the user group. I resolved it by adding the user directly to TFS. You can use the TFS Administration Tool to add users quickly to TFS, SSRS and SharePoint: http://tfsadmin.codeplex.com
OK. I solved the problem. It was TFS cache that was causing this problem. Once I cleared it, everything worked fine.
Thanks for trying to help.

Adding Active Directory users to Team Foundation Server

How can I add AD users to TFS users from a computer that can't connect to AD/domain? Structure is like this:
TFS Server, in AD/domain
My computer, with VS.NET, can't join the AD/domain
The only way to add AD users to the TFS users list that I could find is in VS.NET->Team->Team Foundation Server Settings->Security->Add users or groups->Windows user or group. Since my computer can't join the AD, I can't see the AD in the Locations list. Is there a way to do this without installing VS.NET on the server?
You can do this at the command line (Visual Studio Command line is easiest):
tfssecurity /g+ <tfsgroupidentifier> <user or group identifier> /collection:http://server:8080/tfs/collectionname
example:
tfssecurity /g+ "Scrum Project\Readers" "Contoso\CEO" /collection:http://contoso:8080/tfs/Default
WORKAROUND:
Here is a solution for adding users to TFS 2010 when your development machine doesn't have access to the remote domain.
Create the user on the server if you haven't already done so and Add the user to the ProjectTeam group.
Then on your local machine that isn't tied to the domain, simply create a user with the same username.
Right-Click on your project in Team Explorer and choose "Team Project Settings" --> "Group Membership..."
Click on the group you want to add the user to, and press the "Properties" button.
Select "Windows User or Group" and click "Add"...then just type in the username (you shouldn't need to specify the domain) - even if it initially identifies your current computer/domain...it should automatically change it to the remote domain.
Then you can delete that username from your local computer.
I spent about 4 hours trying to add a user for a remote domain before getting this to work.
Microsoft really should have thought about this scenario for remote developers, TFS running on remotely hosted servers and so on.
I hope that helps.
If you do decide you are ok with doing this from the TFS server, you don't need to install the whole Visual Studio 2008 client. Instead, just install the team explorer client. It will install the Visual Studio shell, along with the TFS tools, but no development language pieces.
I have this very same problem. The only way I have found to solve this is to have a computer that I can RDP to within the domain and add the user from there.
It's not pretty, but it works....
p.s. As long as you have permission on the domain, you could write a tool to do this.
