Set default queries for all users in TFS web UI - tfs

How can I set default queries for all users in Team Foundation Server when I am using Team Web Access?

How to: Save a Team Query (Team System Web Access)
If you have the required permissions, you can save a query to share with other users to a folder location that other users can access. They have them available by default. Queries saved in a location where the team can use them are called Team Queries.
To save a query as a team query, you must be a member of the Project Administrators group.
Create or modify a work item query.
Click Save As.
In the Save as Query dialog box, in the Name box, type a name for the query.
Click the Team query option.
In the Team project list, select the team project.
In the Description field, type a description.
Click OK when you are finished.

Related

Which permission allows a user to create Task Groups in TFS 2017 Build?

When I try to create a task group from a task in my build definition in TFS 2017, I get an error that says
Access denied. (user name) needs Edit task group permissions to
perform the action. For more information, contact the Team Foundation
Server administrator.
I've checked the following documentation pages, but none of them seem to mention how to grant edit task group permission:
Task Groups
Permissions and groups in VSTS and TFS
Build and release permissions
I'd like to know the correct way to grant this permission.
Additional information:
My account is a member of a Builders group in the appropriate project, and that Builders group has Allow set for every permission listed at the above Build and release permissions link, except override check-in validation by build and Update build information which are both Not Set, and the documentation recommends leaving those permissions as they are.
There are three related permissions for task group configuration: Administer task group permissions, Delete task group, and Edit task group.
You could set it from Build & Release > Task Groups > right-click it in the left pane > select Security.
However, just like some other permission settings, you could also directly add a user or TFS group here. After adding a user, there should be a users list under the TFS group list.
"Build Administrators", "Contributors", "Project Administrators" or "Release Administrators": there are just four default groups here. You don't have to add your user account to these groups and set the permission for a specific group to grant the related "task group" permission. For example, if you don't want to give all users in a group the corresponding permission, you could simply give the permission to a user.
In your case, you could add your old "Builders" group here or just add your owner account either directly here or to one of the default groups.
The other answer is good, except that I have no Builders group... perhaps due to the upgrade path that had been followed on that server.
Go to Task Groups hub, e.g. http://{server}:8080/tfs/{collection}/{project}/_apps/hub/ms.vss-releaseManagement-web.hub-metatask, and hover on Task Groups in left pane, click Ellipsis and choose Security. By default, the old Builders group is not in there, but Build Administrators is. The permission Edit task group can be set here, if needed, but it looks like the correct thing to do is add the user to one of the groups Build Administrators, Project Administrators or Release Administrators.

Assigned To field not showing user with the same name as a deleted user

We had a person leave our company and their Windows domain account for Active Directory was deleted. They have since come back but have been given a different Windows domain account user name. Now when we attempt to assign them tasks it's always associated with the old account. I assume this is because the name is still the same and TFS is doing some kind of duplication check. I've tried removing cache and have verified that the Team Foundation Server Periodic Identity Synchronization job is running properly. I can also see the old Active Directory account show up when attempting to Add a Windows user or group via the dialog along with the new Active Directory user.
What's strange is this user is not showing up as a member of any groups in TFS for any of the Team Project Collections. So why are they still showing up in the [Team Project Collection]\Project Collection Valid Users group?
It seems the main issue is deleted users still appearing in the "Assigned To" list. First, try to narrow down the issue.
If you are using the VALIDUSER rule, it contains all valid users in TFS. You may check the collection-level Project Collection Valid Users group; you may need to check every group to delete the user. Use the TFSSecurity /imx command to display information about that group, then delete the user from the right group.
After deleting the old user, you need to let TFS sync with Active Directory; for detailed steps, you can refer to:
Force TFS to sync with Active Directory
Active Directory Groups not Syncing with Team Foundation Server 2010

How to grant permission to a user to manage users and groups and prevent the same user to import and export work item types in TFS

How to grant permission to a user to manage users and groups and prevent the same user to import and export work item types in TFS. If I added the user to the project admin group, the user would be able to do both of the mentioned tasks.
There is no way to do it out of the box.
As you can see, the "Project Administrators" group is a hardcoded project group, which you cannot remove, and you cannot manage its permissions. The TFS system has no special permission to deny import/export of work item types. "Project Administrators" members can modify WITD by default.
But there is a workaround.
First of all you will need to create a custom group (for example: "PM"), grant it the same permissions (like "Project Administrators" already has) and move all PM users from "Project Administrators" to the new group. After that, members of this group cannot modify the project templates.
Then you have to prevent the addition of any user to the "Project Administrators" group.
You can use this command for it:
TFSSecurity.exe /a+ Server FrameworkGlobalSecurity GenericRead n:"[PROJECT]\Project Administrators" DENY /collection:http://tfsserver:8080/tfs/DefaultCollection
Now each user in the "[PROJECT]\Project Administrators" group will lose all access to the TFS Server.
Of course, you must inform the users about that.

How do I bind a field definition rule to an AD Group for a custom TFS 2010 Work Item Template?

I am attempting to add a "Requested By" field to a custom Work Item Template in TFS 2010. When I create the field in the work item, I wish to have the values restricted to a particular AD group. I'm looking for functionality similar to the "Assigned To" field in the standard templates. However, if I add this AD group to one of the TFS groups, they all get added as valid users in TFS and that is not the behavior I'm looking for. I simply wish to restrict the values for a field to a specific AD group. I've tried adding the AD group to the "Group" property of the VALIDUSER field definition rule, but I get the following error:
---------------------------
Error
---------------------------
Error importing work item type definition:
TF26204: The account you entered is not recognized. Contact your Team Foundation Server administrator to add your account.
---------------------------
OK
---------------------------
Thanks in advance!
[Update]
On further investigation, I have found that it works with certain AD groups, but not with others. For instance, it works with our "Developers Group" but not with "Domain Users". It's actually a fairly small subset of groups that I've tested that work. Again, any help would be appreciated!
The simplest way I've found is to use the ALLOWEDVALUES field definition rule. Add to the list of allowed values the name of a TFS Group. I have still not been able to get the AD group to work directly. But my big problem was that when I was trying to use a project group, I was putting the project name in the "[Project]\Group Name".
As stated here
some people may think that “[project]” is a place holder for the
project's name, but it is meant as a literal.
You should be able to add an AD group, by simply writing it as domain\group.
Note, however, that the group needs to have some access privileges to the team project (e.g. a member of Contributors).
Have you tried to create a TFS Group, add the AD group to the TFS Group, then add the TFS Group in the "Group" property of the VALIDUSER field definition?
If I remember correctly you can't put an AD group in the "Group" property of a TFS Field, but only TFS Groups...
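The field definition discussed in the answers above, as an added example that is not part of the original posts. The reference name Custom.RequestedBy and the TFS group name "Requesters" are hypothetical; the group is assumed to be a project-level TFS group that contains the AD group.

```xml
<!-- Added example: "Requested By" restricted to the members of one TFS group.
     Custom.RequestedBy and "Requesters" are hypothetical names. -->
<FIELD name="Requested By" refname="Custom.RequestedBy" type="String" syncnamechanges="true">
  <!-- "[project]" is written literally, as the quoted answer says;
       it is not replaced with the team project's name.
       expanditems="true" lists the group's members as the allowed values;
       filteritems="excludegroups" keeps nested group names out of the list. -->
  <ALLOWEDVALUES expanditems="true" filteritems="excludegroups">
    <LISTITEM value="[project]\Requesters" />
  </ALLOWEDVALUES>

  <!-- Alternative rule from the thread, used in place of ALLOWEDVALUES:
       <VALIDUSER group="[project]\Requesters" />
       An AD group would be written as domain\group, and per the note above
       it needs some access to the team project before the import accepts it. -->
</FIELD>
```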

Adding Active Directory users to Team Foundation Server

How can I add AD users to TFS users from a computer that can't connect to AD/domain? Structure is like this:
TFS Server, in AD/domain
My computer, with VS.NET, can't join to AD/domain
Only way to add AD users to TFS users list I could find is in VS.NET->Team->Team Foundation Server Settings->Security->Add users or groups->Windows user or group. Since my computer can't join to AD I can't see the AD in Locations list. Is there a way to do this without installing VS.NET to the server?
You can do this at the command line (Visual Studio Command line is easiest):
tfssecurity /g+ <tfsgroupidentifier> <user or group identifier> /collection:http://server:8080/tfs/collectionname
example:
tfssecurity /g+ "Scrum Project\Readers" "Contoso\CEO" /collection:http://contoso:8080/tfs/Default
WORKAROUND:
Here is a solution for adding users to TFS 2010 when your development machine doesn't have access to the remote domain.
Create the user on the server if you haven't already done so and Add the user to the ProjectTeam group.
Then on your local machine that isn't tied to the domain, simply create a user with the same username.
Right-Click on your project in Team Explorer and choose "Team Project Settings" --> "Group Membership..."
Click on the group you want to add the user to, and press the "Properties" button.
Select "Windows User or Group" and click "Add"...then just type in the username (you shouldn't need to specify the domain) - even if it initially identifies your current computer/domain...it should automatically change it to the remote domain.
Then you can delete that username from your local computer.
I spent about 4 hours trying to add a user for a remote domain before getting this to work.
Microsoft really should have thought about this scenario for remote developers, TFS running on remotely hosted servers and so on.
I hope that helps.
If you do decide you are ok with doing this from the TFS server, you don't need to install the whole Visual Studio 2008 client. Instead, just install the team explorer client. It will install the Visual Studio shell, along with the TFS tools, but no development language pieces.
I have this very same problem. The only way I have found to solve this is to have a computer that I can RDP to within the domain and add the user from there.
It's not pretty, but it works....
p.s. As long as you have permission on the domain, you could write a tool to do this.
