I'm trying to script some permission removals from a user list using PowerShell. The problem is that when I perform a command to list the user groups associated with the user, I get a generic result that cannot be used when I perform the command to remove the user from that group.
To get the groups for the user:
tfssecurity /im <domain>\<username> /server:<tfsserver>:8080/tfs
Results:
The target Team Foundation Server is http://:8080/tfs/. Resolving identity "\username"...
SID: S-1-5-21-3609080306-XXXXXXXXXX-XXXXXXXXX-5728
DN: CN=LastName, FirstName,OU=Disabled Users,DC=company,DC=com
Identity type: Windows user Logon name: \ Mail address: [email protected] Display name: lastname, firstname Description: TFS User
Member of 1 group(s): [A] [TeamProject]\Developers
Done.
The Problem: When I try to remove the user from the group returned:
tfssecurity /g- "[TeamProject]\Developers" <domain>\<username> /collection:http://tfsserver:8080/tfs/collection/
I get:
The target Team Foundation Server is http://tfsserver:8080/tfs/collection. Resolving identity "[TeamProject]\Developers"...
Error: The identity cannot be resolved.
What I'm looking for, is something like:
vstfs:///Classification/TeamProject/af89c143-2f5e-4f5b-974e-903e8db86f73\Developers
I do know that the TFS UI can provide those group SIDS, but I'd like to see if I can get those SIDS from TFSSecurity or other command base to that can be leveraged by PowerShell.
C:\Program Files (x86)\Microsoft Visual Studio 14.0>tfssecurity /g- "[Archive Projects]\Developers" \ /server:http://:8080/tfs/ Microsoft (R) TFSSecurity - Team Foundation Server Security Tool Copyright (c) Microsoft Corporation. All rights reserved.
The target Team Foundation Server is http://tfs-na.ihs.com:8080/tfs. Resolving identity "[Archive Projects]\Developers"...
Error: Multiple identities found matching '[Archive Projects]\Developers'. Please specify one of the following identities:
- [Archive Projects]\Developers (vstfs:///Classification/TeamProject/8153b33c-addc-48c2-81c0-XxXXXxxxXXXX\Developers)
- [Archive Projects]\Developers (vstfs:///Classification/TeamProject/f3d25cfe-41b3-4f30-a329-BBBbbBBBbbbb\Developers)
- [Archive Projects]\Developers (vstfs:///Classification/TeamProject/c0820b8e-2af0-416c-88b5-CCcccCCCccCC\Developers)
No need to use SID in the using of
tfssecurity /g-command. Your command is right.According to the error
The identity cannot be resolved, this is more like a connectivity problem with the domain server. Use a direct connection between the Team Foundation Server en de AD server, all identities can be resolved. Besides, if you are using two different domains with your account and TFS server. Make sure they are trusted each other, details take a look at this question: TFSSecurity Unable to Resolve Identity