TFSSecurity with vstfs:///Classification IDs


I'm trying to script some permission removals from a user list using PowerShell. The problem is that when I perform a command to list the user groups associated with the user, I get a generic result that cannot be used when I perform the command to remove the user from that group.

To get the groups for the user:

    tfssecurity /im <domain>\<username> /server:<tfsserver>:8080/tfs 

Results:

    The target Team Foundation Server is http://:8080/tfs/.
    Resolving identity "\username"...

    SID: S-1-5-21-3609080306-XXXXXXXXXX-XXXXXXXXX-5728

    DN: CN=LastName, FirstName,OU=Disabled Users,DC=company,DC=com

    Identity type: Windows user
    Logon name: \
    Mail address: [email protected]
    Display name: lastname, firstname
    Description: TFS User

    Member of 1 group(s): [A] [TeamProject]\Developers

    Done.

The Problem: When I try to remove the user from the group returned:

    tfssecurity /g- "[TeamProject]\Developers" <domain>\<username> /collection:http://tfsserver:8080/tfs/collection/

I get:

    The target Team Foundation Server is http://tfsserver:8080/tfs/collection.
    Resolving identity "[TeamProject]\Developers"...

    Error: The identity cannot be resolved.

What I'm looking for is something like:

    vstfs:///Classification/TeamProject/af89c143-2f5e-4f5b-974e-903e8db86f73\Developers

I do know that the TFS UI can provide those group SIDs, but I'd like to see if I can get those SIDs from TFSSecurity or other command base that can be leveraged by PowerShell.

    C:\Program Files (x86)\Microsoft Visual Studio 14.0>tfssecurity /g- "[Archive Projects]\Developers" \ /server:http://:8080/tfs/
    Microsoft (R) TFSSecurity - Team Foundation Server Security Tool
    Copyright (c) Microsoft Corporation. All rights reserved.

    The target Team Foundation Server is http://tfs-na.ihs.com:8080/tfs.
    Resolving identity "[Archive Projects]\Developers"...

    Error: Multiple identities found matching '[Archive Projects]\Developers'. Please specify one of the following identities:

  • [Archive Projects]\Developers (vstfs:///Classification/TeamProject/8153b33c-addc-48c2-81c0-XxXXXxxxXXXX\Developers)
  • [Archive Projects]\Developers (vstfs:///Classification/TeamProject/f3d25cfe-41b3-4f30-a329-BBBbbBBBbbbb\Developers)
  • [Archive Projects]\Developers (vstfs:///Classification/TeamProject/c0820b8e-2af0-416c-88b5-CCcccCCCccCC\Developers)

There are 1 answers

PatrickLu-MSFT On

There is no need to use the SID when using the tfssecurity /g- command. Your command is right.

    tfssecurity /g- "[TeamProject]\Developers" <domain>\<username> /collection:http://tfsserver:8080/tfs/collection/


According to the error "The identity cannot be resolved", this is more like a connectivity problem with the domain server. Use a direct connection between the Team Foundation Server and the AD server, and all identities can be resolved. Besides, if you are using two different domains for your account and the TFS server, make sure they trust each other. For details, take a look at this question: TFSSecurity Unable to Resolve Identity
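
The "Multiple identities found" output quoted in the question already lists the project-scoped form of each ambiguous group, so a script can parse it instead of copying values from the TFS UI. The PowerShell below is an added example, not code from either post: the function names are hypothetical, the sample text is constructed from the output quoted in the question, and it assumes tfssecurity accepts the parenthesised vstfs form as the group identity, as the wording of the error message suggests.

```powershell
# Constructed sample, modelled on the "Multiple identities found" output quoted
# in the question (the masked GUID tails are kept exactly as posted).
$sampleOutput = @'
Error: Multiple identities found matching '[Archive Projects]\Developers'. Please specify one of the following identities:
  [Archive Projects]\Developers (vstfs:///Classification/TeamProject/8153b33c-addc-48c2-81c0-XxXXXxxxXXXX\Developers)
  [Archive Projects]\Developers (vstfs:///Classification/TeamProject/f3d25cfe-41b3-4f30-a329-BBBbbBBBbbbb\Developers)
  [Archive Projects]\Developers (vstfs:///Classification/TeamProject/c0820b8e-2af0-416c-88b5-CCcccCCCccCC\Developers)
'@

# Hypothetical helper: turns each "<display name> (<vstfs URI>\<group>)" line into an object.
function Get-TfsQualifiedIdentity {
    param([Parameter(Mandatory, ValueFromPipeline)] [AllowEmptyString()] [string] $Line)
    begin {
        # Any prefix (indent, bullet), the display name, then the scoped form in parentheses.
        $pattern = '^[^\[]*(?<display>\[[^\]]+\]\\[^(]+?)\s*\(' +
                   '(?<uri>vstfs:///Classification/TeamProject/(?<project>[0-9A-Za-z-]+)\\(?<group>[^)]+))\)\s*$'
    }
    process {
        if ($Line -match $pattern) {
            [pscustomobject]@{
                DisplayName = $Matches['display']
                ProjectId   = $Matches['project']
                Group       = $Matches['group']
                Identity    = $Matches['uri']
            }
        }
    }
}

# Hypothetical helper: refuses to guess when a project id matches zero or several groups.
function Select-TfsGroupIdentity {
    param([object[]] $Candidate, [string] $ProjectId)
    $hit = @($Candidate | Where-Object { $_.ProjectId -eq $ProjectId })
    if ($hit.Count -ne 1) {
        throw "Expected exactly one group for project '$ProjectId', found $($hit.Count)."
    }
    $hit[0].Identity
}

$candidates = $sampleOutput -split '\r?\n' | Get-TfsQualifiedIdentity
$candidates | Format-Table DisplayName, ProjectId, Group

$group = Select-TfsGroupIdentity -Candidate $candidates -ProjectId '8153b33c-addc-48c2-81c0-XxXXXxxxXXXX'
# Dry run: print the removal command for review instead of executing it.
"tfssecurity /g- `"$group`" <domain>\<username> /collection:http://tfsserver:8080/tfs/collection/"
```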