I am experiencing an issue where I cannot add users to the Project Administrators group in a team project even though my user account is in the Project Collection Admins group. I've also tried with an account that is part of the Administration Console Users group with no success.

Insufficient permission error

This only affects some Team Projects. The permissions on the out-of-the-box security groups have not been modified.

This was working fine before we upgraded from TFS2015 so I assume something changed in TFS2017.

Interestingly, I can remove users from a Project Admin group, just not add any.

I noticed that there is now a Security Service Group which seems to contain all of the other security groups. I'm wondering if this could be what is causing permission conflicts as a majority of them are 'Not set'.

Security Service Group permissions

Any suggestions would be greatly appreciated. :)

rene
dnolan87
  • I see something similar to your problem. I will investigate further tomorrow and see if I have more luck in solving it. – Tore Østergaard Jan 11 '17 at 16:33
  • Okay, I have the exact same problem! I saw inconsistent results because I have a few projects where I am mentioned specifically in the Project Administrators group, and here I could add just fine. The problem is also mentioned by a user FM on [Brian Harry's blog](https://blogs.msdn.microsoft.com/bharry/2016/11/16/news-from-connect-2016/) and an MS employee's reply seems to indicate that it is a known issue. – Tore Østergaard Jan 12 '17 at 09:21
  • Hi Tore, thank you for your reply. I did manage to find a workaround and add myself to the Project Administrator group. Here are the steps: (1) Make yourself an admin of the team (i.e., rights to edit board, columns, etc.). This can be done under the Team Profile page. (2) Add yourself to the team if you are not a member already. (3) Temporarily change the "Edit project level" permission to true on the team security group. (4) Add yourself to the Project Administrators group. (5) Undo the "Edit project level" permission change - set to 'Not set'. Hopefully that makes sense. – dnolan87 Jan 12 '17 at 13:39
  • Your workaround worked for me too, Thanks. Hopefully MS will come with a better overall fix. – Tore Østergaard Jan 12 '17 at 14:19

1 Answer

Rajesh Ramamurthy (MSFT) has supplied a fix (comment on Brian Harry's blog) for the issue that should also be fixed in the upcoming TFS 2017 Update 1 release.

Here is how it is done:

  1. Run the following SQL in your TFS Configuration DB: `select LocalScopeId from tbl_Groupscope where PartitionId > 0 and ScopeType = 2 and Active = 1`
  2. The results should be copied to a file on the server, for example C:\LocalScopeIdList.txt
  3. Run the following PowerShell script on the server and update the first three values as needed.

Script for step 3:

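```powershell
# Update these three values for your environment.
$url = "http://localhost:8080/tfs/defaultcollection"
$localScopeIdList = Get-Content C:\LocalScopeIdList.txt
$cmd = "C:\Program Files\Microsoft Team Foundation Server 15.0\Tools\TFSSecurity.exe"

$collection = "/collection:" + $url
$permissions = "Read", "Write", "Delete", "ManageMembership", "CreateScope"

# For every scope id from step 1, grant each permission in the Identity namespace.
foreach ($scopeId in $localScopeIdList) {
    foreach ($permission in $permissions) {
        # The security token is the scope id followed by a backslash.
        $token = $scopeId + "\"

        # /a+ <namespace> <token> <action> <identity> ALLOW /collection:<url>
        $param = @("/a+", "Identity", $token, $permission, "adm:", "ALLOW", $collection)
        Write-Host $param

        & $cmd $param
    }
}
```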

I have tried the above on our pre-prod server with success so I expect to deploy it in production this weekend.

Tore Østergaard
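A more defensive variant of the step 3 script, as an added example that is not part of the original answer or of Microsoft's fix: it accepts only lines of the exported file that look like GUIDs, saves each token's current ACL with `TFSSecurity /acl` before anything changes, and changes nothing unless `-Apply` is passed. The `$SnapshotDir` folder, the `-Apply` switch and the exit-code check are assumptions introduced here.

```powershell
# Added example: pre-flight validation, ACL snapshot and dry run for the fix above.
param(
    [string]$Url         = "http://localhost:8080/tfs/defaultcollection",
    [string]$ScopeFile   = "C:\LocalScopeIdList.txt",
    [string]$Cmd         = "C:\Program Files\Microsoft Team Foundation Server 15.0\Tools\TFSSecurity.exe",
    [string]$SnapshotDir = "C:\IdentityAclSnapshot",  # hypothetical output folder
    [switch]$Apply                                     # without -Apply no ACL is modified
)

$collection  = "/collection:" + $Url
$permissions = "Read", "Write", "Delete", "ManageMembership", "CreateScope"

# A copied SQL result can carry a column header, a dashed separator, blank lines
# or a "(n rows affected)" footer. Only GUID-shaped lines are used as scope ids.
$guidRx   = '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
$lines    = @(Get-Content $ScopeFile | ForEach-Object { $_.Trim() } | Where-Object { $_ })
$scopeIds = @($lines | Where-Object { $_ -match $guidRx } | Sort-Object -Unique)
$rejected = @($lines | Where-Object { $_ -notmatch $guidRx })

Write-Host ("{0} scope ids accepted, {1} lines ignored" -f $scopeIds.Count, $rejected.Count)
$rejected | ForEach-Object { Write-Warning "Ignored line: $_" }

if (-not (Test-Path $SnapshotDir)) {
    New-Item -ItemType Directory -Path $SnapshotDir | Out-Null
}

foreach ($scopeId in $scopeIds) {
    $token = $scopeId + "\"

    # Read-only: keep the ACL as it was before the change, for review or rollback.
    & $Cmd "/acl" "Identity" $token $collection |
        Out-File (Join-Path $SnapshotDir "${scopeId}.before.txt")

    foreach ($permission in $permissions) {
        $param = @("/a+", "Identity", $token, $permission, "adm:", "ALLOW", $collection)
        if (-not $Apply) {
            Write-Host "DRY RUN: TFSSecurity.exe $param"
            continue
        }
        & $Cmd $param
        # Assumption: a non-zero exit code from TFSSecurity.exe signals a failed call.
        if ($LASTEXITCODE -ne 0) { Write-Warning "Exit code ${LASTEXITCODE}: $param" }
    }
}
```

Run it once without `-Apply` to review the accepted scope ids and the commands it would issue, then rerun with `-Apply`.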