
I'm trying to script some permission removals from a user list using PowerShell. The problem is that when I perform a command to list the user groups associated with the user, I get a generic result that cannot be used when I perform the command to remove the user from that group.

To get the groups for the user:

    tfssecurity /im <domain>\<username> /server:<tfsserver>:8080/tfs 

Results:

    The target Team Foundation Server is http://:8080/tfs/. Resolving identity "\username"...
    SID: S-1-5-21-3609080306-XXXXXXXXXX-XXXXXXXXX-5728
    DN: CN=LastName, FirstName,OU=Disabled Users,DC=company,DC=com
    Identity type: Windows user
    Logon name: \
    Mail address: username@domain.com
    Display name: lastname, firstname
    Description: TFS User
    Member of 1 group(s):
    [A] [TeamProject]\Developers
    Done.

The Problem: When I try to remove the user from the group returned:

    tfssecurity /g- "[TeamProject]\Developers" <domain>\<username> /collection:http://tfsserver:8080/tfs/collection/

I get:

    The target Team Foundation Server is http://tfsserver:8080/tfs/collection. Resolving identity "[TeamProject]\Developers"...
    Error: The identity cannot be resolved.

What I'm looking for is something like:

    vstfs:///Classification/TeamProject/af89c143-2f5e-4f5b-974e-903e8db86f73\Developers

I do know that the TFS UI can provide those group SIDs, but I'd like to see if I can get those SIDs from TFSSecurity or another command-based tool that can be leveraged by PowerShell.

    C:\Program Files (x86)\Microsoft Visual Studio 14.0>tfssecurity /g- "[Archive Projects]\Developers" \ /server:http://:8080/tfs/
    Microsoft (R) TFSSecurity - Team Foundation Server Security Tool
    Copyright (c) Microsoft Corporation. All rights reserved.

    The target Team Foundation Server is http://tfs-na.ihs.com:8080/tfs. Resolving identity "[Archive Projects]\Developers"...

    Error: Multiple identities found matching '[Archive Projects]\Developers'. Please specify one of the following identities:
      [Archive Projects]\Developers (vstfs:///Classification/TeamProject/8153b33c-addc-48c2-81c0-XxXXXxxxXXXX\Developers)
      [Archive Projects]\Developers (vstfs:///Classification/TeamProject/f3d25cfe-41b3-4f30-a329-BBBbbBBBbbbb\Developers)
      [Archive Projects]\Developers (vstfs:///Classification/TeamProject/c0820b8e-2af0-416c-88b5-CCcccCCCccCC\Developers)
Alvatron
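The two outputs pasted above are the only handles a script gets: the group list from `/im`, and the "Multiple identities found" error that spells out the vstfs URIs when a group name is ambiguous across team projects. The following is an added example, not code from the question or from Microsoft's tfssecurity tool: it parses both outputs and resolves the one URI that belongs to a given team-project GUID before calling `/g-`. It assumes the output shapes match what is pasted above, that `tfssecurity` is on PATH, and that `/g-` accepts the fully qualified vstfs URI its own error asks you to specify (the page suggests this but does not confirm it). The sample text, account and GUIDs in the demo are constructed placeholders.

```powershell
# Added example (not from the question or from tfssecurity itself).
# Assumptions: output formats match the question; tfssecurity is on PATH;
# /g- accepts a vstfs:/// group URI (suggested, not verified, by its error text).

function ConvertFrom-TfsMembershipOutput {
    # Returns the "[Project]\Group" names listed after "Member of N group(s):"
    # in "tfssecurity /im" output. The tool prefixes each entry with [A]; the
    # regex also tolerates several entries pasted onto one line.
    param([Parameter(Mandatory)][string]$Text)
    $groups = @()
    foreach ($line in ($Text -split "`r?`n")) {
        foreach ($m in [regex]::Matches($line, '\[A\]\s+(\[[^\]]+\]\\[^\[]+)')) {
            $groups += $m.Groups[1].Value.Trim()
        }
    }
    return $groups
}

function ConvertFrom-TfsAmbiguousIdentityError {
    # Parses the "Multiple identities found" error into one object per
    # candidate: display name, team-project GUID and full vstfs URI.
    param([Parameter(Mandatory)][string]$Text)
    $pattern = '(?<Name>\[[^\]]+\]\\.+?)\s+\((?<Uri>vstfs:///Classification/TeamProject/(?<ProjectId>[0-9A-Za-z-]+)\\[^)]+)\)'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        [pscustomobject]@{
            Name      = $m.Groups['Name'].Value
            ProjectId = $m.Groups['ProjectId'].Value
            Uri       = $m.Groups['Uri'].Value
        }
    }
}

function Resolve-TfsGroupUri {
    # Picks the single candidate whose team-project GUID matches the project the
    # script is working on, and refuses to guess when none or several match.
    param(
        [Parameter(Mandatory)][string]$AmbiguityText,
        [Parameter(Mandatory)][string]$ProjectId
    )
    $hits = @(ConvertFrom-TfsAmbiguousIdentityError -Text $AmbiguityText |
              Where-Object { $_.ProjectId -eq $ProjectId })
    if ($hits.Count -ne 1) {
        throw "Expected exactly one group for project $ProjectId, found $($hits.Count)."
    }
    return $hits[0].Uri
}

function Remove-TfsGroupMember {
    # Builds the tfssecurity /g- call with the resolved URI. SupportsShouldProcess
    # gives -WhatIf, so an off-boarding batch can be reviewed before anything changes.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GroupUri,
        [Parameter(Mandatory)][string]$Account,        # DOMAIN\username
        [Parameter(Mandatory)][string]$CollectionUrl,
        [string]$ToolPath = 'tfssecurity'              # assumed to be on PATH
    )
    $toolArgs = @('/g-', $GroupUri, $Account, "/collection:$CollectionUrl")
    if ($PSCmdlet.ShouldProcess("$Account in $GroupUri", 'Remove group membership')) {
        & $ToolPath @toolArgs
        if ($LASTEXITCODE -ne 0) { throw "tfssecurity exited with code $LASTEXITCODE" }
    }
}

# --- Constructed sample text modelled on the outputs pasted in the question ---
$imOutput = @'
Member of 1 group(s):
[A] [TeamProject]\Developers
Done.
'@
$errorText = @'
Error: Multiple identities found matching '[Archive Projects]\Developers'. Please specify one of the following identities:
  [Archive Projects]\Developers (vstfs:///Classification/TeamProject/11111111-1111-1111-1111-111111111111\Developers)
  [Archive Projects]\Developers (vstfs:///Classification/TeamProject/22222222-2222-2222-2222-222222222222\Developers)
'@

ConvertFrom-TfsMembershipOutput -Text $imOutput
$uri = Resolve-TfsGroupUri -AmbiguityText $errorText -ProjectId '11111111-1111-1111-1111-111111111111'
# Dry run: drop -WhatIf to perform the removal against a real collection.
Remove-TfsGroupMember -GroupUri $uri -Account 'CONTOSO\jdoe' -CollectionUrl 'http://tfsserver:8080/tfs/collection/' -WhatIf
```

The design choice worth noting is that `Resolve-TfsGroupUri` throws when the project GUID does not narrow the candidates to exactly one: an off-boarding script that silently picks the first "Developers" group would remove the wrong permission in a different team project, which is harder to notice than a failed run.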

1 Answer


No need to use the SID with the tfssecurity /g- command. Your command is right.

    tfssecurity /g- "[TeamProject]\Developers" <domain>\<username> /collection:http://tfsserver:8080/tfs/collection/


According to the error "The identity cannot be resolved", this is more likely a connectivity problem with the domain server. Use a direct connection between the Team Foundation Server and the AD server, so all identities can be resolved. Besides, if you are using two different domains for your account and the TFS server, make sure they trust each other; for details take a look at this question: TFSSecurity Unable to Resolve Identity

PatrickLu-MSFT
  • Actually there is a little bit more to it than that. We have multiple collections and in those collections, we have multiple team projects with project groups of the same name, i.e. "Developers", "Testers". – Alvatron May 23 '17 at 13:53
  • I'm trying to tackle this from a server level, because the user may or may not exist in the TP group, which can exist in any of the team projects within the collection. When we have more than one group with the same name we get another error. – Alvatron May 23 '17 at 13:53
  • If it is a unique name, then the tfssecurity /g- works just fine – Alvatron May 23 '17 at 13:55
  • @Alvatron This is because you are trying to remove a user from a group at server level. There may be multiple groups with the same project name and group name in different project collections. If you query the group info at a collection level, such as `tfssecurity /im \ /collection::8080/tfs/collection name`, and then remove the user from the group also at collection level, there should not be this issue. – PatrickLu-MSFT May 23 '17 at 15:46
  • @Alvatron To list all groups for a user across multiple collections, it's not possible to use the tfssecurity command. You may have to use the TFS API to do this. A sample ( https://social.msdn.microsoft.com/Forums/vstudio/en-US/9f977d37-23d8-4b07-a5dd-6cdc6d9dc6a6/listing-all-the-tfs-users-and-the-groups-they-belong-to-possible?forum=tfsadmin ) for your reference. And the group id is stored in the Tfs_Configuration database. You may need to use a SQL command to list the `[dbo].[tbl_Group]` table in your Tfs_Configuration database. – PatrickLu-MSFT May 23 '17 at 15:51
  • Thanks, I think I may go the SQL route. Do you know which tables I'd have to join to get the identity and group membership? dbo.table_Group is a great start. – Alvatron May 24 '17 at 19:28
  • @Alvatron It's not recommended to operate on the TFS database; if you really want to operate on the database, please make a backup first. Try `SELECT * FROM [Tfs_Configuration].[dbo].[tbl_Identity]`. For more details please refer to https://stackoverflow.com/questions/28371723/is-it-possible-to-list-all-users-in-a-tfs-group-from-sql-server – PatrickLu-MSFT May 26 '17 at 01:59