1

I have been converting access to Team projects using Active Directory groups.

I am a project collection admin and we host around 40 odd team projects.

On all the other projects everything is fine; I have been able to add all the AD groups I needed to the various TFS groups that exist in a Team Project (Contributors, Readers etc).

When I come to the problem project I can see the add button, and I am able to search for and select the AD group I want, but when I click save, I see a red banner message with the text:

Unable to add members to this group.
Failed to resolve the specified groups to join.
You do not have sufficient permissions to add members to the following groups: 
[Team Project]\Build Administrators

I have looked at the oi and all I can see around the time of the issue are activities reporting a 200 response.

I am looking at the API and the database to see what I can do, but I am not sure where to start. I thought I might be able to see something about security, but it is asking for a GUID that I am not sure how to get hold of.

Looking at the database I thought there might be a security table, but not sure where to start.

I'm going to keep looking at what to do, so I am going to keep this updated.

update 2019-03-27

We have a support call open with Microsoft. I still have issues managing the teams, but I have been able to update the team via the APIs; I even found a useful little CLI tool to help with the tasks I needed to do.

Luke Duddridge
  • any findings? were you able to solve your issue? – NicolasW Mar 25 '19 at 20:09
  • @NicolasW currently still with a premium support call with Microsoft, been about a month now. Since I raised this question, I have been able to use the API and TeamFoundationClient packages to add and remove people and groups on the teams, but I cannot delete the groups, and I am still having issues deleting the groups I want via the UI and API – Luke Duddridge Mar 27 '19 at 14:04

2 Answers

1

In my case, I was trying to add someone to a group that I was in - which I don't need since I'm a Project Administrator. Once I took myself out of the group, I was able to add others again.

rvandyke
0

Got the answer and the fix worked.

After a lot of back and forth, sending files and running some tfssecurity queries, they were able to determine the problem.

What I had done was add the domain User AD containing our project collection admin account in as a project reader. As the security on TFS works on a least level principle, it was then applying a deny permission on my Project collection admin account. By simply removing the AD group from the reader level, which I was able to do, the ability to manage the securities came back.

I haven't been able to find the specific group that I belonged to that then set the deny, but there is no denying that removing the AD group from the reader level fixed the issue.

Luke Duddridge
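
The deny-through-group-membership effect described in the answer above, as an added example that is not part of the original post and not TFS code: a simplified deny-wins model that reports which membership chain contributes the deny. The account, group and permission names and the ACEs are constructed, and the evaluation rule is an assumption based on the answer's description, not TFS's actual algorithm.

```python
from collections import deque

# Constructed sample data (not from the original post): direct "member of" edges.
MEMBER_OF = {
    r"CORP\tfs-admin": [r"CORP\Domain Users",
                        r"[Collection]\Project Collection Administrators"],
    r"CORP\Domain Users": [r"[Team Project]\Readers"],
    r"CORP\dev1": [r"CORP\Developers"],
    r"CORP\Developers": [r"[Team Project]\Contributors"],
}

# Constructed ACEs for one hypothetical permission ("manage group membership"):
# identity -> "allow" or "deny". The deny on Readers is an assumption that
# mirrors the behaviour the answer describes.
ACES = {
    r"[Collection]\Project Collection Administrators": "allow",
    r"[Team Project]\Readers": "deny",
}

def membership_paths(identity, member_of):
    """Yield every chain identity -> ... -> group, following nested memberships."""
    queue = deque([[identity]])
    while queue:
        path = queue.popleft()
        yield path
        for parent in member_of.get(path[-1], []):
            if parent not in path:  # guard against membership cycles
                queue.append(path + [parent])

def effective_permission(identity, member_of, aces):
    """Return (decision, membership chains that produced it); any deny wins."""
    found = {"allow": [], "deny": []}
    for path in membership_paths(identity, member_of):
        ace = aces.get(path[-1])
        if ace:
            found[ace].append(path)
    if found["deny"]:
        return "deny", found["deny"]
    if found["allow"]:
        return "allow", found["allow"]
    return "not set", []

if __name__ == "__main__":
    for who in (r"CORP\tfs-admin", r"CORP\dev1"):
        decision, paths = effective_permission(who, MEMBER_OF, ACES)
        print(who, "->", decision)
        for chain in paths:
            print("   via", " -> ".join(chain))
```

Feeding a model like this with real expanded memberships and ACL entries exported from the server would point at the group chain responsible for an unexpected deny.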