Many developers encounter permission issues when trying to run the TFS Integration Tool, particularly when the tool requires membership in the special "Team Foundation Service Accounts" group. Even as a TFS administrator (member of TFS Administrators group), you might find the "Add" option grayed out in the Team Foundation Server Administration Console.
The grayed-out interface isn't a bug - it's by design. The "Team Foundation Service Accounts" group is a protected system group in TFS, similar to Windows' "Local System" account. Microsoft intentionally restricts GUI modifications to prevent accidental security breaches.
The most reliable way to add users is through PowerShell. Here's the complete script:
# Load the TFS client assemblies (TFS 2015 = version 14.0.0.0; adjust for your version)
Add-Type -AssemblyName "Microsoft.TeamFoundation.Client, Version=14.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
Add-Type -AssemblyName "Microsoft.TeamFoundation.Common, Version=14.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
# Connect to TFS
$tfsCollectionUrl = "http://yourtfsserver:8080/tfs/DefaultCollection"
$tfs = [Microsoft.TeamFoundation.Client.TfsTeamProjectCollectionFactory]::GetTeamProjectCollection([Uri]$tfsCollectionUrl)
$tfs.EnsureAuthenticated()
# Get the identity management service (ReadIdentity and AddMemberToApplicationGroup live here)
$identityService = $tfs.GetService([Microsoft.TeamFoundation.Framework.Client.IIdentityManagementService])
# Resolve the group identity
$group = $identityService.ReadIdentity(
    [Microsoft.TeamFoundation.Framework.Common.IdentitySearchFactor]::DisplayName,
    "Team Foundation Service Accounts",
    [Microsoft.TeamFoundation.Framework.Common.MembershipQuery]::None,
    [Microsoft.TeamFoundation.Framework.Common.ReadIdentityOptions]::None
)
# Resolve the user to add (PowerShell does not treat backslash as an escape character, so a single one is correct)
$userToAdd = $identityService.ReadIdentity(
    [Microsoft.TeamFoundation.Framework.Common.IdentitySearchFactor]::AccountName,
    "domain\username",
    [Microsoft.TeamFoundation.Framework.Common.MembershipQuery]::None,
    [Microsoft.TeamFoundation.Framework.Common.ReadIdentityOptions]::None
)
if (-not $group -or -not $userToAdd) { throw "Could not resolve the group or the user; check the names above" }
# Add the member to the group using both identity descriptors
$identityService.AddMemberToApplicationGroup($group.Descriptor, $userToAdd.Descriptor)
Write-Host "User successfully added to Team Foundation Service Accounts group"
For on-premises TFS deployments, you can use the TFSConfig command-line tool:
TFSConfig identities /addidentity:domain\username /group:"Team Foundation Service Accounts" /collection:http://yourtfsserver:8080/tfs/DefaultCollection
After running either method, verify the addition by listing the user's identity and group memberships (note that /g+ would add the member again rather than display anything):
TFSSecurity /im n:domain\username /server:http://yourtfsserver:8080/tfs
1. The user added will have elevated permissions across TFS
2. Consider creating a dedicated service account instead of using personal accounts
3. Document all changes to this group for audit purposes
4. The changes might take a few minutes to propagate
Error: "TF30063: You are not authorized to access..."
Solution: Run PowerShell as Administrator and ensure your account has TFS Admin privileges.
Error: Assembly not found
Solution: Install TFS Power Tools or reference the DLL directly from your TFS install location.
Many administrators encounter grayed-out "Add" buttons when attempting to modify the Team Foundation Service Accounts group through the TFS Administration Console. This security measure exists because this particular group requires special handling due to its critical role in TFS operations.
The most reliable method is to use the TFSSecurity command-line utility. Here's the basic syntax:
TFSSecurity /g+ "[TEAM FOUNDATION]\Team Foundation Service Accounts" n:domain\username /server:http://tfsserver:8080/tfs
For teams managing multiple users, here's a PowerShell script that handles the process:
# TFS User Addition Script
# The group is a deployment-level group, so TFSSecurity is pointed at the server URL with /server
$tfsServerUrl = "http://your-tfs-server:8080/tfs"
$groupName = "[TEAM FOUNDATION]\Team Foundation Service Accounts"
$userToAdd = "domain\username"
try {
    # Locate TFSSecurity.exe; the wildcard matches any TFS 201x install, so take the newest match
    $tfsSecurityPath = "${env:ProgramFiles(x86)}\Microsoft Team Foundation Server\201*\Tools\TFSSecurity.exe"
    $exePath = (Get-Item $tfsSecurityPath | Sort-Object FullName -Descending | Select-Object -First 1).FullName
    if (-not $exePath) { throw "TFSSecurity.exe not found under $tfsSecurityPath" }
    # PowerShell quotes arguments containing spaces on its own; no extra quotes are needed
    & $exePath /g+ $groupName "n:$userToAdd" "/server:$tfsServerUrl"
    if ($LASTEXITCODE -eq 0) {
        Write-Host "Successfully added $userToAdd to $groupName"
    } else {
        Write-Error "Failed to add user. Exit code: $LASTEXITCODE"
    }
} catch {
    Write-Error "Error occurred: $_"
}
After adding the user, verify the change with:
TFSSecurity /g "[TEAM FOUNDATION]\Team Foundation Service Accounts" /server:http://tfsserver:8080/tfs
- Members of this group gain significant permissions - only add service accounts
- Document all additions to this group for audit purposes
- Consider creating a custom group with limited permissions if possible
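Because every member of this group holds deployment-wide privileges, a recurring membership check is the practical way to meet the "document for audit" advice above. The following is an added example, not part of the original article or of any Microsoft tool: it reads the group's direct members through the same IIdentityManagementService API used earlier, compares them with an approved list, and emits one timestamped, tab-separated record per member. The server URL, the approved account names and the log path are placeholders (constructed values); the assembly version assumes TFS 2015 (14.0.0.0).

```powershell
# Added example: audit the membership of "[TEAM FOUNDATION]\Team Foundation Service Accounts".
# Assumptions: TFS 2015 client assemblies (14.0.0.0); placeholder server URL, approved list and log path.
Add-Type -AssemblyName "Microsoft.TeamFoundation.Client, Version=14.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
Add-Type -AssemblyName "Microsoft.TeamFoundation.Common, Version=14.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"

$tfsServerUrl = "http://yourtfsserver:8080/tfs"                   # placeholder
$groupName    = "[TEAM FOUNDATION]\Team Foundation Service Accounts"
$logPath      = "C:\TfsAudit\service-accounts-membership.log"      # placeholder
# Accounts that are allowed to be members (constructed sample values)
$approvedMembers = @("DOMAIN\svc-tfsbuild", "DOMAIN\svc-tfsintegration")

# The group lives at the deployment level, so connect to the configuration server, not a collection
$server = [Microsoft.TeamFoundation.Client.TfsConfigurationServerFactory]::GetConfigurationServer([Uri]$tfsServerUrl)
$server.EnsureAuthenticated()
$ims = $server.GetService([Microsoft.TeamFoundation.Framework.Client.IIdentityManagementService])

# Resolve the group and fetch its direct member descriptors in one call
$group = $ims.ReadIdentity(
    [Microsoft.TeamFoundation.Framework.Common.IdentitySearchFactor]::AccountName,
    $groupName,
    [Microsoft.TeamFoundation.Framework.Common.MembershipQuery]::Direct,
    [Microsoft.TeamFoundation.Framework.Common.ReadIdentityOptions]::None)
if (-not $group) { throw "Group '$groupName' not found on $tfsServerUrl" }

# Expand the descriptors into readable identities (users and nested groups alike)
$members = $ims.ReadIdentities(
    $group.Members,
    [Microsoft.TeamFoundation.Framework.Common.MembershipQuery]::None,
    [Microsoft.TeamFoundation.Framework.Common.ReadIdentityOptions]::None)

# One record per member; anything not on the approved list is flagged for follow-up
$stamp = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$unexpected = 0
$records = foreach ($m in $members) {
    $kind   = if ($m.IsContainer) { "group" } else { "user" }
    $status = if ($approvedMembers -contains $m.UniqueName) { "approved" } else { $unexpected++; "UNEXPECTED" }
    "$stamp`t$groupName`t$kind`t$($m.UniqueName)`t$status"
}
New-Item -ItemType Directory -Path (Split-Path $logPath) -Force | Out-Null
$records | Tee-Object -FilePath $logPath -Append
Write-Host "$($members.Count) member(s) recorded, $unexpected unexpected"
# A non-zero exit code lets a scheduled task or monitoring job raise an alert
exit $unexpected
```

Run it after each approved change and on a schedule; a nested group showing up as UNEXPECTED deserves the same scrutiny as an unknown user, since its own members inherit the service-account rights.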
If you encounter "Access Denied" errors even as an administrator:
- Run the command prompt or PowerShell as Administrator
- Verify your account has "Edit instance-level information" permission
- Check if the TFS service account has sufficient permissions