Geeks With Blogs
ET's VS and TFS World Fascinating tidbits about VS and TFS and .NET (well I hope...)

This is post of is for all of you out there that due to security restriction can't be a Local Admin on your server but still need to be TFS Server Administrators.

This addresses the Domain installed TFS not the workgroup edition (WE).  I will comment on the WE were appropriate.

As we all remember there are three application that need our attention here, TFS (obviously), Windows Sharepoint Services (WSS) and SQL Server Reporting Services (SSRS).  For project level security I urge you to use the TFS Administration Tool available on codeplex here but in order to use TFSAT you need to be a TFS Administrator.  So how do we go about setting that up;

I have found that the simplest way to manage that particular group of users was to start by creating a Domain Windows Group and assigning you TFS admins to that group.  You will see why this is important when I talk about WSS.  You can assign individuals to the various Applications but I don't recommend it for manageability (it's easier with a group).

What is ironic about this post is the in order to initially setup TFS Admins you need to be a server admin... ;-)

Team Foundation Server

Step 1.  Create a Domain Windows group (for ex. TFS-Administrators)

Step 2.  Log in as Local Administrator and add the Domain\TFS-Administrators to the [SERVER]\Team Foundation Administrators.

a. From Team Explorer, right click on the server

b. Choose Team Foundation Server Settings

c. Choose Group Membership

d. Double-Click on [SERVER]\Team Foundation Administrators

e. Choose Windows User or Group and Click the Add button

f.  Enter Domain\TFS-Administrators and click ok, ok and close

So we are now setup ad TFS administrators.

Windows Sharepoint Services

Lets now focus on WSS.  Local Administrators are always able to manage WSS but since we don't want to or can't be Local administrators we need to give TFS-Administrators rights to administer WSS.  Rob blogged about this a week ago so let's do a step by step on what to do. Again we need to be a Local Administrator to do that.

Step 1. Go to the top level Sharepoint administration site usually http://tfsserver:17012, you can also start IIS Management Console and right-click on the Sharepoint Central Administration website and choosing browse.

Step 2. Choose Set SharePoint administration group from the security configuration section.

Step 3. In the Group Account name we need to enter Domain\TFS-Administrators and click ok, you'll go back to the top page of the Sharepoint admin site with no indication of success or failure.

Our TFS Admin Domain group will now be administrators of our TFS WSS site.  Remember that Local Administrators stay WSS administrators but our TFS Admins don't need to be.


SQL Server Reporting Services

Finally lets get our Domain Admin group admin access in SSRS.  Again we need to be a Local Admin on the SSRS server.

Step 1. We need to go the front page of the report server.  http://tfsserver/reports

Step 2. We need to give the Domain group Content Manager role on the Top Level Report site.  To do this click on the properties tab on top

Step 3. Click on "new role assignment" in the group or user name textbox type Domain\TFS-Administrators and select content manager and click ok.

Step 4. We also need to give our Domain user group System Administrator rights.  To do this we start by clicking Site Settings in the top right corner.

Step 5. Select Configure Site-Wide Security in the security section

Step 6. Click New Role Assignment, and in the group or user name textbox, type in Domain\TFS-Administrators then select system administrator role and click ok.

My experience has been that the group needs to be in both these locations for them to be able to create and manage reports.

After all this, you should be able to create project and administer a TFS server without being a Local administrator on that server.

Let me know if this works for you.




Posted on Wednesday, September 27, 2006 8:33 PM | Back to top

Comments on this post: TFS Server Administrators (when you can't be a Windows server administrator)

# Managing Team Foundation Server Administrators with Active Directory
Requesting Gravatar...
Etienne Tremblay has a post on his blog (TFS Server Administrators (when you can't be a Windows server...
Left by Rob Caron on Sep 28, 2006 12:14 PM

# TFS: During the VSTS Objective Domain Session and TechEd Chlak&Talks we had interesting discussions about "issues" ...
Requesting Gravatar...
Planning and Sizing The guidelines for planning and sizing are currently scattered across a number of
Left by Willy-Peter Schaub on Oct 26, 2006 2:02 AM

Your comment:
 (will show your gravatar)

Copyright © Etienne Tremblay | Powered by: