Clarification on TFS Setup with Admin Accounts


This post covers installing Team Foundation Server for Visual Studio Team System with the TFSSETUP, TFSSERVICE, and TFSREPORTS accounts, and whether they must be admins on the local machine or the Active Directory domain.  It also includes my tips for installing TFS.

I’m here at Texas A&M University in the Computer Science department helping install TFS for students in the department.  There are a lot of uses for it here.  Dr. Salih Yurttas is a progressive teacher and would like his students to use it in his classes and student projects.  The other Software Engineering classes (headed up by Dr. Dick Simmons and Dr. Mac Lively) are primarily using IBM’s Rational suite, but want to check out VSTS.  And last but not least, other students are simply interested in using it for their class projects.

So I encountered quite a bit of confusion around the accounts needed for TFS’ setup, services, and SQL reporting.  The TFS Installation Guide is really not clear, making it sound like the three recommended accounts (TFSSETUP, TFSSERVICE, and TFSREPORTS) should be admins on the AD domain.  Most IT shops wouldn’t stand for this, and it is generally a bad practice.  So I did some digging around, talked to Bill Essary (the TFS Architect) & Jeff Beehler, checked out the “Team Foundation Server Administrator Permissions” MSDN article, and did a lot of trial and error.  Here’s what I found out…

This is in regard to installing in an Active Directory domain environment.  Workgroup config is easy, and not all of these tips apply to it.  Some of these may be obvious, but they are helpful to state clearly.

Note: These are NOT the complete setup instructions.  They are meant to supplement the TFS Install Guide.

  1. Follow the TFS Installation Guide to the letter, except for the part about user accounts, which is what this blog post is about.  Don’t forget to unblock the file.
  2. You can use any account that is a local Admin to install SQL Server & TFS (it doesn’t have to be TFSSETUP).
  3. Be sure to verify that the “TCP/IP” SQL protocol is enabled (mentioned somewhere in the install guide); it isn’t by default.
  4. The accounts used for the TFS Service and the Reporting Service (typically TFSSERVICE & TFSREPORTS) can be named anything you want.  I’ll use these names here just for reference.
  5. TFSSERVICE & TFSREPORTS accounts should be “normal users” on the domain and Admins on the local machine.

    Update: 
    The two accounts do not need to be administrators on the local machine, but they do need to be able to log in and have permissions in their proper directories.  (thanks to Etienne Tremblay for the update) 
    1. If you use local accounts (that are added to the local machine and do not exist in the domain) for TFSSERVICE/TFSREPORTS, every TFS user must have an additional account on the local machine.  This is not recommended in an Active Directory environment. 
    2. The account(s) used should be “normal users” on the Active Directory domain (not admins on the domain) and Administrators on the local machine.  It is necessary that the accounts are on the domain so that the services can look up users’ credentials on the domain.  It is necessary that they are admins on the local machine to create new files, folders, settings, etc. when working with Team Projects.
  6. You can create a group (say “TFS Admins”) for the users who should be able to administer TFS (add new Team Projects, change Iterations & Areas, etc.).  The group needs to exist on the domain, but does not need to be an admin on the domain or local machine.  Then add users that should be admins on TFS to that group.  This saves you from having to go to three different locations to add TFS admins.
  7. If you’re installing inside a VPC, back it up before installing the ATDT (application tier & data tier).
  8. Read up on and follow the MSDN article on “Team Foundation Server Administrator Permissions”.
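
One way to check the account setup described in tips 4 to 6 after installation, as an added example that is not part of the original post or the TFS Installation Guide. It assumes domain accounts named TFSSERVICE and TFSREPORTS, the RSAT ActiveDirectory module, and Windows PowerShell 5.1 or later run on the TFS server by a local administrator.

```powershell
# Added example: audit the TFS service accounts against the guidance above.
# Assumed names (adjust to your environment): TFSSERVICE, TFSREPORTS.
Import-Module ActiveDirectory

$serviceAccounts  = 'TFSSERVICE', 'TFSREPORTS'
# Domain-level admin groups the service accounts should NOT belong to.
$privilegedGroups = 'Domain Admins', 'Administrators'
$domain           = (Get-ADDomain).NetBIOSName

# Direct members of the local Administrators group, looked up by its
# well-known SID so the check also works on localized systems.
# Membership gained through a nested domain group is not expanded here.
$localAdmins = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Select-Object -ExpandProperty Name

$results = foreach ($name in $serviceAccounts) {
    # Throws if the account is not a domain account (see tip 5, item 1).
    $user = Get-ADUser -Identity $name -ErrorAction Stop

    # Recursive lookup catches membership through nested groups.
    $adminVia = foreach ($group in $privilegedGroups) {
        $members = Get-ADGroupMember -Identity $group -Recursive
        if ($members.SamAccountName -contains $user.SamAccountName) { $group }
    }

    [pscustomobject]@{
        Account        = "$domain\$name"
        Enabled        = $user.Enabled
        DomainAdminVia = $adminVia -join ', '
        LocalAdmin     = $localAdmins -contains "$domain\$name"
    }
}

$results | Format-Table -AutoSize

# Flag the configuration the post warns against: service accounts
# that hold admin rights on the domain.
$violations = $results | Where-Object { $_.DomainAdminVia }
if ($violations) {
    Write-Warning ("Service accounts with domain admin rights: " +
        ($violations.Account -join ', '))
}
```

The LocalAdmin column is informational: the post's update says local admin rights are not required, so a True value there marks an account whose rights could be reduced.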

So there you have it, some clarification on setting up TFS permissions when installing.  If you learn another caveat, or have a tweak to my notes, please let me know in a comment.  Thanks.

Comments (9)

  1. Over the course of the TFS (Team Foundation Server) installations I have carried out, or through the queries

  2. El Bruno says:

    Hi, as I mentioned 2 days ago, the complete FAQ for installing and administering TFS

  5. Michael says:

    Hi,

    Are you sure that TFSSERVICE and TFSREPORTS should be administrators on the TFS server? Nowhere in the TFS install guide is this mentioned. In fact it explicitly states they should just be normal users.

    I’ve followed the guide to the letter using domain accounts and I’m having project creation problems…

    Thanks

    Michael

  6. El Bruno says:

    Hi, as I mentioned 2 days ago, the complete FAQ for installing and administering TFS…

  7. Carlos says:

    Question:

    When installing TFServer on Windows 2008 with no domain, only workgroups, do I need to create all the accounts mentioned in the Installation Guide? What permissions do I need to give those accounts? Can I do everything with my Administrator account?

    Tnx

  8. shahbaz Khan says:

    hello,

    Nice post. I just want to know: before configuring and installing TFS 2010,

    what exact permissions and roles does the tfsservice account need?

    Or after configuring, does TFS give all the permissions by itself? Please clarify this issue.

    thank you