Team Foundation Server on a Domain Controller

If you choose to install Team Foundation Server on a domain controller (less than optimal), you’re going to have some issues. The one I’d like to address here is this one, which happens when viewing reports (including through the team project portal site):

rsErrorImpersonatingUser

This is by design and happens because members of the Builtin Users group on a domain controller include Domain Users. Members of this group do not have the right to log on locally (SeInteractiveLogonRight). The Reporting Logon Account (for example, TFSReports) is just a regular domain user account. As a result, the default behavior on a domain controller prevents it from impersonating the user requesting the report. For more information, see https://support.microsoft.com/kb/823659.

To get around this issue, you can just log on as an Administrator and add the needed right to that account:

C:\> ntrights -u TFSReports +r SeInteractiveLogonRight

Where TFSReports is the reporting data reader account specified during Team Foundation Server setup.

Update - you can find ntrights.exe in the Windows Server 2003 Resource Kit Tools.
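
To confirm the change and see which other accounts hold the same right, the following added example (not part of the original post) exports the local user-rights policy with secedit and resolves each holder of SeInteractiveLogonRight. It assumes an elevated PowerShell prompt on the server; the function name Get-UserRightHolder is hypothetical, and TFSReports is the example account from this post.

```powershell
# Added example: list the accounts that hold a given user right.
# Get-UserRightHolder is a hypothetical helper name, not a built-in cmdlet.
function Get-UserRightHolder {
    param([string]$Right = 'SeInteractiveLogonRight')

    $cfg = Join-Path $env:TEMP ("user_rights_{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the user-rights area of the effective security policy.
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

        $pattern = '^\s*' + [regex]::Escape($Right) + '\s*='
        $line = Get-Content -Path $cfg | Where-Object { $_ -match $pattern } |
                Select-Object -First 1
        if (-not $line) { return }   # the right is assigned to nobody

        foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }

            if ($entry.StartsWith('*')) {
                # Entries prefixed with '*' are SIDs; resolve them to names.
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
                try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $name = '<unresolved>' }   # deleted or unreachable account
                New-Object PSObject -Property @{ Name = $name; Sid = $sid.Value }
            } else {
                # Entries without '*' are stored by account name.
                New-Object PSObject -Property @{ Name = $entry; Sid = $null }
            }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

$account = 'TFSReports'   # example account name from this post
$holders = @(Get-UserRightHolder -Right 'SeInteractiveLogonRight')
$holders | Format-Table Name, Sid -AutoSize

# Match 'TFSReports' or 'DOMAIN\TFSReports'.
$match = '(^|\\)' + [regex]::Escape($account) + '$'
if ($holders | Where-Object { $_.Name -match $match }) {
    "$account is listed directly for SeInteractiveLogonRight."
} else {
    "$account is not listed directly (it may still hold the right through a group)."
}
```

On a domain controller, a Default Domain Controllers Policy setting for this right can overwrite a local change at the next policy refresh, so rerun the check after Group Policy has been applied.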