TFS 2017 On Premise. Removing users from Project Admin Role. Security - by Steve Olner

Status: Fixed

This item has been fixed in the current or upcoming version of this product.
A more detailed explanation for the resolution of this particular item may have been provided in the comments section.

ID: 3115011
Status: Closed
Type: Bug
Repros: 0
Opened: 12/7/2016 8:02:22 AM
Access Restriction: Public


TFS 2017 On Premise. When removing a user / AD group from a Project Administration role, even users in the Project Collection admin role can be locked out of the project.
Posted by Microsoft on 3/20/2017 at 11:13 AM
There was a bug that got introduced in TFS 2017 that upon upgrade deleted the permissions for collection administrators at the team project level and thus, collection admins are unable to access and administer existing team project resources. New projects created after the upgrade should not be affected. This bug has already been addressed in our Update 1 release. Until then, here is a workaround you could follow to restore the missing permissions for the collection administrators:

To be executed once per affected collection:
1.    Run the following SQL script in your TFS Configuration DB (replace CollectionName with the name of your collection):
select LocalScopeId
from tbl_GroupScope
where PartitionId > 0 and ScopeType = 2 and Active = 1
  and SecuringHostId in (
      select SecuringHostId
      from tbl_GroupScope
      where PartitionId > 0 and Name = 'CollectionName' and ScopeType = 1 and Active = 1)
2.    The results (without headers) should be copied to a file on the server, for example C:\LocalScopeIdList.txt
3.    Update the first three variables as needed and run the following PowerShell script on the server.

-----------------begin of pca_tfs.ps1 script---------------------

# Update these three values for your server: the collection URL, the file
# holding the LocalScopeId values from step 1, and the TFSSecurity.exe path.
$url = "http://localhost:8080/tfs/defaultcollection"
$localScopeIdList = Get-Content C:\LocalScopeIdList.txt
$cmd = "C:\Program Files\Microsoft Team Foundation Server 15.0\Tools\TFSSecurity.exe"

$collection = "/collection:" + $url
# Identity-namespace permissions the upgrade removed for collection
# administrators on each existing team project scope.
$permissions = "Read", "Write", "Delete", "ManageMembership", "CreateScope"

foreach ($scopeId in $localScopeIdList) {
    foreach ($permission in $permissions) {
        # The Identity namespace token for a project scope is "<LocalScopeId>\"
        $token = $scopeId + "\"

        # /a+ adds an ALLOW entry for the collection administrators group (adm:)
        $param = @("/a+", "Identity", $token, $permission, "adm:", "ALLOW", $collection)
        Write-Host $param

        & $cmd $param
    }
}

-----------------end of pca_tfs.ps1 script---------------------
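As an added example (not part of the Microsoft post or the product), the three workaround steps combined into one script: it reads the LocalScopeId values straight from the configuration database with a parameterised query instead of pasting the collection name into SQL, and only calls TFSSecurity.exe when -Apply is given, so a first run just lists what would change. The SQL Server host, configuration database name, collection URL and tool path are assumptions to be adjusted for your server.

```powershell
# Added example, not the original workaround script. Defaults below are assumptions.
param(
    [string]$SqlServer      = "localhost",          # assumed config DB host
    [string]$ConfigDb       = "Tfs_Configuration",  # assumed config DB name
    [string]$CollectionName = "DefaultCollection",
    [string]$CollectionUrl  = "http://localhost:8080/tfs/DefaultCollection",
    [string]$TfsSecurity    = "C:\Program Files\Microsoft Team Foundation Server 15.0\Tools\TFSSecurity.exe",
    [switch]$Apply                                   # omit for a dry run
)

# Same query as step 1, with the collection name bound as a parameter.
$query = @"
select LocalScopeId from tbl_GroupScope
where PartitionId > 0 and ScopeType = 2 and Active = 1
  and SecuringHostId in (select SecuringHostId from tbl_GroupScope
                         where PartitionId > 0 and Name = @name
                           and ScopeType = 1 and Active = 1)
"@

$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$SqlServer;Database=$ConfigDb;Integrated Security=True")
$conn.Open()
try {
    $sqlCmd = $conn.CreateCommand()
    $sqlCmd.CommandText = $query
    [void]$sqlCmd.Parameters.AddWithValue("@name", $CollectionName)
    $reader = $sqlCmd.ExecuteReader()
    $scopeIds = @()
    while ($reader.Read()) { $scopeIds += $reader.GetValue(0).ToString() }
    $reader.Close()
} finally { $conn.Close() }

Write-Host "Found $($scopeIds.Count) project scope(s) in collection '$CollectionName'."

# Permissions removed by the upgrade bug, restored for collection admins (adm:).
$permissions = "Read", "Write", "Delete", "ManageMembership", "CreateScope"
foreach ($scopeId in $scopeIds) {
    foreach ($permission in $permissions) {
        # Same TFSSecurity.exe call as the original workaround script.
        $tfsArgs = @("/a+", "Identity", "$scopeId\", $permission, "adm:", "ALLOW",
                     "/collection:$CollectionUrl")
        if ($Apply) { & $TfsSecurity $tfsArgs }
        else        { Write-Host "DRY RUN: TFSSecurity.exe $tfsArgs" }
    }
}
```

Run it once without -Apply to confirm the scope count matches the number of existing team projects in the collection before making changes.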