When using a Windows 2003 Server Domain Active Directory Group to assign Team Foundation permissions to multiple users, the group members do not have the selected permissions if the primary group (for POSIX and Macintosh applications) of the account in AD is set to the group to which the permissions are being assigned. If you double-click on the group in the Team Explorer GUI or select the Properties... button, the accounts with primary group set to the assigned group do not appear. Only accounts with other primary group assignment appear. I have changed the primary group assignment on some test accounts and have confirmed that the accounts only appear in Team Foundation when the primary group is set to something else.
I noticed this problem in beta 2 as well and noticed this post that first reported it by Rosen: http://forums.microsoft.com/msdn/ShowPost.aspx?PostID=53966. I still have this problem as well in beta 3 and now have a much firmer understanding of how to reproduce it.

Permissions Bug with Beta 3 and Active Directory Groups?
John Lawrence MSFT
Dan,
We would like to add our vote to this fix for 50+ developers. While no longer a blocking issue due to the workarounds identified here, this is also the cause of many of our problems previously discussed at http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=171407&SiteID=1&mode=1
Thank you.
AlexYe
I'll make sure that a product bug gets filed and we'll investigate this.
In the meantime (given that I'm not an AD expert), can you indicate how important it is for your organization for TFS to support Primary Groups? How and why are they typically used?
Thanks,
TareyWolf
Not quite. Use the following modification of your steps:
1) You have a Windows 2003 AD Security group, called ADGroup, with N windows identity accounts - Yes
2) In some of the N windows accounts, change the Primary Group in Active Directory Users and Computers on the "Members Of" tab so that the Primary Group is ADGroup. On the remainder of the accounts, let the Primary Group be Domain Users or something else. This step is very important.
3) You added ADGroup (via the Team Foundation Server Settings->Group Membership...) by adding the Windows Identity ADGroup to a Team Foundation Application Group (such as Team Foundation Administrators). - Yes, I used Contributors group for a specific project, however.
4) Click on properties for Team Foundation Administrators (project Contributors in my case), and does the ADGroup appear? -- Here what happens is ADGroup appears, but if you use the Properties button to display its members, the accounts that are set to ADGroup as the Primary Group will not show but the ones that are set to another group will appear. Consequently, the permissions for the missing accounts are not what is desired.
tennisguy
Sérgio Brito
This bug has been fixed for RTM and the December CTP. Please note that the December CTP is NOT part of the go live license, and should NOT be used for production. There is no upgrade path from Beta 3/Beta 3 Refresh to the December CTP, and there will be no upgrade path from the December CTP to RTM.
--Matt Hoover
Visual Studio Team Foundation SDE
Anil15
wurriedbunny
Are you saying that in V1 you cannot see the members of a primary group that is added as a TFS application group? Even though you cannot see them, do they still have the respective rights? (I don't think they do.) Are you saying to create another group that is not the primary group to basically mirror the primary group, and add that group into TFS?
Thanks.
Evertone
With the current implementation in V1 primary groups' memberships cannot be viewed.
Have you tried adding the users who are in a primary group to a domain security group and included this security group into TFS application groups?
Thanks,
Jonathan Kotthoff
So that I can understand this issue, can you just verify:
1) You have a Windows 2003 AD Security group, called ADGroup, with N windows identity accounts
2) You added ADGroup (via the Team Foundation Server Settings->Group Membership...) by adding the Windows Identity ADGroup to a Team Foundation Application Group (such as Team Foundation Administrators).
3) Click on properties for Team Foundation Administrators, and does the ADGroup appear? Can you see the individual members of ADgroup by selecting it and clicking properties?
yaron nahari
Can you create a mirror of the primary group and add that group to TFS?
Jeff Dion
reesthil
That's basically what I've already done. Is this going to be fixed for RTM?
PhillipM
The user is always a member of a primary group and if the wrong group is selected, even if you're not using Unix or Mac systems, he will experience this problem with permissions. It may be quite difficult for the end user to determine what the root cause of the problem is.
casaubon
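Added example, not part of the thread and not Team Foundation Server code: Active Directory records an account's primary group in the user's `primaryGroupID` attribute (the group's RID) rather than in the group's `member` attribute, so a lookup that reads only `member` misses exactly the accounts described above. The sketch below audits a group for such accounts; the directory records, SIDs and DNs are constructed sample data, and a single domain is assumed.

```python
# Constructed sample directory (not from the thread); single domain assumed.
DOMAIN_SID = "S-1-5-21-1000000001-1000000002-1000000003"  # constructed value
ADGROUP = "CN=ADGroup,DC=example,DC=test"
DOMAIN_USERS = "CN=Domain Users,DC=example,DC=test"
ALICE, BOB, CAROL = (f"CN={n},DC=example,DC=test" for n in ("alice", "bob", "carol"))

GROUPS = {
    # alice is absent from 'member' because ADGroup is her primary group.
    ADGROUP: {"objectSid": f"{DOMAIN_SID}-1105", "member": [BOB]},
    DOMAIN_USERS: {"objectSid": f"{DOMAIN_SID}-513", "member": []},
}
USERS = {
    ALICE: {"primaryGroupID": 1105},
    BOB: {"primaryGroupID": 513},
    CAROL: {"primaryGroupID": 513},
}


def group_rid(group_dn):
    """Relative identifier: the last sub-authority of the group's SID."""
    return int(GROUPS[group_dn]["objectSid"].rsplit("-", 1)[1])


def members_by_attribute(group_dn):
    """What a lookup that reads only the group's 'member' attribute sees."""
    return set(GROUPS[group_dn]["member"])


def members_by_primary_group(group_dn):
    """Accounts whose primaryGroupID equals the group's RID.
    Against a live directory this is the LDAP filter (primaryGroupID=<RID>)."""
    rid = group_rid(group_dn)
    return {dn for dn, attrs in USERS.items() if attrs["primaryGroupID"] == rid}


def effective_members(group_dn):
    """Full membership: 'member' entries plus primary-group holders."""
    return members_by_attribute(group_dn) | members_by_primary_group(group_dn)


def hidden_members(group_dn):
    """Accounts that hold the group only as their primary group."""
    return members_by_primary_group(group_dn) - members_by_attribute(group_dn)


if __name__ == "__main__":
    for dn in GROUPS:
        print(dn, "visible:", sorted(members_by_attribute(dn)),
              "hidden:", sorted(hidden_members(dn)))
```

Any account reported by `hidden_members` for a group used in access control is one whose permissions should be checked directly, or granted through a mirror security group as suggested in the thread.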