TFS - Creating Team Projects / Viewing Documents in Team Explorer Permissions.

I have been fighting this issue (bug) for the past couple of days with no luck in properly resolving this issue.

Quick rundown of the naming. "localhost" refers to the TFS server, single tier install, using domain accounts on a separate machine.

The general problem is that any user besides TFSSetup cannot create a team project unless that given user is in the localhost\administrators group. I have tried "localhost\users", and "localhost\powerusers", and everything in between, but for one reason or another a user's account must be in the localhost\administrators group. This is the error message. Pretty self-explanatory, something is not set up properly for permissions.

Event Description: TF30162: Task "SharePointPortal" from Group "Portal" failed
Exception Type: Microsoft.TeamFoundation.Client.PcwException
Exception Message: Insufficient permissions on the Windows SharePoint Services at irris32 to create a new site.
Exception Details: The permissions granted your user name and ID on the Windows SharePoint Services at irris32
do not allow you create a new portal site. You must be granted specific root
permission by the server administrator.

To expand on this error message, the user domainuser\john is set up in the SharePoint site as being a Reader, Contributor, Web Designer, Administrator with both the Contributor and Web Designer able to create Web Sites (this was done to eliminate this option). In addition, utilizing http://localhost allows user domainuser\john to create sites all he wants (but not when creating a Team Project).

In addition, if domainuser\john is not in the administrative group they are not able to get logged into http://localhost:17012/ for SharePoint administration (which is not a bad thing) but once added to localhost\administrators they can (which could be a bad thing ... with 200 or so users trying to use the TFS).

And to keep going. If, say, user domainuser\john is not part of the localhost\administrators group, he cannot see the documents in any Team Projects using Team Explorer, unless he was the one that created the team project. And how he would have created it would have been by being given localhost\administrator privileges.

I have searched up and down for a concrete answer to this issue and the best is "add the user to the administrator group". Sorry, this is not going to cut it for SOX.

I did some testing with the SQL Server also. I would grant domainuser\john sysadmin privileges, and then attempt to create a team project. The same problem would occur: the creation would fail at the point of SharePoint site creation.

To play around even more, I attempted to create a local project to utilize the web services provided by http://localhost:17012/_vti_adm/admin.asmx and there again, I was not able to access them unless I was in the localhost\administrators group.

What is ironic is that I just got back from attending the MS Workshop 2631A and after looking over their TFS virtual machines, they had everyone running around as administrators also. Every demo I have seen has the person giving the seminar as TFSSETUP.

Every other part of my TFS install works and it should, and the installation is correct and followed exactly as the installation guide.

So what are the secret permissions that need to be granted to allow a user access to SharePoint Central Administration http://localhost:17012 to allow him to create a team project and see documents without adding them to the localhost\administrators? A quick search on these forums will reveal this problem over and over again.




  • ormistons

    I'm not sure if you are saying localhost for this email only, or if you really supplied localhost. You should/must use the server name.

    That said, if you want to grant someone the permissions to create a project you need to make sure they have the right permissions in TFS, as well as being added to the SharePoint and RS administration group (via the respective tools). This will mean using a real admin account to do this.

    Making everyone a local admin is just a bad practice.


