TFS 2010 Security–How to determine if a User is a member of a TFS Group (or a Windows Group)

I was recently perplexed by our rather volatile TFS setup, where users are frequently added to and removed from the system.  Beyond that, we use Work Item Template (WIT) security scoping to define which users can do what, and when.  For example, we have a group of engineers who are approved to move work from the operations team to the engineering team, and that level of access is managed by TFS security.  In today’s post, I’m going to focus on how to use the TFS tools to determine whether a user is in fact a valid user for a system.

Determining if Domain user is Valid User for a Project Collection in TFS 2010

You might find yourself needing to determine whether a user is a “valid user” of a TFS project collection.  As you know, individual projects are members of a collection.  Thus, in this example, I’m going to show you how to determine whether a user is a collection-level valid user.

NOTE:  To expedite and simplify your life, you might want to add %programfiles%\Microsoft Team Foundation Server 2010\Tools to your PATH environment variable.

  1. Open a Command-prompt (elevated isn’t required)
  2. Change to the directory %programfiles%\Microsoft Team Foundation Server 2010\Tools
  3. At the command-prompt, type the following:

tfssecurity /m "Project Collection Valid Users" n:{domain\username} /collection:{URL of TFS App Tier}

This prints whether the user is a member of the Project Collection Valid Users group, which tells you whether they are a valid user in the TFS project collection.

Is not a Valid User: [screenshot of tfssecurity output]

Is a Valid User: [screenshot of tfssecurity output]

If they are, then you can move to further diagnosing permissions within TFS.

Determining User Membership in TFS Security Group in TFS 2010

As you know, the enterprise approach is often to scope projects to a particular set of users, usually around the development work getting done.  In our case, we do our breakdown by “Feature Team”, which includes Program Managers, Developers, and Testers.  They are all valid users of the collection, though they do not see every project that is a member of the collection, just those they have Reader or higher rights to.  If a project is large enough, you may want to determine whether a user is in a specific project group such as X Feature Team.  In this example, I will share how to use tfssecurity.exe to determine whether they are in a project-specific group.

  1. Open a Command-prompt (elevated isn’t required)
  2. Change to the directory %programfiles%\Microsoft Team Foundation Server 2010\Tools
  3. At the command-prompt, type the following:

tfssecurity /m "{name of project group}" n:{domain\username} /collection:{URL of TFS App Tier}

For {name of project group}, enter the value in the form [ProjectName]\GroupName.  In the example below, the project name is Nassau and the group name is Nassau Feature Team, so the group is entered as [Nassau]\Nassau Feature Team.

Is not a Member of “X” group: [screenshot of tfssecurity output]

Is a member of “X” group: [screenshot of tfssecurity output]

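Both procedures above boil down to the same tfssecurity /m call, so a small wrapper that runs it for a list of users against a list of groups (collection-level or [Project]\Group) turns a one-off check into an audit you can repeat. The PowerShell below is an added example, not code from the original post or from Microsoft; it uses only the /m, n: and /collection: arguments shown above. The collection URL, user names and the "is a member of" / "is not a member of" phrases it looks for in the tool's output are assumptions (compare against the output your tfssecurity.exe prints and adjust the two patterns if they differ); anything it cannot classify is reported with the raw output rather than guessed.

```powershell
# Added example (not from the original post): batch membership audit around
# tfssecurity.exe /m, covering both the collection-level "valid user" check and
# the project-group check described above.
#
# Usage (values are placeholders):
#   .\Audit-TfsMembership.ps1 -CollectionUrl 'http://tfs:8080/tfs/DefaultCollection' `
#       -Users 'contoso\alice','contoso\bob' `
#       -Groups 'Project Collection Valid Users','[Nassau]\Nassau Feature Team' |
#       Format-Table -AutoSize
param(
    [Parameter(Mandatory = $true)] [string]   $CollectionUrl,   # URL of the TFS app tier / collection (assumed)
    [Parameter(Mandatory = $true)] [string[]] $Users,           # domain\username values to check
    [string[]] $Groups = @('Project Collection Valid Users')    # collection-level name or "[Project]\Group"
)

# Locate tfssecurity.exe: prefer PATH, fall back to the TFS 2010 Tools folder named in the post.
$cmd = Get-Command tfssecurity.exe -ErrorAction SilentlyContinue
if ($cmd) {
    $exe = $cmd.Path
} else {
    $exe = Join-Path $env:ProgramFiles 'Microsoft Team Foundation Server 2010\Tools\tfssecurity.exe'
}
if (-not (Test-Path $exe)) { throw "tfssecurity.exe not found at '$exe'" }

# ASSUMPTION: phrases tfssecurity prints for the two outcomes. Verify against your
# own output (the screenshots in the post show the exact text) and adjust if needed.
$NotMemberPattern = 'is not a member of'
$MemberPattern    = 'is a member of'

function Test-TfsGroupMembership {
    param([string] $Group, [string] $User)

    # Same command as in the post: tfssecurity /m "<group>" n:<domain\user> /collection:<url>
    # PowerShell quotes each argument, so group names containing spaces are passed intact.
    $output = & $exe /m "$Group" "n:$User" "/collection:$CollectionUrl" 2>&1 | Out-String

    # Test the negative phrase first so a looser positive pattern can never shadow it.
    if ($output -match $NotMemberPattern) { return 'NotMember' }
    if ($output -match $MemberPattern)    { return 'Member' }

    # Unresolvable identity, wrong URL, permission error, or different output text:
    # surface the raw output instead of guessing.
    return 'Unknown: ' + $output.Trim()
}

# One result object per (group, user) pair; pipe to Format-Table or Export-Csv.
foreach ($group in $Groups) {
    foreach ($user in $Users) {
        New-Object PSObject -Property @{
            Group  = $group
            User   = $user
            Result = (Test-TfsGroupMembership -Group $group -User $user)
        }
    }
}
```

Running it with the collection-level group and each of your project groups in -Groups gives a single table of who is (and is not) where, which is exactly the "who is a member of what" question the closing paragraph raises; the Unknown rows are the ones worth a second look, since they usually mean a misspelled identity or a group that does not exist in that collection.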
This is a really useful ability when you are using “Work Item Template” scoping such as the following examples:

    • When transitioning from Active -> Resolved, only allow “[Project]\Testers” in the Assigned To field

    • When a work item is in the Closed state, only allow “[Project]\Valid Users” to re-open the work item

These are often needle-in-a-haystack situations, and you get frustrated quickly.  Let tfssecurity.exe do the work for you…


Security is often planned out, but even the most anal of security administrators has to ask the valid questions: “Who has access to what?” and, furthermore, “Who is a member of what?”  In today’s post, we focused on a couple of scenarios in which you can use tfssecurity.exe to determine security membership on a per-user or per-group basis.  At a recent event, I was able to use this to determine whether users were valid in a TFS group and to find where holes existed in our security groups.

Happy auditing…Enjoy!