Geeks With Blogs
ET's VS and TFS World Fascinating tidbits about VS and TFS and .NET (well I hope...)

So in this post I will revisit a post I wrote a while back, "TFS Server Administrators (when you can't be a Windows server administrator)".

Is it possible to manage a TFS instance without being a Windows administrator? Well, I'm aware of one thing right now that I can't do as a regular application administrator.  There are probably others, but we are able to be pretty effective by following the steps in this and the previous post.

I wrote the first post about a year and a half ago, and after going through many upgrades and setting up a management team for TFS I stand by what was in there.  In the past month we have upgraded our infrastructure from 2005 to 2008 and pretty much everything still worked for our administrators except for WSS v3.  Now I could go and talk about my feelings about WSS but I won't ;-).  Here is where you need to add permissions in order to administer WSS and 1) be able to create Team Projects, 2) be able to see all the previously created project portals and all the newly created project portals.

So after our upgrade of WSS 2.0 to WSS 3.0 we tried creating a project and the PCW (project creation wizard) would fail immediately (after 5 sec) with an error that it couldn't access WSS.  Now at this point I started looking all over the WSS administration interface to try and figure out where to change security to let my Windows group be SharePoint admins.  So you would think that it would be easy to find a menu entry that said "click here to add the uber god Windows group so that they can do everything in SharePoint" but sigh... it was not to be.  After adding my user (to start) to just about every submenu that said anything about security I was still failing immediately in PCW.

I then went to the event logs to find out if anything was showing up there... well, a few information messages, a few warnings about some TFS upgrade things I needed to look at and, well, nothing that really jumped out at me.  Well, it turns out that the information ASP.NET message was actually talking about having an access denied on some web page... now if you're like me, at this point you are shaking your head and asking why it was an information message. Well... I don't know.  I'm just trying to save you time here :-).  So that clued me into a nice new direction (I didn't tell you I spent %$#*^! hours looking for a direction), which after spending way too much time looking at a computer screen and being delirious with Windows security dialogs was a welcome respite. I decided I was going to click just about anywhere to find something that would get me out of the jam, and that error informational message was a ray of bright light at 2am... it had a link


Now you might think I should know about that URL since it's used to provision new WSS sites.  Well, you'd be right, I did know about this link, but it worked for me.  In the error informational message there was some info on impersonation of users, specifically the user account that I was using to create new projects (not me), so I ran IE as that user and tried navigating to that link... Access Denied... haHA!! and a nice new error informational message in the event log.  Great, I can now repro easily and it looks like a permission thing... well I knew that?!?  So how to fix this?

There are two ways to fix this. 

1) The easy way > Add your TFS administrator group to the WSS_ADMIN_WPG group (looks obvious in retrospect...)

2) The hard way that enabled the easy way > Open IIS Manager > ServerName > Web Sites > SharePoint Central Administration v3 > _vti_adm

- Right click on _vti_adm and select properties

- Click on the ASP.NET tab

- Click on Edit Configuration...

- Select the Authorization Tab

Now at this point you might be asking yourself why did he go there... well, it was 2am, I can't recall.  But what you will see is this

- What you need to do is add your group to the Local authorization rules... what was happening was that as an administrator (first allow) or a member of the WSS_Admin_WPG (second allow) I can create new sites, but everyone else was denied!!!  If you go this route, make sure that the deny * is the last one (it's order specific).  Note also that the users/groups are in the roles column, not users.  So you'll need to click the checkbox beside roles to enable the textbox to fill with your group/users.

- Click OK a few times and you should be good to go (changing the web.config, which is what this does, resets the appdomain so you don't need to do an IISReset).
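The order sensitivity of those authorization rules can be checked offline. The following is an added example, not code from the original post: it evaluates an `<authorization>` rule list with first-match-wins semantics and flags rules placed after `deny *`. The XML fragments and the group name `CONTOSO\TFSAdmins` are constructed placeholders, and only the rules in this one file are evaluated (inherited configuration is ignored).

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragments modelled on the rule list described above.
# CONTOSO\TFSAdmins is a placeholder group name, not a value from the post.
WRAP = ("<configuration><system.web><authorization>%s"
        "</authorization></system.web></configuration>")
BUILTIN = r'<allow roles="BUILTIN\Administrators"/><allow roles="WSS_ADMIN_WPG"/>'
TFS = r'<allow roles="CONTOSO\TFSAdmins"/>'
DENY_ALL = '<deny users="*"/>'
GOOD = WRAP % (BUILTIN + TFS + DENY_ALL)  # new allow placed before deny *
BAD = WRAP % (BUILTIN + DENY_ALL + TFS)   # new allow placed after deny *


def _names(value):
    """Split a comma-separated users/roles attribute into a lowercase set."""
    return {v.strip().lower() for v in (value or "").split(",") if v.strip()}


def _rules(config_xml):
    return list(ET.fromstring(config_xml).find("system.web/authorization"))


def is_allowed(config_xml, user, roles):
    """First matching rule decides; None means no rule in this file matched."""
    member_of = {r.lower() for r in roles}
    for rule in _rules(config_xml):
        users = _names(rule.get("users"))
        if ("*" in users or user.lower() in users
                or _names(rule.get("roles")) & member_of):
            return rule.tag == "allow"
    return None


def unreachable_rules(config_xml):
    """Rules listed after a catch-all <deny users="*"/> can never take effect."""
    dead, seen_deny_all = [], False
    for rule in _rules(config_xml):
        if seen_deny_all:
            dead.append((rule.tag, rule.get("roles") or rule.get("users")))
        elif rule.tag == "deny" and "*" in _names(rule.get("users")):
            seen_deny_all = True
    return dead


if __name__ == "__main__":
    who = ("CONTOSO\\alice", ["CONTOSO\\TFSAdmins"])
    print("allow before deny *:", is_allowed(GOOD, *who))
    print("allow after deny *: ", is_allowed(BAD, *who))
    print("unreachable rules:  ", unreachable_rules(BAD))
```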

Now that got me past the first immediate failure... so the PCW started going...going...going... and failed on, guess what, access denied in SharePoint... WHAT! ... sigh... that means there must be another location to add users to.... well, yes.

You need to add your group to the SharePoint Farm administrators; here is how to do this.

Navigate (as a server admin for now) to the SharePoint Admin V3 site http://mytfsserver:17013 (or whatever port you are using).


Central Administration > Operations > Update farm administrator's group > add and add your group to this section.


After I did that, the PCW completed successfully.  Great, I can now create TFS projects and WSS sites without being an administrator.

SharePoint security was really tightened in v3, and the way that TFS creates new project sites, by creating a new site collection, makes it so that only the project creator can actually see the portal site until he manually adds all the other users in his group to the site.  Now that's OK for the site owner and I can live with that, but it creates a little problem for the TFS server administrators, where they can't go to the site unless the project owner adds them.  If that is what you want, then the default security in WSS will serve you perfectly.  For us, we need our admins to be able to solve issues and they need to have access to those sub-sites.  Here is what you need to do in order to do that.


Central Administration > Application Management > Policy for Web application > add users and add your group to this section (make sure you select "all zones" and "full control" in the little add users wizard; you don't need "operate as System").


Once you do that you should have all the rights you need to create new TFS projects and view/monitor/administer any SharePoint project on your TFS box.

I hope this will save you a lot of hours of hunting down all those locations.




Posted on Wednesday, April 16, 2008 3:27 PM

Comments on this post: TFS 2005 to 2008 upgrade: SharePoint v3 security changes (what you need in order to manage TFS without being a windows administrator revisited)

No comments posted yet.

Copyright © Etienne Tremblay