tfs, tfs-2017

TFS2017: Project Collection Admin has insufficient permission to add a user to the Project Admin group


I am experiencing an issue where I cannot add users to the Project Administrators group in a team project even though my user account is in the Project Collection Admins group. I've also tried with an account that is part of the Administration Console Users group with no success.

[Screenshot: Insufficient permission error]

This only affects some Team Projects. The permissions on the out-of-the-box security groups have not been modified.

This was working fine before we upgraded from TFS2015 so I assume something changed in TFS2017.

Interestingly, I can remove users from a Project Admin group just not add any.

I noticed that there is now a Security Service Group which seems to contain all of the other security groups. I'm wondering if this could be what is causing permission conflicts as a majority of them are 'Not set'.

[Screenshot: Security Service Group permissions]

Any suggestions would be greatly appreciated. :)


Solution

  • Rajesh Ramamurthy (MSFT) has supplied a fix (comment on Brian Harry's blog) for the issue that should also be fixed in the upcoming TFS 2017 Update 1 release.

    Here is how it is done:

    1. Run the following SQL in your TFS Configuration DB: select LocalScopeId from tbl_Groupscope where PartitionId > 0 and ScopeType = 2 and Active = 1
    2. The results should be copied to a file on the server, for example C:\LocalScopeIdList.txt
    3. Run the following PowerShell script on the server and update the first three values as needed.

    Script for step 3:

    # The first three values are server-specific: collection URL, the scope id list written in step 2,
    # and the path to TFSSecurity.exe
    $url = "http://localhost:8080/tfs/defaultcollection"
    $localScopeIdList = Get-Content C:\LocalScopeIdList.txt
    $cmd = "C:\Program Files\Microsoft Team Foundation Server 15.0\Tools\TFSSecurity.exe"

    $collection = "/collection:" + $url
    # Identity-namespace permissions granted to the administrators group (adm:) on every group scope
    $permissions = "Read", "Write", "Delete", "ManageMembership", "CreateScope"

    foreach ($scopeId in $localScopeIdList) {
        foreach ($permission in $permissions) {
            # The Identity-namespace token for a group scope is the scope id followed by a backslash
            $token = $scopeId + "\"

            # TFSSecurity /a+ <namespace> <token> <action> <identity> ALLOW /collection:<url>
            $param = @("/a+", "Identity", $token, $permission, "adm:", "ALLOW", $collection)
            Write-Host $param

            & $cmd $param
        }
    }


    I have tried the above on our pre-prod server with success so I expect to deploy it in production this weekend.
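As an added example (not part of the original answer or of Microsoft's fix), the same TFSSecurity calls wrapped the way I would run them on a production collection: the scope id file is filtered to lines that parse as GUIDs (a query result pasted from SQL Server Management Studio often carries a `LocalScopeId` header and a row-count line that must not reach TFSSecurity), `-WhatIf` gives a dry run that prints every ACL change without applying it, and the ACL of each scope token is written to a log before and after the change so the operation can be audited or reverted. The `/acl` command of TFSSecurity (which prints the ACL for a namespace token) is assumed from the tool's documented command set; the URL, file and log paths are placeholders.

```powershell
# Added example: guarded wrapper around the fix from the answer above.
# Assumptions: TFSSecurity supports "/acl <namespace> <token>" for reading an ACL;
# all paths and the collection URL below are placeholders for your server.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$CollectionUrl = "http://localhost:8080/tfs/defaultcollection",
    [string]$ScopeIdFile   = "C:\LocalScopeIdList.txt",
    [string]$TfsSecurity   = "C:\Program Files\Microsoft Team Foundation Server 15.0\Tools\TFSSecurity.exe",
    [string]$LogFile       = "C:\TFSSecurity-IdentityFix.log"
)

if (-not (Test-Path $TfsSecurity)) { throw "TFSSecurity.exe not found at $TfsSecurity" }
if (-not (Test-Path $ScopeIdFile)) { throw "Scope id list not found at $ScopeIdFile" }

$collectionArg = "/collection:$CollectionUrl"
# Identity-namespace permissions the administrators group (adm:) needs on each group scope
$permissions   = "Read", "Write", "Delete", "ManageMembership", "CreateScope"

# Keep only lines that are valid GUIDs; "-as [guid]" returns $null for anything else
# (header line, row count, blank lines), so nothing malformed is passed as a token.
$scopeIds = @(Get-Content $ScopeIdFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { ($_ -as [guid]) -ne $null })

Write-Host ("{0} group scope id(s) to process" -f $scopeIds.Count)

foreach ($scopeId in $scopeIds) {
    # Identity-namespace token for a group scope: the scope id followed by a backslash
    $token = "$scopeId\"

    # Capture the ACL before touching it so the change is reversible and auditable
    "=== BEFORE $token ===" | Add-Content $LogFile
    & $TfsSecurity /acl Identity $token $collectionArg 2>&1 | Add-Content $LogFile

    foreach ($permission in $permissions) {
        # With -WhatIf this only reports what would be granted
        if ($PSCmdlet.ShouldProcess($token, "ALLOW $permission for adm:")) {
            $out = & $TfsSecurity /a+ Identity $token $permission "adm:" ALLOW $collectionArg 2>&1
            $out | Add-Content $LogFile
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "TFSSecurity exited with $LASTEXITCODE for $token / $permission (see $LogFile)"
            }
        }
    }

    "=== AFTER $token ===" | Add-Content $LogFile
    & $TfsSecurity /acl Identity $token $collectionArg 2>&1 | Add-Content $LogFile
}
```

Run it first as `.\Fix-IdentityScopeAcl.ps1 -WhatIf` to see the exact list of grants without changing anything, then without `-WhatIf` on the pre-production collection; diff the BEFORE/AFTER sections of the log to confirm that only the five expected permissions for `adm:` were added to each scope token and nothing else moved.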