I am experiencing an issue where I cannot add users to the Project Administrators group in a team project even though my user account is in the Project Collection Admins group. I've also tried with an account that is part of the Administration Console Users group with no success.
This only affects some Team Projects. The permissions on the out-of-the-box security groups have not been modified.
This was working fine before we upgraded from TFS2015 so I assume something changed in TFS2017.
Interestingly, I can remove users from a Project Admin group, just not add any.
I noticed that there is now a Security Service Group which seems to contain all of the other security groups. I'm wondering if this could be what is causing permission conflicts as a majority of them are 'Not set'.
Any suggestions would be greatly appreciated. :)
Rajesh Ramamurthy (MSFT) has supplied a fix (comment on Brian Harry's blog) for the issue that should also be fixed in the upcoming TFS 2017 Update 1 release.
Here is how it is done:
    select LocalScopeId
    from tbl_Groupscope
    where PartitionId > 0 and ScopeType = 2 and Active = 1
Script for step 3:
    # Collection URL and the list of LocalScopeId values returned by the query above (one per line)
    $url = "http://localhost:8080/tfs/defaultcollection"
    $localScopeIdList = Get-Content C:\LocalScopeIdList.txt
    $cmd = "C:\Program Files\Microsoft Team Foundation Server 15.0\Tools\TFSSecurity.exe"
    $collection = "/collection:" + $url
    $permissions = "Read", "Write", "Delete", "ManageMembership", "CreateScope"

    foreach ($scopeId in $localScopeIdList) {
        foreach ($permission in $permissions) {
            # Identity namespace token for the scope: "<LocalScopeId>\"
            $token = $scopeId + "\"
            # Add an ALLOW entry for this permission to the administrators group (adm:)
            $param = @("/a+", "Identity", $token, $permission, "adm:", "ALLOW", $collection)
            Write-Host $param
            & $cmd $param
        }
    }
I have tried the above on our pre-prod server with success so I expect to deploy it in production this weekend.
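A pre-flight check for the scope ID list, as an added example that is not part of the original answer or of Microsoft's fix: it validates each line as a GUID, drops blanks and duplicates, and prints the TFSSecurity arguments the script above would use without running them. The function name `Get-ValidScopeId` and the sample IDs are hypothetical; in practice the input would come from `Get-Content C:\LocalScopeIdList.txt`.

```powershell
# Constructed sample input standing in for the contents of C:\LocalScopeIdList.txt
$lines = @(
    '6f1c2a9e-3b47-4d8a-9c51-0a1b2c3d4e5f',     # constructed GUID
    '  6F1C2A9E-3B47-4D8A-9C51-0A1B2C3D4E5F ',  # same scope again, different case and whitespace
    '',                                          # blank line
    'LocalScopeId',                              # column header pasted along with the results
    '0d9e8f7a-6b5c-4d3e-2f1a-0b9c8d7e6f5a'      # constructed GUID
)

# Hypothetical helper: returns each well-formed scope ID once, warns about everything else.
function Get-ValidScopeId {
    param([string[]]$Lines)
    $seen = New-Object 'System.Collections.Generic.HashSet[guid]'
    $n = 0
    foreach ($line in $Lines) {
        $n++
        $text = $line.Trim()
        if ($text -eq '') { continue }            # a blank line would otherwise yield the token "\"
        $guid = [guid]::Empty
        # Accept only the hyphenated 32-digit form, as returned for a uniqueidentifier column
        if (-not [guid]::TryParseExact($text, 'D', [ref]$guid)) {
            Write-Warning "Line ${n}: '$text' is not a GUID, skipped"
            continue
        }
        if ($seen.Add($guid)) { $text }           # emit the original text, once per scope
    }
}

# Same permission list and collection URL as the script above
$permissions = "Read", "Write", "Delete", "ManageMembership", "CreateScope"
$collection  = "/collection:http://localhost:8080/tfs/defaultcollection"

foreach ($scopeId in Get-ValidScopeId -Lines $lines) {
    foreach ($permission in $permissions) {
        $param = @("/a+", "Identity", ($scopeId + "\"), $permission, "adm:", "ALLOW", $collection)
        # Dry run only: print what would be passed to TFSSecurity.exe, change nothing
        Write-Host ("DRY RUN: TFSSecurity.exe " + ($param -join ' '))
    }
}
```

With the sample input this prints ten dry-run lines (two scopes, five permissions each) and one warning for the header row.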