I am trying to use TFSSecurity to configure security on our new instance of TFS 2017. It works great when I test it by adding local user accounts on the TFS server into a TFS group but fails as soon as I change to trying to add domain groups or accounts. Here's the command and the results I am getting:
PS C:> &"E:\TFS 2017\Tools\tfssecurity.exe" /g+ "n:[Project1]\Contributors" n:"DOMAIN1\TFS-Developers" /collection:http://myTfsServer:8080/tfs/PrimaryCollection
Microsoft (R) TFSSecurity - Team Foundation Server Security Tool
Copyright (c) Microsoft Corporation. All rights reserved.
The target Team Foundation Server is http://myTfsServer:8080/tfs/PrimaryCollection.
Resolving identity "n:[Project1]\Contributors"...
[A] [Project1]\Contributors
Resolving identity "n:DOMAIN1\TFS-Developers"...
Error: The identity cannot be resolved.
I am running this command using an account on DOMAIN1 that can see the group in Active Directory Users and Computers, so it seems like it should not have an issue resolving the identity. However, the server is not joined to the network on DOMAIN1. It is joined to a second domain called DOMAIN2 that has a one-way trust with DOMAIN1. I suspect that this might be causing the problem, but I'm not sure how to work around it if it is, or how to diagnose the issue to know this for sure. Any ideas?
This turned out not to be a domain trust issue at all. I was using the wrong group names. Very embarrassing but a good reminder to check for the stupid stuff before you assume it's something complicated.
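A pre-flight check for the failure described in this thread, as an added example that is not part of the original post: it asks Windows to translate each DOMAIN\name to a SID before handing it to tfssecurity.exe, so a mistyped group name is reported before TFS returns "The identity cannot be resolved". The paths, URL and names are the ones from the question; `Resolve-AccountName` is a hypothetical helper, and the check assumes it is run on the TFS server, since it reflects what that machine and the calling account can resolve.

```powershell
# Added example: verify that each account name resolves before calling tfssecurity /g+.
# Values below are copied from the question; Resolve-AccountName is a hypothetical helper.
$tfsSecurity = 'E:\TFS 2017\Tools\tfssecurity.exe'
$collection  = 'http://myTfsServer:8080/tfs/PrimaryCollection'
$tfsGroup    = '[Project1]\Contributors'
$members     = @('DOMAIN1\TFS-Developers')

function Resolve-AccountName {
    param([Parameter(Mandatory)][string]$Name)
    try {
        # NTAccount.Translate performs a name-to-SID lookup as the current user.
        $account = New-Object System.Security.Principal.NTAccount($Name)
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
        [pscustomobject]@{ Name = $Name; Resolved = $true; Sid = $sid.Value; Error = $null }
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        # Windows could not map the name to a SID; most often the name
        # does not exist as typed (typo, wrong domain prefix, display name).
        [pscustomobject]@{ Name = $Name; Resolved = $false; Sid = $null
                           Error = 'Name could not be mapped to a SID' }
    }
    catch {
        # Any other failure (for example an unreachable domain) is reported verbatim.
        [pscustomobject]@{ Name = $Name; Resolved = $false; Sid = $null
                           Error = $_.Exception.Message }
    }
}

foreach ($m in $members) {
    $r = Resolve-AccountName -Name $m
    if (-not $r.Resolved) {
        # Do not call tfssecurity with a name Windows itself cannot resolve.
        Write-Warning "Skipping '$m': $($r.Error)"
        continue
    }
    Write-Host "Resolved '$m' to $($r.Sid); adding it to $tfsGroup"
    & $tfsSecurity /g+ "n:$tfsGroup" "n:$m" "/collection:$collection"
}
```

If the name resolves here but tfssecurity still reports an error, the wrong-name explanation is ruled out and the remaining difference is how TFS itself performs the lookup.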