Domain group members do not propagate to TFS


I have a security/permission issue with TFS (not the workgroup edition).

I have an Active Directory group called Proj1Cont.

There are 5 users in it (user1 through user5). Proj1Cont is designated with the Contributor permission in TFS.

user1, 2 and 3 were added last week. They can access TFS without a problem.

user4 and 5 were added this morning to the Proj1Cont group. (I checked the domain controller and the replicas and everything is fine there; no significant errors in the Event Viewer on the TFS server.)

Until now

tfssecurity /m "Proj1Cont" /n:user4 /server:tfsserver

reports: user4 is NOT in Proj1Cont

Proj1Cont is recognized as an AD group

User4 is recognized as an AD user

user1 (or 2 or 3) reports: user1 is in Proj1Cont.

I already noticed that there is mention of some delay before permissions are visible, but how long is that delay, and is there a subtle way (not REBOOT the server :-) ) to force an update of the TFS permission tables?

Any ideas/solution/troubleshooting hints?

Tnx

Rene

rene schrieken

By default, the delay is up to an hour since the sync happens hourly. To force a sync if a user needs access immediately, you can directly add the user to a Team Foundation group. If you've added many users in Active Directory, you can run iisreset on the AT (which will cause a short server outage, but will then start the sync process immediately).

After an hour, do the users still not have access?

Hope this helps-

Cheers,
Adam




This posting is provided "AS IS" with no warranties, and confers no rights.
Adam Singer MSFT

Hi Adam,

It is solved now, but for sure it wasn't after one hour. (I stored the fact that it took two hours for permissions to propagate).

Unfortunately:

A worker process with process id of '4920' serving application pool 'TFS AppPool' has requested a recycle because the worker process reached its allowed processing time limit.

I guess this did the update.... :-(

Thanks so far.

Rene

rene schrieken

It sounds like the AT was trying to sync a very large group. We're working on improving our sync process for a future version.

In the meantime, you may want to avoid adding large domain groups (e.g. "MyDomain\Domain Users") if you can help it.

Note: When I say "large", I mean containing more than 30,000 users or so. If none of your groups are anywhere near this large, let us know - there may be something else going on that's causing your sync to time out.




Chris Rathjen
CRathjen-MSFT

I think we would love to have 30.000 devs in our AD, but I'm not yet working for a top 100 company. ;-)

In our main domain there are at most 500 accounts. We have an OU TFS where the groups Project1Contributors, Project1Admins and Project1Readers reside. At the time the group Project1Contributors held 3 accounts and 3 more were added. So that totals six accounts in the group.

Before I posted I checked the event log (application, system and security) of the Domain Controllers and the TFS AT to see if there were any issues relating to this behavior. I didn't find any clue indicating a root cause for the problem.

As we both agree that this scenario should work, is there any further investigation I can perform to find out a root cause?

Tnx

Rene

rene schrieken

If you're still seeing this issue, any other suspicious event log entries you're seeing might be helpful.

We're working on improving the overall AD sync experience for a future release, but I'm not sure what could cause the timeouts you're seeing offhand.

If it's still impacting you, let me know and I'll send you the information necessary to contact support and get a more thorough investigation started.




Chris Rathjen
CRathjen-MSFT