Adding user from different domain to TFS workgroup


I am trying to add users of a different domain for TFS workgroup in the "Team Foundation Licensed Users" group and it is giving me:

"Team Foundation Server could not resolve the user or group <different domain user name>. The user or group might be a member of different domain or the server might not have access to the domain. Verify domain membership of the server and any domain trust."

I think the domain trust is OK. My question is can we add users from a different domain in the workgroup edition? I tried this successfully in the beta 3 refresh and it used to work fine.

soumya_bhatta
This seems like the add user GUI bug that is being discussed in forums. Check http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=407642&SiteID=1 . See if using tfssecurity commandline tool fixes the problem.


http://blogs.msdn.com/narend
Naren Datha - MSFT

Well, these solutions seem to apply when the users are in the same domain that the TFS is in. In my case, the users are in a different domain. So, in this case "The server and the user are in the same domain" IS NOT TRUE. They are indeed in two different domains.

I remember with TFS beta 3 refresh, I was able to give this permission through the UI, even to users in two different domains. But now, when I try through the GUI, it tells me:

"Team Foundation Server could not resolve the user or group 'John Smith'. The user or group might be a member of a different domain, or the server might not have access to that domain. Verify the domain membership of the server and any domain trusts."

I tried to use TFSSecurity.exe. Of course I tried to use the domain\user form, as there is no point using just the user when the users are indeed in a different domain. It cannot resolve users from a different domain. But, on the TFS server machine, I can give access to the same user on a file by using file properties even if he is in a different domain. That means the trust between the domains is OK?

My question is, is it possible to give a user from different domain access to a TFS project?

soumya_bhatta

Yes you can add users from different domains to TFS. The issue that you are running into is that the GUI client is able to retrieve information about the user you are adding from Active Directory, but the TFS server cannot retrieve the information.

Matthew Hoover - MSFT

Thanks Matthew. Well I hope by TFS Service Account you meant the TFSSERVICE account. Now, I do not have any other account to use really for this purpose. So, I have tried these options:

1. I used dsa.msc and checked the TFSSERVICE account. I then added Admin privilege to it.

2. After this, I used TFSAdminUtil for change account. But I changed account from domain\TFSSERVICE to domain\TFSSERVICE, which sounds ridiculous, but I wanted to try the command. It went through OK.

3. After this TFS stopped working. So I repaired it from add remove program in control panel. It came back alive.

4. Same problem persists when I try to add a user from a different domain.

So, I guess it is a problem of trust between forests? I will get the trust checked by network admin guys.

soumya_bhatta
I have, with the help of our IT admin dept., set up the trusts between the domains that were felt needed. But I am still facing the same problem. What do I need to test with the ADs between the two domains so that I am fully sure that the trust is set up in such a manner that TFS expects?
soumya_bhatta

You are correct that when I said the service account, I was talking about TFSSERVICE. The rights that TFSSERVICE needs are to query users in the domain. In order to be able to add a user to TFS, the server needs to retrieve some information about the user, such as its SID, Display Name, and mail address, among other things.

If you run:
TFSSecurity /server:<server URL> /imx <domain>\<account name>
for a user that is already in the system, you will see all of the information that we query from AD.

To perform a query against AD that is similar to what the server does, use the following command:
dsquery user -samid <account name> -d <domain> | dsget user -dn -samid -sid -display -email -L
The TFSSERVICE account needs to be able to perform this type of query for any user that is added to the system.

When a one-way trust is configured between two forests, the TFSSERVICE account must normally be a user in the more trusted forest. Since accounts from the less trusted forest are not allowed to query this information from the more trusted forest, you are unable to add users from the more trusted forest when the TFSSERVICE account comes from the less trusted forest.

--Matt Hoover

Matthew Hoover - MSFT
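
The lookup described in the reply above can also be run as a scripted check. This is an added example, not part of the thread and not a TFS tool. The function name Test-TfsIdentityLookup is hypothetical, and the script assumes it is run in a session started as the TFSSERVICE account so that the result reflects what that account is allowed to read across the trust.

```powershell
# Added diagnostic, not from the thread. Start the session as the service account,
# e.g.  runas /user:<domain>\TFSSERVICE powershell.exe
function Test-TfsIdentityLookup {            # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Domain,    # domain of the user being added
        [Parameter(Mandatory)][string]$Account    # sAMAccountName of that user
    )
    # Reject characters that would change the meaning of the LDAP filter below.
    if ($Account -notmatch '^[\w.\- ]+$') { throw "Unexpected characters in account name" }

    $result = [ordered]@{
        RunAs = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        Sid = $null; DisplayName = $null; Mail = $null; Errors = @()
    }

    # 1. Name-to-SID translation; fails if the current account cannot resolve
    #    identities in the other domain.
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Domain, $Account)
        $result.Sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { $result.Errors += "SID lookup failed: $($_.Exception.Message)" }

    # 2. Directory query for the descriptive attributes named in the reply
    #    (display name and mail address).
    try {
        $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain")
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
        $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$Account))"
        [void]$searcher.PropertiesToLoad.AddRange([string[]]@('displayName', 'mail'))
        $hit = $searcher.FindOne()
        if ($null -eq $hit) {
            $result.Errors += "No directory entry returned for $Domain\$Account"
        } else {
            # An attribute that is simply unset on the user stays $null; that is not an error.
            if ($hit.Properties.Contains('displayname')) { $result.DisplayName = [string]$hit.Properties['displayname'][0] }
            if ($hit.Properties.Contains('mail'))        { $result.Mail = [string]$hit.Properties['mail'][0] }
        }
    } catch { $result.Errors += "Directory query failed: $($_.Exception.Message)" }

    [pscustomobject]$result
}
```

Running it once as an interactive administrator and once as TFSSERVICE, for the same <domain> and <account name>, shows whether the two accounts see different results, which is the situation described for the GUI client versus the server.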