Today I moved my TFS server from a workgroup to domain environment. When I run ActivateAT to start TFS, everything works fine. When I connect to the TFS from Team Explorer, I get several error logs in Windows event log in the machine for AT saying:
TF50309: The following account does not have sufficient permissions to complete the operation: Domain\tfsservice. Check the permissions for the account and grant the appropriate permissions to perform this operation. (type SecurityException)
Then I run TfsAdminUtil SID and found the TFS service account is not listed. This problem is solved by adding the service account TfsService to Service Accounts group by running TfsSecurity command:
TfsSecurity g+ “Service Accounts” Domain\TfsService
Well that is strange…I mean about a month ago I did the same thing–meaning moved MY TFS server from a workgroup to domain environment…but once I was done with the moving…everything was working fine…so maybe you should recheck your steps..cause I know I did nothing special..and yet everything went ok when I did it…
Comment by neongreen — November 27, 2008 @ 2:37 pm
Yes you are right. Something bad happened during the move. After I fixed many issues, the SIDs for several accounts are messed up. The SIDs stored in TfsWorkItemTracking database can’t be synchronized with AD. Struggling several days I finally descried to move TFS again yesterday. This problem didn’t occur and everything works fine now.
Comment by Bill — November 30, 2008 @ 6:22 am
When running
TfsSecurity g+ “Service Accounts” Domain\TfsService
I get the error I need to include the server, so I have tried
TfsSecurity g+ “Service Accounts” Domain\TfsService /server:sername.
No I get TfsSecurity g+ “Service Accounts” Domain\TfsService
Any ideas?
Comment by joey — April 10, 2009 @ 8:18 pm