TFSSecurity Identity and Output Specifiers

The input and output for the TFSSecurity command-line utility follow a standard format. The valid identity and output specifiers are described in the following tables.

Note

Even if you are logged on with administrative credentials, you must open an elevated Command Prompt to perform this function on a server that is running Windows Server 2008. To open an elevated Command Prompt, click Start, right-click Command Prompt, and click Run as Administrator. For more information, see the Microsoft Web site.

Identity Specifiers

An identity can be referenced by one of the following notations.

Identity specifier: sid:sid
Description: References the identity with the specified SID.
Example: sid:S-1-5-21-2127521184-1604012920-1887927527-588340

Identity specifier: n:[domain\]name
Description: References the identity with the specified name. For Windows, name is the logon name. If domain is omitted and a global catalog (GC) is available, the lookup is performed by the GC. If domain is omitted and a GC is not available, the default domain context is used. For application groups, name is the group display name and domain is the containing project's URI or GUID. If domain is omitted, the global scope is assumed.
Examples:
To reference the identity of the user "John Peoples" in the domain "Datum1" at the fictitious company "A. Datum Corporation":
n:DATUM1\jpeoples
If there is only one domain, or you are logged into the Datum1 domain, the following would work as well:
n:jpeoples
To reference application groups:
n:"Full-time Employees"
n:00a10d23-7d45-4439-981b-d3b3e0b0b1ee\Vendors

Identity specifier: dn:dn
Description: References the identity with the specified distinguished name. The distinguished name can be prefixed by LDAP://.
Examples:
dn:CN=John Peoples,CN=Users,DC=Datum1,DC=com
dn:LDAP://CN=Developers,OU=Groups,DC=Datum1,DC=com

Identity specifier: adm:[scope]
Description: References the administrative application group for the scope. The optional parameter scope is a project URI or GUID. If scope is omitted, the global scope is assumed, but the colon is still required.
Example: adm:Team Foundation Administrators

Identity specifier: srv:
Description: References the service application group.
Example: NA

Identity specifier: string
Description: References an unqualified string. If string starts with S-1-, it is identified as a SID. If string starts with CN= or LDAP://, it is identified as a distinguished name. Otherwise, string is identified as a name.
Example: "Team testers"

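The classification rules in the table above, as an added Python example that is not part of the original documentation or of TFSSecurity itself. The function name classify, the returned dictionary layout and the SID shape check are assumptions of this example; it covers the sid:, n:, dn: and srv: forms and the unqualified-string rule.

```python
import re

# Assumption of this example: a SID is "S-1-" followed by dash-separated decimal fields.
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")


def _unquote(text):
    """Drop one pair of surrounding double quotes, as in n:"Full-time Employees"."""
    if len(text) >= 2 and text[0] == text[-1] == '"':
        return text[1:-1]
    return text


def _sid(value):
    if not SID_RE.fullmatch(value):
        raise ValueError("malformed SID: %r" % value)
    return {"kind": "sid", "value": value}


def _dn(value):
    # The LDAP:// prefix is optional; normalise it away so both forms compare equal.
    if value.startswith("LDAP://"):
        value = value[len("LDAP://"):]
    return {"kind": "dn", "value": value}


def _name(value):
    # n:[domain\]name -- the domain (or project URI/GUID) part is optional.
    domain, sep, name = value.rpartition("\\")
    return {"kind": "name", "domain": domain if sep else None, "name": _unquote(name)}


def classify(spec):
    """Classify one identity specifier (hypothetical helper, not part of TFSSecurity)."""
    spec = _unquote(spec.strip())
    if spec.startswith("sid:"):
        return _sid(spec[4:])
    if spec.startswith("dn:"):
        return _dn(spec[3:])
    if spec.startswith("n:"):
        return _name(spec[2:])
    if spec == "srv:":
        return {"kind": "service_group"}
    # Unqualified string: SID first, then distinguished name, otherwise a name.
    if spec.startswith("S-1-"):
        return _sid(spec)
    if spec.startswith(("CN=", "LDAP://")):
        return _dn(spec)
    return _name(spec)
```

Because an unqualified string starting with S-1- is always read as a SID, a group whose display name begins that way has to be written with the n: prefix; the example raises ValueError on the bare form.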
Type Markers

Identity Type Markers

The following identity type markers are used in output messages.

| Identity type marker | Description |
| --- | --- |
| U | Windows user. |
| G | Windows group. |
| A | Team Foundation Server application group. |
| a [A] | Administrative application group. |
| s [A] | Service application group. |
| X | Invalid identity. |
| ? | Unknown identity. |

Access Control Entry Markers

The following access control entry markers are used in output messages.

| Access control entry marker | Description |
| --- | --- |
| + | ALLOW access control entry. |
| - | DENY access control entry. |
| * [] | Inherited access control entry. |
