TFSSecurity Identity and Output Specifiers
The input and output for the TFSSecurity command-line utility follow a standard format. The tables later in this topic describe valid identity and output specifiers for this command. These specifiers apply to all of the TFSSecurity command-line utilities.
Even if you are logged on with administrative credentials, you must open an elevated Command Prompt to perform this function on a server that is running Windows Server 2008. To open an elevated Command Prompt, click Start, right-click Command Prompt, and click Run as Administrator. For more information, see this page on the Microsoft Web site: User Account Control.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, places, or events is intended or should be inferred.
You can reference an identity by using one of the notations in the following table.
References the identity that has the specified security identifier (SID).
References the identity that has the specified name. For Windows, Name is the account name. If the referenced identity is in a domain, the domain name is required. For application groups, Name is the group display name, and Domain is the URI or GUID of the containing project. In this context, if Domain is omitted, the scope is assumed to be at the collection level.
To reference the identity of the user "John Peoples" in the domain "Datum1" at the fictitious company "A. Datum Corporation:"
To reference application groups:
References the administrative application group for the scope, such as "Team Foundation Administrators" for the server level or "Project Collection Administrators" at the collection level. The optional parameter Scope is a project URI or URL, including its GUID and connection string. If Scope is omitted, the server or collection scope is assumed based on whether the /instance or /server parameter is used. In either case, the colon is still required.
References the application group for service accounts.
References all groups and identities.
References an unqualified string. If String starts with S-1-, it is identified as a SID. If String starts with CN= or LDAP:// it is identified as a distinguished name. Otherwise, String is identified as a name.
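The following added example (not part of the original topic and not TFSSecurity's own code) applies the unqualified-string rule above to a list of identities, so a permission script can check how each string will be interpreted before it is passed to the tool. The function names, the backslash as the Domain separator, exact-case prefix matching, and all sample values are assumptions made for illustration.

```python
from typing import List, NamedTuple, Optional


class Identity(NamedTuple):
    kind: str               # "sid", "distinguished_name" or "name"
    value: str              # the string exactly as supplied
    domain: Optional[str]   # set only for a name that carries a domain
    name: Optional[str]     # set only when kind == "name"


def classify_identity(text: str) -> Identity:
    """Classify an unqualified identity string by the prefix rules above.

    Assumption: prefixes are matched exactly as written (case-sensitive);
    the topic does not say how case is handled.
    """
    if not text:
        raise ValueError("empty identity string")
    if text.startswith("S-1-"):
        return Identity("sid", text, None, None)
    if text.startswith("CN=") or text.startswith("LDAP://"):
        return Identity("distinguished_name", text, None, None)
    # Anything else is a name. Assumption: a domain, when present, is
    # separated from the name by the first backslash.
    domain, sep, name = text.partition("\\")
    if sep:
        return Identity("name", text, domain, name)
    return Identity("name", text, None, text)


def needs_scope_review(inputs: List[str]) -> List[str]:
    """Return names given without a domain. For application groups the
    topic says these are assumed to be at the collection level, so a
    reviewer should confirm that scope is the intended one."""
    flagged = []
    for item in inputs:
        ident = classify_identity(item)
        if ident.kind == "name" and ident.domain is None:
            flagged.append(item)
    return flagged


# Constructed sample values; none of them come from a real system.
SAMPLES = [
    "S-1-5-21-1111111111-2222222222-3333333333-1001",
    "CN=John Peoples,OU=Staff,DC=datum1,DC=example",
    "LDAP://CN=John Peoples,OU=Staff,DC=datum1,DC=example",
    "Datum1\\jpeoples",
    "Project Collection Administrators",
]
```
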
Identity Type Markers
The following table lists identity type markers that are used in output messages.
Identity type marker
Team Foundation Server application group.
Administrative application group.
Service account application group.
Identity is not valid.
Identity is unknown.
Access Control Entry Markers
The following table lists access control entry markers that are used in output messages.
Access control entry marker
ALLOW access control entry.
DENY access control entry.
Inherited access control entry.