TFSSecurity Identity and Output Specifiers
The input and output for the TFSSecurity command-line utility follow a standard format. The valid identity and output specifiers are described in the following tables.
Even if you are logged on with administrative credentials, you must open an elevated Command Prompt to perform this function on a server that is running Windows Server 2008. To open an elevated Command Prompt, click Start, right-click Command Prompt, and click Run as Administrator. For more information, see the Microsoft Web site.
An identity can be referenced by one of the following notations.
References the identity with the specified SID.
References the identity with the specified name. For Windows, name is the logon name. If domain is omitted and global catalog (GC) is available, the lookup operation will be performed by GC. If domain is omitted and GC is not available, the default domain context is used. For application groups, name is the group display name and domain is the containing project's URI or GUID. If domain is omitted, the global scope is assumed.
To reference the identity of the user "John Peoples" in the domain "Datum1" at the fictitious company "A. Datum Corporation":
If there is only one domain, or you are logged into the Datum1 domain, the following would work as well:
To reference application groups:
References the identity with the specified distinguished name. The distinguished name can be prefixed by LDAP://.
References the administrative application group for the scope. The optional parameter scope is a project URI or GUID. If scope is omitted, the global scope is assumed, but the colon is still required.
dm:Team Foundation Administrators
References the service application group.
References an unqualified string. If string starts with S-1-, it is identified as a SID. If string starts with CN= or LDAP:// it is identified as a distinguished name. Otherwise, string is identified as a name.
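The classification rule for unqualified strings, combined with the name lookup rules above, as an added PowerShell example (not part of TFSSecurity or of the original page). The function name, the output fields, the case-sensitive prefix match, the backslash separator between domain and name, and all sample values are assumptions made for illustration.

```powershell
# Added example; function name and output fields are hypothetical, not part of TFSSecurity.
function Resolve-TfsIdentityString {
    param([Parameter(Mandatory = $true)][string]$Value)

    $ord = [System.StringComparison]::Ordinal   # assumption: prefixes match case-sensitively
    if ($Value.StartsWith('S-1-', $ord)) { $kind = 'SID' }
    elseif ($Value.StartsWith('CN=', $ord) -or $Value.StartsWith('LDAP://', $ord)) {
        $kind = 'DistinguishedName'
    }
    else { $kind = 'Name' }

    $domain = $null; $name = $null; $warning = $null
    switch ($kind) {
        'SID' {
            # The prefix alone decides the type, so check that the value really parses as a SID.
            try {
                $null = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $Value -ErrorAction Stop
            }
            catch { $warning = 'Treated as a SID because of the S-1- prefix, but not a well-formed SID' }
        }
        'Name' {
            # Assumption: an optional domain (or project URI/GUID) precedes the name, separated by '\'.
            $i = $Value.IndexOf('\')
            if ($i -ge 0) {
                $domain = $Value.Substring(0, $i)
                $name   = $Value.Substring($i + 1)
            }
            else {
                $name    = $Value
                $warning = 'No domain: resolved by GC or default domain context (Windows), or global scope (application group)'
            }
        }
    }
    [pscustomobject]@{ Input = $Value; Kind = $kind; Domain = $domain; Name = $name; Warning = $warning }
}

# Constructed sample inputs (not taken from a real server).
$samples = @(
    'S-1-5-21-1111111111-2222222222-3333333333-1001',
    'S-1-Contractors',
    'LDAP://CN=John Peoples,OU=Staff,DC=datum1,DC=example',
    'Datum1\jpeoples',
    'Team Foundation Administrators'
)
$samples | ForEach-Object { Resolve-TfsIdentityString -Value $_ } | Format-List
```

Rows that carry a warning are the ones worth writing out in fully qualified form in permission scripts, because their interpretation depends on the prefix rule or on the lookup environment.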
Identity Type Markers
The following identity type markers are used in output messages.
Identity type marker
Team Foundation Server application group.
Administrative application group.
Service application group.
Access Control Entry Markers
The following access control entry markers are used in output messages.
Access control entry marker
ALLOW access control entry.
DENY access control entry.
Inherited access control entry.