Export (0) Print
Expand All

Managing and Resetting Service Accounts and Passwords

Team Foundation Server includes several services and service accounts that run on either the server or servers hosting the logical Team Foundation data-tier, or the server hosting the logical Team Foundation application-tier, or both. Your actual services will vary. It depends on which features of Team Foundation you have installed on your data tier and application-tier servers. For example, if you have opted for a single-server setup, you will have both logical data-tier and application-tier services that run on the same physical server.

Although there are several service accounts used in Team Foundation Server, you can choose to use the same physical account for all of the service accounts. For example, you can use the same domain account as the account for both the Team Foundation Server service account (TFSSERVICE) and for the Reporting Services data sources account (TFSREPORTS). For clarity, each of the service accounts is referred to explicitly by its functional service placeholder name. However, TFSSERVICE and TFSREPORTS have slightly different permission requirements. TFSSERVICE must have the Log on as a service permission. TFSREPORTS must have the Allow log on locally permission. If you use the same account for both, that account must have both of these permissions.

If you have deployed Team Foundation Server in an Active Directory domain, you should set the Account is sensitive and cannot be delegated option for service accounts. For example, in the following table, you should set that option for the Team Foundation Server service account TFSService. For more information about required service accounts and placeholder names used in Team Foundation Server documentation, see the topic "User Accounts Required for Installation" in the Team Foundation Installation Guide. For more information about the installation guide, see Installation Overview for Team Foundation Server. For more information about how to restrict account delegation in Active Directory, see the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=61995).

Service name

Service account

Logical Tier

Code Coverage Service

TFSService, which can be a local account, a domain account, Local Service in a workgroup, or Network Service in a domain

application tier

Team Foundation Server Web Services

TFSService

application tier

Report Server (MSSQLSERVER or InstanceName if using a named instance)

Network Service or a domain account

application tier

Report Web Service

Local System, Network Service, or a domain account

application tier

SharePoint Services

Domain account

application tier

Team Build Service (if Team Foundation Build is installed)

TFSBuild

build computer

TFS Server Scheduler

TFSService

application tier

Analysis Server (MSSQLSERVER or InstanceName if using a named instance)

Local System or a domain account

data tier

SQL Server Agent

Local System or a domain account

data tier

SQL Browser

Local System or a domain account

data tier

SQL Server

Local System or a domain account

data tier

For more information about service accounts for SQL Server, see the SQL Server Books Online on the Microsoft Web site. For more information about service accounts in Team Foundation, download the installation guide for Team Foundation from the Microsoft Web site.

NoteNote:

If you change the service account for Team Build Service, you must make sure that the account is a member of the Build Services group, and that the account has read/write permissions to the temporary folders and the ASP.NET temporary folder. Similarly, if you change the service account for the Team Foundation Server Proxy service, you must make sure that the account is a member of the appropriate groups. For more information, see Setting up a Build Computer and How to: Configure Cache Security for Team Foundation Server Proxy.

Community Additions

ADD
Show:
© 2014 Microsoft