Accounts required for installation of Team Foundation Server

Article
04/20/2015

You must use service accounts to install Team Foundation Server, Team Foundation Build, and Team Foundation Server Proxy. If you use reporting, you also need a report reader account when you install Team Foundation Server. This topic describes the requirements for service accounts and the report reader account for installation. For more information, see Service Accounts and Dependencies in Team Foundation Server.

Team Foundation Server requires multiple identities for installation, but you can use a single account for all the identities, as long as that account meets the requirements for all the identities for which you use it.

Tip

Confused about accounts? New for this release is a tutorial available for Team Foundation Server installation that covers how to create accounts and groups for a single server installation. For more information, see Set up groups for use in TFS deployments.

Best practices for accounts

If you use domain accounts for your service accounts, you should use a different identity for the report reader account.
If you are installing a component in a workgroup, you must use local accounts for user accounts.

Report reader account

The report reader account is the identity that is used to gather information for reports. If you use reporting, you must specify a report reader account when you install Team Foundation Server.

If you install Team Foundation Server with the default options, the report reader account is also used as the identity of the service account for SharePoint Foundation.

Feature	Sample user logon name ¹	Requirements
Reporting	TFSREPORTS	You must specify a user account that has the Allow log on locally permission. Default: You are prompted for this account. You cannot use a built-in account for the report reader account.

Reporting

TFSREPORTS

You must specify a user account that has the Allow log on locally permission.

Default: You are prompted for this account. You cannot use a built-in account for the report reader account.

Service accounts

Team Foundation Server, Team Foundation Build and Team Foundation Server Proxy all require a service account. These service accounts become the identity for the installed component. By default, every component uses a built-in account (such as Network Service) as its service account. You can change this account to a user account when you install the component, but you must ensure that any user accounts that you use have the Log on as a service permission.

Tip

Built-in accounts do not use passwords and already have the Log on as a service permission, making them easier to manage, especially in a domain environment.

Service accounts for Team Foundation Server

The service accounts in the following table are the identities for Team Foundation Server and its components.

The service account for Team Foundation Server is also used in Internet Information Services (IIS) as the identity of the application pool for Team Foundation Server.

Component	Sample user logon name ¹	Requirements
Team Foundation Server	TFSSERVICE	You can specify a built-in account or a user account. If you specify a user account, it must have the Log on as a service permission. You must not use the account that you use to install Team Foundation Server as the account for TFSSERVICE. For example, if you are logged in as domain\user1 when you install Team Foundation Server, do not use domain\user1 as the account for TFSSERVICE. If your SharePoint site was not installed at the same time as Team Foundation Server, you must add TFSSERVICE to the Farm Administrators group for the SharePoint Central Administration site. For more information, see Add the service account for Team Foundation Server to the Farm Administrators group. Default: Network Service
Team Foundation Build	TFSBUILD	You can specify a built-in account or a user account. If you use a user account, it must have the Log on as a service permission.
Team Foundation Server Proxy	TFSPROXY	You can specify a built-in account or a user account. If you use a user account, it must have the Log on as a service permission.

Team Foundation Server

TFSSERVICE

You can specify a built-in account or a user account. If you specify a user account, it must have the Log on as a service permission.

You must not use the account that you use to install Team Foundation Server as the account for TFSSERVICE. For example, if you are logged in as domain\user1 when you install Team Foundation Server, do not use domain\user1 as the account for TFSSERVICE.

If your SharePoint site was not installed at the same time as Team Foundation Server, you must add TFSSERVICE to the Farm Administrators group for the SharePoint Central Administration site. For more information, see Add the service account for Team Foundation Server to the Farm Administrators group.

Default: Network Service

Team Foundation Build

TFSBUILD

You can specify a built-in account or a user account. If you use a user account, it must have the Log on as a service permission.

Team Foundation Server Proxy

TFSPROXY

You can specify a built-in account or a user account. If you use a user account, it must have the Log on as a service permission.

Service accounts for Release Management for Visual Studio 2013

The service accounts in the following table are the identities for Release Management Server and the Microsoft Deployment agent.

Component	Sample user logon name ¹	Requirements
Release Management Server	RMSERVER	This is the identity used in Internet Information Service (IIS) for the application pool and the Release Management Monitor Windows service. Default: Network Service
Microsoft Deployment Agent	DEPLOY	This identity is used to configure the machines in your environment for release. Make sure the identity you use here has enough permission to do whatever tasks are required. For example, if you need to install your application on this machine as part of your release, add this identity to the local Windows Administrators security group. If this identity will need to access builds on the network, make sure it has access to the network drop location. For step-by-step procedure, go here: Install deployment agent and set up machines for an environment Default: you are prompted for an account.

Release Management Server

RMSERVER

This is the identity used in Internet Information Service (IIS) for the application pool and the Release Management Monitor Windows service.

Default: Network Service

Microsoft Deployment Agent

DEPLOY

This identity is used to configure the machines in your environment for release. Make sure the identity you use here has enough permission to do whatever tasks are required. For example, if you need to install your application on this machine as part of your release, add this identity to the local Windows Administrators security group. If this identity will need to access builds on the network, make sure it has access to the network drop location. For step-by-step procedure, go here: Install deployment agent and set up machines for an environment

Default: you are prompted for an account.

Connect Release Management to TFS account

If you connect Release Management to TFS, you need an account in TFS to act as an intermediary account. For a step-by-step procedure, go here: Connect Release Management to TFS

Component	Sample user logon name ¹	Requirements
Release Management Server (connected to TFS)	RMTFS	A TFS user that is a member of the Project Collection Administrators¹ group and has the Make requests on behalf of others permission set to allow in TFS.

¹ What are the necessary minimal permissions that this account must have? (blog post)

Service accounts for additional software

The following table lists the service accounts that are the identities that are used to run Windows services for SharePoint Products and SQL Server.

The service account for SharePoint Products is also the identity of the application pool for the SharePoint Central Administration site.

Software	Sample user logon name ¹	Requirements
SharePoint Products	WSSSERVICE	You must specify a user account. Default: If you install Team Foundation Server with the default options, the account that you specified as the report reader account is also used for this account.
SQL Server	SQLSERVICE	You can use a built-in system account or set up an account before you install SQL Server. Team Foundation Server has no requirements for this account.

SharePoint Products

WSSSERVICE

You must specify a user account.

Default: If you install Team Foundation Server with the default options, the account that you specified as the report reader account is also used for this account.

SQL Server

SQLSERVICE

You can use a built-in system account or set up an account before you install SQL Server. Team Foundation Server has no requirements for this account.

¹ To make it easier to discuss the different accounts that Team Foundation Server requires, this guide uses the placeholder names that are specified in the preceding tables. You do not have to use these placeholder names for any accounts that you might create.