Important: This document may not represent best practices for current development. Links to downloads and other resources may no longer be valid. Current recommended version can be found here.
Synchronizing Administrator Accounts
In any Team Foundation Server deployment, you must configure accounts and permissions in three separate places: within Windows SharePoint Services, within Microsoft SQL Reporting Services, and within the Team Foundation Server user interface. Depending on your Team Foundation Server deployment, you might need to configure administrative accounts on other computers, including build computers, Web servers, and test rigs, as well as Team Foundation application-tier and data-tier servers. Keeping track of all of those administrator accounts and passwords can be problematic. You can mitigate some of the administrative overhead of maintaining these accounts by synchronizing the users and groups that need these permissions across the separate computers.
Determining a Synchronization Strategy
Your synchronization strategy for Team Foundation Server depends primarily on two factors: the level of trust you want to extend to the users within your Team Foundation Server deployment, and whether Team Foundation Server is deployed within an Active Directory domain or within a workgroup. Having many administrators across the servers and software can minimize the administrative burden and make configuration simpler, but it greatly increases the security risks. For security reasons, you should limit the number of user accounts with administrative permissions to the absolute minimum.
Synchronizing Administrator Accounts in an Active Directory Domain
If you have deployed Team Foundation Server in an Active Directory domain, you can create an Active Directory group for user accounts that need administrative permissions for Team Foundation Server across servers and software. For example, you can create a group called TFSAdmins, and add that group to the Administrators group in Windows SharePoint Services and in SQL Reporting Services, to the Team Foundation Administrators group in Team Foundation Server, and to the Team Foundation servers themselves. You can then add the users who need administrative permissions to that group, and not have to worry about managing a number of different administrator accounts. You can simply add or remove users from that group as necessary, and add that one administrative group to other servers, such as build computers, as needed.
Synchronizing Administrator Accounts in a Workgroup
If you have deployed Team Foundation Server in a workgroup, you cannot create a single group account for all user accounts that need administrator permissions. You must add each user account to each Administrator group and computer separately. In this case, you might want to consider creating a master list of which user accounts need administrative permissions on which computers and within which software. This way, you will have a record to refer to when you need to add, remove, or adjust administrative permissions.
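One way to put the master list to work is to compare it with what each computer actually reports. The following is an added example, not code from the original page or from Microsoft: it parses the output of `net localgroup Administrators` collected from each computer and reports accounts that are unexpected or missing. The computer names, account names and captured output are constructed, English-language command output is assumed, and only the computers' local Administrators groups are covered, not the groups inside Windows SharePoint Services, SQL Reporting Services, or Team Foundation Server.

```python
# Added example: audit local Administrators membership against the master list.
MASTER_LIST = {  # constructed: computer -> accounts approved as administrators
    "TFS-AT": {"administrator", "alice", "bob"},
    "TFS-DT": {"administrator", "alice"},
    "BUILD01": {"administrator", "alice"},
}

NET_OUTPUT = """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
{members}
The command completed successfully.
"""

CAPTURED = {  # constructed: output of `net localgroup Administrators` per computer
    "TFS-AT": NET_OUTPUT.format(members="Administrator\nalice\nbob"),
    "TFS-DT": NET_OUTPUT.format(members="Administrator\nalice\ncarol"),
}

def parse_members(output):
    """Return account names listed between the dashed rule and the status line."""
    members, in_list = set(), False
    for line in (raw.strip() for raw in output.splitlines()):
        if line.startswith("---"):
            in_list = True
        elif in_list and line and not line.startswith("The command completed"):
            members.add(line.lower())  # Windows account names are case-insensitive
    return members

def audit(master, captured):
    """Report drift per computer; None means no output was collected for it."""
    report = {}
    for computer in sorted(set(master) | set(captured)):
        if computer not in captured:
            report[computer] = None  # listed in the master list but never checked
            continue
        approved = master.get(computer, set())  # unlisted computer: nothing approved
        actual = parse_members(captured[computer])
        report[computer] = {"unexpected": sorted(actual - approved),
                            "missing": sorted(approved - actual)}
    return report

if __name__ == "__main__":
    print(audit(MASTER_LIST, CAPTURED))
```

A computer that appears in the master list but has no collected output is reported as `None` rather than as clean, so an unchecked server is not mistaken for a compliant one.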