TFSSecurity Identity and Output Specifiers
Important: This document is archived and may not represent best practices for current development; links to downloads and other resources may no longer be valid.


The input and output of the TFSSecurity command-line utility follow a standard format. The valid identity specifiers (input) and output markers are described in the following tables.

Identity Specifiers

An identity can be referenced by one of the following notations.

Identity specifier    Description    Example

sid:sid
    References the identity with the specified SID.

n:[domain\]name
    References the identity with the specified name. For Windows, name is the logon name. If domain is omitted and a global catalog (GC) is available, the lookup is performed against the GC. If domain is omitted and no GC is available, the default domain context is used. For application groups, name is the group display name and domain is the containing project's URI or GUID. If domain is omitted, the global scope is assumed.

    To reference the identity of the user "John Peoples" in the domain "Datum1" at the fictitious company "A. Datum Corporation", qualify the logon name with the domain:

        n:Datum1\name    (where name is the user's logon name)

    If there is only one domain, or you are logged into the Datum1 domain, the unqualified logon name works as well:

        n:name

    To reference an application group whose display name contains spaces, quote the name after the prefix:

        n:"Full-time Employees"

dn:distinguished name
    References the identity with the specified distinguished name. The distinguished name can be prefixed by LDAP://.

        dn:CN=John Peoples,CN=Users,DC=Datum1,DC=com

adm:[scope]
    References the administrative application group for the scope. The optional parameter scope is a project URI or GUID. If scope is omitted, the global scope is assumed, but the colon is still required.

        adm:    (the global Team Foundation Administrators group)

srv:
    References the service application group.

string
    References an unqualified string. If string starts with S-1-, it is interpreted as a SID. If string starts with CN= or LDAP://, it is interpreted as a distinguished name. Otherwise, string is interpreted as a name. Because this classification looks only at the prefix, scripts that grant or revoke permissions should use the explicit sid:, n:, or dn: forms so that a name cannot be misread as a different kind of identity.

        "Team testers"
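The following PowerShell is an added example, not part of the TFSSecurity documentation or of the tool itself. It applies the prefix rule from the "string" row above to an unqualified string and emits the explicit sid:, dn:, or n: specifier, so a script never depends on tfssecurity.exe guessing. Two details the page does not state are assumed here: prefix matching is case-insensitive, and a name containing whitespace is wrapped in double quotes after the prefix (with a domain, around the whole domain\name), following the n:"Full-time Employees" example. The function names, the -Domain parameter, and the sample inputs are all constructed for this example.

```powershell
# Added example (assumed helper names); not code from the TFSSecurity documentation.

function Get-TfsIdentityKind {
    # Classifies a bare string exactly as the "string" row describes:
    # S-1- prefix -> SID, CN= or LDAP:// prefix -> distinguished name, else a name.
    param([Parameter(Mandatory)][string]$Identity)
    if ($Identity -match '^S-1-')          { return 'sid' }
    if ($Identity -match '^(CN=|LDAP://)') { return 'dn' }   # -match ignores case (assumption)
    return 'name'
}

function ConvertTo-TfsIdentitySpecifier {
    # Returns an explicit sid:/dn:/n: specifier for $Identity.
    # Strings that already carry a known prefix are passed through unchanged.
    # -Domain applies only to the n: form: a Windows domain for users and
    # groups, or the containing project URI/GUID for an application group.
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string]$Domain
    )
    if ($Identity -match '^(sid|n|dn|adm|srv):') { return $Identity }

    switch (Get-TfsIdentityKind $Identity) {
        'sid'  { return "sid:$Identity" }
        'dn'   { return "dn:$Identity" }
        'name' {
            $name = if ($Domain) { "$Domain\$Identity" } else { $Identity }
            # Quote after the prefix when the name contains whitespace (assumption).
            if ($name -match '\s') { $name = "`"$name`"" }
            return "n:$name"
        }
    }
}

function Get-TfsAdminGroupSpecifier {
    # Builds the adm: form; scope is optional but the colon is always present.
    param([string]$Scope)
    return "adm:$Scope"
}

# Constructed sample inputs. The SID is the well-known BUILTIN\Administrators SID;
# the DN is the one shown in the table; the rest are illustrative names.
$samples = @(
    'S-1-5-32-544',
    'CN=John Peoples,CN=Users,DC=Datum1,DC=com',
    'LDAP://CN=John Peoples,CN=Users,DC=Datum1,DC=com',
    'Team testers',
    'Full-time Employees'
)
foreach ($s in $samples) {
    '{0,-50} -> {1}' -f $s, (ConvertTo-TfsIdentitySpecifier $s)
}
ConvertTo-TfsIdentitySpecifier -Identity 'jsmith' -Domain 'Datum1'   # jsmith is a constructed logon name
Get-TfsAdminGroupSpecifier                                            # global scope: adm:
```

The returned string is what you would type as the identity argument on the tfssecurity command line; keeping the conversion in one place means a display name such as "Team testers" is always passed as n:"Team testers" rather than left for the tool to classify.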

Type Markers

Identity Type Markers

The following identity type markers are used in output messages.

Identity type marker    Description

u           Windows user.

g           Windows group.

a           Team Foundation Server application group.

a [ A ]     Administrative application group.

s [ A ]     Service application group.

            Invalid identity.

            Unknown identity.

Access Control Entry Markers

The following access control entry markers are used in output messages.

Access control entry marker    Description

+           ALLOW access control entry.

-           DENY access control entry.

* [ ]       Inherited access control entry.


© 2015 Microsoft