Permissions for the Team Foundation Build Drop Folder
The Team Foundation Build drop folder is the location where the built binaries, build log files, and the test results log files are published during the build process. The build service account, under which the build process runs, must have the appropriate permissions for this drop folder. If you want to publish test results, the Visual Studio Team Foundation Server service account under which the Web services are running must have the same permissions to the drop location.
When you set up a build agent, you must be an administrator on that computer. You must also provide a valid build service account that will be used for the build process
Do not use the Team Foundation Server service account to run the build service.
The build service account:
Must be a member of the Build Services group. For more information, see How to: Establish Permissions for Team Foundation Build Agent.
Should not be an administrator on Team Foundation Server computers.
Should have the option Account is sensitive and cannot be delegated selected in the Properties pane of Active Directory Users and Computers. For more information, see "Enabling Delegated Authentication" ().
The build service account must have the following permissions:
For a particular build agent to copy builds to a drop, the build service account must have Full Control to the shared drop folder. In Windows Vista or Windows Server 2008, the account must be a Co-Owner of the drop folder.
If you include tests as a part of the build process, the build service account must have the Publish Test Results permission.
For Team Foundation Build to automatically publish unit test results, the application-tier service account must have Full Control to the drop folder.
For individual users to publish unit test results (from the Visual Studio IDE, from MSTest.exe, or from a desktop build of tfsbuild.proj), they must have the Write permission to the drop folder.