How to: Assign a New Account to a Team Foundation Server Service

  • Article

You can replace the Team Foundation Server service account that you specified when you installed Team Foundation Server (referred to as the TFSService account) with another account, such as domain\TFSSVC. To make this change, use the TFSAdminUtil utility with the ChangeAccount argument. This tool updates Team Foundation servers by replacing the old service account information with the new information. You must also make sure that the new service account has the Log on as a service permission. If you change the Reporting Services service account, you must also update the credentials for the Reporting Service data sources after you run TfsAdminUtil ChangeAccount. Finally, you must change the msiproperty.ini file to reflect the new service account name for the Team Foundation Server service account and the Reporting Services service account.

Note

The TFSAdminUtil utility does not physically create an account or change its password, it only updates Team Foundation Server to use the current credentials. The service account can be either a local or a domain account, and TFSAdminUtil can be scripted to allow for automated updates. For more information, see ChangeAccount Command.

Required Permissions

To perform this procedure, you must be a member of the Administrators group on the Team Foundation application-tier server, a member of the SQL Server Administrator group on the Team Foundation data-tier server, and a member of the Domain Administrators group in Active Directory (if you are running Team Foundation Server in an Active Directory domain). For more information about permissions, see Team Foundation Server Permissions.

Updating Service Account Information with TFSAdminUtil

To assign a new service account to all Team Foundation Server services

  1. From the command line, locate the TFSAdminUtil utility.

    By default, it is located in <drive>:\Program Files\Microsoft Visual Studio 2005 Team Foundation Server\Tools.

  2. At the command line, type TFSAdminUtil ChangeAccount oldAccount newAccount newPassword, and then press ENTER.

    You must enter the user name for the old Team Foundation Server service account (oldAccount), in addition to the user name and password for the new account (newAccount and newPassword).

    Note

    Before you assign the new account by using TFSAdminUtil Changeaccount command, the account must have the Log on as a service permission on the application-tier server. For more information, see the next procedure in this topic, Granting the Log On As A Service Permission.

The TFSAdminUtil utility iterates through the services and only changes those that run under the old account.

Note

If you have configured e-mail alerts, you must manually change the web.config file and change the value of emailNotificationFromAddress from the old service account's e-mail address to the new service account's e-mail address. For more information, see How to: Configure SMTP Server and E-mail Notification Settings in the Services Web.Config File.

Granting the Log On As A Service Permission

After you have assigned the new service account, you must make sure that the service account has the Log on as a service permission. We recommend that you run Team Foundation Server in an Active Directory domain, but you can also run it in a workgroup. The procedures for both setups are described in the following section. For more information about how to grant the Log on as a service permission, see the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=62101).

To grant the log on as a service permission to a new service account on a Team Foundation Server in an Active Directory domain

  1. On the Windows Taskbar, click Start, and then click Run.

  2. In the Open box, type mmc, and then click OK.

  3. On File menu of the Console window, click Add/Remove Snap-in.

  4. On the Add/Remove Snap-in dialog box, click Add.

  5. On the Add Standalone Snap-in dialog box, double-click Group Policy Object Editor in the Available Standalone Snap-ins pane.

    The Group Policy Wizard starts.

  6. On the Select Group Policy Object page, click Browse.

  7. On the Browse for a Group Policy Object dialog box, locate the policy object you want to modify, and then click OK.

  8. Click Finish on the Select Group Policy Object page.

  9. On the Windows taskbar, click Start, point to Administrative Tools, and then click Local Security Policy.

  10. Expand Local Policies in the Explorer pane of the Local Security Settings window.

  11. Click User Rights Assignment.

  12. Double-click Log on as a service on the viewing pane.

  13. Click Add User or Group on the Log on as a service Properties dialog box.

  14. Type the name of the new service account in the Enter the object names to select box.

  15. Click OK.

To grant the log on as a service permission to a new service account on a Team Foundation Server in a workgroup

  1. On the Windows Taskbar, click Start, point to Administrative Tools, and then click Local Security Policy.

  2. Expand Local Policies in the Explorer pane of the Local Security Settings window.

  3. Click User Rights Assignment.

  4. Double-click Log on as a service in the viewing pane.

  5. Click Add User or Group on the Log on as a service Properties dialog box.

  6. Type the name of the new service account in the Enter the object names to select box.

  7. Click OK.

Changing the Team Foundation Server Report Service Account

When you change the reporting services service account (referred to by the placeholder account name TFSReports) for Team Foundation Server, you must also update credentials for the Reporting Service data sources after you run TfsAdminUtil ChangeAccount on the TFSService account. For more information about required service accounts, see the topic "User Accounts Required for Team Foundation Server Setup" in the Team Foundation Server Installation Guide. For more information about the installation guide, see Installation Overview for Team Foundation Server.

To update credentials for the Reporting Service data sources

  1. Start Internet Explorer.

  2. Open https://ApplicationTierServerName/Reports.

  3. On the Contents tab, select TfsReportDS.

  4. On the Properties tab, update the User name and Password for Credentials stored securely in the report server, and then click Apply.

  5. Repeat the steps three (3) and four (4) for TfsOlapReportDS.

Editing the MSIProperty.ini File

When you assign a new service account for Team Foundation Server, you must update the msiproperty.ini file after you run TfsAdminUtil ChangeAccount on the TFSService account or the TFSReports account. For more information about required service accounts, see the topic "User Accounts Required for Team Foundation Server Setup" in the Team Foundation Server Installation Guide. For more information about the installation guide, see Installation Overview for Team Foundation Server.

To change the msiproperty.ini file

  1. Open a text-based editor, such as Notepad. Start Notepad, click Start, click Run, type Notepad, and then click OK.

  2. Open the msiproperty.ini file in the text-based editor. The default path for the msiproperty.ini file is %programfiles%\Microsoft Visual Studio 2005 Team Foundation Server\Microsoft Visual Studio 2005 Team Foundation Server (databases).

  3. In the msiproperty.ini file, make the following changes:

    1. If you have changed the TFSService account, change the value of the following property to the new name of the account:

      VSTF_USERID= TFSService

    2. If you have changed the TFSReports account, change the value of the following property to the new name of the account:

      VSTF_RS_USERID= TFSReports

  4. Save the file and close the text-based editor.

See Also

Tasks

How to: View Team Foundation Server Services

Reference

ChangeAccount Command

Other Resources

Managing Team Foundation Server Services and Service Accounts