You can use the Identities command to list or change the security identifier (SID) of users and groups in your deployment of Visual Studio Team Foundation Server. You might need to change or update the SID for users and groups in one of the following scenarios:
changing the domain of your deployment
changing from a workgroup to a domain or from a domain to a workgroup
migrating accounts across domains in Active Directory
You do not need to run this command if you are changing domains within the same Active Directory forest. Team Foundation Server will automatically handle SID changes for moves within the same forest.
To use the Identities command, you must be a member of the Team Foundation Administrators security group on the application-tier server for Team Foundation. You must also be a member of the sysadmin security group for SQL Server on the data-tier server for Team Foundation. For more information, see Team Foundation Server Permissions.
Even if you are logged on with administrative credentials, you must open an elevated Command Prompt to perform this function on a server that is running Windows Server 2008. To open an elevated Command Prompt, click Start, right-click Command Prompt, and click Run as Administrator. For more information, see the following page on the Microsoft Web site: User Account Control.
TFSConfig Identities [/change /fromdomain:DomainName1 /todomain:DomainName2 [/account:AccountName] [/toaccount:AccountName]] [/sqlInstance:ServerName /databaseName:DatabaseName] [/account:AccountName]
Specifies the name of the domain from which (/fromdomain) or to which (/todomain) you are changing SIDs. If you must specify a workgroup, use the computer name as the domain name.
Specifies the name of the account that you want to list or change. When you use this parameter with /change, you specify the account from which you want to change after /account, and you specify the account to which you want to change after /toaccount. Do not include a domain or computer name with the account name.
Specifies the name of the server that hosts the configuration database for Team Foundation Server and the name of the instance if you want to use an instance other than the default instance. If you specify an instance, you must use the following format:
Specifies the name of the configuration database. By default, the name of this database is TFS_ConfigurationDB.
Specifies that you want to change identities instead of listing them.
Required when using /change. Specifies the original domain of the identities that you want to change. If you are changing from a workgroup environment, specifies the name of the computer.
Required when using /change. Specifies the domain to which you want to change identities. If you are changing to a workgroup environment, specifies the name of the computer.
Specifies the name of an account for which you want to list or change identities.
Specifies the name of an account to which you want to change identities.
Specifies the name of the server that is running SQL Server and the name of the instance if you want to use an instance other than the default instance. If you specify an instance, you must use the following format:
Specifies the name of the configuration database for Team Foundation Server.
You can optionally specify the database to change identities before you configure an application-tier server for the deployment. For example, you might specify the database to change the service account when you clone a deployment of Team Foundation Server.
When you change identities, the target account or accounts must already exist in Windows.
You must wait for the next identity synchronization with Windows before the properties of accounts that you change with this command will be updated. This requirement includes changes from group to user, user to group, and domain account to local account.
The following example shows how to list the names of all Windows users and groups that are stored in Team Foundation Server and to display whether the SID for each user or group matches the SID in Windows. The Contoso1 domain administrators created domain groups such as "Contoso1\Developers" and "Contoso1\Testers" to help ease the management of permissions across Team Foundation Server, SQL Server Reporting Services, and SharePoint Products.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, places, or events is intended or should be inferred.
TFSConfig - Team Foundation Server Configuration Tool Copyright © Microsoft Corporation. All rights reserved. Account Name Exists (see note 1) Matches (see note 2) -------------------------------------------------------------------- CREATOR OWNER True True Contoso1\hholt True True BUILTIN\Administrators True True Contoso1\Developers True True Contoso1\Testers True True Contoso1\PMs True True Contoso1\jpeoples True True Contoso1\Domain Admins True True Contoso1\SVCACCT1 True True 9 security identifiers (SIDs) were found stored in Team Foundation Server. Of these, 9 were found in Windows. 0 had differing SIDs.
The following example shows how to change the SIDs for all accounts in Team Foundation Server from the Contoso1 domain to the SIDs for accounts that have matching names in the ContosoPrime domain. Only account names that match will have their SIDs updated. For example, if the "hholt" account exists as Contoso1\hholt and ContosoPrime\hholt, the account SID will be changed to the SID for ContosoPrime\hholt. If the "ContosoPrime\hholt" account does not exist, the SID will not be updated for Contoso1\hholt.
TFSConfig Identities /change /fromdomain:Contoso1 /todomain:ContosoPrime
The following example shows how to change the account for a single user account, Contoso1\hholt, to the account for another user account, ContosoPrime\jpeoples.
TFSConfig Identities /change /fromdomain:Contoso1 /todomain:ContosoPrime /account:hholt /toaccount:jpeoples
The following example shows how to change the SID of the "NT AUTHORITY\NETWORK SERVICE" service account that is used in the deployment of Team Foundation Server when changing the domain of the deployment from Contoso1 to ContosoPrime. To change a system account such as Network Service, you must follow a two-stage process. You first change the service account from NT AUTHORITY\NETWORK SERVICE to a domain account in the new domain (TempSVC), and then you change the account back to NETWORK SERVICE on the server in the new domain. The configuration database is hosted on the server that is named "ContosoMain" on the named instance "TeamDatabases" in SQL Server.
TFSConfig Identities /change /fromdomain:"NT AUTHORITY" /todomain:ContosoPrime /account:"NETWORK SERVICE" /toaccount:TempSVC /SQLInstance:ContosoMain\TeamDatabases /DatabaseName:TFS_ConfigurationDB TFSConfig Identities /change /fromdomain:ContosoPrime /todomain:"NT AUTHORITY" /account:TempSVC /toaccount:"NETWORK SERVICE"