Assigning Active Directory Groups In Team Foundation Server 2012

I was setting up a project in Team Foundation Server Express 2012 (TFS) using the tutorial in the help document to get started.  The aspect of using Active Directory groups to manage members in TFS appealed to my sense of simplifying the management of the server.  Using the groups to manage the membership permissions allows you to add members to the groups instead of adding/deleting members individually.  This creates more consistency in the security assignments and reduces the errors that may occur with individual assignment.

Everything was going well. I added three groups to the domain to manage the contributors, project administrators, and restricted access as recommended in the tutorial.  It was a little confusing as to where to put the names of the groups.  In the Active Directory group setup, you have a Group Name and a Group Name (pre-Windows 2000) to enter.  So what do I put where?

Figure: New Active Directory Group dialog box (adding a group to Active Directory).

I put the long name into the Group Name field and a shortened name into the pre-Windows 2000 field. Excuse my ignorance, but I didn’t know when you would use which.  I figured I didn’t really need to worry about the pre-Windows 2000 name because all my computers and servers were post-Windows 2000.  So the name I entered into the pre-Windows 2000 field was simply a shortened version of the group name.

OK, so all my groups are set up, and I’m ready to create a project and assign the groups.  I start Team Explorer in Visual Studio 2012 and link to the Team Foundation Server.  I create a project and click on the security link.  I click on the groups tab to get to the TFS groups.  I click on the Contributors group to show the membership.  There is one TFS member prepopulated in the list.

I click on the members tab and then click the add button to add a user (or group).  It displays the dialog to select the user or group you want to add, and much to my surprise, the groups I created aren’t there.  I figured I must have set them up wrong.  The list showed some users and predefined groups, but not my groups.  I tried various things to move the groups around in AD, but nothing changed.

Figure: Add Windows User or Group dialog (entering a group that wasn’t on the list).

There was a message at the top of the dialog to enter the group name if it didn’t show, and it would find it.  So I entered the group name and…it gave me an error.  I checked the spelling, and it still gave me an error.  Again, I thought I had configured something wrong, so I searched for answers.

Figure: TFS project Add Member error message: “An error occurred. The Windows identity doesn’t exist.”

I finally came upon a post that indicated that because TFS is now a web server, it doesn’t have access to AD until you post it.  This didn’t make much sense to me since it still verifies that you have a valid group.  But it did have some information about the group name.  Instead of using the post-Windows 2000 group name, use the pre-Windows 2000 group name.  OK, this didn’t make sense since this is a post-Windows 2000 environment, but I tried it anyway and it worked!

So, when setting up groups in TFS, make sure you use the pre-Windows 2000 name.  This also means that the name you give it is significant.  It isn’t the name that shows in the AD group list, but it is the one you need to use in TFS.
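To make the two names concrete, here is an added PowerShell example (not from the original post) that creates the three groups described above with a long Group Name and a short pre-Windows 2000 name, then checks which of the two Windows will actually resolve as an identity, which is the lookup TFS relies on when it reports that the identity doesn’t exist. The group names and the OU path are constructed placeholders, and the script assumes the RSAT ActiveDirectory module and rights to create groups.

```powershell
# Added example, not code from the original post. Requires the RSAT
# ActiveDirectory module; group names and the OU path are placeholders.
Import-Module ActiveDirectory

$ou     = 'OU=TFS Groups,DC=example,DC=local'   # placeholder OU
$domain = (Get-ADDomain).NetBIOSName

# Name            = the "Group Name" field in the AD dialog (the CN)
# SamAccountName  = the "Group Name (pre-Windows 2000)" field
$groups = @(
    @{ Name = 'TFS Project Contributors';   Sam = 'TFSContrib'   }
    @{ Name = 'TFS Project Administrators'; Sam = 'TFSAdmins'    }
    @{ Name = 'TFS Restricted Access';      Sam = 'TFSRestrict'  }
)

foreach ($g in $groups) {
    # Create the group only if the pre-Windows 2000 name is not already taken.
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$($g.Sam)'")) {
        New-ADGroup -Name $g.Name -SamAccountName $g.Sam `
                    -GroupScope Global -GroupCategory Security -Path $ou
    }
}

# Resolve a DOMAIN\account string the way Windows does (account name -> SID).
# This is the same kind of lookup that fails behind "The Windows identity
# doesn't exist" when the long Group Name is typed into the TFS dialog.
function Test-WindowsIdentity {
    param([string]$Account)
    try {
        $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
                   [System.Security.Principal.SecurityIdentifier])
        [pscustomobject]@{ Account = $Account; Resolves = $true;  Sid = $sid.Value }
    } catch [System.Security.Principal.IdentityNotMappedException] {
        [pscustomobject]@{ Account = $Account; Resolves = $false; Sid = $null }
    }
}

foreach ($g in $groups) {
    Test-WindowsIdentity "$domain\$($g.Name)"   # long Group Name: not a Windows account name
    Test-WindowsIdentity "$domain\$($g.Sam)"    # pre-Windows 2000 name: this is what TFS needs
}
```

The second call in each pair is the DOMAIN\name form to type into the TFS Add Windows User or Group dialog; the first only resolves if the two fields happen to contain the same value.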