TFS 2012 Orphan Users

  • Question

  • We have an ongoing Orphan User problem in Team Foundation Services. We have 9 TFS users that persist under the 2 top-level groups, [TEAM FOUNDATION]\Team Foundation Valid Users & [TCollection]\Project Collection Valid Users, although they have been successfully removed from all other project group memberships.

    Over 32 months, 99 TFS users have left the company.

    Upon leaving, users are "disabled" by company policy rather than being deleted. Typically, they are left with no AD group memberships outside of the Global Group membership "Domain Users."

    Throughout the 32 months, steps have been taken to remove all 99 from all group memberships.

    For this removal process, we review and take action to ensure:

    1. User not associated with a TFS Collection Project group
    2. User has no workspaces associated with their identity in TFS
    3. User has no shelvesets associated with their identity in TFS
    4. User has no items checked out (locked) in TFS
    5. User has no Work Items “Assigned To” their identity in TFS
    6. User has no Project Alerts associated with their identity in TFS

    The 9 Orphan Users persist to show under the 2 top-level groups in spite of removing all these possible dependencies.

    The other 90 users have been dropped successfully through command-line, through web interface and through the Administrator console.

    We have cleared cache on the TFS server. The TFS server is rebooted routinely. We monitor TFSSynchronizeIdentities routinely and it operates correctly consistently.

    The 9 "orphaned users" have occurred over the entire 32 months - it's neither a recent problem nor a problem from the past.

    We currently use Team Foundation Server 2012 Update 4.

    Any suggestions will be greatly appreciated.

    Tuesday, December 15, 2015 8:40 PM

All replies

  • Hi,

    I had some similar problems in the past. In our case some users had special rights (allow or deny) to some folders in Version Control. Some of these folders were deleted. I checked the permissions with the "tf permission" command line and removed the permissions for the old users.

    https://msdn.microsoft.com/en-us/library/0dsd05ft(v=vs.100).aspx

    Sample Export Permissions to File (with powershell)

    & 'C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\tf.exe' permission $/ /recursive /server:http://xxxxxx:8080/tfs/DefaultCollection | Out-File C:\temp\permissions.txt

    $/ is the Path in VersionControl

    /server is the url to your Team Project Collection

    In the export file you can search for your users and remove their permissions in Version Control. If the folders don't exist, you can remove the permissions with this sample:

    & 'C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\tf.exe' permission $/PATHINVERSIONCONTROL /user:domain\username /remove:* /server:http://xxxxxx:8080/tfs/DefaultCollection

    After some minutes the users disappeared from our TFS.

    --

    Maik Hanns

    MCT, MCPD, MCSD

    http://blog.maikhanns.de

    Tuesday, December 15, 2015 9:56 PM
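An added example, not part of Maik's reply: a PowerShell script that reads the permissions export produced by the "tf permission $/ /recursive" command above and lists every explicit version-control entry held by the former users, so each hit can be reviewed before it is removed. The export file path, the user list and the "Server item:" / "Identity:" line labels of the tf.exe listing are assumptions.

```powershell
# Added example (not from the original post). Scans a "tf permission $/ /recursive"
# export for entries that name a former user directly. Assumptions: the export lives
# at $ExportFile, and tf.exe prefixes each path with "Server item:" and each
# permission holder with "Identity:"; the user list is a constructed sample.
param(
    [string]$ExportFile = 'C:\temp\permissions.txt',
    [string[]]$Users = @('domain\user1.name1', 'domain\user2.name2')   # constructed sample
)

$hits = @()
$currentItem = $null
foreach ($line in Get-Content -Path $ExportFile) {
    if ($line -match '^\s*Server item:\s*(.+?)\s*$') {
        $currentItem = $Matches[1]
        continue
    }
    if ($line -match '^\s*Identity:\s*(.+?)\s*$') {
        $identity = $Matches[1]
        # -contains is case-insensitive; group identities such as
        # [Project]\Contributors never match because they are not in $Users.
        if ($Users -contains $identity) {
            $hits += [pscustomobject]@{ Identity = $identity; ServerItem = $currentItem }
        }
    }
}

if ($hits.Count -eq 0) {
    Write-Host 'No explicit version-control permissions found for the listed users.'
} else {
    # Each row corresponds to one "tf permission <ServerItem> /user:<Identity> /remove:*" call.
    $hits | Sort-Object Identity, ServerItem | Format-Table -AutoSize
}
```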
  • Thanks for the suggestion.

    I've generated the permissions.txt file from our top-level ($/) to search for any permissions granted directly to any of the 9 Orphan Users.

    I found no individual users to be granted permissions directly in TFS.

    I also extended the tf permission query to search for each individual Orphan User:
    & 'C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\tf.exe' permission $/ /user:username /recursive /server:http://xxxxxx:8080/tfs/DefaultCollection | Out-File C:\temp\permissions.txt

    These searches confirmed that none of the Orphan Users have any permissions set within TFS, so we can eliminate that factor.

    Thanks. I appreciate the shared knowledge.

    Michael Andrews

    Wednesday, December 16, 2015 3:25 PM
  • Hi Michael,

    As far as I know, there aren't specific users in the [TEAM FOUNDATION]\Team Foundation Valid Users and [Project Collection Valid Users] groups.

    Are these users in these groups? Could you reproduce that issue? Please provide the detailed steps.

    What's the result if you add these users to TFS again and then remove them?

    Regards

    Starain



    Thursday, December 17, 2015 6:54 AM
    Moderator
  • It is my understanding that membership in the 2 global groups, [TEAM FOUNDATION]\Team Foundation Valid users and [Project collection valid users], is automatic when a TFS user belongs to any specific project group within a project collection. But removal from the global groups is also supposed to be automatic any time a TFS user is removed from all of the specific project groups.

    When I run the tfssecurity command against a TFS user who has been removed from TFS group memberships, I get the following results:
    tfssecurity /imx domain\user.name  /server:tfsserver
    Microsoft (R) TFSSecurity - Team Foundation Server Security Tool
    Copyright (c) Microsoft Corporation.  All rights reserved.

    The target Team Foundation Server is http://tfsserver:8080/tfs.
    Resolving identity "domain\user.name"...

    SID: S-1-5-21-743256475-1194075624-108746347-33095

    DN: CN=name\, user,OU=Accenture,OU=Users,OU=domain,DC=domain,DC=net

    Identity type: Windows user
       Logon name: domain\user.name
     Mail address: user.name@domain.com
     Display name: name, user
      Description: Disabled per roll-off 10/30/2015 - BT

    Note that the user information is returned with no group memberships identified.

    But when I run the same tfssecurity command against one of the Orphan Users, I get the following:
    tfssecurity /imx domain\user1.name1 /server:tfsserver
    Microsoft (R) TFSSecurity - Team Foundation Server Security Tool
    Copyright (c) Microsoft Corporation.  All rights reserved.

    The target Team Foundation Server is http://tfsserver:8080/tfs.
    Resolving identity "domain\user1.name1"...

    SID: S-1-5-21-743256475-1194075624-108746347-17533

    DN: CN=name1\, user1,OU=Accenture,OU=Users,OU=domain,DC=domain,DC=net

    Identity type: Windows user
       Logon name: domain\user1.name1
     Mail address: user1.name1@domain.com
     Display name: name1, user1
      Description: Disabled 08/14/15 - JM

    Member of 2 group(s):
    e [A] [TEAM FOUNDATION]\Team Foundation Valid Users
    e [A] [domainCollection]\Project Collection Valid Users

    I have attempted adding the Orphan Users back to a specific project group and then removing them again, but the problem persists.

    Thanks.

    Michael

    Thursday, December 17, 2015 3:00 PM
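An added example, not from the thread: a PowerShell function that runs tfssecurity /imx for a list of former users, parses the "Member of N group(s):" block shown above, and flags accounts whose only remaining memberships are the two automatic Valid Users groups. The tfssecurity.exe location, the server URL and the user names are assumptions.

```powershell
# Added example (not from the thread). Assumes tfssecurity.exe is on PATH (it ships in
# the TFS server's Tools folder), that $Server is your collection URL, and that the
# user names are placeholders. The "Member of N group(s):" block is parsed in the
# layout the thread's output shows.
param(
    [string]$TfsSecurity = 'tfssecurity.exe',
    [string]$Server      = 'http://tfsserver:8080/tfs',
    [string[]]$Users     = @('domain\user.name', 'domain\user1.name1')   # constructed sample
)

function Get-TfsGroupMembership {
    param([string]$User)
    $output = & $TfsSecurity /imx $User /server:$Server 2>&1 | Out-String
    $groups = @()
    $inList = $false
    foreach ($line in ($output -split "`r?`n")) {
        if ($line -match '^\s*Member of \d+ group\(s\):') { $inList = $true; continue }
        if (-not $inList) { continue }
        if ($line.Trim() -eq '') { break }          # a blank line ends the group list
        # Group lines look like "e [A] [TEAM FOUNDATION]\Team Foundation Valid Users";
        # drop the leading flag columns and keep the group name.
        if ($line -match '^\s*(?:\S+\s+)?\[\w\]\s+(.+?)\s*$') { $groups += $Matches[1] }
    }
    return $groups
}

foreach ($u in $Users) {
    $groups = @(Get-TfsGroupMembership -User $u)
    # Orphan pattern from the thread: no explicit group memberships remain, yet the
    # account still appears in the automatic "... Valid Users" groups.
    $others = @($groups | Where-Object { $_ -notmatch 'Valid Users$' })
    [pscustomobject]@{
        User       = $u
        GroupCount = $groups.Count
        OrphanLike = ($groups.Count -gt 0 -and $others.Count -eq 0)
        Groups     = ($groups -join '; ')
    }
}
```

Accounts reported with OrphanLike = True are the ones to hand to the Security Identity Cleanup job or to the workspace and shelveset checks discussed later in the thread.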
  • Hi Michael,

    I'm trying to involve some senior engineers into this issue and it will take some time. Your patience will be greatly appreciated.

    Regards

    Starain



    Friday, December 18, 2015 9:14 AM
    Moderator
  • Hi Michael,

    There is one internal job called Security Identity Cleanup which is responsible for removing orphaned users from global groups. If you check the http://tfsservername:8080/tfs/_oi page, you may see that the job has failed to run.

    You can check this blog for the detailed information on how to force TFS to sync with Active Directory. 



    Saturday, December 19, 2015 8:34 AM
    Moderator
  • Hello, Vicky,

    Thanks for the follow-up.

    I've gone back and checked the http://tfsservername:8080/tfs/_oi page and found no errors or failures for the Team Foundation Server Periodic Identity Synchronization job.

    I also used the command line to check status on the job:
     tfssyncidentities /server:http://tfsservername:8080/tfs /status
     
    These were the results from the query run at 1:37 p.m. today (12/21/2015):
         tfssyncidentities Command Line Utility, Version 2.0
         Copyright (c) 2012 Neno Loje. All Rights reserved.

         Forces TFS to synchronize identities immediately.

         Passed in parameters:
           server: http://tfsservername:8080/tfs
           status: true

         Last identity synchronization ended at 12/21/2015 1:00:38 PM

    Meanwhile, the Orphan Users persist.

    Let me know if you have any further questions.

    Michael


    • Edited by MikeRena77 Monday, December 21, 2015 9:05 PM
    Monday, December 21, 2015 8:40 PM
  • We still have the original nine orphaned users who persist in the groups [TEAM FOUNDATION]\Team Foundation Valid Users and [domainCollection]\Project Collection Valid Users despite having been removed from all group memberships.

    Eight of these nine orphaned users left the company in CY 2014. One left in CY 2015.

    All eight of these users (CY 2014 departures) are no longer found under any AD group membership. A query against the username only reports back "The user name could not be found."

    However, they do continue to persist under the 2 TFS groups [TEAM FOUNDATION]\Team Foundation Valid Users and [domainCollection]\Project Collection Valid Users.

    Is there any way to manually remove these users from TFS using the database?  Nothing seems to work from the TFS command-set.

    Please advise.

    Michael


    • Edited by MikeRena77 Wednesday, February 3, 2016 2:47 PM
    Monday, February 1, 2016 6:12 PM
  • We currently use TFS 2015 Update 3 and have the same issue where users are only members of [TEAM FOUNDATION]\Team Foundation Valid Users and [domainCollection]\Project Collection Valid Users.  I found that these users still had TFS Workspaces and Shelvesets.  After deleting these Workspaces and Shelvesets, some of the users were removed the next time the cleanup job ran.  What other items can a user own that prevents them from being "Garbage Collected"?


    • Edited by JPBrockway Friday, December 2, 2016 8:06 PM Additional information
    Thursday, December 1, 2016 7:44 PM