6
votes

I have two users who are "stuck" in my TFS 2012 instance, so to speak. I've removed them from every conceivable group I can think of, yet they still have access to the portal (albeit with no projects).

Running the imx command found here yields the following information:

Microsoft (R) TFSSecurity - Team Foundation Server Security Tool Copyright (c) Microsoft Corporation. All rights reserved.

The target Team Foundation Server is mytfsserverurl.
Resolving identity "NT\username"...

SID: S-1-5-21-1715567821-1897051121-682003330-9628

DN: CN=User Name,OU=Win7_Desktop_Restricted,DC=nt,DC=domain,DC=com

Identity type: Windows user
Logon name: NT\username
Display name: User Name
Description: blahjblah

Member of 2 group(s):

e [A] [TEAM FOUNDATION]\Team Foundation Valid Users
e [A] [CollectionName]\Project Collection Valid Users

Done.

However, these users aren't in any other groups. When I look at the group membership for these groups on the server itself they aren't in there either. Neither user has any changesets, work items, or workspaces.

They appear in the web portal, but only when I search for them. I can't find them by navigating, and when I try to click "remove" I get the following error message:

Unable to remove the selected identity from this group. TF50618: The Team Foundation Valid Users group cannot be modified directly.


How can I remove these users from these groups?

If they have no dedicated permission somewhere in TFS, they should be removed from the valid users group, usually during the night. Not sure if this process runs every 2 hours or only during the night, but the group is not directly updated for deleted users, only for new ones. Maybe you can force an update by adding new users. – MikeR

Interesting. One of the users has been "removed" for a while, but the other one I just removed today. I did check the job logs and didn't see any errors related to this, so maybe I'll check again in a few hours and see if they're still there. – Mansfield

@MikeR Is there any way I can kick off that process and verify that it ran successfully without adding a new user? I tried the AD sync script found here: gist.github.com/jstangroome/3753534 but it didn't seem to do anything. – Mansfield

Did you ever find a solution to this? I have the same problem on TFS 2013 where the users deleted from Active Directory are 'stuck' in those two groups still. – cvocvo

@cvocvo Unfortunately, not really. I think I did kick the scheduled job off manually but users remained stuck. Best of luck finding a solution. – Mansfield

1 Answer

4
votes

There is a periodic clean-up job that removes people from the global groups. If you just wait, they will disappear in a couple of days. They will not have access to any of the TFS assets, however.

Now if you have more than 6k users syncing into TFS you may find that the sync job is failing and they will never go away. If you look in http://tfs.mydomain.com:8080/tfs/_oi you should be able to see if the job is failing.

If you can't wait for the scheduled job you can kick it off: http://msmvps.com/blogs/vstsblog/archive/2011/02/17/force-tfs-to-sync-with-active-directory.aspx
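The two things the thread asks for, kicking the identity sync job off and then confirming from the job history whether it actually succeeded, can be done in one script against the TFS job service. This is an added example, not code from the answer, the linked blog post or Microsoft; it assumes the TFS 2012 client assemblies (version 11.0) are installed on the machine running it, that the job is named "Periodic Identity Synchronization" on this server, and that the server URL is a placeholder to be replaced.

```powershell
# Added example: queue the TFS identity sync job and read back its result.
# Assumptions: TFS 2012 (client assemblies version 11.0.0.0) and a placeholder
# configuration server URL; run as a TFS administrator.
param(
    [string]$ServerUrl = "http://tfs.mydomain.com:8080/tfs",   # placeholder
    [string]$JobName   = "Periodic Identity Synchronization"    # assumed job name
)

Add-Type -AssemblyName "Microsoft.TeamFoundation.Client, Version=11.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
Add-Type -AssemblyName "Microsoft.TeamFoundation.Common, Version=11.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"

$server = [Microsoft.TeamFoundation.Client.TfsConfigurationServerFactory]::GetConfigurationServer($ServerUrl)
$server.EnsureAuthenticated()
$jobService = $server.GetService([Microsoft.TeamFoundation.Framework.Client.ITeamFoundationJobService])

# Look the job definition up by name rather than hard-coding its GUID,
# so the script does not depend on a value that may differ per install.
$job = $jobService.QueryJobs() | Where-Object { $_.Name -eq $JobName } | Select-Object -First 1
if (-not $job) { throw "Job '$JobName' was not found on $ServerUrl" }

# Remember when we queued it so we only accept a history entry from this run.
$queuedAt = (Get-Date).ToUniversalTime()
$accepted = $jobService.QueueJobNow($job.JobId, $true)   # $true = high priority
Write-Host "Queued '$($job.Name)' ($($job.JobId)), accepted: $accepted"

# Poll the job history until an entry that finished after $queuedAt shows up.
# A sync of a large domain (the >6k user case in the answer) can take minutes.
$deadline = $queuedAt.AddMinutes(15)
$entry = $null
do {
    Start-Sleep -Seconds 15
    $entry = $jobService.QueryJobHistory([Guid[]]@($job.JobId)) |
        Where-Object { $_.EndTime -gt $queuedAt } |
        Sort-Object EndTime -Descending | Select-Object -First 1
} while (-not $entry -and (Get-Date).ToUniversalTime() -lt $deadline)

if (-not $entry) {
    Write-Warning "No completed run recorded within 15 minutes; check $ServerUrl/_oi for a stuck or failing job."
} else {
    # Result is the job's outcome enum (e.g. Succeeded/Failed); ResultMessage carries the detail.
    Write-Host ("Result: {0}  Ended: {1:u}" -f $entry.Result, $entry.EndTime)
    if ($entry.ResultMessage) { Write-Host "Message: $($entry.ResultMessage)" }
}
```

If the run reports a failure, the ResultMessage is the same text the _oi page shows, which is what tells you whether the stuck accounts are a sync error rather than just the nightly delay.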