I had a question from one of the Queensland customers about scripting the addition of Users to a TFS Server and indicated i didn't know but would look into it....

My first thought was to use Windows Security Groups and adding users to these groups, but since i knew the user interfaces dealing with ownership in Team Foundation Server shows only users not groups i didn't know how/if this would work.  (For instance editing a work item and looking at owners the drop down doesn't show the TFS groups only the accounts i installed TFS under and the accounts i later added via the Team Foundation Server Administration Tool but no groups....)

To see if this would work i started with a simple experiment; i created a Windows security group called TFS_Report_Group i then added a new user called "Justin" to this group. Then using the the Team Foundation Server Administration Tool I added the Windows Secruity Group (NOT Justin) to Reoprt Administrators, Team Foundation Server Contributors and Sharepoint Contributors.  Then opening Team Explorer i opened a work item and under the potential owners Viola i saw "Justin". 

So the answer is what we at Micrsoft have been telling customers since the invention of Windows: give permissions to groups and add users to these groups. The scripting process then becomes the same as any other Windows Group like that documented at:

http://www.microsoft.com/technet/scriptcenter/resources/qanda/oct04/hey1008.mspx

For more information on Security in TFS make sure and check out:

TFSAdminUtil

TFSSEcurity