This post is about installing Team Foundation Server for Visual Studio Team System with the TFSSETUP, TFSSERVICE, and TFSREPORTS accounts, and whether they must be Admins on the local machine or the Active Directory domain.  It also includes my tips for installing TFS.

I'm here at Texas A&M University in the Computer Science department helping install TFS for students in the department.  There are a lot of uses for it here.  Dr. Salih Yurttas is a progressive teacher and would like his students to use it in his classes and student projects.  The other Software Engineering classes (headed up by Dr. Dick Simmons and Dr. Mac Lively) are primarily using IBM's Rational suite, but want to check out VSTS.  And last but not least, other students are simply interested in using it for their class projects.

So I encountered quite a bit of confusion around the accounts needed for TFS' setup, services, and SQL reporting.  The TFS Installation Guide is really not clear, making it sound like the three recommended accounts, TFSSETUP, TFSSERVICE, and TFSREPORTS, should be admins on the AD domain.  Most IT shops wouldn't stand for this and it is generally a bad practice.  So I did some digging around, talked to Bill Essary (the TFS Architect) & Jeff Beehler, checked out the "Team Foundation Server Administrator Permissions" MSDN article, and did a lot of trial and error.  Here's what I found out...

This is in regard to installing in an Active Directory domain environment.  Workgroup config is easy and not all these tips apply.  Some of these may be obvious, but they are helpful to state clearly.

Note: These are NOT the complete setup instructions.  They are to supplement the TFS Install Guide.

  1. Follow the TFS Installation Guide to the letter, except for the part about user accounts; that's what this blog post is about.  Don't forget to unblock the file.
  2. You can use any account that is a local Admin to install SQL Server & TFS (it doesn't have to be TFSSETUP).
  3. Be sure to verify the "TCP/IP" SQL protocol is Enabled (mentioned somewhere in the install guide); it isn't by default.
  4. The accounts used for the TFS Service and the Reporting Service (typically TFSSERVICE & TFSREPORTS) can be named anything you want.  I'll use the names here just for reference.
  5. TFSSERVICE & TFSREPORTS accounts should be "normal users" on the domain and Admins on the local machine.

    The two accounts do not need to be administrators on the local machine, but they do need to be able to log in and have permissions in their proper directories.  (Thanks to Etienne Tremblay for the update.)
    1. If you use local accounts (that are added to the local machine and do not exist in the domain) for TFSSERVICE/TFSREPORTS, every TFS user must have an additional account on the local machine.  This is not recommended in an Active Directory environment.
    2. The account(s) used should be "normal users" on the Active Directory domain (not admins on the domain) and Administrators on the local machine.  It is necessary that the accounts are on the domain so that the services can look up users' credentials on the domain.  It is necessary they are admin on the local machine to create new files, folders, settings, etc. when working with Team Projects.
  6. You can create a group (say "TFS Admins"), to which you will add users that should be able to administer TFS (add new Team Projects, change Iterations & Areas, etc.).  The group needs to exist on the domain, but does not need to be an admin on the domain or local machine.  Then add users that should be admins on TFS to that group.  This saves you from having to go to three different locations to add TFS admins.
  7. If you're installing inside a VPC, back it up before installing the ATDT (application tier & data tier).
  8. Read up on and follow the MSDN article on "Team Foundation Server Administrator Permissions".
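
To check the account setup from tip 5 after the fact, here is a small PowerShell audit. It is an added example, not part of the TFS Installation Guide or any Microsoft tooling. It assumes the ActiveDirectory (RSAT) and LocalAccounts modules are available, that it is run on the TFS machine, and that the accounts use the names from this post.

```powershell
# Added example: audit the TFS accounts against the guidance in this post.
# Assumptions: ActiveDirectory (RSAT) and Microsoft.PowerShell.LocalAccounts
# modules are installed, and this runs on the TFS server itself.
Import-Module ActiveDirectory

# Account names used in the post; substitute your own.
$accounts = 'TFSSETUP', 'TFSSERVICE', 'TFSREPORTS'

# Domain groups whose membership would make an account a domain admin.
$privilegedGroups = 'Domain Admins', 'Administrators'

# Resolve each privileged domain group once, including nested members.
$privileged = @{}
foreach ($group in $privilegedGroups) {
    $privileged[$group] = @(Get-ADGroupMember -Identity $group -Recursive |
        Select-Object -ExpandProperty SamAccountName)
}

# Local Administrators members are reported as DOMAIN\name or MACHINE\name.
$localAdmins = @(Get-LocalGroupMember -Group 'Administrators' |
    Select-Object -ExpandProperty Name)

$domain = (Get-ADDomain).NetBIOSName

$report = foreach ($name in $accounts) {
    $user = Get-ADUser -Filter "SamAccountName -eq '$name'"
    $adminOf = @($privilegedGroups |
        Where-Object { $privileged[$_] -contains $name })

    [pscustomobject]@{
        Account        = $name
        ExistsInDomain = [bool]$user                   # should be True
        DomainAdminOf  = $adminOf -join ', '           # should be empty
        LocalAdmin     = $localAdmins -contains "$domain\$name"
    }
}

$report | Format-Table -AutoSize

# Return only the accounts that break the "normal user on the domain" rule.
$report | Where-Object { $_.DomainAdminOf }
```

Any account listed by the last line is a domain admin, directly or through a nested group, and should be removed from that group.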

So there you have it, some clarification on setting up TFS permissions when installing.  If you learn another caveat, or have a tweak to my notes, please let me know in a comment.  Thanks.
