When upgrading an older version Team Foundation server to TFS 2010, you may encounter the following error:

Error TF50374 "Project group XXXX cannot be added to global group YYYY."

If you do, please read on for instructions to resolve the problem.

We have had a long standing restriction in TFS that global TFS groups (a.k.a server groups) cannot contain team project groups. The error that is the subject of this post indicates that the server that you are upgrading contains data that precedes this restriction. This post explains how to remove these membership(s) and upgrade successfully.

There is nothing in the product that requires this membership, and they are custom ones created by the customer. As a result of the membership, the project group will acquire permission(s) granted the parent global group. The reason why we don't automatically remove them during upgrade is so that they can be examined. If necessary any permissions can be granted directly to the project group(s), and then the memberships removed.

The recommended method is to use the UI or tfssecurity command line tool against the old server (if available still).

  1. Get global TFS groups from UI (Team Explorer server -> Settings -> Group Membership).
  2. Record permissions on these groups from Security dialog.
  3. Examine membership of these groups. 
  4. Remove team project groups that they contain.
  5. Directly grant required permissions to those team project groups.

There are 3 standard server groups in TFS 2005 / 2008: "Team Foundation Administrators", "Service Accounts" and "Team Foundation Valid Users", and perhaps additional custom groups. The Valid Users group is a system managed umbrella group which we don't have to worry about. After removing any member(s) which are project groups, take a fresh back up of the TFS Integration database, restore onto the new server and run upgrade again (be sure to uninstall TFS2010 on the new server to remove the configuration and then re-run setup again and select the Upgrade Wizard to start the upgrade again).

If the old TFS server is no longer available/running, as in the case of an in-place upgrade, then please contact Microsoft Customer Support Services for a SQL script for removing the membership(s), reference article 2266305 (you may be asked to provide a credit card number depending on the type of support contract you have, but ultimately the support case will be free). After successfully running the script you can go to the TFS 2010 Administration console on the Application Tier, navigate to the Team Project Collection node and select the "retry" button to resume the upgrade.