Identities Command
The Identities command lists or changes the security identifier (SID) of users and groups in your deployment of Team Foundation Server (TFS). You might need to change or update the SID for users and groups in one of the following scenarios:
- changing the domain of your deployment
- changing from a workgroup to a domain or from a domain to a workgroup
- migrating accounts across domains in Active Directory
Note
You do not need to run this command if you are changing domains within the same Active Directory forest. TFS will automatically handle SID changes for moves within the same forest.
Requirements
You must be a member of the Team Foundation Administrators security group on the application-tier server for Team Foundation.
You must also be a member of the sysadmin security group for SQL Server on the data-tier server for Team Foundation. For more information, see Set administrator permissions for Team Foundation Server.
Even if you are logged on with administrative credentials, you must open an elevated Command Prompt to perform this function.
TFSConfig Identities [/change /fromdomain:DomainName1 /todomain:DomainName2 [/account:AccountName] [/toaccount:AccountName]] [/sqlInstance:ServerName /databaseName:DatabaseName] [/account:AccountName] [/usesqlalwayson]
Parameters
| Placeholder | Description |
|---|---|
| DomainName | Specifies the name of the domain from which (/fromdomain) or to which (/todomain) you are changing SIDs. If you must specify a workgroup, use the computer name as the domain name. |
| AccountName | Specifies the name of the account that you want to list or change. When you use this parameter with /change, you specify the account from which you want to change after /account, and you specify the account to which you want to change after /toaccount. Do not include a domain or computer name with the account name. |
| ServerName | Specifies the name of the server that hosts the configuration database for TFS and the name of the instance if you want to use an instance other than the default instance. If you specify an instance, you must use the following format: ServerName\InstanceName |
| DatabaseName | Specifies the name of the configuration database. By default, the name of this database is TFS_ConfigurationDB. |

| Option | Description |
|---|---|
| /change | Specifies that you want to change identities instead of listing them. |
| /fromdomain:DomainName | Required when using /change. Specifies the original domain of the identities that you want to change. If you are changing from a workgroup environment, specifies the name of the computer. |
| /todomain:DomainName | Required when using /change. Specifies the domain to which you want to change identities. If you are changing to a workgroup environment, specifies the name of the computer. |
| /account:AccountName | Specifies the name of an account for which you want to list or change identities. |
| /toaccount:AccountName | Specifies the name of an account to which you want to change identities. |
| /SQLInstance:ServerName | Specifies the name of the server that is running SQL Server and the name of the instance if you want to use an instance other than the default instance. If you specify an instance, you must use the following format: ServerName\InstanceName |
| /DatabaseName:DatabaseName | Specifies the name of the configuration database for TFS. |
| /usesqlalwayson | Specifies that the databases are part of an AlwaysOn Availability Group in SQL Server. If configured, this option sets MultiSubnetFailover in the connection string. For more information, see AlwaysOn Availability Groups (SQL Server). |
Remarks
You can optionally specify the database to change identities before you configure an application-tier server for the deployment. For example, you might specify the database to change the service account when you clone a deployment of TFS.
When you change identities, the target account or accounts must already exist in Windows.
You must wait for the next identity synchronization with Windows before the properties of accounts that you change with this command will be updated. This requirement includes changes from group to user, user to group, and domain account to local account.
Examples
The following example shows how to list the names of all Windows users and groups that are stored in TFS and to display whether the SID for each user or group matches the SID in Windows. The Contoso1 domain administrators created domain groups such as "Contoso1\Developers" and "Contoso1\Testers" to help ease the management of permissions across TFS, SQL Server Reporting Services, and SharePoint Products.
Note
The examples are for illustration only and are fictitious. No real association is intended or inferred.
TFSConfig Identities
Sample output:
TFSConfig - Team Foundation Server Configuration Tool
Copyright © Microsoft Corporation. All rights reserved.
Account Name                  Exists (see note 1)   Matches (see note 2)
--------------------------------------------------------------------
CREATOR OWNER                 True                  True
Contoso1\hholt                True                  True
BUILTIN\Administrators        True                  True
Contoso1\Developers           True                  True
Contoso1\Testers              True                  True
Contoso1\PMs                  True                  True
Contoso1\jpeoples             True                  True
Contoso1\Domain Admins        True                  True
Contoso1\SVCACCT1             True                  True
9 security identifiers (SIDs) were found stored in Team Foundation Server. Of these, 9 were found in Windows. 0 had differing SIDs.
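A check an administrator might run on this listing after a domain change, as an added PowerShell example that is not part of the original documentation: it parses the listing and reports every stored identity whose Exists or Matches column is not True. The listing below is constructed, and the code assumes the column layout and summary line shown in the sample output above.

```powershell
# Constructed listing in the layout of the sample output above (not real output).
# On the server, from an elevated prompt, use instead: $listing = & TFSConfig Identities
$listing = @'
Account Name                  Exists   Matches
--------------------------------------------------------------------
CREATOR OWNER                 True     True
Contoso1\hholt                True     False
BUILTIN\Administrators        True     True
Contoso1\Domain Admins        True     True
Contoso1\SVCACCT1             True     True
5 security identifiers (SIDs) were found stored in Team Foundation Server. Of these, 5 were found in Windows. 1 had differing SIDs.
'@ -split "`r?`n"

# Account names may contain spaces, so anchor on the two trailing True/False columns.
$rowPattern = '^(?<Account>.+?)\s+(?<Exists>True|False)\s+(?<SidMatch>True|False)\s*$'
$sumPattern = '^(?<Total>\d+) security identifiers \(SIDs\) were found'

$declared = $null
$rows = foreach ($line in $listing) {
    if ($line -match $rowPattern) {
        [pscustomobject]@{
            Account    = $Matches['Account'].Trim()
            Exists     = [bool]::Parse($Matches['Exists'])
            SidMatches = [bool]::Parse($Matches['SidMatch'])
        }
    }
    elseif ($line -match $sumPattern) {
        $declared = [int]$Matches['Total']
    }
}
$rows = @($rows)

# Guard against silently skipped rows: the parsed row count must equal the
# total in the summary line (assumption: one row is printed per stored SID).
if ($declared -ne $rows.Count) {
    Write-Warning "Parsed $($rows.Count) rows, summary line reports '$declared'. Review the listing by hand."
}

# Identities that Windows cannot resolve or whose stored SID differs from Windows.
$stale = @($rows | Where-Object { -not $_.Exists -or -not $_.SidMatches })
if ($stale.Count -eq 0) {
    Write-Output 'All stored identities exist in Windows and have matching SIDs.'
} else {
    Write-Warning "$($stale.Count) stored identities need attention:"
    $stale | Format-Table -AutoSize
}
```

With the constructed listing, the script reports Contoso1\hholt as the only entry needing attention.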
The following example shows how to change the SIDs for all accounts in Team Foundation Server from the Contoso1 domain to the SIDs for accounts that have matching names in the ContosoPrime domain. Only account names that match will have their SIDs updated. For example, if the "hholt" account exists as Contoso1\hholt and ContosoPrime\hholt, the account SID will be changed to the SID for ContosoPrime\hholt. If the "ContosoPrime\hholt" account does not exist, the SID will not be updated for Contoso1\hholt.
TFSConfig Identities /change /fromdomain:Contoso1 /todomain:ContosoPrime
The following example shows how to change the account for a single user account, Contoso1\hholt, to the account for another user account, ContosoPrime\jpeoples.
TFSConfig Identities /change /fromdomain:Contoso1 /todomain:ContosoPrime /account:hholt /toaccount:jpeoples
The following example shows how to change the SID of the "NT AUTHORITY\NETWORK SERVICE" service account that is used in the deployment of Team Foundation Server when changing the domain of the deployment from Contoso1 to ContosoPrime. To change a system account such as Network Service, you must follow a two-stage process. You first change the service account from NT AUTHORITY\NETWORK SERVICE to a domain account in the new domain (TempSVC), and then you change the account back to NETWORK SERVICE on the server in the new domain. The configuration database is hosted on the server that is named "ContosoMain" on the named instance "TeamDatabases" in SQL Server.
TFSConfig Identities /change /fromdomain:"NT AUTHORITY" /todomain:ContosoPrime /account:"NETWORK SERVICE" /toaccount:TempSVC /SQLInstance:ContosoMain\TeamDatabases /DatabaseName:TFS_ConfigurationDB
TFSConfig Identities /change /fromdomain:ContosoPrime /todomain:"NT AUTHORITY" /account:TempSVC /toaccount:"NETWORK SERVICE"
See Also
Concepts
Service accounts and dependencies in Team Foundation Server