Wednesday, December 05, 2007

Changing the Team Foundation Server Services Accounts Users and Users’ Credentials

Important Note:

To perform this procedure, you must be a member of the Administrators group on the Team Foundation application-tier server, a member of the SQL Server Administrator group on the Team Foundation data-tier server, and a member of the Domain Administrators group in Active Directory (if you are running Team Foundation Server in an Active Directory domain). For more information about permissions

While installing Team Foundation Server, there are a couple of user accounts that you need to tell the installer about: the Team Foundation Server service account, which Microsoft usually refers to as the TFSService account, and the Reporting Services service account. These accounts are used by the nine main services of the TFS AT (Application Tier) as well as the TFS DT (Data Tier) to perform all TFS activities.

Sometimes you need to update the passwords of these service accounts, or replace the accounts themselves, for operational reasons. This article explains how to do that.

You can replace the Team Foundation Server service account that you specified when you installed Team Foundation Server (referred to as the TFSService account) with another account, such as domain\TFSSVC. To make this change, use the TFSAdminUtil utility with the ChangeAccount argument. This tool updates Team Foundation servers by replacing the old service account information with the new information. You must also make sure that the new service account has the Log on as a service permission. If you change the Reporting Services service account, you must also update the credentials for the Reporting Service data sources after you run TfsAdminUtil ChangeAccount. Finally, you must change the msiproperty.ini file to reflect the new service account name for the Team Foundation Server service account and the Reporting Services service account.

What is TFSAdminUtil?

TFSAdminUtil is one of the command-line tools that come with TFS. It is used to register new service accounts or to change a service account's password. You will usually find it under the following relative path:

%programfiles%\Microsoft Visual Studio 2005 Team Foundation Server\Tools

If you accepted the default path while installing TFS, you will find it at the following exact path:

C:\Program Files\Microsoft Visual Studio 2005 Team Foundation Server\Tools

What is important to note here is that this tool only makes TFS aware of the new service account credentials (a completely new account, or a changed password); it cannot change the password of the current account or create a new account by itself. You have to do that with the regular Windows tools and then use TFSAdminUtil to make TFS aware of the updates.

TFSAdminUtil can be scripted to allow for automated updates.

How does it work?

In general, when you update the account credentials, you have to update them in TFS as well as in Reporting Services on the Application Tier. Updating the credentials in TFS is done with TFSAdminUtil, while updating the same account's credentials in SQL Server Reporting Services should be done through the Reporting Services interface itself.

a- Create your new account.
b- Grant this account the Log on as a service permission.
c- Use the TFSAdminUtil command-line tool to update TFS with the new account credentials.
d- If you have configured e-mail alerts, you must manually edit the web.config file and change the value of emailNotificationFromAddress from the old service account's e-mail address to the new service account's e-mail address. For more information,
e- Update the service account credentials in Reporting Services, then update the account credentials of the Reporting Services data sources (both TfsReportDS and TfsOlapReportDS). For more details, please read my related article: Changing the Team Foundation Server Report Service Account
f- In all cases, you need to update the installer's configuration file, msiproperty.ini. This helps the installer keep track of the service account updates if it later needs to install extra features that are not currently installed.

To change the msiproperty.ini file
Open a text-based editor, such as Notepad. To start Notepad, click Start, click Run, type Notepad, and then click OK.

Open the msiproperty.ini file in the text-based editor. The default path for the msiproperty.ini file is %programfiles%\Microsoft Visual Studio 2005 Team Foundation Server\Microsoft Visual Studio 2005 Team Foundation Server (databases).

In the msiproperty.ini file, make the following changes:

If you have changed the TFSService account, change the value of the following property to the new name of the account:


If you have changed the TFSReports account, change the value of the following property to the new name of the account:


Save the file and close the text-based editor.
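
Step b above requires the new service account to hold the Log on as a service permission before TFS is switched over to it. The following PowerShell check is an added example, not part of the original article or of the TFS tooling: it exports the local user-rights policy with secedit and reports whether the account is assigned SeServiceLogonRight. The function name Test-ServiceLogonRight is hypothetical, and domain\TFSSVC is the example account name used earlier in this article.

```powershell
# Added example: checks whether an account is directly assigned
# "Log on as a service" (SeServiceLogonRight). Run from an elevated prompt.
# Rights inherited only through group membership are not detected.
function Test-ServiceLogonRight {
    param([Parameter(Mandatory = $true)][string]$Account)

    # Resolve the account to its SID; this throws if the account does not exist.
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # Export only the user-rights area of the security policy to a temp file.
    $cfg = Join-Path $env:TEMP ("userrights-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE)." }

        # Line format: SeServiceLogonRight = *S-1-5-20,*S-1-5-21-...,SomeName
        $line = Get-Content $cfg | Where-Object { $_ -match '^\s*SeServiceLogonRight\s*=' }
        if (-not $line) { return $false }   # right is not assigned to anyone

        $entries = ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() }
        foreach ($entry in $entries) {
            if ($entry.StartsWith('*')) {
                # A leading '*' marks a raw SID.
                if ($entry.Substring(1) -eq $sid) { return $true }
            } else {
                # Unprefixed entries are account names; resolve and compare SIDs.
                try {
                    $n = New-Object System.Security.Principal.NTAccount($entry)
                    $s = $n.Translate([System.Security.Principal.SecurityIdentifier]).Value
                    if ($s -eq $sid) { return $true }
                } catch { }   # name could not be resolved: skip it
            }
        }
        return $false
    }
    finally {
        # The export lists who holds which rights; do not leave it behind.
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

# Usage, with the example account name from this article:
# Test-ServiceLogonRight -Account 'domain\TFSSVC'
```

Run it on the application-tier server before step c; a result of False means the account has no direct assignment and step b still needs to be completed or confirmed through group membership.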
