
Rename security groups in Active Directory - Will it affect TFS?


We need to rename some of our security groups in Active Directory. We use these groups to grant privileges to users who use TFS on some projects/folders etc.

Is it going to affect the permissions and privileges in TFS? Will I need to fix it in TFS?




3 Answers Found


Answer 1

Renaming AD objects won't affect the structure in TFS; the names will change accordingly.


Answer 2

Hi Demix,

TFS records the SIDs of the groups in AD; no matter how the account name changes, its SID remains the same. TFS synchronizes with AD based on the SID. So if you rename the groups in AD, it will not affect the permissions in TFS.

For more information about synchronization, you can refer to http://support.microsoft.com/kb/906951

Hope it helps!

Cathy Kong
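
The SID-based behaviour described in Answer 2 can be checked on the AD side before and after a rename. The following PowerShell is an added example, not part of the original answers; it assumes the ActiveDirectory (RSAT) module is installed, and the function name and group names are constructed placeholders.

```powershell
# Added example: function and group names are constructed placeholders.
Import-Module ActiveDirectory

function Rename-GroupKeepingSid {
    param(
        [Parameter(Mandatory)] [string] $OldName,   # current sAMAccountName
        [Parameter(Mandatory)] [string] $NewName
    )

    # Capture the identifiers that must survive the rename.
    $before = Get-ADGroup -Identity $OldName

    # A group carries its name in several attributes. Change them together so
    # tools that read different attributes do not show a mix of old and new.
    Set-ADGroup -Identity $before -SamAccountName $NewName -DisplayName $NewName
    Rename-ADObject -Identity $before -NewName $NewName   # changes CN and DN

    # Re-read by objectGUID, which is also unaffected by the rename.
    $after = Get-ADGroup -Identity $before.ObjectGUID

    if ($after.SID.Value -ne $before.SID.Value) {
        throw "SID changed: this is not the same object, so permissions granted to the old SID no longer apply."
    }

    # Report what changed (names) and what did not (SID).
    [pscustomobject]@{
        SID    = $after.SID.Value
        OldSam = $before.SamAccountName
        NewSam = $after.SamAccountName
        OldDN  = $before.DistinguishedName
        NewDN  = $after.DistinguishedName
    }
}

Rename-GroupKeepingSid -OldName 'GL-Example-Old' -NewName 'GL-Example-New'
```

Deleting a group and creating a new one under the new name yields a different SID, which is the case the check guards against.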



Answer 3

My company is in the process of renaming groups in AD that are used in TFS.

The structure we are using is based on AGDLP and we have TFS groups that map to the AGDLP groups.

For example:

Contributor -> DL-TFSServer-<Team>-Contributor -> GL-TFSServer-<Team>-Contributor -> user(s)

When the DL and GL groups were changed I noticed the following.

When I access the TFS group (i.e. Contributor) through security groups:

DL group was changed correctly
GL group showed old value, not new value in TFS
Members are still correct

Group name is not updated at all (site settings -> advanced permissions)

Reporting Services
Names seem to be updated correctly

It does not appear to break anything but it will become confusing if someone is reviewing the groups.

Has anyone else noticed this...if so how have you handled it...





I have a set of sales data arranged into territories. There will be multiple sales people and managers looking at the report, so my aim is to be able to filter the dataset based on the user's group membership in Active Directory.

I tried creating a function in the report's custom code to check whether they belong to that group or not. I thought this worked before but it doesn't seem to be the case. I don't have the code in front of me now but off the top of my head it is like below:

Public Function IsUserInRole(ByVal RoleName As String) As Boolean
  ' Function name is a placeholder; the post omitted it.
  If My.User.IsInRole(RoleName) Then
    Return True
  Else
    Return False
  End If
End Function

I created a test Windows Forms application in Visual Studio 2008 and it works fine. I am unsure why this doesn't work in the report.

Does anyone have any idea how I can achieve this?


How can we schedule at different times, the general sync of AD users as Project Server users (Team Members) then a specific sync between an AD Group and a Project Server security Group such as Project Manager?


OK, the SQL Server service is running under a domain account, and I am able to add individual users, just not a security group. Does anyone have any thoughts as to why?


If a login has sysadmin on the server and its containing group has only public, which one will override?

Can the user access the server as sysadmin irrespective of his owning group, or does the group have the final role, which is public, and prevent the user from being sysadmin?

Thank you


Over the weekend we deployed some Microsoft security updates to all the servers in the shop.
This forced the restart of all hosts including the domain controllers at various times.
Today, all Active Directory groups have been removed from TFS.
Is it typical behavior that TFS would do this if it cannot connect to the domain to get authorized users?
The only relevant error I see is this.

Detailed Message: TF200035: One or more errors occurred when Team Foundation Server attempted to synchronize with the following Active Directory identity: Administrators. Number of errors that occurred: 3.

An error occurred when synchronizing the following Active Directory identity: *********. Exception message: Logon failure: unknown user name or bad password.

An error occurred when synchronizing the following Active Directory identity: *********. Exception message: Logon failure: unknown user name or bad password.

An error occurred when synchronizing the following Active Directory identity: **********. Exception message: Logon failure: unknown user name or bad password.




Can somebody provide me with a book reference, webpage or literature where I can read how to implement integrated security and form-based security in a .NET Windows application?

Things like: how to do it, best practices, advantages and disadvantages of both approaches, samples.

Best regards.


Scenario: when Active Directory is on Windows Server 2008 32-bit on a virtual box and SharePoint 2010 is on Windows Server 2008 64-bit on a 64-bit desktop machine ...?



Can someone point me to an article or blog that discusses the pros and cons of setting groups (owner, full control, contributor, read only) in Active Directory versus just connecting MOSS 2007 to the AD and building the groups directly in MOSS? MOSS 2007 only. Is there any functionality that is lost by building the groups in AD and adding people there rather than building groups in MOSS and adding people there?



Is it possible to programmatically add an Active Directory Distribution Group as an Office Communicator Group with the Automation API?

Thanks in advance!



I am preparing to move a workgroup TFS to an Active Directory domain TFS, which is also on new hardware.

I've read the reference info in MSDN about Team Foundation Server Move Types.

Here it is


Unfortunately, I didn't find an appropriate way for moving a workgroup TFS to an Active Directory Domain TFS which is also a new physical server.

Here is my situation.

1. The original server is a workgroup server A (TFS2010)

2. The new server is an Active Directory domain server B (TFS2010)

3. B is a different physical server from A

4. The user accounts and passwords in A are totally different from B

Can this case be done?

If TFS2010 Move Types can't support this case, is there a way to move takes in work items and histories of version control in the original TFS to the new one?

By the way, just moving the source as it is at present is easy to implement. I also want to move the history of version control.

Thanks a lot



I want to rename some security groups. Easy, right? So, what's my dilemma?

I can easily rename the group.

For the sites that inherit, the group name is automatically updated.

For the sites that do not inherit, the group name is automatically updated.

For code we have, the change should be trivial.

For Audience Targeting, the group name becomes underscored with the red squiggly lines.

I have a feeling that I will need to check and replace Audience Targeting on web parts and navigation (no folders in use for the affected sites). Am I missing something else?

Anybody have a less time-consuming idea?




Hi everyone. I have just started to work on Active Directory. I am new to this AD concept. I have a series of questions; moreover, these things are confusing me a lot.

In the user properties of Active Directory there is a Security tab. Can anyone explain how that Security tab works?

I mean,

1) If I assign an allow permission in group1 and a deny permission in group2, and make user1 a member of these two groups (group1 and group2), what will be the result?

2) What does the Advanced tab mean? If I open the Advanced tab there are a lot of group names with the words allow and deny. What does it mean?

3) What do these groups tell us? Are they all the member of the user, or are they just available for all users?

4) If the term SELF denotes the property of the same object, why is it possible that we can add the same group once again to that list? Actually, what does this list infer?

5) Finally, that Edit option. This alone makes me feel very frustrated. :( What does it all mean?


Can anyone please explain these things? Please help me get this clear.




While installing Microsoft Forefront Server Security on a standalone Windows 2003 server; it is connected with a domain controller, the user has administrative privileges, IIS 6.0, ASP.NET 2.0, Message Queue triggers.


The error it shows:


Microsoft Forefront Server Security Management Console -- Error 1001. The installation failed, and the rollback has been performed. --> Current security context is not associated with an Active Directory domain or forest., (NULL), (NULL), (NULL).



Please, can anyone help with this issue?



Rahman Khan



I need to update Active Directory properties (attributes) such as title, mail, sn, passwordQuestion and passwordAnswer through a console application.

DirectoryEntry.Properties["passwordQuestion"].Value = "What is your Favorite Color?";
DirectoryEntry.Properties["passwordAnswer"].Value = "green";

After updating, I checked the attributes in Active Directory. All is fine.

The "password answer" is saved as plain text.

After logging into the ASP.NET portal with the user's credentials, it works fine. After logging out, when I click the forgot password link, it asks for the email address, then displays the security password question, and the security password answer needs to be entered.

When I enter the security password answer in the text box and click submit, it throws the error:

Invalid length for a Base-64 char array. Exception Stack Trace: at System.Convert.FromBase64String(String s) at System.Web.Security.ActiveDirectoryMembershipProvider.Decrypt(String encryptedString) at System.Web.Security.ActiveDirectoryMembershipProvider.ResetPassword(String username, String passwordAnswer) at System.Web.Security.MembershipUser.ResetPassword(String passwordAnswer) at


But when I update the passwordQuestion and passwordAnswer through the web application (portal), the "passwordAnswer" is saved as an encrypted value.

membershipUser.ChangePasswordQuestionAndAnswer("password", "What is your Favorite Color?", "green");

The encrypted value is "c6iK2b4kYx+vjORFbeOKPZK9Guv2V5fhLDkXbQsFX/A="

When I go to the forgot password link, it asks for the email, then displays the security password question, and the security password answer needs to be entered.

When I enter the security password in the field, it sends the temporary password to the user's mail and it works fine.

My question is: why, when updating the attributes from the console application, is the security password saved as plain text, but through the web portal it is saved in encrypted format?

Please help us: how can we get the security password in encrypted format through the console application, equal to the web portal's encrypted format?

Does it follow any algorithm or hash technique?

Please help me ... it's urgent


I am currently having problems with getting Active Directory groups to work with SharePoint and the Reporting Services Add-in. We have our SQL 2008 database, SharePoint Central Admin (SharePoint Services 3.0), and Reporting Services running on one machine in 64 bit and then our web front end on a separate machine. Both belong to the same domain, which is where the Active Directory is pulling from. On the database side of things, both the individual users and the AD group have permission to the database we are trying to access.

Our users are able to log in and see the SharePoint site regardless of the following problem, so it appears to be an issue with the Reporting Services add-in. In Central Administration, when we add users, if we use the Active Directory group then none of the users belonging to that group can access the report. All that displays is "The permissions granted to user 'DOMAIN\username' are insufficient for performing this operation. (rsAccessDenied)" and an error icon. However, if I add each user from the exact same domain individually to the list with the exact same permission level they can clearly see and run the report. Has anyone had this issue before?

Any help would be greatly appreciated, thank you in advance!

Hi All, Can anybody help me out how to fetch all Groups and all Users from Windows Active Directory? I am developing Windows C# .Net Application. Thnx, Alex

SharePoint Server 2010 Enterprise RTM. W2K8R2 w/multi-server setup:

AD/DNS
SQL 2008
WFE
APP
Claims Mode Web App only using Windows Integrated Auth

So, this was never a problem in 2007, and I didn't even realize it was a problem in 2010 until I started to build a solution that utilized my blog article: InfoPath - User Roles in Browser-Enabled Forms Using AD Groups.  I went to utilize the same web method of the same web service, but I noticed that no data was showing up at all.  Typically, the GetUserMembership/GetCommonMembership methods return the specified user's memberships: AD Security Groups, AD Distribution Lists, and SharePoint Sites (not SharePoint Groups, though).

My user profile sync is working. All AD users are pulled in with the proper profile data.
"Users and Groups" is selected in the Synchronization Entities section of my Sync Settings.
Security groups are working for permissions and audience targeting. Confirmed my users are affected properly by the use of Security Groups.
My query to the GetUserMemberships web method (and GetCommonMemberships) is running (not failing), but it's not returning anything even though my user is in some Security Groups and has explicit membership to multiple sites.
The GetUserProfileByName method of the same UserProfileService.asmx web service returns all the regular profile data like expected, so the web service works and my profile database is populated.

Basically, I'm not seeing my AD groups or any membership data populated in the profile database.  I did use MIISCLIENT.exe to see what I could find, and here is what I saw:

Using the Metaverse Search, I searched for the "person" type and saw all of the users in my profile sync connection (single OU).
Using the same tool, I searched for the "group" type and saw nothing, but the message said 4 items were retrieved.
I realized that the only column showing was displayName, and they were blank, so I added other columns to be sure.
objectGUID, objectType, distinguishedName all showed values, and I could now see all the Security Groups from the OU where I'm doing my profile sync.
My "person" objects all have displayNames showing but none of the groups do. In SharePoint, the GetUserMemberships method relies on displayName and accountName, but neither are coming through the profile import.

So, it does seem like the groups are coming in with the profile import, but I can't see them.  I also can't verify that the groups are being associated with my users in the profile database, because doing a query to the membership methods returns nothing...not even blank rows.


I have an Active Directory group departname and have added create a aspx departname1. I created a navigation menu item depart. I need to restrict the navigation menu for the users in the department.

I don't want to use SharePoint groups. Is there a workaround?

Thanks guys in advance.




I am not a sharepoint expert by any means. We had a consultant set this up for us and they haven't provided good ongoing support.

We have a single domain, all servers on same local network with local domain controllers. Sharepoint Server runs Windows 2003; Local Domain Controller is Win Server 2008.

Sharepoint version is 2007 with MOSS. We have SSP set up.

We have over 300 staff people. All staff people don't show up in Sharepoint's "People and Groups: All People". I have tried importing via ssp about 20 times.

We use the popular plugin for service requests. It uses People Picker. If someone who is not in All People submits a service request, their name DOES appear. However, we have workflows set up to send emails, and the workflows won't work if the person isn't in All People.

Picking their name puts them into All People, but the first time, no emails are sent from their request.

So, either, I need help getting everyone into All People programmatically OR

I need the workflows to work even if a user isn't in All People.

(note that in All People I am able to go into Add New and add people, but do I really have to do this for all 300 staff?)

thanks very much in advance.

Julie VanDore


I have an additional requirement for the Employee Directory I have created to pull all the records from the People – Jacksonville/Rockford folders (shown below). I have been trying to find examples on the Internet and not having a lot of success in using the ones I have. I feel I must not have the syntax right. I have created a web part using Visual Studio 2010 using System.DirectoryServices to access Active Directory. My web part is being used in SharePoint and all is working fine except for the additional requirement.

I am only retrieving records that are of type “user” (searchString = "(&(ObjectClass=user)(ObjectCategory=person)" + searchString + ")"). But now I need to also limit the search to just the People – Jacksonville/Rockford containers and that is where I am having difficulty. I have tried code similar to this but it is not working. Can anyone help me get the syntax correct?

searchString = "(&(ObjectClass=user)(ObjectCategory=person)(CN=Jacksonville,CN=People,DC=dev,DC=landstar,DC=com)" + searchString + ")";

Thanks, Patrica

This is what the structure of our Active Directory looks like.

Active Directory Users and Computers [abc123.dev.land.com]
_ dev.landstar.com
+ Groups
+ Machines
- People
  - Jacksonville
       + LLM
  - NLM
  - Rockford

