Special Types
There are three special types of Team Foundation Server application groups: administrative groups, service account groups, and Team Foundation valid user groups.
Administrative Groups
These application groups have implicit irrevocable rights associated with them. The application automatically creates them. The user cannot delete them. For more information, see Permissions.
There is one administrative group per Team Foundation Server and one administrative group per team project. You cannot add these groups manually. The former is created at setup time, while the latter is created at the same time as the project. The Windows user who creates the project is added to the group automatically (this initial user can be removed later).
Service Accounts
Service account groups are also created at setup time and cannot be deleted. There is always one service application group named Service Accounts per Team Foundation Server. You cannot add these groups manually.
Team Foundation Valid Users
The Team Foundation Valid Users is a special type of Team Foundation Server-scoped application group. It is pre-created at setup time and cannot be deleted. It cannot be created manually. It contains all other application groups on the Team Foundation Server. Therefore, it contains—both directly or indirectly—all identities registered to the Team Foundation Server. Its members are maintained dynamically and cannot be modified by the user.
The Team Foundation Valid Users group also contains all of the Windows users and groups that are referenced in an ACL.