How to: Update the Security Identifier (SID) of the Service Account for Team Foundation Server

Functions that require a valid service account for Visual Studio Team System Team Foundation Server might fail if the security identifier (SID) for the account is not valid. You must update the SID of the account after you restore data to a server that has had Team Foundation Server reinstalled, unless you used a domain account for the service account and the domain did not change. When you reinstall Team Foundation Server, the SID for the service account changes. However, the change cannot be propagated to the restored data, and if you used a system account (such as Network Service) or a local account as the service account, the current SID will differ from the SID that is recorded in the data. To update the SID so that it matches what is recorded in the data, you must delete the login object for that account in SQL Server and then use the TFSAdminUtil command to update the service account.

Required Permissions

To perform these procedures, you must be a member of the sysadmin security group for SQL Server on the data-tier server for Team Foundation. You must also be a member of the Team Foundation Administrators group on the application-tier server. For more information, see Team Foundation Server Permissions.

To delete the SQL Server login of the service account for Team Foundation Server

  1. Log on to the data-tier server for Team Foundation.

  2. Click Start, point to All Programs, point to Microsoft SQL Server, and then click SQL Server Management Studio.

    The Connect to Server dialog box opens.

  3. In Server type, click Database Engine.

  4. In Server name, click or type the name of the data-tier server and database instance, and then click Connect.


    If SQL Server is installed on a cluster, the server name is the name of the cluster and not the computer name.

    SQL Server Management Studio opens.

  5. In Object Explorer, expand Security, and then click Logins.

  6. In Object Explorer Details, right-click the login for the service account, and then click Delete.

  7. In the Delete Object dialog box, click OK.

  8. At the prompt that appears before you delete a server login, click OK.

To update the SID of the service account for Team Foundation Server

  1. Log on to the application-tier server for Team Foundation.

  2. On the Start menu, open the Command Prompt window, and change directories to the Tools directory for Team Foundation.

    For example, type the following command:

    cd Drive**:\Program Files\Microsoft Visual Studio 2008 Team Foundation Server\Tools**


    Even if you are logged on with administrative credentials, you must open an elevated Command Prompt to perform this function on a server that is running Windows Server 2008. To open an elevated Command Prompt, click Start, right-click Command Prompt, and click Run as administrator. For more information, see the Microsoft Web site.

  3. In the Command Prompt window, type the following command, and press ENTER:

    TFSAdminUtil ChangeAccount OldTFSSVC NewTFSSVC TFSPassword


    • OldTFSSVC is the name of the service account before you reformatted the computer.

    • NewTFSSVC is the name of the service account that you want to use.

    • TFSPassword is the password for the service account:


      To avoid possible permission issues, use the same service account for the restored deployment as the one for the previous deployment. If you want to use a different account from the previous deployment, complete this step using the old account and then complete the steps in How to: Change the Service Account or Password for Team Foundation Server.

See Also


How to: Restore Data for Team Foundation

How to: Move from a Single-Server to a Dual-Server Deployment

Other Resources

Managing Data