TFSSecurity Identity and Output Specifiers

The input and output for the TFSSecurity command-line utility follow a standard format. The tables later in this topic describe the valid identity specifiers you supply on the command line and the markers that appear in the command's output. These specifiers and markers apply to all of the TFSSecurity commands.


Note: Even if you are logged on with administrative credentials, you must open an elevated Command Prompt to run TFSSecurity.


The examples are for illustration only and are fictitious. No real association is intended or inferred.

Identity Specifiers

You can reference an identity by using one of the notations in the following table.

Identity specifier: sid:
Description: References the identity that has the specified security identifier (SID). The SID follows the colon.

Identity specifier: n:
Description: References the identity that has the specified name. For Windows, Name is the account name. If the referenced identity is in a domain, the domain name is required. For application groups, Name is the group display name, and Domain is the URI or GUID of the containing project. In this context, if Domain is omitted, the scope is assumed to be at the collection level.
Example: To reference the identity of the user "John Peoples" in the domain "Datum1" at the fictitious company "A. Datum Corporation," supply the domain-qualified account name after n:.
Example: To reference an application group by display name: n:"Full-time Employees"

Identity specifier: adm:
Description: References the administrative application group for the scope, such as "Team Foundation Administrators" at the server level or "Project Collection Administrators" at the collection level. The optional parameter Scope is a project URI or URL, including its GUID and connection string. If Scope is omitted, the server or collection scope is assumed, depending on whether the /server or /instance parameter is used. In either case, the colon is still required.
Example: adm: (no scope; resolves to the server-level or collection-level administrators group)

Identity specifier: srv:
Description: References the application group for service accounts.
Example: Not applicable

Identity specifier: all:
Description: References all groups and identities.
Example: Not applicable

Identity specifier: (unqualified string, no prefix)
Description: References an unqualified string. If String starts with S-1-, it is identified as a SID. If String starts with CN= or LDAP://, it is identified as a distinguished name. Otherwise, String is identified as a name. Because this is a plain prefix test, a name that happens to begin with S-1-, CN= or LDAP:// is misread; use the explicit n: form for such names.
Example: "Team testers"
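The following is an added example and is not code from the TFSSecurity documentation or from the tool itself. It parses identity specifiers into a structured form using the rules above: the sid:, n:, adm:, srv: and all: prefixes and the unqualified-string rules (S-1- means SID, CN= or LDAP:// means distinguished name, anything else is a name) are TFSSecurity's; the function names, the returned dictionary shape, the SID well-formedness check, the assumption that application-group names use the same Domain\Name separator as Windows accounts, and every sample input are assumptions of this example.

```python
"""Added example (not part of the TFSSecurity documentation): parse the
identity-specifier notation described on this page into a structured form.
Function names, return shapes, the SID regex and all sample inputs are
assumptions of this example, not behaviour documented for the tool."""
import re

# A well-formed SID: "S-1-<authority>" followed by one or more "-<subauthority>".
_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def classify_unqualified(s: str) -> str:
    """Classify a string that carries no prefix the way the page says the tool
    does: a bare prefix test, not a well-formedness test."""
    if s.startswith("S-1-"):
        return "sid"
    if s.startswith("CN=") or s.startswith("LDAP://"):
        return "dn"
    return "name"


def _split_domain(value: str) -> dict:
    """Split Domain\\Name. For Windows accounts Domain is the account domain; for
    application groups it is the project URI or GUID (the backslash separator for
    application groups is an assumption here). No domain means the collection
    scope is assumed, which the caller may want to flag."""
    domain, sep, name = value.rpartition("\\")
    if sep:
        return {"domain": domain, "value": name, "scope_assumed": False}
    return {"domain": None, "value": value, "scope_assumed": True}


def parse_identity(spec: str) -> dict:
    """Return a dict with 'kind' in {sid, name, dn, adm, srv, all} plus the
    fields that apply. A sid: payload that is not a well-formed SID raises
    ValueError so a typo is caught before it turns into an unknown identity."""
    s = spec.strip()
    if s.startswith("sid:"):
        value = s[len("sid:"):]
        if not _SID_RE.match(value):
            raise ValueError(f"sid: requires a well-formed SID, got {value!r}")
        return {"kind": "sid", "value": value}
    if s.startswith("n:"):
        # Display names containing spaces are quoted, e.g. n:"Full-time Employees".
        return {"kind": "name", **_split_domain(s[len("n:"):].strip('"'))}
    if s.startswith("adm:"):
        scope = s[len("adm:"):]
        # An empty scope means the server or collection level; the colon stays.
        return {"kind": "adm", "scope": scope or None, "scope_assumed": not scope}
    if s == "srv:":
        return {"kind": "srv"}
    if s == "all:":
        return {"kind": "all"}
    # No prefix: the unqualified-string rules decide.
    bare = s.strip('"')
    kind = classify_unqualified(bare)
    if kind == "sid":
        return {"kind": "sid", "value": bare}
    if kind == "dn":
        return {"kind": "dn", "value": bare}
    return {"kind": "name", **_split_domain(bare)}


def explicit(unqualified: str) -> str:
    """Rewrite an unqualified name or SID with an explicit prefix so it cannot be
    misread. A name such as "S-1-Team" starts with S-1- and would be taken for a
    SID by the prefix rule, so it is refused with a hint to write n:"S-1-Team".
    Distinguished names have no prefix on this page and are returned unchanged."""
    kind = classify_unqualified(unqualified)
    if kind == "sid":
        if not _SID_RE.match(unqualified):
            raise ValueError(
                f'{unqualified!r} starts with S-1- but is not a SID; write n:"{unqualified}"')
        return "sid:" + unqualified
    if kind == "dn":
        return unqualified
    quoted = f'"{unqualified}"' if " " in unqualified else unqualified
    return "n:" + quoted


if __name__ == "__main__":
    # Constructed sample specifiers; the domain, account and group names are made up.
    for sample in ('sid:S-1-5-21-100-200-300-1001', 'n:Datum1\\jdoe',
                   'n:"Full-time Employees"', 'adm:', 'srv:', 'all:',
                   '"Team testers"', 'CN=Testers,OU=Groups,DC=datum1,DC=example'):
        print(f"{sample:45} -> {parse_identity(sample)}")
    print(explicit("Team testers"), explicit("S-1-5-32-544"))
```

The scope_assumed flag is the practical point: an n: specifier without a domain, or adm: without a scope, silently resolves at the collection or server level, so a script that meant a project-level group should check the flag before granting anything.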

Type Markers

Identity Type Markers

The following table lists identity type markers that are used in output messages.

Identity type marker: u
Description: Windows user.

Identity type marker: g
Description: Windows group.

Identity type marker: a
Description: Team Foundation Server (TFS) application group.

Identity type marker: a [A]
Description: Administrative application group.

Identity type marker: s [A]
Description: Service account application group.

Identity type marker: i
Description: Identity is not valid.

Identity type marker: ?
Description: Identity is unknown.

Access Control Entry Markers

The following table lists access control entry markers that are used in output messages.

Access control entry marker: +
Description: ALLOW access control entry.

Access control entry marker: -
Description: DENY access control entry.

Access control entry marker: * []
Description: Inherited access control entry.

See Also

Other Resources

Change groups and permissions with TFSSecurity