Team Foundation Server Application Groups
Team Foundation Server application groups are at the heart of the Group Security Service. They are the containers for all users and groups. No user can connect to a Team Foundation Service without being a member, directly or indirectly, of some application group on the server.
Members
Application groups can contain Windows and Active Directory identities. For example, suppose a Windows user AdventureWorks\JAaberg is a member of the AD security group AdventureWorks Staff. In this case, AdventureWorks\JAaberg is a member of the Team Foundation Server application group Users if AdventureWorks Staff is a member of this group. The following list shows the supported members.
Other Team Foundation Server application groups
Any Active Directory object
Active Directory Security Groups (no other Active Directory container types)
Windows User on the Local Computer
Windows Group on the Local Computer
Name and SID
Every application group has a friendly name and an SID. The name can be changed later, but the SID is generated when the application group is first created. The SID can never be changed.
An application group name can contain any Unicode character except these:
\ / : * ? " < > | 0x09 (Horizontal Tab)
Application group SIDs are guaranteed to be unique on a Team Foundation Server.
Scope
Application groups can be scoped to a Team Foundation Server or a team project. Those scoped to a team project are not visible in other team projects on the server. Application group names are unique within their scope.