Managing and Resetting Service Accounts and Passwords

Artykuł
12/06/2010

Team Foundation Server includes several services and service accounts that run on either the server or servers hosting the logical Team Foundation data-tier, or the server hosting the logical Team Foundation application-tier, or both. Your actual services will vary. It depends on which features of Team Foundation you have installed on your data tier and application-tier servers. For example, if you have opted for a single-server setup, you will have both logical data-tier and application-tier services that run on the same physical server.

Although there are several service accounts used in Team Foundation Server, you can choose to use the same physical account for all of the service accounts. For example, you can use the same domain account as the account for both the Team Foundation Server service account (TFSSERVICE) and for the Reporting Services data sources account (TFSREPORTS). For clarity, each of the service accounts is referred to explicitly by its functional service placeholder name. However, TFSSERVICE and TFSREPORTS have slightly different permission requirements. TFSSERVICE must have the Log on as a service permission. TFSREPORTS must have the Allow log on locally permission. If you use the same account for both, that account must have both of these permissions.

If you have deployed Team Foundation Server in an Active Directory domain, you should set the Account is sensitive and cannot be delegated option for service accounts. For example, in the following table, you should set that option for the Team Foundation Server service account TFSService. For more information about required service accounts and placeholder names used in Team Foundation Server documentation, see the topic "User Accounts Required for Installation" in the Team Foundation Installation Guide. For more information about the installation guide, see Installation Overview for Team Foundation Server. For more information about how to restrict account delegation in Active Directory, see the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=61995).

Service name	Service account	Logical Tier
Code Coverage Service	TFSService, which can be a local account, a domain account, Local Service in a workgroup, or Network Service in a domain	application tier
Team Foundation Server Web Services	TFSService	application tier
Report Server (MSSQLSERVER or InstanceName if using a named instance)	Network Service or a domain account	application tier
Report Web Service	Local System, Network Service, or a domain account	application tier
SharePoint Services	Domain account	application tier
Team Build Service (if Team Foundation Build is installed)	TFSBuild	build computer
TFS Server Scheduler	TFSService	application tier
Analysis Server (MSSQLSERVER or InstanceName if using a named instance)	Local System or a domain account	data tier
SQL Server Agent	Local System or a domain account	data tier
SQL Browser	Local System or a domain account	data tier
SQL Server	Local System or a domain account	data tier

For more information about service accounts for SQL Server, see the SQL Server Books Online on the Microsoft Web site. For more information about service accounts in Team Foundation, download the installation guide for Team Foundation from the Microsoft Web site.

Note

If you change the service account for Team Build Service, you must make sure that the account is a member of the Build Services group, and that the account has read/write permissions to the temporary folders and the ASP.NET temporary folder. Similarly, if you change the service account for the Team Foundation Server Proxy service, you must make sure that the account is a member of the appropriate groups. For more information, see Setting up a Build Computer and How to: Configure Cache Security for Team Foundation Server Proxy.

Udostępnij za pośrednictwem

Managing and Resetting Service Accounts and Passwords

See Also

Tasks

Other Resources

Dodatkowe zasoby