TFSSecurity Identity and Output Specifiers
The input and output for the TFSSecurity command-line utility follow a standard format. The valid identity and output specifiers are described in the following tables.
Note
Even if you are logged on with administrative credentials, you must open an elevated Command Prompt to perform this function on a server that is running Windows Server 2008. To open an elevated Command Prompt, click Start, right-click Command Prompt, and click Run as Administrator. For more information, see the Microsoft Web site.
Identity Specifiers
An identity can be referenced by one of the following notations.
Identity specifier | Description | Example |
---|---|---|
sid:sid | References the identity with the specified SID. | sid:S-1-5-21-2127521184-1604012920-1887927527-588340 |
n:[domain\]name | References the identity with the specified name. For Windows, name is the logon name. If domain is omitted and global catalog (GC) is available, the lookup operation will be performed by GC. If domain is omitted and GC is not available, the default domain context is used. For application groups, name is the group display name and domain is the containing project's URI or GUID. If domain is omitted, the global scope is assumed. | To reference the identity of the user "John Peoples" in the domain "Datum1" at the fictitious company "A. Datum Corporation": n:DATUM1\jpeoples. If there is only one domain, or you are logged into the Datum1 domain, the following would work as well: n:jpeoples. To reference application groups: n:"Full-time Employees" or n:00a10d23-7d45-4439-981b-d3b3e0b0b1ee\Vendors |
dn:dn | References the identity with the specified distinguished name. The distinguished name can be prefixed by LDAP://. | dn:CN=John Peoples,CN=Users,DC=Datum1,DC=com or dn:LDAP://CN=Developers,OU=Groups,DC=Datum1,DC=com |
adm:[scope] | References the administrative application group for the scope. The optional parameter scope is a project URI or GUID. If scope is omitted, the global scope is assumed, but the colon is still required. | adm:Team Foundation Administrators |
srv: | References the service application group. | NA |
string | References an unqualified string. If string starts with S-1-, it is identified as a SID. If string starts with CN= or LDAP://, it is identified as a distinguished name. Otherwise, string is identified as a name. | "Team testers" |
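The specifier rules above, including the fallback for unqualified strings, can be applied before an identity is passed to the tool from an audit or provisioning script. The following is an added example, not part of the TFSSecurity documentation or tooling: `parse_identity`, `Identity` and the SID shape check are hypothetical, and the administrative-group prefix is taken as `adm:`, the form the tool accepts.

```python
import re
from typing import NamedTuple, Optional

# Assumption: a well-formed SID is S-1-<authority>-<subauthority>...
SID_RE = re.compile(r"S-1-\d+(-\d+)+")
PREFIXES = {"sid", "n", "dn", "adm", "srv"}

class Identity(NamedTuple):
    kind: str             # sid | name | dn | admin_group | service_group
    value: str            # SID, name or distinguished name ("" for groups)
    scope: Optional[str]  # domain, project URI or GUID; None = default/global

def _unquote(s: str) -> str:
    s = s.strip()
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s

def parse_identity(spec: str) -> Identity:
    """Classify one identity specifier according to the table above."""
    s = _unquote(spec)
    prefix, sep, rest = s.partition(":")
    if not sep or prefix not in PREFIXES:
        # Unqualified string: S-1- => SID, CN= or LDAP:// => DN, else a name.
        rest = s
        if s.startswith("S-1-"):
            prefix = "sid"
        elif s.startswith(("CN=", "LDAP://")):
            prefix = "dn"
        else:
            prefix = "n"
    rest = _unquote(rest)
    if prefix == "sid":
        if not SID_RE.fullmatch(rest):
            raise ValueError(f"malformed SID: {rest!r}")
        return Identity("sid", rest, None)
    if prefix == "dn":
        dn = rest[len("LDAP://"):] if rest.startswith("LDAP://") else rest
        return Identity("dn", dn, None)
    if prefix == "adm":
        return Identity("admin_group", "", rest or None)  # colon required, scope optional
    if prefix == "srv":
        if rest:
            raise ValueError("srv: takes no argument")
        return Identity("service_group", "", None)
    domain, _, name = rest.rpartition("\\")  # n:[domain\]name
    name = _unquote(name)
    if not name:
        raise ValueError(f"empty name in {spec!r}")
    return Identity("name", name, domain or None)

if __name__ == "__main__":
    # Sample inputs are the examples from the table above.
    for spec in (r"n:DATUM1\jpeoples", 'n:"Full-time Employees"', '"Team testers"'):
        print(spec, "->", parse_identity(spec))
```

Rejecting a string that starts with S-1- but is not a well-formed SID keeps a typo from being sent to the tool as if it were a valid identity.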
Type Markers
Identity Type Markers
The following identity type markers are used in output messages.
Identity type marker | Description |
---|---|
U | Windows user. |
G | Windows group. |
A | Team Foundation Server application group. |
a [A] | Administrative application group. |
s [A] | Service application group. |
X | Invalid identity. |
? | Unknown identity. |
Access Control Entry Markers
The following access control entry markers are used in output messages.
Access control entry marker | Description |
---|---|
+ | ALLOW access control entry. |
- | DENY access control entry. |
* [] | Inherited access control entry. |