Tuesday, June 12, 2007

Should you use Active Directory Groups or Users when managing users in TFS?

June 2007 - One decision you'll have to make when implementing TFS is whether to use Active Directory Groups or Active Directory Users when setting up users in TFS. Both approaches have advantages and disadvantages, and I'll discuss them below.

Active Directory (AD) Groups - AD groups are typically set up and managed by system administrators, or set up by system administrators and managed by help desks. Though I've never used the AD tooling to manage users, I can't imagine it being more difficult than how you manage users in TFS. Remember, TFS permissions must be managed in TFS, SharePoint, and Reporting Services. Although the TFS Administration Tool makes things easier, even it can be unbearable at times. We're hopeful Microsoft will produce a more robust administrative tool for TFS in the near future. In the meantime, when using AD Groups all you do is add the group once in each Team Project and you're done messing with TFS administration.

AD groups also offload the administrative process of adding and removing users from TFS. As a development team, we have little interest in adding and removing users all day. We're paid to develop software, not manage users.

Active Directory (AD) Users - Users give you a bit more control. Unlike with AD Groups, you get to control who is added to your TFS Team Projects and who is not. No need to worry about the help desk adding a third-party consultant to the wrong AD group and thus giving away your intellectual capital to someone who should not see it. You also have more flexibility in which TFS groups you assign users to. For example, we have a Testing TFS group in each of our Team Projects. Using AD Users, we can add the specific testers to the specific Testing groups in their respective Team Projects. If we used AD Groups, we'd need one AD Group for each Testing group in each Team Project. If you use a number of TFS Groups, you can create quite a mess.

Using AD Users also helps when troubleshooting rights. At our company, finding out who is part of what AD Group involves a call to the help desk and a 2-4 hour turnaround. If a user is having issues getting access to something, or is getting too much access to something, it can be very difficult to find out why. If you use AD Users, you can see what permissions that specific user has.
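The troubleshooting problem above (working out who reaches a TFS group, and through which AD group) can be scripted as an access review. This is an added example, not code from the original post: it expands nested AD groups and reports anyone outside an approved list along with the membership path that grants the access. All group names, user names, and the approved list are constructed sample data standing in for an AD export and a TFS group listing.

```python
from collections import deque

# Constructed sample data (assumption): AD group -> direct members.
AD_GROUPS = {
    "Testers": ["alice", "QA-Contractors"],
    "QA-Contractors": ["bob", "vendor-carol"],
    "Developers": ["dave", "Testers"],
}
# Constructed: (Team Project, TFS group) -> principals added directly in TFS.
TFS_GROUPS = {
    ("ProjectA", "Testing"): ["Testers"],
    ("ProjectA", "Contributors"): ["dave", "Developers"],
}
# Constructed: who the team intends to have access.
APPROVED = {
    ("ProjectA", "Testing"): {"alice", "bob"},
    ("ProjectA", "Contributors"): {"dave"},
}

def effective_members(direct, ad_groups):
    """Expand nested AD groups; return {user: membership path granting access}."""
    paths, seen = {}, set()
    queue = deque((m, [m]) for m in direct)
    while queue:
        principal, path = queue.popleft()
        if principal in seen:
            continue  # already resolved; also guards against cyclic nesting
        seen.add(principal)
        if principal in ad_groups:  # a group: descend into its members
            for child in ad_groups[principal]:
                queue.append((child, path + [child]))
        else:                       # a user: record the shortest path found
            paths[principal] = path
    return paths

def audit(tfs_groups, ad_groups, approved):
    """Return (project, tfs_group, user, path) for every unapproved user."""
    findings = []
    for key, direct in sorted(tfs_groups.items()):
        for user, path in sorted(effective_members(direct, ad_groups).items()):
            if user not in approved.get(key, set()):
                findings.append((*key, user, " -> ".join(path)))
    return findings

if __name__ == "__main__":
    for project, group, user, path in audit(TFS_GROUPS, AD_GROUPS, APPROVED):
        print(f"{project}/{group}: unapproved {user} via {path}")
```

With the sample data, nesting Testers inside Developers quietly gives every tester and contractor Contributors access, which is the kind of indirect grant that is hard to spot from the TFS side alone.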

The use of AD Users is not without its faults, though. The biggest issue is what a pain it is to add the users. Again, the TFS Administration Tool helps, but it's still not the easiest tool to use. By using AD Groups, you avoid fighting with TFS.

In conclusion, we decided to use AD Users as having 100% control over who sees what is very important to us. We have a billion dollar product in TFS with some very sensitive code that we only want select developers to see. With the number of contractors we have coming and going, we need to safeguard our priceless assets. Though the use of AD Groups would be easier, since we need to have tight control, using AD Users works better. Since this will not change anytime soon, we'll look forward to when Microsoft gives us a more robust TFS administration tool.
