Thursday, November 08, 2007

Synchronizing AD with TFS

Just today I had the extremely frustrating task of forcing a synchronization between AD and TFS. The background of the problem was the inclusion of a user in an Active Directory group. The AD group was already associated with a TFS permission group.

After looking around on the net for a while, I came across this forum thread:
http://forums.microsoft.com/MSDN/showpost.aspx?postid=1403304&siteid=1

I invoked the web service to return the last time the ACL synchronization occurred and was a bit surprised to see that it was actually a lot longer than 1 hour ago. From what I read, if the web.config setting was not explicitly declared, it would default to 1 hour.

What I had to do was create a new TFS group, associate an Active Directory group with it, and then delete the TFS group.

It's not a very elegant solution but there are many times where you must force the synchronization due to support requirements. I'm not impressed that no TFS web service exists to manually invoke the synchronization.

1 comment:

Anonymous said...

There is actually a tool for both TFS 2008 and 2010 that forces the sync job. You can read more details about it here: http://www.tfsserver.com/Blog/post/2011/04/01/Force-AD-Replication-When-Adding-Users.aspx