Making the build service account an admin on the build box would be a VERY bad thing to do :)
See my presentation: http://ozgrant.com/2007/10/13/securing-your-tfs-server/ Overview: * Create a separate account DOMAIN\TFSBUILD * Grant it "log on as a service" permissions (the installer/services.msc will do this for you) * Grant it "full control" to C:\Builds (or continue to use $(Temp) as the default) * Grant it "full control" to C:\Drop * Grant TFSSERVICE "full control" on C:\Drop Share C:\Drop as a UNC share * Give TFSBUILD read + change permissions on the share * Give TFSSERVICE read + change permissions on the share TFSSERVICE requires permissions, because it is TFS that publishes the test results to the drop location - not the build server. Enjoy. Regards, Grant Holliday | Team System MVP<https://mvp.support.microsoft.com/profile/Grant.Holliday> Email: [EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]> | Blog: http://ozgrant.com<http://ozgrant.com/> | Mobile: +61 (0)402 414 446 ________________________________ From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Steven Nagy [EMAIL PROTECTED] Sent: Friday, 11 April 2008 2:32 PM To: [email protected] Subject: [OzTFS] Team Build service account permissions I just built a dedicated server for team build. I COULD make the service account an admin to the box, but would rather not. What privileges should it have? I've tried with no privileges but with write access to the drops location: no love (service won't start, 'access denied'). Cheers, Steve OzTFS.com - to unsubscribe from this list, send a message back to the list with 'unsubscribe' as the subject. View the web archives at http://www.mail-archive.com/[email protected]/ Powered by mailenable.com, supported by www.readify.net OzTFS.com - to unsubscribe from this list, send a message back to the list with 'unsubscribe' as the subject. View the web archives at http://www.mail-archive.com/[email protected]/ Powered by mailenable.com, supported by www.readify.net
