Automating the Creation of TFS Service Accounts

When setting up new virtual machines for Team Foundation Server 2010, I find myself having to manually create the four amigos: TFSSERVICE, TFSREPORTS, TFSBUILD, and WSSSERVICE (per the installation guide). Needless to say, this gets quite old, so I set out to automate this process.

First, I checked out Grant Holliday’s post from 2007 on Hands Free TFS Installation. I was only interested in the part where he creates the accounts and sets the permissions. His approach uses a (.bat) batch file, so he’s limited to using “NET USER” commands such as “net user TFSSERVICE * /DOMAIN /ADD /EXPIRES:NEVER”. I wanted to specify account description and have more control, so I decided to integrate his ideas with mine into a (.vbs) VBScript file. I also added code to create groups, such as the TFS Administrators group, which I always suggest having.

1. Download my script

It’s at the bottom of this post.

2. Obtain Microsoft’s ntrights.exe utility

It’s part of the free download of the Windows Server 2003 Resource Kit Tools. Download the tools and then install them. Since you only need the ntrights.exe tool, it seems silly to install everything else, especially when I try to keep my VMs as small as possible. I used a snapshot VM so I could revert back, then installed the tools, copied out the one file, and reverted. If you trust me, then you can just download it at the bottom (just don’t tell Microsoft).

3. Customize the script

You may want to change the computer name, password, and account names. These are easy search/replace operations.

4. Keep the files together

I opted to put the tfsaccounts.vbs and ntrights.exe in the root of C:\Program Files for simplicity and to not clutter up my C:\ root folder.
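
The approach described above (local accounts with descriptions, a TFS Administrators group, and ntrights.exe kept next to the script), sketched as an added example; this is not the tfsaccounts.vbs from this post. The file name, the descriptions, and the choice of SeServiceLogonRight for every account are assumptions, and the password is prompted for rather than stored in the file.

```vbscript
' Added example, not the post author's tfsaccounts.vbs. Run elevated, with cscript
' (StdIn is unavailable under wscript):
'   cscript //nologo create-tfs-accounts.vbs      (file name is hypothetical)
Option Explicit
Const LOGON_RIGHT = "SeServiceLogonRight"  ' assumption: confirm per account in the installation guide

Dim shell, fso, computerName, computer, ntrights, password, name, group
Set shell = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
computerName = CreateObject("WScript.Network").ComputerName
Set computer = GetObject("WinNT://" & computerName & ",computer")

' ntrights.exe is expected in the same folder as this script (step 4).
ntrights = fso.BuildPath(fso.GetParentFolderName(WScript.ScriptFullName), "ntrights.exe")
If Not fso.FileExists(ntrights) Then Fail "ntrights.exe not found at " & ntrights

' Prompt instead of hard-coding the password; ReadLine echoes what is typed.
WScript.StdOut.Write "Password for the new service accounts: "
password = WScript.StdIn.ReadLine
If Len(password) = 0 Then Fail "Empty password"

If Not Exists("group", "TFS Administrators") Then
    Set group = computer.Create("group", "TFS Administrators")
    group.Description = "Team Foundation Server administrators"
    group.SetInfo
End If

For Each name In Array("TFSSERVICE", "TFSREPORTS", "TFSBUILD", "WSSSERVICE")
    If Exists("user", name) Then
        WScript.Echo name & " already exists, left unchanged"
    Else
        CreateAccount name
    End If
Next

Sub CreateAccount(name)
    Dim user, rc
    Set user = computer.Create("user", name)
    user.SetPassword password
    user.Description = "TFS 2010 service account (" & name & ")"
    user.SetInfo
    ' Grant the logon right and stop on a nonzero exit code instead of continuing silently.
    rc = shell.Run("""" & ntrights & """ +r " & LOGON_RIGHT & " -u " & name, 0, True)
    If rc <> 0 Then Fail "ntrights failed for " & name & " (exit code " & rc & ")"
    WScript.Echo "Created " & name & " and granted " & LOGON_RIGHT
End Sub

Function Exists(kind, name)
    Dim obj
    On Error Resume Next
    Set obj = GetObject("WinNT://" & computerName & "/" & name & "," & kind)
    Exists = (Err.Number = 0)
    On Error GoTo 0
End Function

Sub Fail(message)
    WScript.Echo "ERROR: " & message
    WScript.Quit 1
End Sub
```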