Change TFSService password - tfs-2015

We would like to change the password for our TFSService account. This is the domain account that was used install TFS and has several Windows services running under it.
I did review the link below on changing the TFS service password. Is it as simple as updating the password in Active Directory and then using the TFS administration console to update the account password? Are both steps above required? Are there any additional tasks required?
https://learn.microsoft.com/en-us/tfs/server/admin/change-service-account-password
thanks

Yes, it should just be that.
As with any production environment, there may things in your setup strangers on the internet are not aware of, so it would be best to test this process on a non-production copy if possible first.
Although I know setting up a non-production copy of TFS will end up probably end up running on a different domain.

Related

Hi, I have one for any DBA's out there about the superuser account.

Is there any database that comes with NO default superuser account, or is there a way to have no superuser at all. I have extensively researched this for the past week and I can find nothing on this topic. My manager is keen on having no superuser by the time the system I'm working on is in deployment, however I feel this is not possible?
With MS SQL Server you can install it to use windows accounts. So you set up superuser tied to windows account. After deployment just disable this account in Windows and you are good to go.
To make sure it works properly you enable audit on user enabling, so you know when someone tries to enable the user account and use it to access DB.
It is bad idea to remove sysadmin completely because you might run into lot of troubles in the future.
Just yesterday our intern set up SQLServer and didn't add a database administrator at the relevant step in the setup, so it installed but was rather useless..
Questions like this are from a similar side of the fence:
https://dba.stackexchange.com/questions/11299/how-to-add-sysadmin-to-user-in-sql-server-2008-when-no-sysadmin-accounts-exist

How to inquire StarTeam login credentials

As custom action of a WiX-based installer (MS Windows 7), I need to check out some files from a StarTeam server. stcmd seems to provide all functionality and I am able to perform the checkout with UID and password provided via parameter -p.
Since the installer is run by different users, I obviously need a mechanism to inquire the StarTeam login credentials at run-time instead of hard-coding UID/pw.
I was browsing the StarTeam manual but was not able to figure out if the StarTeam programs provide a solution to that problem. Any suggestions?
Sorry, this just doesn't make sense to me. Typically you include files from source control in the MSI at build time not install time. What does install time buy you other then complexity? Now application runtime would make sense to me. You could create and install an application that prompts the user for creds and then periodically polls star team for updated files. (Windows service, scheduled task, logon autorun...)
Couldn't you could prompt your users for the login information during the install and then pass them to the stcmd.exe?
Meh, the solution is trivial. When using an empty password, stcmd automatically asks for the password. Example:
stcmd connect username:#hostname:portnumber
Using the stateful commands is recommended since the credentials are stored internally for all subsequent commands.

How to configure the publish profiles to use NTLM authentication

In Visual Studio 2012, using publish profiles along with web deploy simplifies the deployments quite a bit. However it still is missing few things or may be I don't know how to use it yet.
I prefer to use the NTLM authentication without storing the username and password (especially) in the publish profiles. How can this be done? If I leave the username and password empty, I am prompted for it. Is there a way like manually modifying the .pubxml files?
Why is the username/password stored in PublishProfileName.pubxml that I have checked in the source control and not in PublishProfileName.pubxml.user that is local to each user? I could at least save the username but obviously don't want that to be checked in.
The Configuration itself is not part of PublishProfileName.pubxml but is stored in PublishProfileName.pubxml.user as LastUsedBuildConfiguration.
Same for the Platform as last point.
I am also missing support for multi-server deployments. I am currently forced to use batch files in addition to Publish Profiles.
EDIT
The command line that works fine for publishing is
MSBuild.Exe MyProject.sln /p:Configuration=QA /p:DeployOnBuild=true;PublishProfile=PublishToQA;AllowUntrustedCertificate=true /p:authType=NTLM /p:UserName=
In this I would like to omit the /p:Configuration=QA if the configuration becomes part of the publish profile itself.
Some answers to your questions.
I prefer to use the NTLM authentication without storing the username and password (especially) in the publish profiles. How can
this be done? If I leave the username and password empty, I am
prompted for it. Is there a way like manually modifying the .pubxml
files?
Your authentication is typically driven by how Web Deploy is hosted. By default if you are using the Web Management Service then you are using IIS users for auth. With IIS users you can control which users have permissions to specific sites/apps. You can configure WMSVC to use windows auth as well though. If you have issues using VS for those scenarios let me know.
If you are using the Remote Agent service to host Web Deploy then in this case you'll be using windows auth.
Why is the username/password stored in PublishProfileName.pubxml that I have checked in the source control and not in
PublishProfileName.pubxml.user that is local to each user? I could
at least save the username but obviously don't want that to be checked
in.
We have another mechanism for you to determine what information is private/shared. With the exception of the password all publish info is shared (and checked in by default). In order to simplify the design you can either have a publish profile which is shared, or one which is not shared at all. There is no in-between in which you have a profile that some fields are shared and other not. Password is special cased here and encrypted on a per-user/per-machine basis in the .pubxml.user file.
If you'd like to have a private publish profile then you can simply not check in the .pubxml file which corresponds to the publish profile. These are stored in the Properties\PublishProfiles (or My Project\PublishProfiles for VB) and just exclude them from the project and don't check the files in. The publish dialog looks for the profiles on disk, not just the ones which are in the project. Everything should continue to work.
We don't support the concept of selectively storing values in the .pubxml.user file. The publish dialog will only store a set number of values in that file. Instead of
The Configuration itself is not part of PublishProfileName.pubxml but is stored in
PublishProfileName.pubxml.user as LastUsedBuildConfiguration.
Same for the Platform as last point.
This was a mistake it should have been stored in the .pubxml file, not the .pubxml.user file. We have since fixed this, but haven't had a chance to release the update yet.
The Configuration property cannot be set in the publish profile. The Configuration property is a core part of the build process. To be more specific, the reason why we didn't call this property Configuration is because the .pubxml file is imported into the definition of the .csproj/.vbproj during a build & publish. Since other properties are defined based on Configuration you cannot change the value once it's been set. I just blogged with way too much detail on this subject at http://sedodream.com/2012/10/27/MSBuildHowToSetTheConfigurationProperty.aspx. This limitation is an MSBuild thing not a publish limitation. For command line you should specify Configuration in the following way:
msbuild.exe myproj.csproj /p:...(other properties)... /p:Configuration=
I am also missing support for multi-server deployments. I am currently forced to use batch files in addition to Publish Profiles.
We don't have direct support for this, but if you expand on your needs I may be able to help. FYI I have an extension which you may be interested in. I have posted a 5 min video to http://sedodream.com/2012/03/14/PackageWebUpdatedAndVideoBelow.aspx.
You are free (and encouraged) to manually edit your pubxml files, so feel free to remove the password.
To switch to NTLM, change AuthType to NTLM in the first PropertyGroup.
Platform and Configuration remain build configuration, the user file just stores them so Visual Studio knows what the last configuration you deployed was.
By multi-server, do you mean a web farm? If so, you might try looking at the Web Farm Framework which basically performs MSDeploy syncs from the primary server to the others.
Alternatively, you could switch to the command line and use postSync to upload and execute a batch file on the remote server that triggers the other deployments from there.

Allow a TFS 210 User to Change Their Password

We work with a group of contractors that need access to our TFS 2010 server. I've got Active Directory running for our office, so every user has an AD account. Is there a way the TFS users can change their passwords through TFS? I've changed passwords before by having users RDP into computers and changing their account information there, but I'd rather not give the contractors RDP access (they just don't need it).
I tried selecting "user mush change password at next login", but TFS seems not to respond to that.
The only login vehicle the contractors use is TFS.
Thanks
That's correct, TFS doesn't provide a mechanism to change passwords. Your users will need to use some integration to Active Directory to change their password. It needn't necessarily be through an RDP session, as long as they can hit Active Directory's LDAP server, you should be able to allow this.
IIS ships with a tool called IISADMPWD that lets users change their password over the web.
In addition, you can build your own tool to change the password, like other people have done in PowerShell or perl. In addition, there appear to be various commercial tools to enable this.

Can Hudson be configured to prevent certain users from accessing certain projects?

I have various projects being built and tested periodically on a Hudson server, but I don't want every employee in the company to see published artifacts for every project.
Project-based matrix security seemed at first the key, but after many tests I find that granting overall read permissions is mandatory if you want users to be able to read anything in the hudson server.
So, in the end read permissions are binary: either you grant global read permission or you block everything, am I right?
Haven't it tested with the newest release, but I use the matrix setup. I gave Anonymous the overall read. This way they can see the login screen when they type {{http://servername:port/}} but does not give them access to the jobs. In the jobs themselves I configured the users that should actually see the job. Works like a charm.
UPDATE:
Meanwhile I found out that you can use authenticated instead of Anonymous. This enabled access to Hudson/Jenkins through the links in the Build failed messages. Now everyone gets the logon dialog and after signing in, they are right away at the job run of interest.
After trying to do something similar to you with Hudson's authorization settings, I came to the same conclusion you did.