This is post of is for all of you out there that due to security restriction can't be a Local Admin on your server but still need to be TFS Server Administrators.
This addresses the Domain installed TFS not the workgroup edition (WE). I will comment on the WE were appropriate.
As we all remember there are three application that need our attention here, TFS (obviously), Windows Sharepoint Services (WSS) and SQL Server Reporting Services (SSRS). For project level security I urge you to use the TFS Administration Tool available on codeplex here but in order to use TFSAT you need to be a TFS Administrator. So how do we go about setting that up;
I have found that the simplest way to manage that particular group of users was to start by creating a Domain Windows Group and assigning you TFS admins to that group. You will see why this is important when I talk about WSS. You can assign individuals to the various Applications but I don't recommend it for manageability (it's easier with a group).
What is ironic about this post is the in order to initially setup TFS Admins you need to be a server admin... ;-)
Team Foundation Server
Step 1. Create a Domain Windows group (for ex. TFS-Administrators)
Step 2. Log in as Local Administrator and add the Domain\TFS-Administrators to the [SERVER]\Team Foundation Administrators.
a. From Team Explorer, right click on the server
b. Choose Team Foundation Server Settings
c. Choose Group Membership
d. Double-Click on [SERVER]\Team Foundation Administrators
e. Choose Windows User or Group and Click the Add button
f. Enter Domain\TFS-Administrators and click ok, ok and close
So we are now setup ad TFS administrators.
Windows Sharepoint Services
Lets now focus on WSS. Local Administrators are always able to manage WSS but since we don't want to or can't be Local administrators we need to give TFS-Administrators rights to administer WSS. Rob blogged about this a week ago so let's do a step by step on what to do. Again we need to be a Local Administrator to do that.
Step 1. Go to the top level Sharepoint administration site usually http://tfsserver:17012, you can also start IIS Management Console and right-click on the Sharepoint Central Administration website and choosing browse.
Step 2. Choose Set SharePoint administration group from the security configuration section.
Step 3. In the Group Account name we need to enter Domain\TFS-Administrators and click ok, you'll go back to the top page of the Sharepoint admin site with no indication of success or failure.
Our TFS Admin Domain group will now be administrators of our TFS WSS site. Remember that Local Administrators stay WSS administrators but our TFS Admins don't need to be.
SQL Server Reporting Services
Finally lets get our Domain Admin group admin access in SSRS. Again we need to be a Local Admin on the SSRS server.
Step 1. We need to go the front page of the report server. http://tfsserver/reports
Step 2. We need to give the Domain group Content Manager role on the Top Level Report site. To do this click on the properties tab on top
Step 3. Click on "new role assignment" in the group or user name textbox type Domain\TFS-Administrators and select content manager and click ok.
Step 4. We also need to give our Domain user group System Administrator rights. To do this we start by clicking Site Settings in the top right corner.
Step 5. Select Configure Site-Wide Security in the security section
Step 6. Click New Role Assignment, and in the group or user name textbox, type in Domain\TFS-Administrators then select system administrator role and click ok.
My experience has been that the group needs to be in both these locations for them to be able to create and manage reports.
After all this, you should be able to create project and administer a TFS server without being a Local administrator on that server.
Let me know if this works for you.