Monday, July 7, 2014

When TFS Administrator Is On Multiple Teams

Working with Team Foundation Server permissions can be tricky when Deny is the king. We have recently run into this when one of our administrators is also a member of an Active Directory group we use for development. By default each TFS team is a member of the Contributors group. Because of how we lock down root structures, this has locked this admin out of several source code locations.

So for the area they need access to, they are a member of both the Project Administrators group and the Contributors group. Both permissions on this area are being set through inheritance. As an administrator you get all inherited allows. As a contributor, this area has been locked down because it has password information stored, so a contributor gets a Deny on Read. Because this is a Deny, it takes precedence, and the administrator gets a permission error when trying to Get Latest. Well, it is not really an error: it says all files are up to date, but it is grayed out.

The Solution


This is becoming more routine, which may be a bad thing. To allow access to the administrator you must stop inheritance on the area. After that, just remove the Contributors group. At this point you don't really even need to set a Deny on Read for the Contributors group because they have no access at all. This allows the Project Administrators group's Allow to kick in. Note that once you stop inheritance, what was once an Inherited Allow is now just an Allow.
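The lockout and the fix described above can be traced with a small model. This is an added example, not code from TFS or from this post: it is a simplified sketch of Deny-over-Allow evaluation with inheritance, and the `Node`, `can_read` and `demo` names and the three-folder layout are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    """One folder in the source tree (hypothetical model, not the TFS API)."""
    parent: "Node | None" = None
    inherit: bool = True
    # group name -> "allow" or "deny" for Read, set explicitly on this folder
    aces: dict = field(default_factory=dict)

    def entries(self):
        """Explicit entries here plus, while inheritance is on, the parent's."""
        merged = dict(self.parent.entries()) if (self.parent and self.inherit) else {}
        merged.update(self.aces)  # an explicit entry replaces the inherited one
        return merged

    def stop_inheritance(self):
        """Inherited entries become plain explicit entries on this folder."""
        self.aces = self.entries()
        self.inherit = False

def can_read(node, groups):
    """A Deny from any of the user's groups beats an Allow from another."""
    verdicts = {v for g, v in node.entries().items() if g in groups}
    return "deny" not in verdicts and "allow" in verdicts

def demo():
    # Constructed layout: root grants Read, a locked folder denies Contributors,
    # and the area the administrator needs inherits from the locked folder.
    root = Node(aces={"Project Administrators": "allow", "Contributors": "allow"})
    locked = Node(parent=root, aces={"Contributors": "deny"})
    area = Node(parent=locked)
    admin = {"Project Administrators", "Contributors"}  # member of both groups

    before = can_read(area, admin)       # inherited Deny wins over inherited Allow
    area.stop_inheritance()              # step 1 of the fix
    del area.aces["Contributors"]        # step 2: remove the Contributors group
    after = can_read(area, admin)        # only the (now explicit) Allow remains
    contributor_only = can_read(area, {"Contributors"})  # no entry, no access
    return before, after, contributor_only

if __name__ == "__main__":
    print(demo())
```
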

