
TFS 2012 Orphan users

Over the past 18 months, we've had 85 TFS users leave the company. 8 persist to show as both [TEAM FOUNDATION]\Team Foundation Valid Users & [Collection]\Project Collection Valid Users although they have no other project group memberships.

In our enterprise, TFS users are identified by their AD/network ID and are "disabled" upon departure by company policy rather than being deleted. Typically, they are left with no group memberships outside of the Global Group membership "Domain Users."

We currently use Team Foundation Server 2012 Update 3 in production. We have begun testing in our test environment and plan to move production to Update 4 within the next 6 months.

We have continually expanded our criteria for ensuring no "entanglements" exist for disabled users to prevent this "orphaned user" situation. We currently review and take action upon the departure of a TFS user to ensure:

1.  User is not associated with a TFS Collection Project group
2.  User has no workspaces associated with their identity in TFS
3.  User has no shelvesets associated with their identity in TFS
4.  User has no items checked out (locked) in TFS
5.  User has no Work Items “Assigned To” their identity in TFS
6.  User has no Project Alerts associated with their identity in TFS

We have dropped all users through either command-line or through web interface. We ensure they don't show up through the Administrator console. We have cleared cache on the TFS server. We monitor TFSSynchronizeIdentities routinely and have seen it operate correctly consistently. The TFS server is rebooted routinely.

The longest persistent "orphaned user" has continued under the TeamFoundation and Collection Valid Users' groups now for 18 months while 77 other users have dropped with little additional action required. The problem persists. The 8 "orphaned users" have occurred over the entire 18 months - not just an old problem where all 8 persist from 18 months ago and the other 77 have been successfully removed since that point.

Current testing results using Update 4 indicate that the "orphaned users" persist across the upgrade from Update 3 to Update 4. Update 4 has not resolved the problem of the "orphaned users."

We had a similar issue with TFS2013 Update 4. Users that have left the company still existed in the Assigned To dropdown list of Team Web Access. Setting a "ninja like" registry key inside the TFS Configuration did the trick for us. Here's the code:

```csharp
using System; // for Uri
using Microsoft.TeamFoundation.Client;
using Microsoft.TeamFoundation.Framework.Client;

// Connect to the TFS configuration server (replace host and port with your own)
var cs = new TfsConfigurationServer(new Uri("http://YourTfs:YourPort/tfs"));
cs.EnsureAuthenticated();

// Get the registry service of the configuration server
var regService = cs.GetService<ITeamFoundationRegistry>();

// Set the value so that the next identity sync is a full one
regService.SetValue("/Service/Integration/Settings/IdentitySyncFull", true);
```

Afterwards, trigger a new synchronization and watch the result.
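
To check whether departed accounts are still counted as valid users once the synchronization has run, the following is an added example (not part of the original question or answer) that lists them through the TFS client object model. The collection URL and the `CONTOSO\...` account names are placeholders constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.TeamFoundation.Client;
using Microsoft.TeamFoundation.Framework.Client;
using Microsoft.TeamFoundation.Framework.Common;

class ValidUsersAudit
{
    static void Main()
    {
        // Assumption: placeholder collection URL, in the same style as the answer's.
        var collectionUri = new Uri("http://YourTfs:YourPort/tfs/YourCollection");

        // Constructed sample: AD account names of users known to have left.
        var departed = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            @"CONTOSO\jdoe", @"CONTOSO\asmith"
        };

        var tpc = new TfsTeamProjectCollection(collectionUri);
        tpc.EnsureAuthenticated();
        var ims = tpc.GetService<IIdentityManagementService>();

        // Project Collection Valid Users, with nested group membership expanded.
        var validUsers = ims.ReadIdentities(
            new[] { GroupWellKnownDescriptors.EveryoneGroup },
            MembershipQuery.Expanded, ReadIdentityOptions.None)[0];

        // Resolve each member; Direct also fills MemberOf with its parent groups.
        var members = ims.ReadIdentities(
            validUsers.Members, MembershipQuery.Direct, ReadIdentityOptions.None);

        foreach (var id in members.Where(m => m != null && !m.IsContainer))
        {
            if (!departed.Contains(id.UniqueName)) continue;

            // A departed account listed here is still an "orphaned user";
            // MemberOf.Length shows how many groups still hold it directly.
            Console.WriteLine("{0} (active={1}) is still a valid user; direct groups: {2}",
                id.UniqueName, id.IsActive, id.MemberOf.Length);
        }
    }
}
```

Running it before and after the synchronization shows whether the list of lingering identities shrinks.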
