Duplicate User Accounts in Active Directory

We have just had a major Active Directory issue that has affected the Team Foundation Server instance that all the developers at the client I am working at use. The problem occurred when some users were erased from Active Directory and were subsequently recreated with the same user names. These new user accounts cannot access the Team Foundation Server.

A large part of the problem was solved by just removing users from TFS and then putting them back in again. This recreates all the wiring under the surface in TFS so that the users can access the server, but all their existing workspace info, pending check-ins and so on are lost locally yet still exist in Team Foundation Server under a different Owner with the same user name… The only way to tell them apart is by their SID, and the original account may get suffixed with a number in workspace lists: AD\username:61.

My first thought was to remove all the workspaces and pending check-ins and let people manually resynch their projects. When I clicked undo pending change for a bunch of changes in Attrice Sidekicks, an unhandled exception popped up: “Object reference not set to an instance of an object”. I just can’t undo these changes. There is a clue to the problem when I try to unlock a changed file; I get an Unlock error:

Failed to unlock $/Project/Path/file (TF14061: The workspace COMPUTERNAME; AD\username does not exist.)

I can’t search for workspaces by username either; even a simple TFSSecurity /i “ad\username” /server:TFSName for one of the affected accounts returns “Error: The identity cannot be resolved.” Since the original accounts have been removed from Active Directory I cannot easily get hold of their SIDs for querying with TFSSecurity. Attempting to delete the workspaces from the command line returns the following error:

TF14061: The workspace WORKSPACENAME;AD\username does not exist.
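To make the SID-versus-name distinction above concrete, here is an added example (not part of the original post and not a TFS or Microsoft tool) that reconciles the identity records a server still holds against the SIDs currently in the directory. All account names, SIDs and workspace lines in it are constructed, and the workspace parsing assumes the WORKSPACE;DOMAIN\user[:n] form shown in the post. It flags the old record for a recreated account as stale, and shows why a workspace owner name alone becomes ambiguous once two identities share it:

```python
"""Reconcile TFS identity records against the SIDs currently in Active Directory.

Added illustration: the names, SIDs and workspace lines below are constructed,
and the parsing assumes the "WORKSPACE;DOMAIN\\user[:n]" form seen in the post.
"""
import re
from typing import Dict, List, NamedTuple, Optional


class Identity(NamedTuple):
    name: str   # DOMAIN\username as TFS displays it
    sid: str    # the SID the record is really keyed on


class Workspace(NamedTuple):
    name: str
    owner: str
    suffix: Optional[int]  # number TFS appends to disambiguate, e.g. AD\alice:61


# Constructed directory snapshot taken after the accounts were recreated.
# A recreated account keeps its name but receives a brand-new RID.
AD_ACCOUNTS: Dict[str, str] = {
    "AD\\alice": "S-1-5-21-1000-2000-3000-1201",  # recreated: new SID
    "AD\\bob": "S-1-5-21-1000-2000-3000-1105",    # untouched
}

# Constructed TFS identity cache: the old alice record is still present.
TFS_IDENTITIES: List[Identity] = [
    Identity("AD\\alice", "S-1-5-21-1000-2000-3000-1104"),  # deleted account
    Identity("AD\\alice", "S-1-5-21-1000-2000-3000-1201"),  # re-added user
    Identity("AD\\bob", "S-1-5-21-1000-2000-3000-1105"),
    Identity("AD\\carol", "S-1-5-21-1000-2000-3000-1106"),  # deleted, not recreated
]

_WS_RE = re.compile(r"^(?P<ws>[^;]+);(?P<owner>[^:]+)(?::(?P<suffix>\d+))?$")


def parse_workspace(line: str) -> Workspace:
    """Split 'WORKSPACE;DOMAIN\\user[:n]' into its parts."""
    m = _WS_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised workspace entry: {line!r}")
    suffix = m.group("suffix")
    return Workspace(m.group("ws"), m.group("owner"), int(suffix) if suffix else None)


def classify(identity: Identity, directory: Dict[str, str]) -> str:
    """current: name and SID match AD; recreated: same name, different SID;
    deleted: no account with that name exists any more."""
    by_name = {n.lower(): s for n, s in directory.items()}
    live_sid = by_name.get(identity.name.lower())
    if live_sid is None:
        return "deleted"
    return "current" if live_sid == identity.sid else "recreated"


def stale_identities(identities: List[Identity], directory: Dict[str, str]) -> List[Identity]:
    """Records TFS still holds that no longer correspond to a live SID."""
    return [i for i in identities if classify(i, directory) != "current"]


def owner_candidates(ws: Workspace, identities: List[Identity]) -> List[Identity]:
    """All TFS identities sharing the workspace owner's name. More than one
    candidate is exactly the ambiguity behind TF14061: the name alone no
    longer identifies the owner, only the SID does."""
    return [i for i in identities if i.name.lower() == ws.owner.lower()]


def report(workspace_lines, identities, directory) -> List[str]:
    """One line per workspace entry: ok, STALE (owner gone/recreated) or AMBIGUOUS."""
    lines = []
    for raw in workspace_lines:
        ws = parse_workspace(raw)
        cands = owner_candidates(ws, identities)
        states = sorted({classify(c, directory) for c in cands})
        if len(cands) > 1:
            flag = "AMBIGUOUS"
        else:
            flag = "ok" if states == ["current"] else "STALE"
        lines.append(f"{ws.name:<10} {ws.owner:<10} suffix={ws.suffix} {flag} {states}")
    return lines


if __name__ == "__main__":
    sample = ["DEVBOX;AD\\alice:61", "DEVBOX;AD\\alice", "BUILD01;AD\\bob", "LAPTOP;AD\\carol"]
    for i in stale_identities(TFS_IDENTITIES, AD_ACCOUNTS):
        print("stale:", i.name, i.sid, classify(i, AD_ACCOUNTS))
    print("\n".join(report(sample, TFS_IDENTITIES, AD_ACCOUNTS)))
```

The point of keying on the SID rather than the name is that the recreated alice account is reported as a different principal from the deleted one, which is what the server is doing when it says the workspace "does not exist" for a name that clearly appears in the list.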

Things seemed pretty messed up… I found some clues as to what was required to get things working again:

According to the Knowledge Base articles, trying to create a new project while TFS is in this state may result in the following error:

TF30170: the plugin Microsoft.ProjectCreationWizard.WorkItemTracking Failed during task WITS from group WorkItemTracking

Basically Team Foundation Server has a bug that causes deleted accounts not to be resynched correctly, and SharePoint doesn’t handle recreated user accounts at all – you have to resynch them manually. Unfortunately, in addition to this there is a bug in TFS SP1 which prevents TfsAdminUtil from correcting the SIDs! You get the following error:

ERROR: Could not access database.

In the end I managed to correct all the problems; here are the steps required:

  1. Contact Microsoft Support and request the hotfix for http://support.microsoft.com/kb/934216
  2. Install the hotfix…
  3. Follow the steps in http://support.microsoft.com/kb/948679 to resynch the users’ SIDs in TFS
  4. Follow the steps in http://support.microsoft.com/kb/823278 to resynch the users in SharePoint
  5. Recycle the TFS App Pool to force an update of all users and groups in TFS.

Watch out for users who have their workspaces mapped under “c:\documents and settings\”: the new user accounts cannot necessarily access their old files there, since they now log on with a new account (which just happens to have the same name).

