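/// <summary>
/// Writes a report of the team-project-level Git access control lists to a text file and,
/// for every identity whose resolved name ends with "Project Administrators", removes
/// permission bit 4096 ("remove others' locks") when that bit is explicitly allowed.
/// </summary>
/// <remarks>
/// This method changes permissions on the server while it reports; the output file is the
/// only record of what was changed, so each removal is awaited and its outcome is written
/// to the file. Calls block on the underlying async client methods.
/// </remarks>
public static void ListAndRemoveGitNamespacePermissions()
{
    // Permission bit revoked below; it is the same value that is passed to RemovePermissionAsync.
    const int removeOthersLocksBit = 4096;

    SecurityHttpClient securityClient = connection.GetClient<SecurityHttpClient>();
    Guid g = Guid.Parse("2e9eb7ed-3c0a-47d4-87c1-0ffdd275fd87"); // Git security namespace

    IEnumerable<Microsoft.VisualStudio.Services.Security.SecurityNamespaceDescription> namespaces =
        securityClient.QuerySecurityNamespacesAsync(g).Result;

    // First() throws when the server returns no description for the namespace, so the method
    // stops before any ACL is read or changed. The description itself is not used further.
    Microsoft.VisualStudio.Services.Security.SecurityNamespaceDescription gitNamespace = namespaces.First();

    IEnumerable<Microsoft.VisualStudio.Services.Security.AccessControlList> acls =
        securityClient.QueryAccessControlListsAsync(
            g,
            string.Empty,
            descriptors: null,
            includeExtendedInfo: false,
            recurse: true).Result;

    using (System.IO.StreamWriter file = new System.IO.StreamWriter(@"c:\TFSAdminAutomationData\out_GitAccessControlLists.txt"))
    {
        file.WriteLine("token | inherit? | count of ACEs");
        file.WriteLine("------+----------+--------------");

        // Bit-to-name table for Git permissions; the call takes no per-ACL input, so it is
        // fetched once instead of once per ACL.
        Dictionary<int, string> permission = GetGitPermissionNames();

        foreach (Microsoft.VisualStudio.Services.Security.AccessControlList acl in acls)
        {
            // Only tokens with exactly two '/'-separated parts are processed: these are the
            // team-project-level entries, and the second part is passed to GetProjectName.
            string[] tokenParser = acl.Token.Split('/');
            if (tokenParser.Length != 2)
            {
                continue;
            }

            int aceCount = acl.AcesDictionary.Count;

            file.WriteLine();
            file.WriteLine();
            file.WriteLine("{0} | {1} | {2} ACEs", acl.Token, acl.InheritPermissions, aceCount);
            file.WriteLine("Project Name: " + GetProjectName(tokenParser[1]));
            file.WriteLine("Expanding ACL for {0} ({1} ACEs)", acl.Token, aceCount);

            foreach (var kvp in acl.AcesDictionary)
            {
                // Key is an identity and Value is an ACE (access control entry);
                // Allow and Deny are bit flags indicating which permissions are allowed/denied.
                string identity = kvp.Key.Identifier.ToString();
                file.WriteLine("Identity {0}", identity);

                string identityName = GetNameFromIdentity(identity);
                file.WriteLine("Identity Name {0}", identityName);

                // NOTE(review): the selection is by name suffix only, so every group whose
                // resolved name ends with this text is affected, including custom groups that
                // merely share the suffix — confirm this is the intended scope.
                if (identityName == null ||
                    !identityName.EndsWith("Project Administrators", StringComparison.Ordinal))
                {
                    continue;
                }

                string allowed = GetPermissionString(kvp.Value.Allow, permission);
                string denied = GetPermissionString(kvp.Value.Deny, permission);
                file.WriteLine(" Allowed: {0} (value={1})", allowed, kvp.Value.Allow);
                file.WriteLine(" Denied: {0} (value={1})", denied, kvp.Value.Deny);

                // Test the flag itself rather than searching the display string for "4096":
                // the decision must not depend on how GetPermissionString formats its output.
                if ((kvp.Value.Allow & removeOthersLocksBit) != 0)
                {
                    // Remove the "remove others' locks" permission from project administrators.
                    try
                    {
                        // Block until the server answers. Without this the call is
                        // fire-and-forget: a failure never reaches the catch block and the
                        // report would claim a removal that did not happen.
                        securityClient.RemovePermissionAsync(g, acl.Token, kvp.Key, removeOthersLocksBit)
                            .GetAwaiter()
                            .GetResult();
                        file.WriteLine("Removed permission");
                    }
                    catch (Exception ex)
                    {
                        file.WriteLine("Could not remove permission");
                        // Record why, so a failed change can be followed up from the report.
                        file.WriteLine(" Reason: {0}: {1}", ex.GetType().Name, ex.Message);
                    }
                }
            }
        }
    }
}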