I asked this question originally on ServerFault.com, but there seems to be more activity regarding TFS 2010 on StackOverflow.com, so I decided to repost it here...
It is my understanding that "Project Collection Valid Users" TFS group can no longer be modified directly.
However, I would like to grant all of my domain users (Windows group called "DOMAIN\Domain Users") "reader" level access to the TFS Project Collection...
I know I can go to each Project and add "DOMAIN\Domain Users" to [Project]\Readers group but I am wondering if this is possible to achieve in "one shot" so that future projects are already accessible when set up.
To have this AD group added to a TFS group for your upcoming projects you have to modify your project template. There you can preconfigure your projects, especially set permissions for groups and users.
For the existing projects you have to do it by hand. I don't know any other way than that.
My approach is based on the fact that TFS permissions are inherited unless explicitly denied.
To create a user group that will automatically have read-only access to all existing projects as well as future ones, follow these steps:
1. Create a new security group at the project collection level. You can do it in Visual Studio using the "Team/Team Project Collection Settings/Group Membership" menu.
2. Add the new group as a member of the "Project Collection Administrators" group. This will grant access to all projects in the collection, including future ones.
3. Limit the permissions of the new group to remove the inherited administrator permissions. To force read-only access, deny all permissions except "Create a workspace", "View build resources" and "View collection-level information".
The users of this group will have read access to source code, work items, and build definitions of all projects in the collection.