We have a group of contractors that need to have limited access to source control under TFS. I added the contractors to an Active Directory group and explicitly denied all permissions to Source Control for that group on the root folder $/ and can see that the permissions are being inherited by the project folders, but when logged in as one of the contractors the folder/file structure of source control is still visible.
The contractor accounts can't actually download files from source control, but I need to completely hide the folder structure as well. I've verified with Attrice TFS Sidekicks that the effective permissions for one of the contractors are as desired, but no luck. What would cause the folder structure to be viewable when the Read permission is explicitly denied for a user?
Which TFS group are you adding the AD group to? It sounds like you're adding users at the server or Team Project Collection level (if you're using TFS 2010). I would say that it's better to add users at the Team Project level.
When you create a new Team Project, TFS will create 4 groups. I.e., if you create a Team Project called "Luke", then there will be groups called "Luke Project Administrators", "Luke Contributors", "Luke Readers" and "Luke Build Services".
If you add the contractors to "Luke Contributors" then they will only be able to see the "Luke" Team Project in Source Control. $/Luke/
It turns out that a previous administrator had granted some permissions to the Team Foundation Valid Users group that affected visibility of Source Control (this surprised me because the permissions settings to fix this were actually in the Server security settings rather than Source Control). I reset the permissions back to the defaults from the page below and things are working as expected now.
http://msdn.microsoft.com/en-us/library/ms253077(v=VS.90).aspx