Problem
If you use Active Directory groups in TFS, a background job synchronizes their users with AD. If some users have invalid characters in their AD properties (e.g. Description, DisplayName), the job may fail and you cannot remove a group. The following error can be found in the log:
TF20507: The string argument contains a character that is not valid:'u65279'. Correct the argument, and then try the operation again. Parameter name: value
ResultMessage Identity sync completed. 1 errors occurred while syncing identities. Details:
[Error] TF200035: One or more errors occurred when Team Foundation Server attempted to synchronize the following identity: Domain Users. Number of errors that occurred: 1.
++++++++++++++++++++++
Sync error for identity: Domain Users
TF20507: The string argument contains a character that is not valid:'u65279'. Correct the argument, and then try the operation again.
Parameter name: value
   at Microsoft.VisualStudio.Services.Common.ArgumentUtility.CheckStringForInvalidCharacters(String stringVar, String stringVarName, Boolean allowCrLf)
   at Microsoft.VisualStudio.Services.Common.PropertyValidation.ValidatePropertyValue(String propertyName, Object value)
   at Microsoft.VisualStudio.Services.WebApi.PropertiesCollection.set_Item(String key, Object value)
   at Microsoft.VisualStudio.Services.Identity.WindowsProvider.GetIdentityFromSearchResult(SearchResult result, IVssRequestContext requestContext, SyncErrors syncErrors)
   at Microsoft.VisualStudio.Services.Identity.WindowsProvider.GetMembersPrimary(Boolean getProperties, SecurityIdentifierInfo groupSecurityIdInfo, Dictionary`2 members, IIdentitySyncHelper syncHelper, SyncErrors syncErrors, IVssRequestContext requestContext)
   at Microsoft.VisualStudio.Services.Identity.WindowsProvider.SyncADGroup(Identity group, IIdentitySyncHelper syncHelper, Dictionary`2 syncAgents, IVssRequestContext requestContext, SyncErrors syncErrors)
   at Microsoft.VisualStudio.Services.Identity.WindowsProvider.SyncMembers(IdentityDescriptor descriptor, IIdentitySyncHelper syncHelper, Dictionary`2 syncAgents, String providerInfo, IVssRequestContext requestContext, SyncErrors syncErrors)
   at Microsoft.VisualStudio.Services.Identity.IdentitySynchronizer.SyncOneGroup(IVssRequestContext requestContext, Identity groupToSync)
Solution
The only solution is to remove the invalid characters from the affected users' AD properties. You can use the solution from GitHub to find them. The tool asks for two parameters:
- Domain name: the AD domain name that contains the target group.
- Group name: the name of the group whose members should be scanned for invalid characters, for instance “domain users”.
The tool should be executed on a machine joined to the target domain. It scans all the users in the target group and outputs the invalid characters it finds.
Once all the invalid characters are removed, wait for your AD to synchronize and start the synchronization job again.
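A read-only PowerShell scan of the kind described above, added here as an example; it is not the GitHub tool this post refers to. It assumes the RSAT ActiveDirectory module is installed. The property list and the Unicode categories treated as invalid are assumptions: the log only confirms that U+FEFF (decimal 65279, a Format character) is rejected.

```powershell
# Added example: lists characters in AD user properties that may break the TFS identity sync.
# Read-only: it queries AD and changes nothing.
param(
    [Parameter(Mandatory)] [string] $Domain,  # AD domain that contains the target group
    [Parameter(Mandatory)] [string] $Group    # group to scan, e.g. "Domain Users"
)
Import-Module ActiveDirectory

# Assumption: Unicode categories treated as invalid. U+FEFF from the log is 'Format'.
# 'Control' also flags CR/LF, which the sync may tolerate in some properties.
$badCategories = [System.Globalization.UnicodeCategory[]] @(
    'Control', 'Format', 'LineSeparator', 'ParagraphSeparator', 'OtherNotAssigned'
)
# Assumption: properties worth checking; extend the list as needed.
$properties = 'DisplayName', 'Description', 'mail'

function Find-InvalidChar {
    param([string] $Text)
    for ($i = 0; $i -lt $Text.Length; $i++) {
        $category = [char]::GetUnicodeCategory($Text, $i)
        if ($badCategories -contains $category) {
            [pscustomobject]@{
                Index     = $i
                Decimal   = [int]$Text[$i]              # matches the 'u65279' form in the log
                CodePoint = 'U+{0:X4}' -f [int]$Text[$i]
                Category  = $category
            }
        }
    }
}

Get-ADGroupMember -Identity $Group -Server $Domain -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        $user = Get-ADUser -Identity $_.distinguishedName -Server $Domain -Properties $properties
        foreach ($name in $properties) {
            foreach ($value in @($user.$name)) {
                foreach ($hit in Find-InvalidChar -Text ([string]$value)) {
                    [pscustomobject]@{
                        User     = $user.SamAccountName
                        Property = $name
                        Index    = $hit.Index
                        Decimal  = $hit.Decimal
                        Code     = $hit.CodePoint
                        Category = $hit.Category
                    }
                }
            }
        }
    } | Format-Table -AutoSize
```

Each output row names the user, the property and the position of the offending character, so the value can be corrected in AD before the sync job is started again.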