How to perform a TFS Security Audit

It is common to be asked to perform a security audit on Team Foundation Server, and it is not the nightmare it might seem…

The easiest way is to download the Audit Log. You can find it in the Access Levels administration page.

What you are going to get is a .csv file, containing all the groups and accounts allowed into Team Foundation Server, each with its unique internal URI (vstfs://…), the last access date and its access level.

But this is just the beginning: you get a flat list of users and groups, without their relationships. To get those, you can use the TFSSecurity command with the /i, /im and /imx switches.

These will give you all the information about each user/group and its relationships and privileges, so wrapping their outputs and creating a very simple report is just a matter of time.
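One way to wrap the output, as an added example that is not part of the original post: the script reads the exported audit CSV, runs TFSSecurity /imx once per distinct identity and collects the raw output in a single text report. The tfssecurity.exe path, the collection URL, the report path and the `Name` column are assumptions; check the header row of your own export and pass the right column name.

```powershell
# Added example (not from the original post): membership report built from the audit CSV.
# Assumptions: $TfsSecurityExe, $CollectionUrl and $IdentityColumn are placeholders;
# the CSV column that holds the account/group name may be called something else.
param(
    [Parameter(Mandatory)] [string] $AuditCsv,
    [Parameter(Mandatory)] [string] $CollectionUrl,
    [Parameter(Mandatory)] [string] $TfsSecurityExe,
    [string] $IdentityColumn = 'Name',
    [string] $ReportPath = '.\tfs-membership-report.txt'
)

$rows = @(Import-Csv -Path $AuditCsv)
if ($rows.Count -eq 0) { throw "No rows found in $AuditCsv" }

# Fail early, listing the real headers, if the assumed column is not in the export.
$columns = $rows[0].PSObject.Properties.Name
if ($columns -notcontains $IdentityColumn) {
    throw "Column '$IdentityColumn' not found. Available columns: $($columns -join ', ')"
}

# De-duplicate so each identity is queried once.
$identities = @($rows | ForEach-Object { $_.$IdentityColumn } |
    Where-Object { $_ } | Sort-Object -Unique)

$failed = @()
Set-Content -Path $ReportPath -Value "TFS membership report, generated $(Get-Date -Format s)"

foreach ($identity in $identities) {
    # /imx prints the identity together with its expanded group memberships.
    $output = & $TfsSecurityExe /imx $identity "/collection:$CollectionUrl" 2>&1
    $exitCode = $LASTEXITCODE
    if ($exitCode -ne 0) { $failed += $identity }

    Add-Content -Path $ReportPath -Value '', "===== $identity (exit code $exitCode) ====="
    Add-Content -Path $ReportPath -Value ($output | Out-String)
}

Write-Host "Queried $($identities.Count) identities; report written to $ReportPath"
if ($failed.Count -gt 0) {
    # Identities TFSSecurity could not resolve need a manual look.
    Write-Warning "TFSSecurity returned an error for: $($failed -join '; ')"
}
```

Identities listed in the final warning are the ones to check by hand, since TFSSecurity could not resolve them against the collection.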