16. August 2011 22:03
It would be great is TFS had a nice Web Service to do this, logged to the event log, etc, and there is some additional logging you can turn on but I've always found this a pain. One thing you can do (especially if you know what you are looking at for commands that suspect have been run) is the tbl_command table in the Collection DB. For instance if you suspect a witadmin command has been run you can use something like this SQL query:
1: select * from tbl_Command with (nolock)
2: where useragent LIKE 'Team Foundation (witadmin.exe%'
The usual precautions would apply here, like not running direct DB queries durring peak production times etc. but it allows you to quicly see a list of whats been run against TFS. The Command column has a record of the command that was run. When I had an issue at client of someone running unauthorized commands I was able to use this to track down the person quickly.