Security needed for TFS Windows Machine File Copy

I am having some troubles with the windows machine file copy in TFS 2015.

We are using machine file copy to move our artefacts to the web server and then running IIS deploy. This works fine when it is run under my credentials. However when I try and run it using an admin on the local machine I get the following error.

---

2017-08-03T09:26:52.4173924Z ROBOCOPY :: Robust File Copy for Windows
2017-08-03T09:26:52.4173924Z ------------------------------------------------------------------------------- 2017-08-03T09:26:53.6518030Z Started : 03 August 2017 10:26:52
2017-08-03T09:26:53.6518030Z 2017/08/03 10:26:53 ERROR 5 (0x00000005) Getting File System Type of Destination \Server\C$\Deployment Folder\Release\ 2017-08-03T09:26:53.6518030Z Access is denied.
2017-08-03T09:26:53.6518030Z Source : C:\Agent\agent_work\03f953eca\Release CI Test\drop_PublishedWebsites\Site_Package\
2017-08-03T09:26:53.6518030Z Dest - \Server\C$\Deployment Folder\Release\ 2017-08-03T09:26:53.6518030Z Files : .
2017-08-03T09:26:53.6518030Z 2017-08-03T09:26:53.6674336Z
Options : . /S /E /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30
2017-08-03T09:26:53.6674336Z ------------------------------------------------------------------------------ 2017-08-03T09:26:53.9643156Z 2017/08/03 10:26:53 ERROR 5 (0x00000005) Creating Destination Directory \Server\C$\Deployment Folder\Release\ 2017-08-03T09:26:53.9643156Z Access is denied.
2017-08-03T09:26:53.9955634Z \Serverwas deleted successfully.
2017-08-03T09:26:54.0268146Z ##[error]Copying failed for resource : Server 2017-08-03T09:26:54.0268146Z ##[error]Copying failed. Consult the robocopy logs for more details.

I understood that to perform a windows machine file copy the admin user only needed admin access to the target server, do they in fact need access to the build server as well?

The reason this may be a problem is that some servers live inside the DMZ and so have no access to our Active Directory. I don't see how I could have a user that has admin access to a server in our network and one in the DMZ. And if that is the case I wonder how I would deploy our artefacts to these servers using TFS release management.

For the Access is denied error in Windows Machine File Copy task. Just as comment discussed above, you need to give enough permission for the shared folder on the web server for the service account.

As for deploying to servers in the DMZ with local admin account. There is two option:

Option 1 - using WMF-v5 and a PowerShell task

To send files over a WinRM session in WMF v5 you can use the Copy-Item cmdlet. For example,

$session = New-PSSession -ComputerName <computername>
Copy-Item <yourfile> -Destination 'C:' -ToSession $session

Option 2

Do the machines in DMZ have line-of-sight to TFS on-premises? If yes, the simplest like Daniel suggested, you could deploy an agent on the servers and configure it with the TFS. You can use similar shadow accounts approach to configure the agents with the TFS.

Once configured, the agents auto download the associated artifacts to local machine.

More details please refer Roopesh Nair's answer in this question: TFS 2015 Update 2 Release Management - Deploying across untrusted domains and to servers in the DMZ