I was recently connected to a client’s TFS through VPN and the Team Explorer interface didn’t let me add users from their domain into one of the TFS groups. I could only see users from my local domain. In order to get around this, I used TFSSecurity.exe (http://msdn.microsoft.com/en-us/library/ms252504.aspx). It lets you create and modify groups as well as add permissions for groups and users.
This command added the user to the “Contributors” group in the specified Team Project:
tfssecurity.exe /collection:http://tfsserver:8080/tfs/Collection /g+ “[Team Project Name]\Contributors” n:”someDomain\SomeUser”