I was reading through my feeds today and I noticed one from Tiago Pascoal that sparked my interest. One of the most common questions that I get when consulting around TFS is how to restrict the list of people that you can assign a work item to. After reading his post, I liked what I saw. By making a slight modification to the process template (see below) you can restrict which people appear in the list.

As part of my default installation I normally set up AD groups and assign them to Project\Contributors and Project\Project Administrators. Doing this allows the infrastructure people to use their normal group management tools to manage the access to TFS. I need to do some investigation to see if making this change to the process template will still work if named accounts are not in the Contributors group.

From Tiago’s post.

But I prefer a more restrictive view. Only list users that have access to the project. So when customizing process templates, I typically use this definition for the Assigned To field:

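<FIELD name="Assigned To" refname="System.AssignedTo" type="String">
    <!-- Keeps work items editable when the current assignee no longer has project access -->
    <ALLOWEXISTINGVALUE />
    <ALLOWEDVALUES expanditems="true" filteritems="excludegroups">
        <LISTITEM value="[Project]\Contributors" />
        <LISTITEM value="[Project]\Project Administrators" />
    </ALLOWEDVALUES>
    <PROHIBITEDVALUES expanditems="true">
        <LISTITEM value="tfsservice" />
    </PROHIBITEDVALUES>
</FIELD>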

This definition states that only users who are contributors or project administrators of the project will be listed (it will exclude the tfsservice account from the listing, tfsservice being the account name that runs the service. By default Microsoft recommends the tfsservice name, but your installation may vary). I also use the allowexisting value to allow us to edit work items assigned to users who no longer have access to the project.
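A way to check an exported work item type definition against the rule described above, as an added example that is not part of Tiago's post or of TFS itself. The function names and both sample definitions are constructed for illustration, and the service account name `tfsservice` is the one the post assumes.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the post's field definition, and an unrestricted one.
RESTRICTED = r"""
<FIELD name="Assigned To" refname="System.AssignedTo" type="String">
  <ALLOWEXISTINGVALUE />
  <ALLOWEDVALUES expanditems="true" filteritems="excludegroups">
    <LISTITEM value="[Project]\Contributors" />
    <LISTITEM value="[Project]\Project Administrators" />
  </ALLOWEDVALUES>
  <PROHIBITEDVALUES expanditems="true">
    <LISTITEM value="tfsservice" />
  </PROHIBITEDVALUES>
</FIELD>
"""
UNRESTRICTED = '<FIELD name="Assigned To" refname="System.AssignedTo" type="String" />'


def list_items(field, rule):
    """Return the LISTITEM values under a rule element, or [] if the rule is absent."""
    node = field.find(rule)
    return [] if node is None else [li.get("value", "") for li in node.findall("LISTITEM")]


def audit_assigned_to(xml_text, service_accounts=("tfsservice",)):
    """Return findings for a System.AssignedTo FIELD definition (empty list = OK)."""
    field = ET.fromstring(xml_text)
    if field.get("refname") != "System.AssignedTo":
        raise ValueError("not the Assigned To field")
    findings = []
    allowed = field.find("ALLOWEDVALUES")
    if not list_items(field, "ALLOWEDVALUES"):
        findings.append("no ALLOWEDVALUES: assignee list is not limited to project groups")
    elif allowed.get("filteritems") != "excludegroups":
        findings.append('filteritems is not "excludegroups": group names stay selectable')
    prohibited = {v.lower() for v in list_items(field, "PROHIBITEDVALUES")}
    for account in service_accounts:
        if account.lower() not in prohibited:
            findings.append(f"service account {account} is not in PROHIBITEDVALUES")
    if field.find("ALLOWEXISTINGVALUE") is None:
        findings.append("no ALLOWEXISTINGVALUE: items held by removed users cannot be saved")
    return findings


if __name__ == "__main__":
    for name, xml_text in (("restricted", RESTRICTED), ("unrestricted", UNRESTRICTED)):
        print(name, audit_assigned_to(xml_text) or "OK")
```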