When setting up permissions on TFS2012 Team Portal, TFS Inherits all members of the servers "local administrators group" and grants them all Administrative permissions to the server.
These members may consist of individual user accounts or active directory groups - for example operations and systems teams. They show up under the "Windows Groups" menu for the Team Project Collection.
As there is no mechanism to exclude individual Windows users and groups, the result is quite a few people end up having administrative access to TFS.
It is necessary to be able to choose which groups to include and which to be able to exclude.