When you create a branch in TFS, the explicit TFS source control permissions from the source branch are copied to the target branch. Let's change that...
In order to adhere to the principle of least privilege, we needed to change the behavior so that permissions granted on the “Main” branch for developers would NOT propagate to staging and production branches (we’re using the code promotion branching model). A lot of people who are in this position seem to be removing the explicit permissions manually, but let's automate it.
Download the BranchSecurityInheritOnly.dll and copy it to your %Program Files%\Microsoft Team Foundation Server 11.0\Application Tier\Web Services\bin\Plugins folder on your TFS Server. Since it's using the Event Subscriber, that's it!
Supports only TFS 2012 Update 1, but you could easily recompile for earlier versions.
Works only with first class branches.