Recently a customer wrote to make sure that the TFS service accounts they were using had only the bare minimum of privileges required to run TFS. This is smart. When dealing with permissions and service accounts, less is always best.
You never want to give your service account more permissions than required to run the application for which it is set up. Why? Prudence. If someone manages to compromise your service account (or any account you manage, for that matter), your data and assets are at less risk if the compromised account only has access to exactly the permissions it needs.
For the service accounts of the various components that come on the TFS 2010 DVD, that mostly means giving the service account the Log on as a Service permission. For the service account for the TFS application tier, you have to do a little more: it needs to appear in the Content Manager role on the Report Server (if you are using a report server) and the Farm Administrators group on SharePoint (if you're using SharePoint).
All this information is documented in this topic, in the TFS installation guide.
Remember: You don’t want to give your service accounts too little permission, or the application won’t function correctly. But you don’t want to give your service accounts too much permission, because it’s risky. Instead you want to give your service accounts the exact amount of permissions they require.
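One way to check the "exact amount" for the Log on as a Service requirement described above is to audit a user-rights export for the account. This is an added example, not code from the original post or from TFS; the account names, SIDs and sample export are constructed, and the `audit` and `parse_rights` helpers are hypothetical names.

```python
"""Audit the user rights a service account holds in a secedit export."""

# Per the post, component service accounts need "Log on as a service".
EXPECTED_RIGHTS = {"SeServiceLogonRight"}

# Constructed sample in the format written by
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# (real exports are UTF-16; open the file with encoding="utf-16").
SAMPLE_EXPORT = r"""
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = CONTOSO\svc-tfs,CONTOSO\svc-tfsbuild
SeBackupPrivilege = *S-1-5-32-544,CONTOSO\svc-tfsbuild
SeDebugPrivilege = *S-1-5-32-544
SeDenyInteractiveLogonRight = CONTOSO\svc-tfs
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_rights(text):
    """Return {right: set of lower-cased principals} from [Privilege Rights]."""
    rights, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Privilege Rights" and "=" in line:
            name, _, members = line.partition("=")
            rights[name.strip()] = {
                m.strip().lstrip("*").lower() for m in members.split(",") if m.strip()
            }
    return rights


def audit(text, account, sid=None):
    """Compare rights assigned directly to the account with EXPECTED_RIGHTS.

    SeDeny* entries restrict an account, so they are not counted as excess.
    Rights inherited through group membership are not visible here; pass the
    group's SID as `sid` to audit a group the account belongs to.
    """
    ids = {account.lower()} | ({sid.lower()} if sid else set())
    held = {r for r, members in parse_rights(text).items()
            if members & ids and not r.startswith("SeDeny")}
    return {"missing": sorted(EXPECTED_RIGHTS - held),
            "excess": sorted(held - EXPECTED_RIGHTS)}


if __name__ == "__main__":
    for acct in (r"CONTOSO\svc-tfs", r"CONTOSO\svc-tfsbuild"):
        print(acct, audit(SAMPLE_EXPORT, acct))
```

The Report Server Content Manager role and the SharePoint Farm Administrators group are not part of this export and have to be checked in those products.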