Active Directory Groups for BizTalk
Group (Proposal) | Description |
grp_biz_sso.admins | The SSO Administrators group created for Enterprise Single Sign-On. |
grp_biz_ssoaff.admins | The SSO Affiliate Administrators group created for Enterprise Single Sign-On. |
grp_biz.admins | The BizTalk Server Administrators Group has the least privileges necessary to perform administrative tasks included in the Configuration Framework Wizard and to administer the BizTalk Server environment after installation. |
grp_biz.ops | The BizTalk Server Operators Group has the least privileges necessary to perform tasks required for operating the BizTalk Server environment after installation. |
grp_biz_host.users | Group for accounts with access to the In-Process BizTalk hosts (hosts processes in the BizTalk Server). |
grp_biz_isohost.users | Group for accounts with access to the Isolated BizTalk hosts (hosts processes not running on BizTalk Server, such as HTTP and SOAP). |
grp_biz_b2b.ops | The BizTalk Server B2B Operators Group has the least privileges necessary to perform tasks required for operating the BizTalk Server B2B environment after installation. |
Active Directory Users for BizTalk
Name (Proposal) | Group Assignment | Description |
svc_biz.sso | grp_biz_sso.admins | Enterprise Single Sign-On Service |
svc_biz.host | grp_biz_host.users | BizTalk Host Instance Account |
svc_biz.isohost | grp_biz_isohost.users | BizTalk Isolated Host Instance Account |
svc_biz.ruleengine | | Rule Engine Update Service |
developer/admin | grp_biz.admins | User account of developer/administrator using the BizTalk Machine |
Active Directory Groups for SQL
Group (Proposal) | Description |
grp_sql.admins | The SQL Server Administrators Group has the least privileges necessary to perform administrative tasks. |
Active Directory Users for SQL
Name (Proposal) | Group Assignment | Description |
svc_biz_sql.dbe | | The service account for the SQL Server relational Database Engine |
svc_biz_sql.agent | | The service account for the SQL Server Agent. Executes jobs, monitors SQL Server, fires alerts, and enables automation of some administrative tasks. |
svc_biz_sql.ssas | | The service account for the SQL Server Analysis Services. Provides online analytical processing (OLAP) and data mining functionality for business intelligence applications. |
svc_biz_sql.ssrs | | The service account for the SQL Server Reporting Services. Provides comprehensive reporting functionality for a variety of data sources. |
svc_biz_sql.ssrsea | | The service account used when a report references external images and permission is required to access the image file (SSRS Execution Account). |
svc_biz_sql.ssrsfsa | | The service account for accessing file shares (SSRS File Share Account) |
svc_sql.ssis | | The service account to provide management support for Integration Services package storage and execution. |
Active Directory Users for inSyca Monitoring
Name (Proposal) | Group Assignment | Description |
svc_monitoring | Administrators, grp_biz.admins, grp_biz_sso.admins | The service account for the inSyca Monitoring components |
Additional User to Group Mapping
Name | Group Assignment | Description |
All BizTalk Host Instance Users | Performance Log Users (local group) | Avoid Kernel-EventTracing error: Session "BizTalkDefaultTrace" failed to start... |
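PowerShell script to create the users and groups locally (every account is given the placeholder password YourSuperSecretPassword; replace it before running):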
$Computer = $env:COMPUTERNAME
$ADSI = [ADSI]("WinNT://$Computer")
# BizTalk Server accounts and groups
$User = $ADSI.Create("User", "svc_biz.ruleengine")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "Rule Engine Update Service"
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()
$User = $ADSI.Create("User", "svc_biz.sso")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "Enterprise Single Sign-On Service"
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()
$Group = $ADSI.Create('Group', 'grp_biz_sso.admins')
$Group.SetInfo()
$Group.Description = 'The SSO Administrators group created for Enterprise Single Sign-On.'
$Group.SetInfo()
$Group.Add(("WinNT://$Computer/" + $User.Name))
$Group = $ADSI.Create('Group', 'grp_biz_ssoaff.admins')
$Group.SetInfo()
$Group.Description = 'The SSO Affiliate Administrators group created for Enterprise Single Sign-On.'
$Group.SetInfo()
$Group = $ADSI.Create('Group', 'grp_biz.admins')
$Group.SetInfo()
$Group.Description = 'The BizTalk Server Administrators Group has the least privileges necessary to perform administrative tasks included in the Configuration Framework Wizard and to administer the BizTalk Server environment after installation.'
$Group.SetInfo()
$Group = $ADSI.Create('Group', 'grp_biz.ops')
$Group.SetInfo()
$Group.Description = 'The BizTalk Server Operators Group has the least privileges necessary to perform tasks required for operating the BizTalk Server environment after installation.'
$Group.SetInfo()
$Group = $ADSI.Create('Group', 'grp_biz_host.users')
$Group.SetInfo()
$Group.Description = 'Group for accounts with access to the In-Process BizTalk hosts (hosts processes in the BizTalk Server).'
$Group.SetInfo()
$User = $ADSI.Create("User", "svc_biz.host")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "BizTalk Host Instance Account"
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()
$Group.Add(("WinNT://$Computer/" + $User.Name))
$Group = $ADSI.Create('Group', 'grp_biz_isohost.users')
$Group.SetInfo()
$Group.Description = 'Group for accounts with access to the Isolated BizTalk hosts (hosts processes not running on BizTalk Server, such as HTTP and SOAP)'
$Group.SetInfo()
$User = $ADSI.Create("User", "svc_biz.isohost")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "BizTalk Isolated Host Instance Account"
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()
$Group.Add(("WinNT://$Computer/" + $User.Name))
$Group = $ADSI.Create('Group', 'grp_biz_b2b.ops')
$Group.SetInfo()
$Group.Description = 'The BizTalk Server B2B Operators Group has the least privileges necessary to perform tasks required for operating the BizTalk Server B2B environment after installation.'
$Group.SetInfo()
# SQL Server accounts and groups
$Group = $ADSI.Create('Group', 'grp_biz_sql.admins')
$Group.SetInfo()
$Group.Description = 'The SQL Server Administrators Group has the least privileges necessary to perform administrative tasks'
$Group.SetInfo()
$User = $ADSI.Create("User", "svc_biz_sql.dbe")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "The service account for the SQL Server relational Database Engine"
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()
$User = $ADSI.Create("User", "svc_biz_sql.agent")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "The service account for the SQL Server Agent. Executes jobs, monitors SQL Server, fires alerts, and enables automation of some administrative tasks"
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()
$User = $ADSI.Create("User", "svc_biz_sql.ssas")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "The service account for the SQL Server Analysis Services. Provides online analytical processing (OLAP) and data mining functionality for business intelligence applications."
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()
$User = $ADSI.Create("User", "svc_biz_sql.ssrs")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "The service account for the SQL Server Reporting Services. Provides comprehensive reporting functionality for a variety of data sources."
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()
$User = $ADSI.Create("User", "svc_biz_sql.ssrsea")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "The service account for referencing external images in a report and if permission is required to access the image file.(SSRS Execution Account)"
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()
$User = $ADSI.Create("User", "svc_biz_sql.ssrsfsa")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "The service account for accessing file shares (SSRS File Share Account)"
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()
$User = $ADSI.Create("User", "svc_sql.browser")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "The service account for the name resolution service that provides SQL Server connection information for client computers"
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()
$User = $ADSI.Create("User", "svc_sql.ssis")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "The service account to provide management support for Integration Services package storage and execution."
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()
# inSyca monitoring account
$User = $ADSI.Create("User", "svc_monitoring")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "inSyca Monitoring Service"
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()
$Group = $ADSI.Children.Find('Administrators', 'group')
$Group.Add(("WinNT://$Computer/" + $User.Name))
$Group = $ADSI.Children.Find('grp_biz.admins', 'group')
$Group.Add(("WinNT://$Computer/" + $User.Name))
$Group = $ADSI.Children.Find('grp_biz_sso.admins', 'group')
$Group.Add(("WinNT://$Computer/" + $User.Name))
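
A membership audit to run after the script, added here as an example and not part of the original page: it compares actual local group membership with the Group Assignment columns in the tables above and lists any service account sitting in a built-in group without being listed there. It uses the Get-LocalGroupMember cmdlet (Windows PowerShell 5.1) instead of the page's ADSI calls, and assumes that "All BizTalk Host Instance Users" means svc_biz.host and svc_biz.isohost.

```powershell
# Added example (not from the original page): audit local group membership
# against the "Group Assignment" columns in the tables above.
$Expected = [ordered]@{
    'grp_biz_sso.admins'    = @('svc_biz.sso', 'svc_monitoring')
    'grp_biz.admins'        = @('svc_monitoring')   # add the real developer/admin account here
    'grp_biz_host.users'    = @('svc_biz.host')
    'grp_biz_isohost.users' = @('svc_biz.isohost')
    # Assumption: "All BizTalk Host Instance Users" means these two accounts.
    'Performance Log Users' = @('svc_biz.host', 'svc_biz.isohost')
    'Administrators'        = @('svc_monitoring')
}
# Built-in groups have members of their own; for them only svc_* extras are reported.
$BuiltIn = @('Administrators', 'Performance Log Users')

function Get-MemberNames([string]$Group) {
    # Names come back as COMPUTER\account (or DOMAIN\account); keep the account part.
    Get-LocalGroupMember -Group $Group -ErrorAction Stop |
        ForEach-Object { ($_.Name -split '\\')[-1] }
}

function Compare-Membership([string]$Group, [string[]]$Want, [string[]]$Have, [bool]$IsBuiltIn) {
    $missing = @($Want | Where-Object { $_ -notin $Have })
    $extra   = @($Have | Where-Object { $_ -notin $Want })
    if ($IsBuiltIn) { $extra = @($extra | Where-Object { $_ -like 'svc_*' }) }
    [pscustomobject]@{
        Group   = $Group
        Missing = $missing -join ', '
        Extra   = $extra -join ', '
        Ok      = ($missing.Count -eq 0 -and $extra.Count -eq 0)
    }
}

$report = foreach ($group in $Expected.Keys) {
    try {
        $have = @(Get-MemberNames $group)
    } catch {
        # The group does not exist (or cannot be read) on this machine.
        [pscustomobject]@{ Group = $group; Missing = '(group not readable)'; Extra = ''; Ok = $false }
        continue
    }
    Compare-Membership -Group $group -Want $Expected[$group] -Have $have -IsBuiltIn ($group -in $BuiltIn)
}
$report | Format-Table -AutoSize
```

Run against a machine provisioned with the script exactly as published, the Performance Log Users row reports both host accounts as missing, because the script does not perform the mapping from the "Additional User to Group Mapping" table.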