Active Directory Groups for BizTalk

| Group (Proposal) | Description |
| --- | --- |
| grp_biz_sso.admins | The SSO Administrators group created for Enterprise Single Sign-On. |
| grp_biz_ssoaff.admins | The SSO Affiliate Administrators group created for Enterprise Single Sign-On. |
| grp_biz.admins | The BizTalk Server Administrators Group has the least privileges necessary to perform administrative tasks included in the Configuration Framework Wizard and to administer the BizTalk Server environment after installation. |
| grp_biz.ops | The BizTalk Server Operators Group has the least privileges necessary to perform tasks required for operating the BizTalk Server environment after installation. |
| grp_biz_host.users | Group for accounts with access to the In-Process BizTalk hosts (hosts processes in the BizTalk Server). |
| grp_biz_isohost.users | Group for accounts with access to the Isolated BizTalk hosts (hosts processes not running on BizTalk Server, such as HTTP and SOAP). |
| grp_biz_b2b.ops | The BizTalk Server B2B Operators Group has the least privileges necessary to perform tasks required for operating the BizTalk Server B2B environment after installation. |

Active Directory Users for BizTalk

| Name (Proposal) | Group Assignment | Description |
| --- | --- | --- |
| svc_biz.sso | grp_biz_sso.admins | Enterprise Single Sign-On Service |
| svc_biz.host | grp_biz_host.users | BizTalk Host Instance Account |
| svc_biz.isohost | grp_biz_isohost.users | BizTalk Isolated Host Instance Account |
| svc_biz.ruleengine | | Rule Engine Update Service |
| developer/admin | grp_biz.admins | User account of developer/administrator using the BizTalk Machine |

Active Directory Groups for SQL

| Group (Proposal) | Description |
| --- | --- |
| grp_sql.admins | The SQL Server Administrators Group has the least privileges necessary to perform administrative tasks. |

Active Directory Users for SQL

| Name (Proposal) | Group Assignment | Description |
| --- | --- | --- |
| svc_biz_sql.dbe | | The service account for the SQL Server relational Database Engine |
| svc_biz_sql.agent | | The service account for the SQL Server Agent. Executes jobs, monitors SQL Server, fires alerts, and enables automation of some administrative tasks |
| svc_biz_sql.ssas | | The service account for the SQL Server Analysis Services. Provides online analytical processing (OLAP) and data mining functionality for business intelligence applications. |
| svc_biz_sql.ssrs | | The service account for the SQL Server Reporting Services. Provides comprehensive reporting functionality for a variety of data sources. |
| svc_biz_sql.ssrsea | | The service account for referencing external images in a report and if permission is required to access the image file. (SSRS Execution Account) |
| svc_biz_sql.ssrsfsa | | The service account for accessing file shares (SSRS File Share Account) |
| svc_sql.ssis | | The service account to provide management support for Integration Services package storage and execution. |

Active Directory Users for inSyca Monitoring

| Name (Proposal) | Group Assignment | Description |
| --- | --- | --- |
| svc_monitoring | Administrators, grp_biz.admins, grp_biz_sso.admins | The service account for the inSyca Monitoring components |

Additional User to Group Mapping

| Name | Group Assignment | Description |
| --- | --- | --- |
| All BizTalk Host Instance Users | Performance Log Users (local group) | Avoid Kernel-EventTracing error: Session "BizTalkDefaultTrace" failed to start... |

PowerShell script to create users and groups locally:


```powershell
# "YourSuperSecretPassword" is a placeholder throughout: replace it with a
# unique, strong password for each account before running the script.

$Computer = $env:COMPUTERNAME
$ADSI = [ADSI]("WinNT://$Computer")

# BizTalk Server accounts and groups

$User = $ADSI.Create("User", "svc_biz.ruleengine")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "Rule Engine Update Service"
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()

$User = $ADSI.Create("User", "svc_biz.sso")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "Enterprise Single Sign-On Service"
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()

$Group = $ADSI.Create('Group', 'grp_biz_sso.admins')
$Group.SetInfo()
$Group.Description = 'The SSO Administrators group created for Enterprise Single Sign-On.'
$Group.SetInfo()

# $User is still svc_biz.sso here
$Group.Add(("WinNT://$Computer/" + $User.Name))

$Group = $ADSI.Create('Group', 'grp_biz_ssoaff.admins')
$Group.SetInfo()
$Group.Description = 'The SSO Affiliate Administrators group created for Enterprise Single Sign-On.'
$Group.SetInfo()

$Group = $ADSI.Create('Group', 'grp_biz.admins')
$Group.SetInfo()
$Group.Description = 'The BizTalk Server Administrators Group has the least privileges necessary to perform administrative tasks included in the Configuration Framework Wizard and to administer the BizTalk Server environment after installation.'
$Group.SetInfo()

$Group = $ADSI.Create('Group', 'grp_biz.ops')
$Group.SetInfo()
$Group.Description = 'The BizTalk Server Operators Group has the least privileges necessary to perform tasks required for operating the BizTalk Server environment after installation.'
$Group.SetInfo()

$Group = $ADSI.Create('Group', 'grp_biz_host.users')
$Group.SetInfo()
$Group.Description = 'Group for accounts with access to the In-Process BizTalk hosts (hosts processes in the BizTalk Server).'
$Group.SetInfo()

$User = $ADSI.Create("User", "svc_biz.host")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "BizTalk Host Instance Account"
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()

$Group.Add(("WinNT://$Computer/" + $User.Name))

$Group = $ADSI.Create('Group', 'grp_biz_isohost.users')
$Group.SetInfo()
$Group.Description = 'Group for accounts with access to the Isolated BizTalk hosts (hosts processes not running on BizTalk Server, such as HTTP and SOAP)'
$Group.SetInfo()

$User = $ADSI.Create("User", "svc_biz.isohost")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "BizTalk Isolated Host Instance Account"
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()

$Group.Add(("WinNT://$Computer/" + $User.Name))

$Group = $ADSI.Create('Group', 'grp_biz_b2b.ops')
$Group.SetInfo()
$Group.Description = 'The BizTalk Server B2B Operators Group has the least privileges necessary to perform tasks required for operating the BizTalk Server B2B environment after installation.'
$Group.SetInfo()

# SQL Server accounts and groups

# The group table above lists this group as grp_sql.admins; the script creates grp_biz_sql.admins.
$Group = $ADSI.Create('Group', 'grp_biz_sql.admins')
$Group.SetInfo()
$Group.Description = 'The SQL Server Administrators Group has the least privileges necessary to perform administrative tasks'
$Group.SetInfo()

$User = $ADSI.Create("User", "svc_biz_sql.dbe")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "The service account for the SQL Server relational Database Engine"
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()

$User = $ADSI.Create("User", "svc_biz_sql.agent")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "The service account for the SQL Server Agent. Executes jobs, monitors SQL Server, fires alerts, and enables automation of some administrative tasks"
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()

$User = $ADSI.Create("User", "svc_biz_sql.ssas")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "The service account for the SQL Server Analysis Services. Provides online analytical processing (OLAP) and data mining functionality for business intelligence applications."
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()

$User = $ADSI.Create("User", "svc_biz_sql.ssrs")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "The service account for the SQL Server Reporting Services. Provides comprehensive reporting functionality for a variety of data sources."
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()

$User = $ADSI.Create("User", "svc_biz_sql.ssrsea")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "The service account for referencing external images in a report and if permission is required to access the image file.(SSRS Execution Account)"
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()

$User = $ADSI.Create("User", "svc_biz_sql.ssrsfsa")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "The service account for accessing file shares (SSRS File Share Account)"
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()

$User = $ADSI.Create("User", "svc_sql.browser")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "The service account for the name resolution service that provides SQL Server connection information for client computers"
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()

$User = $ADSI.Create("User", "svc_sql.ssis")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "The service account to provide management support for Integration Services package storage and execution."
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()


# inSyca monitoring account

$User = $ADSI.Create("User", "svc_monitoring")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "inSyca Monitoring Service"
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()

# svc_monitoring is added to the built-in local Administrators group and to two BizTalk groups
$Group = $ADSI.Children.Find('Administrators', 'group')
$Group.Add(("WinNT://$Computer/" + $User.Name))

$Group = $ADSI.Children.Find('grp_biz.admins', 'group')
$Group.Add(("WinNT://$Computer/" + $User.Name))

$Group = $ADSI.Children.Find('grp_biz_sso.admins', 'group')
$Group.Add(("WinNT://$Computer/" + $User.Name))
```
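
The script above sets the same literal password on every account. The following added example (not inSyca's script) creates the four BizTalk service accounts from the table with a separate random password each, using the `Microsoft.PowerShell.LocalAccounts` cmdlets instead of ADSI. The helper name `New-RandomSecureString` and the output file path are assumptions made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not inSyca's script. Needs Windows PowerShell 5.1 (LocalAccounts module).

# Name, full name and group assignment copied from the BizTalk user table on this page.
$Accounts = @(
    @{ Name = 'svc_biz.sso';        FullName = 'Enterprise Single Sign-On Service';      Groups = @('grp_biz_sso.admins') }
    @{ Name = 'svc_biz.host';       FullName = 'BizTalk Host Instance Account';          Groups = @('grp_biz_host.users') }
    @{ Name = 'svc_biz.isohost';    FullName = 'BizTalk Isolated Host Instance Account'; Groups = @('grp_biz_isohost.users') }
    @{ Name = 'svc_biz.ruleengine'; FullName = 'Rule Engine Update Service';             Groups = @() }
)

function New-RandomSecureString {
    # 24 bytes from the OS CSPRNG as a 32-character Base64 password; redraw until it
    # has lower case, upper case and a digit so a complexity policy accepts it.
    $bytes = New-Object byte[] 24
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        do {
            $rng.GetBytes($bytes); $text = [Convert]::ToBase64String($bytes)
        } until ($text -cmatch '[a-z]' -and $text -cmatch '[A-Z]' -and $text -match '\d')
    } finally { $rng.Dispose() }
    ConvertTo-SecureString $text -AsPlainText -Force
}

$Created = foreach ($a in $Accounts) {
    # Create the account only if it is missing, so the script can be re-run safely.
    if (-not (Get-LocalUser -Name $a.Name -ErrorAction SilentlyContinue)) {
        $secret = New-RandomSecureString
        New-LocalUser -Name $a.Name -FullName $a.FullName -Password $secret `
            -PasswordNeverExpires -UserMayNotChangePassword | Out-Null
        # Emit a credential object so the password is stored, never printed.
        New-Object System.Management.Automation.PSCredential ($a.Name, $secret)
    }
    foreach ($g in $a.Groups) {
        if (-not (Get-LocalGroup -Name $g -ErrorAction SilentlyContinue)) { New-LocalGroup -Name $g | Out-Null }
        $member = "$env:COMPUTERNAME\$($a.Name)"
        if ((Get-LocalGroupMember -Group $g).Name -notcontains $member) {
            Add-LocalGroupMember -Group $g -Member $a.Name
        }
    }
}

# Export-Clixml encrypts SecureString values with DPAPI, so only this user on this
# machine can read them back with Import-Clixml. The path is an assumption.
if ($Created) { $Created | Export-Clixml -Path "$env:USERPROFILE\biztalk-svc-credentials.xml" }
```

When configuring each service, read a password back with `(Import-Clixml <path>)` and the credential's `GetNetworkCredential().Password`, then move it to the password store you use and delete the file.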