BizTalk Groups and User accounts.

Active Directory Groups for BizTalk

Group (Proposal)	Description
grp_biz_sso.admins	The SSO Administrators group created for Enterprise Single Sign-On.
grp_biz_ssoaff.admins	The SSO Affiliate Administrators group created for Enterprise Single Sign-On.
grp_biz.admins	The BizTalk Server Administrators Group has the least privileges necessary to perform administrative tasks included in the Configuration Framework Wizard and to administer the BizTalk Server environment after installation.
grp_biz.ops	The BizTalk Server Operators Group has the least privileges necessary to perform tasks required for operating the BizTalk Server environment after installation.
grp_biz_host.users	Group for accounts with access to the In-Process BizTalk hosts (hosts processes in the BizTalk Server).
grp_biz_isohost.users	Group for accounts with access to the Isolated BizTalk hosts (hosts processes not running on BizTalk Server, such as HTTP and SOAP)
grp_biz_b2b.ops	The BizTalk Server B2B Operators Group has the least privileges necessary to perform tasks required for operating the BizTalk Server B2B environment after installation.

Active Directory Users for BizTalk

Name (Proposal)	Group Assignment	Description
svc_biz.sso	grp_biz_sso.admins	Enterprise Single Sign-On Service
svc_biz.host	grp_biz_host.users	BizTalk Host Instance Account
svc_biz.isohost	grp_biz_isohost.users	BizTalk Isolated Host Instance Account
svc_biz.ruleengine		Rule Engine Update Service
developer/admin	grp_biz.admins	User account of developer/administrator using the BizTalk Machine

Active Directory Groups for SQL

Group (Proposal)	Description
grp_sql.admins	The SQL Server Administrators Group has the least privileges necessary to perform administrative tasks.

Active Directory Users for SQL

Name (Proposal)	Group Assignment	Description
svc_biz_sql.dbe		The service account for the SQL Server relational Database Engine
svc_biz_sql.agent		The service account for the SQL Server Agent. Executes jobs, monitors SQL Server, fires alerts, and enables automation of some administrative tasks
svc_biz_sql.ssas		The service account for the SQL Server Analysis Services. Provides online analytical processing (OLAP) and data mining functionality for business intelligence applications.
svc_biz_sql.ssrs		The service account for the SQL Server Reporting Services. Provides comprehensive reporting functionality for a variety of data sources.
svc_biz_sql.ssrsea		The service account for referencing external images in a report and if permission is required to access the image file.(SSRS Execution Account)
svc_biz_sql.ssrsfsa		The service account for accessing file shares (SSRS File Share Account)
svc_sql.ssis		The service account to provide management support for Integration Services package storage and execution.

Active Directory Users for inSyca Monitoring

Name (Proposal)	Group Assignment	Description
svc_monitoring	Administrators grp_biz.admins grp_biz_sso.admins	The service account for the inSyca Monitoring components

Additional User to Group Mapping

Name	Group Assignment	Description
All BizTalk Host Instance Users	Performance Log Users (local group)	Avoid Kernel-EventTracing error: Session "BizTalkDefaultTrace" failed to start...

Powershell script to create users and groups locally:


$Computer = $env:COMPUTERNAME
$ADSI = [ADSI]("WinNT://$Computer")
 
# BizTalk Server accounts and groups
 
$User = $ADSI.Create("User", "svc_biz.ruleengine")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "Rule Engine Update Service"
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()
 
$User = $ADSI.Create("User", "svc_biz.sso")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "Enterprise Single Sign-On Service"
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()
 
$Group = $ADSI.Create('Group', 'grp_biz_sso.admins')
$Group.SetInfo()
$Group.Description  = 'The SSO Administrators group created for Enterprise Single Sign-On.'
$Group.SetInfo()
 
$Group.Add(("WinNT://$Computer/" + $User.Name))
 
$Group = $ADSI.Create('Group', 'grp_biz_ssoaff.admins')
$Group.SetInfo()
$Group.Description  = 'The SSO Affiliate Administrators group created for Enterprise Single Sign-On.'
$Group.SetInfo()
 
$Group = $ADSI.Create('Group', 'grp_biz.admins')
$Group.SetInfo()
$Group.Description  = 'The BizTalk Server Administrators Group has the least privileges necessary to perform administrative tasks included in the Configuration Framework Wizard and to administer the BizTalk Server environment after installation.'
$Group.SetInfo()
 
$Group = $ADSI.Create('Group', 'grp_biz.ops')
$Group.SetInfo()
$Group.Description  = 'The BizTalk Server Operators Group has the least privileges necessary to perform tasks required for operating the BizTalk Server environment after installation.'
$Group.SetInfo()
 
$Group = $ADSI.Create('Group', 'grp_biz_host.users')
$Group.SetInfo()
$Group.Description  = 'Group for accounts with access to the In-Process BizTalk hosts (hosts processes in the BizTalk Server).'
$Group.SetInfo()
 
$User = $ADSI.Create("User", "svc_biz.host")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "BizTalk Host Instance Account"
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()
 
$Group.Add(("WinNT://$Computer/" + $User.Name))
 
$Group = $ADSI.Create('Group', 'grp_biz_isohost.users')
$Group.SetInfo()
$Group.Description  = 'Group for accounts with access to the Isolated BizTalk hosts (hosts processes not running on BizTalk Server, such as HTTP and SOAP)'
$Group.SetInfo()
 
$User = $ADSI.Create("User", "svc_biz.isohost")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "BizTalk Isolated Host Instance Account"
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()
 
$Group.Add(("WinNT://$Computer/" + $User.Name))
 
$Group = $ADSI.Create('Group', 'grp_biz_b2b.ops')
$Group.SetInfo()
$Group.Description  = 'The BizTalk Server B2B Operators Group has the least privileges necessary to perform tasks required for operating the BizTalk Server B2B environment after installation.'
$Group.SetInfo()
 
# SQL Server accounts and groups
 
$Group = $ADSI.Create('Group', 'grp_biz_sql.admins')
$Group.SetInfo()
$Group.Description  = 'The SQL Server Administrators Group has the least privileges necessary to perform administrative tasks'
$Group.SetInfo()
 
$User = $ADSI.Create("User", "svc_biz_sql.dbe")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "The service account for the SQL Server relational Database Engine"
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()
 
$User = $ADSI.Create("User", "svc_biz_sql.agent")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "The service account for the SQL Server Agent. Executes jobs, monitors SQL Server, fires alerts, and enables automation of some administrative tasks"
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()
 
$User = $ADSI.Create("User", "svc_biz_sql.ssas")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "The service account for the SQL Server Analysis Services. Provides online analytical processing (OLAP) and data mining functionality for business intelligence applications."
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()
 
$User = $ADSI.Create("User", "svc_biz_sql.ssrs")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "The service account for the SQL Server Reporting Services. Provides comprehensive reporting functionality for a variety of data sources."
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()
 
$User = $ADSI.Create("User", "svc_biz_sql.ssrsea")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "The service account for referencing external images in a report and if permission is required to access the image file.(SSRS Execution Account)"
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()
 
$User = $ADSI.Create("User", "svc_biz_sql.ssrsfsa")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "The service account for accessing file shares (SSRS File Share Account)"
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()
 
$User = $ADSI.Create("User", "svc_sql.browser")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "The service account for the name resolution service that provides SQL Server connection information for client computers"
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()
 
$User = $ADSI.Create("User", "svc_sql.ssis")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "The service account to provide management support for Integration Services package storage and execution."
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()
 
 
# inSyca monitoring account
 
$User = $ADSI.Create("User", "svc_monitoring")
$User.SetPassword("YourSuperSecretPassword")
$User.SetInfo()
$User.FullName = "inSyca Monitoring Service"
$User.SetInfo()
$User.UserFlags.Value = 64 + 65536 # ADS_UF_PASSWD_CANT_CHANGE + ADS_UF_DONT_EXPIRE_PASSWD
$User.SetInfo()
 
$Group = $ADSI.Children.Find('Administrators', 'group')
$Group.Add(("WinNT://$Computer/" + $User.Name))
 
$Group = $ADSI.Children.Find('grp_biz.admins', 'group')
$Group.Add(("WinNT://$Computer/" + $User.Name))
 
$Group = $ADSI.Children.Find('grp_biz_sso.admins', 'group')
$Group.Add(("WinNT://$Computer/" + $User.Name))

Login to your account

Active Directory Groups for BizTalk

Active Directory Users for BizTalk

Active Directory Groups for SQL

Active Directory Users for SQL

Active Directory Users for inSyca Monitoring

Additional User to Group Mapping

Powershell script to create users and groups locally: