Active Directory Groups for BizTalk

Group (Proposal) | Description
grp_biz_sso.admins | The SSO Administrators group created for Enterprise Single Sign-On.
grp_biz_ssoaff.admins | The SSO Affiliate Administrators group created for Enterprise Single Sign-On.
grp_biz.admins | The BizTalk Server Administrators Group has the least privileges necessary to perform administrative tasks included in the Configuration Framework Wizard and to administer the BizTalk Server environment after installation.
grp_biz.ops | The BizTalk Server Operators Group has the least privileges necessary to perform tasks required for operating the BizTalk Server environment after installation.
grp_biz_host.users | Group for accounts with access to the In-Process BizTalk hosts (host processes running in the BizTalk Server).
grp_biz_isohost.users | Group for accounts with access to the Isolated BizTalk hosts (host processes not running on BizTalk Server, such as HTTP and SOAP).
grp_biz_b2b.ops | The BizTalk Server B2B Operators Group has the least privileges necessary to perform tasks required for operating the BizTalk Server B2B environment after installation.

Active Directory Users for BizTalk

Name (Proposal) | Group Assignment | Description
svc_biz.sso | grp_biz_sso.admins | Enterprise Single Sign-On Service
svc_biz.host | grp_biz_host.users | BizTalk Host Instance Account
svc_biz.isohost | grp_biz_isohost.users | BizTalk Isolated Host Instance Account
svc_biz.ruleengine | (none) | Rule Engine Update Service
developer/admin | grp_biz.admins | User account of the developer/administrator using the BizTalk machine

Active Directory Groups for SQL

Group (Proposal) | Description
grp_sql.admins | The SQL Server Administrators Group has the least privileges necessary to perform administrative tasks.

Active Directory Users for SQL

Name (Proposal) | Group Assignment | Description
svc_biz_sql.dbe | (none) | The service account for the SQL Server relational Database Engine
svc_biz_sql.agent | (none) | The service account for the SQL Server Agent. Executes jobs, monitors SQL Server, fires alerts, and enables automation of some administrative tasks
svc_biz_sql.ssas | (none) | The service account for the SQL Server Analysis Services. Provides online analytical processing (OLAP) and data mining functionality for business intelligence applications.
svc_biz_sql.ssrs | (none) | The service account for the SQL Server Reporting Services. Provides comprehensive reporting functionality for a variety of data sources.
svc_biz_sql.ssrsea | (none) | The service account used to reference external images in a report when permission is required to access the image file (SSRS Execution Account)
svc_biz_sql.ssrsfsa | (none) | The service account for accessing file shares (SSRS File Share Account)
svc_sql.ssis | (none) | The service account that provides management support for Integration Services package storage and execution.

Active Directory Users for inSyca Monitoring

Name (Proposal) | Group Assignment | Description
svc_monitoring | Administrators, grp_biz.admins, grp_biz_sso.admins | The service account for the inSyca Monitoring components

PowerShell script to create the users and groups locally (run in an elevated session on the machine):

$Computer = $env:COMPUTERNAME
$ADSI = [ADSI]("WinNT://$Computer")

# ADS_UF_PASSWD_CANT_CHANGE (0x40) + ADS_UF_DONT_EXPIRE_PASSWD (0x10000)
$ServiceAccountFlags = 0x40 -bor 0x10000

# Placeholder only: set a unique password per account before running the script
$Password = "YourSuperSecretPassword"

function New-ServiceAccount {
    param([string]$Name, [string]$FullName)
    $User = $ADSI.Create("User", $Name)
    $User.SetPassword($Password)
    $User.SetInfo()
    $User.FullName = $FullName
    $User.SetInfo()
    # keep the flags the SAM assigned to the new account and add the service-account flags
    $User.UserFlags.Value = $User.UserFlags.Value -bor $ServiceAccountFlags
    $User.SetInfo()
}

function New-ServiceGroup {
    param([string]$Name, [string]$Description)
    $Group = $ADSI.Create('Group', $Name)
    $Group.SetInfo()
    $Group.Description = $Description
    $Group.SetInfo()
}

function Add-ServiceAccountToGroup {
    param([string]$GroupName, [string]$UserName)
    $Group = $ADSI.Children.Find($GroupName, 'group')
    $Group.Add("WinNT://$Computer/$UserName")
}

# BizTalk Server accounts and groups

New-ServiceAccount 'svc_biz.ruleengine' 'Rule Engine Update Service'

New-ServiceAccount 'svc_biz.sso' 'Enterprise Single Sign-On Service'
New-ServiceGroup 'grp_biz_sso.admins' 'The SSO Administrators group created for Enterprise Single Sign-On.'
Add-ServiceAccountToGroup 'grp_biz_sso.admins' 'svc_biz.sso'

New-ServiceGroup 'grp_biz_ssoaff.admins' 'The SSO Affiliate Administrators group created for Enterprise Single Sign-On.'
New-ServiceGroup 'grp_biz.admins' 'The BizTalk Server Administrators Group has the least privileges necessary to perform administrative tasks included in the Configuration Framework Wizard and to administer the BizTalk Server environment after installation.'
New-ServiceGroup 'grp_biz.ops' 'The BizTalk Server Operators Group has the least privileges necessary to perform tasks required for operating the BizTalk Server environment after installation.'

New-ServiceGroup 'grp_biz_host.users' 'Group for accounts with access to the In-Process BizTalk hosts (host processes running in the BizTalk Server).'
New-ServiceAccount 'svc_biz.host' 'BizTalk Host Instance Account'
Add-ServiceAccountToGroup 'grp_biz_host.users' 'svc_biz.host'

New-ServiceGroup 'grp_biz_isohost.users' 'Group for accounts with access to the Isolated BizTalk hosts (host processes not running on BizTalk Server, such as HTTP and SOAP).'
New-ServiceAccount 'svc_biz.isohost' 'BizTalk Isolated Host Instance Account'
Add-ServiceAccountToGroup 'grp_biz_isohost.users' 'svc_biz.isohost'

New-ServiceGroup 'grp_biz_b2b.ops' 'The BizTalk Server B2B Operators Group has the least privileges necessary to perform tasks required for operating the BizTalk Server B2B environment after installation.'

# SQL Server accounts and groups

New-ServiceGroup 'grp_biz_sql.admins' 'The SQL Server Administrators Group has the least privileges necessary to perform administrative tasks.'

New-ServiceAccount 'svc_biz_sql.dbe' 'The service account for the SQL Server relational Database Engine'
New-ServiceAccount 'svc_biz_sql.agent' 'The service account for the SQL Server Agent. Executes jobs, monitors SQL Server, fires alerts, and enables automation of some administrative tasks'
New-ServiceAccount 'svc_biz_sql.ssas' 'The service account for the SQL Server Analysis Services. Provides online analytical processing (OLAP) and data mining functionality for business intelligence applications.'
New-ServiceAccount 'svc_biz_sql.ssrs' 'The service account for the SQL Server Reporting Services. Provides comprehensive reporting functionality for a variety of data sources.'
New-ServiceAccount 'svc_biz_sql.ssrsea' 'The service account used to reference external images in a report when permission is required to access the image file (SSRS Execution Account)'
New-ServiceAccount 'svc_biz_sql.ssrsfsa' 'The service account for accessing file shares (SSRS File Share Account)'
New-ServiceAccount 'svc_sql.browser' 'The service account for the name resolution service that provides SQL Server connection information for client computers'
New-ServiceAccount 'svc_sql.ssis' 'The service account that provides management support for Integration Services package storage and execution.'

# inSyca monitoring account

New-ServiceAccount 'svc_monitoring' 'inSyca Monitoring Service'
Add-ServiceAccountToGroup 'Administrators' 'svc_monitoring'
Add-ServiceAccountToGroup 'grp_biz.admins' 'svc_monitoring'
Add-ServiceAccountToGroup 'grp_biz_sso.admins' 'svc_monitoring'
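A check to run after the creation script, added here as an example and not part of the original page or the inSyca tooling: it takes the memberships proposed in the tables above, verifies that each local service account exists, carries both UserFlags bits, and sits in exactly the groups proposed, and flags any account that ended up in Administrators without being proposed for it. The function name `Test-ServiceAccount` and the `$Expected` map are my own.

```powershell
# Added verification script (not from the original page): compares the local
# service accounts against the group assignments proposed in the tables above.
$Computer = $env:COMPUTERNAME
$ADSI = [ADSI]("WinNT://$Computer")

# Expected memberships taken from the tables and the creation script above
$Expected = @{
    'svc_biz.sso'         = @('grp_biz_sso.admins')
    'svc_biz.host'        = @('grp_biz_host.users')
    'svc_biz.isohost'     = @('grp_biz_isohost.users')
    'svc_biz.ruleengine'  = @()
    'svc_biz_sql.dbe'     = @()
    'svc_biz_sql.agent'   = @()
    'svc_biz_sql.ssas'    = @()
    'svc_biz_sql.ssrs'    = @()
    'svc_biz_sql.ssrsea'  = @()
    'svc_biz_sql.ssrsfsa' = @()
    'svc_sql.browser'     = @()
    'svc_sql.ssis'        = @()
    'svc_monitoring'      = @('Administrators', 'grp_biz.admins', 'grp_biz_sso.admins')
}
# ADS_UF_PASSWD_CANT_CHANGE (0x40) + ADS_UF_DONT_EXPIRE_PASSWD (0x10000)
$RequiredFlags = 0x40 -bor 0x10000

function Test-ServiceAccount {
    param([string]$Name, [string[]]$Groups)
    $Findings = @()
    try { $User = $ADSI.Children.Find($Name, 'user') }
    catch { return "${Name}: account does not exist" }

    $Flags = [int]$User.UserFlags.Value
    if (($Flags -band $RequiredFlags) -ne $RequiredFlags) {
        $Findings += "${Name}: UserFlags 0x{0:X} lacks PASSWD_CANT_CHANGE or DONT_EXPIRE_PASSWD" -f $Flags
    }
    # Groups the account really belongs to, read through IADsUser::Groups on the COM object
    $Actual = @($User.Invoke('Groups') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
    foreach ($g in $Groups) {
        if ($Actual -notcontains $g) { $Findings += "${Name}: not a member of $g" }
    }
    # Least privilege: only svc_monitoring is proposed as a local Administrator
    if ($Actual -contains 'Administrators' -and $Groups -notcontains 'Administrators') {
        $Findings += "${Name}: member of Administrators, which the proposal does not grant"
    }
    return $Findings
}

$AllFindings = foreach ($Name in $Expected.Keys) { Test-ServiceAccount $Name $Expected[$Name] }
if ($AllFindings) { $AllFindings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'All service accounts match the proposed groups and flags.' }
```

Each deviation is written as a warning so the script can be dropped into a scheduled job and its output collected; a clean run prints a single confirmation line.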