2 out of 2 rated this helpful - Rate this topic

Windows Group and User Accounts in BizTalk Server

This section provides information about BizTalk Server local and domain group and user accounts. The Configuration Wizard creates the necessary BizTalk group accounts for you by default if you install BizTalk Server and all prerequisite software on a single computer. The information contained in this section applies to multiple computer topologies.

Important BizTalk Server supports local group and user accounts only in single computer configurations. BizTalk Server supports domain group and user accounts in both single and multiple computer configurations.

Important When configuring Enterprise Single Sign-On (SSO) Service, use domain group accounts.

To create Windows Group and User Accounts in BizTalk Server

Using Active Directory, from the Start menu, point to Programs, point to Administrative Tools, and select Active Directory Users and Computers.
In the Active Directory Users and Computers window, right-click at the bottom of the right pane, or right-click the Users folder in the navigation tree in the left pane.
Select New, then select Group or User.
Enter the group or user information outlined in the following table.

The following table lists the Windows group and their associated user accounts used by BizTalk Server. It also identifies their SQL Server membership roles. You can assign any name for the user accounts identified in brackets in the table.

Group	Group Description	User	User Description	SQL Server/Analysis Server Role Membership for the Group
SSO Administrator(s)*	Administrator of the Enterprise Single Sign-On (SSO) Service. The default name for the Windows account created for this group is SSO Administrators.	<Enterprise Single Sign-On Service> <SSO Administrator>	Account name under which the Single Sign-On (SSO) service should run. User account for the SSO Administrator.	Member of the db_owner SQL Server role for the Credential database.
SSO Affiliate Administrator(s)	Must be able to create affiliate applications. The BizTalk Administrator must be a member of this group. The default name for the Windows account created for this group is SSO Affiliate Administrators.	<SSO Affiliate Administrators>	User accounts for SSO Affiliate Administrators
BizTalk Administrators Group	Has the least privileges necessary to perform administrative tasks in the Configuration Wizard and to administer the BizTalk Server environment after installation. The default name for the Windows account created for this group is BizTalk Server Administrators.	<BizTalk Server Administrator> <BizTalk BAS Management Web Service Account>	User accounts for BizTalk Server Administrators. BAS Management Web service runs under this service account.	Member of BTS_ADMIN_USERS SQL Server role in the following databases: Configuration MessageBox Rule Engine Tracking BAM Primary Import Member of HWS_ADMIN_USER SQL Server role in the following databases Human Workflow Services Tracking Member of the db_owner SQL Server role for the following databases: BAM Archive BAM Primary Import BAM Star Schema Member of the OLAP Administrator group on the computer hosting the BAM Analysis database
BizTalk Host Users Group	Windows group for accounts with access to the In-Process BizTalk hosts (hosts processes in BizTalk Server). Use one BizTalk Host Group for each In-Process host in your environment. The default name for the Windows account created for the first Host Users group is BizTalk Application Users.	<BTS Host Instance account>	Windows account with access to a specific In-Process BizTalk host instance. This account has Log on as Service rights.	Member of the BTS_HOST_USERS SQL Server role in the following databases: Configuration MessageBox Rule Engine Tracking BAM Primary Import Member of the BTS_<in-process host name>_USERS SQL Server role for the MessageBox database Member of the BAM_EVENT_WRITER SQL Server role in the BAM Primary Import database.
BizTalk Isolated Host Users Group	Windows group for accounts with access to the Isolated BizTalk hosts (hosts processes not running on BizTalk Server, such as HTTP and SOAP). Use one BizTalk Isolated Host Group for each Isolated Host in your environment. The default name for the Windows account created for the first Isolated Host Users group is BizTalk Isolated Host Users.	<BTS Isolated Host Instance Account> <Human Workflow Services User Account>	Windows account with access to a specific Isolated BizTalk host instance. This account has Log on as Service rights. Windows account that the Human Workflow Services runtime services run under.	Member of the BTS_HOST_USERS SQL Server role in the following databases: Configuration MessageBox Rule Engine Tracking BAM Primary Import Member of the BTS_<isolated host name>_USERS SQL Server role for the MessageBox database. The Human Workflow Services User Account must be a member of the HWS_WS_USER SQL Server role in the following databases: Configuration Tracking Human Workflow Services
BizTalk Base EDI Users group	Windows NT group that has access to the EDI database. The default name for the Windows account created for this group is EDI Subsystem Users.	<BizTalk Base EDI service>	Handles all EDI-related transactions for BizTalk Server.	Member of the edi_admin_users SQL Server role in the Base EDI database.
BizTalk BAS Web Services Group**	For non-interactive user accounts under which BAS Web services run. The default name for the Windows account created for this group is BizTalk BAS Web Services Group.	<BizTalk BAS Management Web Service Account> <BizTalk BAS Publishing Web Service Account>	BAS Management Web service runs under this service account. Business Activity Publishing Web service runs under this service account.	Member of the tpm_user SQL Server role in the TPM database.
BizTalk BAS Users**	Has the fewest privileges necessary to perform basic tasks in BAS not requiring the capability to configure business processes (for example, read access to partner profiles and agreements). The default name for the Windows account created for this group is BizTalk BAS Users.	<BAS user accounts>**
BizTalk BAS Managers**	Has higher privileges than BAS Users group, including tasks to configure business processes such as deploy and activate partners and agreements. The default name for the Windows account created for this group is BizTalk BAS Managers.	<BAS manager user accounts>**
BizTalk BAS Administrators**	Has privileges to perform all tasks and operations in BAS including administrative tasks such as Business Activity Site repair and synchronization. The default name for the Windows account created for this group is BizTalk BAS Administrators.	<BAS administrative user accounts>**
				SQL Server Role Membership for the User
		<Rule Engine Update Service>	Notifies for deployment/undeployment of policies. No group affiliation.	Member of the RE_HOST_USERS SQL Server role in the Rule Engine database.
		<BizTalk BAM Query Web service user>	Windows account with permission to access the data in the BAM Primary Import database during Business Activity searches. No group affiliation.	Member of the BAM_QueryWS SQL Server role in the BAM Primary Import database.
		<BizTalk Server BAS Application Pool Account>	For application pools that host SharePoint Services, Trading Partner Manager (TPM) Web services and the STSReceive Web service. No group affiliation.

*Ensure that the service account running the Enterprise Single Sign-On (SSO) service is a member of the SSO Administrators group on each computer.

*The account you are using when you install BizTalk Server must also be a member of the SSO Administrators group, if the installation is also a SSO master secret server.

**These groups and user accounts are required for access to Business Activity Services (BAS).

This section contains:

To download updated BizTalk Server 2004 Help from www.microsoft.com, go to http://go.microsoft.com/fwlink/?linkid=20616.

Did you find this helpful? Yes No

Not accurate

Not enough depth

Need more code examples

(1500 characters remaining)