Create BizTalk Groups and Accounts using PowerShell

You could find this article on TechNet gallery as well here

### 1. Purpose

One of the task that we need to do in all our new BizTalk environment over and over again is creating BizTalk security groups and service accounts. Although this will be handled by Domain Administrator from customer’s organization, BizTalk admin user is supposed to provide all the detail required prior to BizTalk installation. You could hand this script along with spreadsheet here and make communication between yourself and Domain administrator easier.

### 2. Assumptions

* BizTalk security groups and service accounts will be created in following Organization Unit by default.


Target OU path is to be generated in following format.


OU={something},OU={something-branch},OU={Organization},DC={subdomain},DC={domain},DC={TopLevelDomain}
</pre> </div> Sample domain doesn't have a subdomain. Therefore, target path for the example will be <div class="highlight"> <pre>OU=BizTalk,OU=DEV,OU=Service Accounts,DC=aklab,DC=com

  • Service Accounts will be created in the form of svc-BTS-{Env}-{Role}
  • Security groups will be created in the form of BTS-{Env} {Group name}

3. Features

Here is the list of what this script does

3.1. Create BizTalk admin user account

At least one BizTalk admin user account(most likely for yourself) is necessary to install and configure BizTalk farms but probably already create in AD. Therefore, creation of this is commented out by default. This account should become a local administrator on BizTalk servers at least for installation and configuration period. In case customer’s organization has a security concern for allowing user account to be a local administrator, you could uncomment and create this account, leverage as a dedicated setup account and remove it later.

3.2. Add BizTalk admin user account into a Local Administrator group on BizTalk server

BizTalk admin user will be added into Local Administrator group on BizTalk server.

3.3. Create security groups and service accounts

3.4. Add service accounts into appropriate BizTalk security groups

3.5. Add Domain Admins group into every BizTalk security groups

4. Spreadsheet

Spreadsheet here gives instant visibility of what domain groups and accounts will be created. Ask Domain Administrator to update the password section and return it to you so that you could build the BizTalk farms.

5. Script

You can download the script here. I would really appreciate your feedback and more than welcome to help if you find any issue. Please feel free to leave a comment or contact me.

<#
.SYNOPSIS

.DESCRIPTION
This script is written to help domain administrator to create BizTalk security groups and service accounts
with naming standard following in mind. Using this, you could segregate environments from one another within
the same domain. 

Service Accounts will be created in the form of svc-BTS-{Env}-{Role}

e.g. 
- svc-BTS-DEV-Host
- svc-BTS-DEV-IsHost
- svc-BTS-DEV-RuleEn
- svc-BTS-DEV-SSO

Security groups will be created in the form of BTS-{Env} {Group name}

e.g.
- BTS-DEV Admins
- BTS-DEV SSO Admins
- BTS-DEV Affiliate SSO Admins
- BTS-DEV InProcess Hosts
- BTS-DEV Isolated Hosts
- BTS-DEV Operaters
- BTS-DEV B2B Operators
- BTS-DEV BAM Portal Users

Step 1)

BizTalk security groups and services accounts will be created in following Organization Unit by default. 
You would need to adjust the script for your environment accordingly. 

Root
    Service Accounts
        {Env}
            BizTalk

Creating above Organization Unit in PowerShell is also included but commented out by default. 

Step 2)

Regions called "Set environment variables" and "Create/Update BizTalk Admin User Account and add to local 
Administrators group on BizTalk Server" includes configurable values. Please update. 

Step 3)

Passwords for service accounts are default to "P@ssword". Please update these based on security policy and
also update provided excel file with changed password detail and give back to BizTalk Admin User as he or 
she would need this to install and configure BizTalk going forward.

Step 4)

Open Administrative PowerShell console, and set the execution policy to Unrestricted.  

Set-ExecutionPolicy Unrestricted

Step 5)

Run Create-BizTalkGroupsAndAccounts.ps1

.EXAMPLE
Create-BizTalkGroupsAndAccounts

.NOTES
Filename:     Create-BizTalkGroupsAndAccounts.ps1

Maintenance History
Name               Date         Version     C/R     Description        
----------------------------------------------------------------------------------
Aaron Kim          2015-08-25   1.0.0               Created 

#>

##———————————————————————–

Function: Main

Purpose: Main logic

##———————————————————————–
Function Main
{

#region Set environment variables

$Env = "DEV"
$SubDomain = ""
$Domain = "aklab"
$TopLevelDomain = "com"

# Path to create the BizTalk groups and service accounts. e.g. OU={something},OU={something-branch},OU={Organization},DC={subdomain},DC={domain},DC={TopLevelDomain}
#$BtsOuPath = "OU=BizTalk,OU=$Env,OU=Service Accounts,DC=$Subdomain,DC=$Domain,DC=$TopLevelDomain" 
$BtsOuPath = "OU=BizTalk,OU=$Env,OU=Service Accounts,DC=$Domain,DC=$TopLevelDomain" 
# This Path must exist. If you would like to create a path in sample, you could use following command. 
#NEW-ADOrganizationalUnit “Service Accounts”
#NEW-ADOrganizationalUnit $Env –path “OU=Service Accounts,DC=$Domain,DC=$TopLevelDomain”
#NEW-ADOrganizationalUnit BizTalk –path “OU=$Env,OU=Service Accounts,DC=$Domain,DC=$TopLevelDomain”

# Please update with domain administrator's user account or group
$DomainAdmin = "Domain Admins"

# Service Accounts and Passwords
$BTSHost = "svc-BTS-$Env-Host"
$BTSIsolatedHost = "svc-BTS-$Env-IsHost"
$BTSRuleEn = "svc-BTS-$Env-RuleEn"
$BTSSSOSvc = "svc-BTS-$Env-SSO"

# Convert the plain text passwords
$BTSHostPassword = ConvertTo-SecureString "P@ssword" -AsPlainText -Force
$BTSIsoHostPassword = ConvertTo-SecureString "P@ssword" -AsPlainText -Force
$BTSRuleEnPassword = ConvertTo-SecureString "P@ssword" -AsPlainText -Force
$BTSSSOSvcPassword = ConvertTo-SecureString "P@ssword" -AsPlainText -Force

#endregion

#region Create/Update BizTalk Admin User Account and add to local Administrators group on BizTalk Server 

# BizTalk Admin User account - This is a user account for someone who will install and configure BizTalk farm. 
# Most likely, at least user account must have been already created. In that case, update following line and comment out account creation part in this region. 
$BtsAdmin = $Env+"BTSAdm"

# Path where to create the BizTalk Admin User e.g. CN=Users,DC={subdomain},DC={domain},DC={TopLevelDomain}
#$AdminOuPath = "CN=Users,DC=$SubDomain,DC=$Domain,DC=$TopLevelDomain"
$AdminOuPath = "CN=Users,DC=$Domain,DC=$TopLevelDomain"

# Convert the plain text passwords
$BtsAdminPassword = ConvertTo-SecureString "P@ssword" -AsPlainText -Force
# Comment out following two in case BizTalk Admin user account is already created. 
# As this is a user account not a service account, allowed password to expire and let user to change the password at logon. Please update according to security policy. 
New-ADUser -SamAccountName $BtsAdmin -AccountPassword $BtsAdminPassword -name $BtsAdmin -enabled $true -PasswordNeverExpires $false -CannotChangePassword $false -ChangePasswordAtLogon $true -Path $AdminOuPath
Write-Host "User account $BtsAdmin was successfully created" -Fore DarkGreen

# BizTalk Admin User account should be a member of local Administrators group on BizTalk Server. 
# Update computer name accordingly and add more lines if there is more than 1 BizTalk Server.
$computer1 = "AKBTS2k13R2"
#Add-DomainUserToLocalGroup -computer $computer1 -group Administrators -domain $Subdomain.$Domain.$TopLevelDomain -user $BtsAdmin
Add-DomainUserToLocalGroup -computer $computer1 -group Administrators -domain $Domain"."$TopLevelDomain -user $BtsAdmin
Write-Host "User account $BtsAdmin was successfully added into Local Administrators group of $computer1" -Fore DarkGreen
#endregion

#region Create Security Groups

$BTSAdminsDesc = "Administrators who have the least privileges necessary to perform administrative tasks"
$SSOAdminsDesc = "Administrators of the Enterprise Single Sign-On (SSO) service"
$SSOAffAdminsDesc = "Administrators of certain SSO affiliate applications"
$BTSOpsDesc = "Operators who Have a low privilege role with access only to monitoring and troubleshooting actions"
$BTSInProessHostsDesc = "In-Process BizTalk Host Group"
$BTSIsolatedHostsDesc = "Isolated BizTalk Host Group"
$BTSB2BOpsDesc = "Operators to perform all Party management operation"
$BAMPortalUsersDesc = "Users who have access to BAM Portal Web site"

New-ADGroup -Name "BTS-$Env Admins" -GroupCategory Security -GroupScope Global -DisplayName "BTS-$Env Admins" -Path $BtsOuPath -Description $BTSAdminsDesc
New-ADGroup -Name "BTS-$Env SSO Admins" -GroupCategory Security -GroupScope Global -DisplayName "BTS-$Env SSO Admins" -Path $BtsOuPath -Description $SSOAdminsDesc
New-ADGroup -Name "BTS-$Env Affiliate SSO Admins" -GroupCategory Security -GroupScope Global -DisplayName "BTS-$Env Affiliate SSO Admins" -Path $BtsOuPath -Description $SSOAffAdminsDesc
New-ADGroup -Name "BTS-$Env Operaters" -GroupCategory Security -GroupScope Global -DisplayName "BTS-$Env Operaters" -Path $BtsOuPath -Description $BTSOpsDesc
New-ADGroup -Name "BTS-$Env InProcess Hosts" -GroupCategory Security -GroupScope Global -DisplayName "BTS-$Env InProcess Hosts" -Path $BtsOuPath -Description $BTSInProessHostsDesc
New-ADGroup -Name "BTS-$Env Isolated Hosts" -GroupCategory Security -GroupScope Global -DisplayName "BTS-$Env Isolated Hosts" -Path $BtsOuPath -Description $BTSIsolatedHostsDesc
New-ADGroup -Name "BTS-$Env B2B Operators" -GroupCategory Security -GroupScope Global -DisplayName "BTS-$Env B2B Operators" -Path $BtsOuPath -Description $BTSB2BOpsDesc
# In case BAM Portal to be used
New-ADGroup -Name "BTS-$Env BAM Portal Users" -GroupCategory Security -GroupScope Global -DisplayName "BTS-$Env BAM Portal Users" -Path $BtsOuPath -Description $BAMPortalUsersDesc
Write-Host "Security groups were successfully created in AD" -Fore DarkGreen
#endregion

#region Create Service Accounts
# As these are service accounts, password expiration is not recommended which can cause serious disruption of service. 
New-ADUser -SamAccountName $BTSHost -AccountPassword $BTSHostPassword -name $BTSHost -enabled $true -PasswordNeverExpires $true -CannotChangePassword $true -ChangePasswordAtLogon $false -Path $BtsOuPath
New-ADUser -SamAccountName $BTSIsolatedHost -AccountPassword $BTSIsoHostPassword -name $BTSIsolatedHost -enabled $true -PasswordNeverExpires $true -CannotChangePassword $true -ChangePasswordAtLogon $false -Path $BtsOuPath
New-ADUser -SamAccountName $BTSRuleEn -AccountPassword $BTSRuleEnPassword -name $BTSRuleEn -enabled $true -PasswordNeverExpires $true -CannotChangePassword $true -ChangePasswordAtLogon $false -Path $BtsOuPath
New-ADUser -SamAccountName $BTSSSOSvc -AccountPassword $BTSSSOSvcPassword -name $BTSSSOSvc -enabled $true -PasswordNeverExpires $true -CannotChangePassword $true -ChangePasswordAtLogon $false -Path $BtsOuPath
Write-Host "Service Accounts were successfully created in AD" -Fore DarkGreen

#endregion

#region Add accounts to right security groups

# Add BizTalk Admin User account to BizTalk Administrators Group
Add-ADPrincipalGroupMembership -Identity $BtsAdmin -MemberOf "BTS-$Env Admins" 
# Add Service Accounts to belonging BizTalk groups
Add-ADPrincipalGroupMembership -Identity $BTSSSOSvc -MemberOf "BTS-$Env SSO Admins"
Add-ADPrincipalGroupMembership -Identity "BTS-$Env Admins" -MemberOf "BTS-$Env SSO Admins"
Add-ADPrincipalGroupMembership -Identity "BTS-$Env Admins" -MemberOf "BTS-$Env Affiliate SSO Admins"
Add-ADPrincipalGroupMembership -Identity $BTSHost -MemberOf "BTS-$Env InProcess Hosts"
Add-ADPrincipalGroupMembership -Identity $BTSIsolatedHost -MemberOf "BTS-$Env Isolated Hosts"
Add-ADPrincipalGroupMembership -Identity "BTS-$Env Admins" -MemberOf "BTS-$Env BAM Portal Users"
Write-Host "Service Accounts were successfully added into BizTalk Security Groups" -Fore DarkGreen

# Add the domain admin to all groups
Add-ADPrincipalGroupMembership -Identity $DomainAdmin -MemberOf "BTS-$Env Admins"
Add-ADPrincipalGroupMembership -Identity $DomainAdmin -MemberOf "BTS-$Env SSO Admins"
Add-ADPrincipalGroupMembership -Identity $DomainAdmin -MemberOf "BTS-$Env Affiliate SSO Admins"
Add-ADPrincipalGroupMembership -Identity $DomainAdmin -MemberOf "BTS-$Env InProcess Hosts"
Add-ADPrincipalGroupMembership -Identity $DomainAdmin -MemberOf "BTS-$Env Isolated Hosts"
Add-ADPrincipalGroupMembership -Identity $DomainAdmin -MemberOf "BTS-$Env BAM Portal Users"
Write-Host "$DomainAdmin is successfully added into every BizTalk Security Group" -Fore DarkGreen

#endregion

}

##———————————————————————–

Function: Add-DomainUserToLocalGroup

Purpose: Remotely add domain user to local group on a specified computer

##———————————————————————–
Function Add-DomainUserToLocalGroup
{
[cmdletBinding()]
Param(
[Parameter(Mandatory=$True)]
[string]$computer,
[Parameter(Mandatory=$True)]
[string]$group,
[Parameter(Mandatory=$True)]
[string]$domain,
[Parameter(Mandatory=$True)]
[string]$user
)

$de = [ADSI]"WinNT://$computer/$Group,group" 
$de.psbase.Invoke("Add",([ADSI]"WinNT://$domain/$user").path) 

}

Main