Automated creation of users and groups

In my previous post I showed how I automated creating hosts and host instances. In this post I will continue on that, but this time by creating the users and groups according to the BizTalk best practices. They are created on the local computer; I will see if I can adjust the script to create them in an AD at a later time. As with my last post, I have commented my code thoroughly, so it should pretty much explain itself.

Let’s start by creating a function which creates a group if it does not exist yet.

#
# Function creates a group.
#
function CreateGroup([string]$groupname, [string]$description)
{
	# Check if the group already exists
	if([ADSI]::Exists("WinNT://$computer/$groupname,group"))
	{
		Write-Host $groupname "already exists" -foregroundcolor DarkGray
		return
	}
 
	# Get the computer to which we want to add the group
	# (a separate variable, so the script-level $computer string is not shadowed)
	$computerEntry = [ADSI]"WinNT://$computer"
 
	# Create the group
	$group = $computerEntry.Create("Group", $groupname)
	$group.SetInfo()
 
	# Set the description of the group
	$group.Description = $description
	$group.SetInfo()
 
	Write-Host $groupname "created" -foregroundcolor Green
}

Next, a function which creates a user.

#
# Function creates a user.
#
function CreateUser([string]$username, [string]$password, [boolean]$passwordNeverExpires, [string]$description)
{
	# Check if the user already exists (same check as for groups, but with the user class)
	if([ADSI]::Exists("WinNT://$computer/$username,user"))
	{
		Write-Host $username "already exists" -foregroundcolor DarkGray
		return
	}
 
	# Get the computer to which we want to add the user
	$computerEntry = [ADSI]"WinNT://$computer"
 
	# Create the user
	$user = $computerEntry.Create("User", $username)
 
	# Set the password
	$user.SetPassword($password)
	$user.SetInfo()
 
	# Set the description
	$user.Description = $description
	$user.SetInfo()
 
	# Enable or disable the account, according to $accountDisabled (a [bool] set at the top of the script)
	$user.psbase.InvokeSet("AccountDisabled", $accountDisabled)
	$user.SetInfo()
 
	# Check if the password can expire
	if($passwordNeverExpires)
	{
		# Password should never expire: set ADS_UF_DONT_EXPIRE_PASSWD (0x10000) in the user flags
		$user.UserFlags.Value = $user.UserFlags.Value -bor 0x10000
		$user.SetInfo()
	}
 
	# Check if the user was successfully created
	if ([ADSI]::Exists("WinNT://$computer/$username,user"))
	{
		Write-Host $username "created" -foregroundcolor Green
	}
	else
	{
		Write-Host "Error creating" $username -foregroundcolor Red
	}
}

We also want to be able to add the users to a group.

#
# Function adds a user to a group
#
function AddUserToGroup([string]$username, [string]$groupname)
{
	# Check if the group exists
	if([ADSI]::Exists("WinNT://$computer/$groupname,group"))
	{
		# The group to which we want to add the user
		$groupToAddTo = [ADSI]"WinNT://$computer/$groupname,group"
 
		# Loop through all the members in this group
		foreach($member in $groupToAddTo.psbase.Invoke("Members"))
		{
			# Check if the user is already part of the group
			if($member.GetType().InvokeMember("Name", 'GetProperty', $null, $member, $null) -eq $username)
			{
				Write-Host $username "is already a member of" $groupname -foregroundcolor DarkGray
				return
			}
		}
 
		# Add the user to the group (full WinNT path of the local user account)
		$groupToAddTo.Add("WinNT://$computer/$username,user")
 
		Write-Host $username "has been added to" $groupname -foregroundcolor Green
	}
	else
	{
		Write-Host $groupname "does not exist" -foregroundcolor Yellow
		return
	}
}

Here you can set your own values, which are used throughout the script.

######## Set your own objects here ########
 
# Variables used throughout the script
 
# The name of the computer we are working on
[string]$computer = "localhost"
 
# Parameter indicating if new users should be disabled (a real boolean, since it is passed to AccountDisabled)
[bool]$accountDisabled = $false
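The calls further down pass the same literal password to every account. As an added example (not from the original post), here is a function that generates a distinct random password per account with the .NET cryptographic RNG, together with a usage sketch. The sketch assumes the CreateUser function from this post is already defined; the account names and the output file path in it are illustrative.

```powershell
#
# Added example: generate a distinct random password for each service account
# instead of repeating one literal throughout the script.
#
function New-RandomPassword([int]$length = 20)
{
	# One set per character class, so every password contains lower, upper, digit and symbol.
	# Ambiguous glyphs (l, I, O, 0, 1) are left out to make transcription errors less likely.
	$lower  = [char[]]'abcdefghijkmnopqrstuvwxyz'
	$upper  = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ'
	$digit  = [char[]]'23456789'
	$symbol = [char[]]'!@#%^&*-_=+'
	$all    = $lower + $upper + $digit + $symbol

	# Cryptographic RNG; Get-Random is not designed for secrets
	$rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
	$bytes = New-Object byte[] 4

	# Nested helper: pick one character from a set using the RNG above
	function Get-RandomChar([char[]]$set)
	{
		$rng.GetBytes($bytes)
		$index = [int]([BitConverter]::ToUInt32($bytes, 0) % [uint32]$set.Length)
		return $set[$index]
	}

	if ($length -lt 4) { throw "length must be at least 4 to hold one character of each class" }

	# Guarantee one character of each class, then fill up from the full set
	$chars = @()
	$chars += Get-RandomChar $lower
	$chars += Get-RandomChar $upper
	$chars += Get-RandomChar $digit
	$chars += Get-RandomChar $symbol
	while ($chars.Count -lt $length) { $chars += Get-RandomChar $all }

	# Fisher-Yates shuffle with the same RNG, so the guaranteed classes do not sit at fixed positions
	for ($i = $chars.Count - 1; $i -gt 0; $i--)
	{
		$rng.GetBytes($bytes)
		$j = [int]([BitConverter]::ToUInt32($bytes, 0) % [uint32]($i + 1))
		$tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
	}

	return -join $chars
}

# Usage sketch (assumes CreateUser from the post is defined; account names are illustrative)
$passwords = @{}
foreach ($account in @('svcSSO', 'svcBTSHost', 'svcBTSIsolatedHost'))
{
	$passwords[$account] = New-RandomPassword 24
	CreateUser -username $account -password $passwords[$account] -passwordNeverExpires $true -description "BizTalk service account"
}

# If the generated secrets must be written down for the BizTalk configuration wizard,
# encrypt them for the current user with DPAPI rather than storing them in clear text
$passwords.GetEnumerator() | ForEach-Object {
	"$($_.Key)=$(ConvertTo-SecureString $_.Value -AsPlainText -Force | ConvertFrom-SecureString)"
} | Set-Content -Path "$env:USERPROFILE\biztalk-service-accounts.txt"
```

The DPAPI-protected strings can be turned back into a SecureString later with ConvertTo-SecureString by the same Windows user on the same machine, which is enough for a one-off configuration run and keeps the clear-text values out of the script file and out of source control.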

Start by creating the groups.

# Create groups for BizTalk
Write-Host "Creating groups" -foregroundcolor Cyan
 
# CreateGroup -groupname "" -description ""
CreateGroup -groupname "SSO Administrators" -description "Administrator of the Enterprise Single Sign-On (SSO) service."
CreateGroup -groupname "SSO Affiliate Administrators" -description "Administrators of certain SSO affiliate applications. Can create/delete SSO affiliate applications, administer user mappings, and set credentials for affiliate application users."
CreateGroup -groupname "BizTalk Server Administrators" -description "Has the least privileges necessary to perform administrative tasks. Can deploy solutions, manage applications, and resolve message processing issues. To perform administrative tasks for adapters, receive and send handlers, and receive locations, the BizTalk Server Administrators must be added to the Single Sign-On Affiliate Administrators."
CreateGroup -groupname "BizTalk Server Operators" -description "Has a low privilege role with access only to monitoring and troubleshooting actions."
CreateGroup -groupname "BizTalk Server B2B Operators" -description "Has a low privilege role with access only to monitoring and troubleshooting actions."
CreateGroup -groupname "BizTalk Application Users" -description "The default name of the first In-Process BizTalk Host Group created by Configuration Manager. Use one BizTalk Host Group for each In-Process host in your environment. Includes accounts with access to In-Process BizTalk Hosts (hosts processes in BizTalk Server, BTSNTSvc.exe)."
CreateGroup -groupname "BizTalk Isolated Host Users" -description "The default name of the first Isolated BizTalk Host Group created by Configuration Manager. Isolated BizTalk hosts not running on BizTalk Server, such as HTTP and SOAP. Use one BizTalk Isolated Host Group for each Isolated Host in your environment."
CreateGroup -groupname "EDI Subsystem Users" -description "Has access to the EDI database."
CreateGroup -groupname "BAM Portal Users" -description "Has access to BAM Portal Web site."
CreateGroup -groupname "BizTalk SharePoint Adapter Enabled Hosts" -description "Has access to Windows SharePoint Services Adapter Web Service."

Next create the users.

# Create users for BizTalk
Write-Host ""
Write-Host "Creating users" -foregroundcolor Cyan
 
# CreateUser -username "" -password "" -passwordNeverExpires $true -description ""
CreateUser -username "svcSSO" -password "Pass@123" -passwordNeverExpires $true -description "Service account used to run Enterprise Single Sign-On Service which accesses the SSO database."
CreateUser -username "SSOAdmin" -password "Pass@123" -passwordNeverExpires $true -description "User account for the SSO Administrator."
CreateUser -username "SSOAffiliate" -password "Pass@123" -passwordNeverExpires $true -description "User accounts for SSO Affiliate Administrators."
CreateUser -username "svcBTSHost" -password "Pass@123" -passwordNeverExpires $true -description "Service account used to run BizTalk In-Process host instance which access In-Process BizTalk host instance (BTNTSVC)."
CreateUser -username "svcBTSIsolatedHost" -password "Pass@123" -passwordNeverExpires $true -description "Service account used to run BizTalk Isolated host instance (HTTP/SOAP)."
CreateUser -username "svcRuleEngineUpdate" -password "Pass@123" -passwordNeverExpires $true -description "Service account used to run Rule Engine Update Service which receives notifications to deployment/undeployment policies from the Rule engine database."
CreateUser -username "svcBAM" -password "Pass@123" -passwordNeverExpires $true -description "Service account used to run BAM Notification Services which accesses the BAM databases."
CreateUser -username "svcBAMWeb" -password "Pass@123" -passwordNeverExpires $true -description "User account for BAM Management Web service (BAMManagementService) to access various BAM resources. BAM Portal calls BAMManagementService with the user credentials logged on the BAM Portal to manage alerts, get BAM definition XML and BAM views."
CreateUser -username "svcBAMAppPool" -password "Pass@123" -passwordNeverExpires $true -description "Application pool account for BAMAppPool which hosts BAM Portal Web site."
CreateUser -username "BTSAdmin" -password "Pass@123" -passwordNeverExpires $true -description "User needs to be able to configure and administer BizTalk Server."
CreateUser -username "BTSOperator" -password "Pass@123" -passwordNeverExpires $true -description "User account that will monitor solutions."
CreateUser -username "BTSB2BOperator" -password "Pass@123" -passwordNeverExpires $true -description "User account that will perform all party management operations."

And finally add the users to the groups.

# Add users to groups
Write-Host ""
Write-Host "Adding users to groups" -foregroundcolor Cyan
 
# AddUserToGroup -username "" -groupname ""
AddUserToGroup -username "svcSSO" -groupname "SSO Administrators"
AddUserToGroup -username "SSOAdmin" -groupname "SSO Administrators"
AddUserToGroup -username "SSOAffiliate" -groupname "SSO Affiliate Administrators"
AddUserToGroup -username "svcBTSHost" -groupname "BizTalk Application Users"
AddUserToGroup -username "svcBTSIsolatedHost" -groupname "BizTalk Isolated Host Users"
AddUserToGroup -username "svcBTSIsolatedHost" -groupname "IIS_WPG"
# The Notification Services group name contains a literal $ followed by the computer name,
# so the $ is escaped and the name is taken from the environment
AddUserToGroup -username "svcBAM" -groupname "SQLServer2005NotificationServicesUser`$$($env:COMPUTERNAME)"
AddUserToGroup -username "svcBAMWeb" -groupname "IIS_WPG"
AddUserToGroup -username "svcBAMAppPool" -groupname "IIS_WPG"
AddUserToGroup -username "BTSAdmin" -groupname "BizTalk Server Administrators"
AddUserToGroup -username "BTSOperator" -groupname "BizTalk Server Operators"
AddUserToGroup -username "BTSB2BOperator" -groupname "BizTalk Server B2B Operators"
 
################## Done ###################
 
Write-Host "Press any key to exit..." -ForegroundColor White
$null = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
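Once the script has run, and again whenever you want to detect drift in the local group memberships, it is worth verifying the result rather than trusting the green console output. The audit below is an added example and not part of the original post: it reads each group's members through the same WinNT ADSI provider the script uses and compares them with an expected table. That table is constructed from the AddUserToGroup calls above; the IIS and SQL Server Notification Services groups are left out because they legitimately contain other members. The computer name is assumed to be localhost.

```powershell
#
# Added example: audit the BizTalk groups against the memberships the script is supposed to create.
#
function Get-LocalGroupMembers([string]$computer, [string]$groupname)
{
	# Returns the member names of a local group; the caller checks existence first
	$group = [ADSI]"WinNT://$computer/$groupname,group"
	foreach ($member in @($group.psbase.Invoke("Members")))
	{
		# Same late-bound property read as in AddUserToGroup
		$member.GetType().InvokeMember("Name", 'GetProperty', $null, $member, $null)
	}
}

function Test-GroupMembership([string]$computer, [hashtable]$expected)
{
	# Collects one line per finding: missing group, missing member, or unexpected member
	$problems = @()
	foreach ($groupname in $expected.Keys)
	{
		if (-not [ADSI]::Exists("WinNT://$computer/$groupname,group"))
		{
			$problems += "group '$groupname' does not exist"
			continue
		}

		# @() keeps $actual an array even when the group is empty
		$actual = @(Get-LocalGroupMembers -computer $computer -groupname $groupname)

		foreach ($name in $expected[$groupname])
		{
			if ($actual -notcontains $name) { $problems += "'$name' is not a member of '$groupname'" }
		}
		foreach ($name in $actual)
		{
			if ($expected[$groupname] -notcontains $name) { $problems += "unexpected member '$name' in '$groupname'" }
		}
	}
	return $problems
}

# Expected memberships, constructed from the AddUserToGroup calls in the post
$expected = @{
	'SSO Administrators'            = @('svcSSO', 'SSOAdmin')
	'SSO Affiliate Administrators'  = @('SSOAffiliate')
	'BizTalk Application Users'     = @('svcBTSHost')
	'BizTalk Isolated Host Users'   = @('svcBTSIsolatedHost')
	'BizTalk Server Administrators' = @('BTSAdmin')
	'BizTalk Server Operators'      = @('BTSOperator')
	'BizTalk Server B2B Operators'  = @('BTSB2BOperator')
}

$report = @(Test-GroupMembership -computer 'localhost' -expected $expected)
if ($report.Count -eq 0)
{
	Write-Host "All BizTalk group memberships match the expected table" -ForegroundColor Green
}
else
{
	$report | ForEach-Object { Write-Host $_ -ForegroundColor Yellow }
}
```

Reporting unexpected members as well as missing ones is the useful half for a defender: an extra account in "BizTalk Server Administrators" or "SSO Administrators" is exactly the kind of change a scheduled run of this check should surface.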
