You need to create the groups and users before you install BizTalk & SSO, depending on what features you are installing.
See Windows Groups and User Accounts in BizTalk Server and also Permissions Required for Deploying and Managing a BizTalk Application
Below are the Groups and Users you might need. Note: The naming should be to whatever naming conventions that are used at your company.
- SSO Administrators
- SSO Affiliate Administrators
- BizTalk Server Administrators
- BizTalk Server Operators
- BizTalk Server Read Only Users
- BizTalk Application Users
- BizTalk Isolated Host Users
- BAM Portal Users
- BizTalk SharePoint Adapter Enabled Hosts
- BizTalk B2B Operators Group
User and service accounts
- Enterprise Single Sign-On Service
- BizTalk Host Instance Account
- BizTalk Isolated Host Instance Account
- Rule Engine Update Service
- BAM Notification Services User
- BAM Management Web Service User
- BAM Application Pool Account
Not listed on those pages, but very important is the BizTalk Installer account that basically has highest privileges,e.g. local admin on the BizTalk server and sysadmin on the database server as it will be creating the BizTalk databases and assigning the rights to the accounts in the database.