Setting Object Cache Accounts in SharePoint 2010

This post will show how to set the PortalSuperUser and PortalSuperReader accounts for SharePoint 2010 using PowerShell.

Background

I frequently create web applications in my SharePoint 2010 environment that use Windows claims authentication. When you configure a web application for claims authentication, an important step is to set the Portal Super User and Portal Super Reader accounts so that the object cache can read content under those identities.

The TechNet documentation on setting object cache accounts explains why to set these accounts, but many people don't remember to set them until they see errors in the event log.

To set these, you go to the User Policy button in the ribbon in Central Administration, add the Portal Super User account with Full Control, and add the Portal Super Reader account with Full Read permission. Then you go to PowerShell and set the portalsuperuseraccount and portalsuperreaderaccount web application properties. I like telling my customers to use this method because it's easy to copy the claims user name from the UI and paste it into PowerShell. Use two dedicated domain accounts for this: the super user ends up with Full Control over every site in the web application, so it should never be used for interactive logins, and neither account should be the application pool identity.

Ali Mazaheri points out that this is a very important step when upgrading from SharePoint 2007 to SharePoint 2010, as you can get Access Denied errors after upgrading if you don't set the object cache accounts, even for the site collection administrator.

Implementation

Here is a quick bit of PowerShell script to make things a little easier. Instead of having to manually set the Full Read and Full Control permissions using the web UI, I do everything in one shot. The i:0#.w| prefix is the encoding SharePoint uses for a Windows (SAM account name) identity claim, and it is what the User Policy page shows once the account has been added; replace the sharepoint\ domain and the account names with your own.

foreach ($wa in Get-SPWebApplication)
{
    # Only claims-mode web applications take the encoded claim form;
    # replace the sharepoint\ domain and account names with your own.
    if ($wa.UseClaimsAuthentication)
    {
        $superUser = "i:0#.w|sharepoint\sp_superuser"
        $superReader = "i:0#.w|sharepoint\sp_superreader"

        # Web application user policy: Full Control for the super user
        $fullPolicy = $wa.Policies.Add($superUser, $superUser)
        $fullPolicy.PolicyRoleBindings.Add($wa.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl))

        # Web application user policy: Full Read for the super reader
        $readPolicy = $wa.Policies.Add($superReader, $superReader)
        $readPolicy.PolicyRoleBindings.Add($wa.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead))

        # Tell the object cache which identities to read content with
        $wa.Properties["portalsuperuseraccount"] = $superUser
        $wa.Properties["portalsuperreaderaccount"] = $superReader

        $wa.Update()
    }
}

This should save you quite a bit of time and make the process much less error prone. After writing this, I noticed that Chris O'Brien wrote a similar script back in 2010, and I'd bet if I did more searches I would find similar scripts. Got an approach that works for you? Please share in the comments!
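Once the accounts are set, it is worth reading the configuration back rather than waiting for event log errors. The following script is an added example, not part of the original post: it walks every claims web application, checks that the two properties hold the expected encoded claims, that a user policy with the right special role exists for each, and that neither account is the application pool identity. It lets New-SPClaimsPrincipal produce the encoded claim instead of typing the i:0#.w| prefix by hand. The CONTOSO\ account names are assumptions; substitute your own.

```powershell
# Added verification script (not from the original post).
# Assumed account names; replace with the dedicated domain accounts in your farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$superUserSam   = "CONTOSO\sp_superuser"
$superReaderSam = "CONTOSO\sp_superreader"

# Let SharePoint encode the Windows identity claim (yields i:0#.w|contoso\sp_superuser)
$superUser   = (New-SPClaimsPrincipal -Identity $superUserSam   -IdentityType WindowsSamAccountName).ToEncodedString()
$superReader = (New-SPClaimsPrincipal -Identity $superReaderSam -IdentityType WindowsSamAccountName).ToEncodedString()

function Test-ObjectCachePolicy
{
    param(
        $WebApp,
        [string]$Login,
        [Microsoft.SharePoint.Administration.SPPolicyRoleType]$Role
    )

    # Find the web application user policy for this encoded login
    $policy = $WebApp.Policies | Where-Object { $_.UserName -eq $Login }
    if ($policy -eq $null) { return "MISSING user policy" }

    # The policy must be bound to the matching special role (Full Control / Full Read)
    $expected = $WebApp.PolicyRoles.GetSpecialRole($Role)
    $bound = $policy.PolicyRoleBindings | Where-Object { $_.Name -eq $expected.Name }
    if ($bound -eq $null) { return "policy present but lacks $Role" }

    return "ok"
}

foreach ($wa in Get-SPWebApplication)
{
    if (-not $wa.UseClaimsAuthentication) { continue }

    Write-Host "== $($wa.DisplayName) ($($wa.Url))"

    # The cache reads content as these identities, so reusing the app pool account is a mistake
    $appPool = $wa.ApplicationPool.Username
    foreach ($sam in @($superUserSam, $superReaderSam))
    {
        if ($sam -ieq $appPool)
        {
            Write-Warning "$sam is also the application pool identity of $($wa.DisplayName)"
        }
    }

    # Property values must be the encoded claim, not the plain DOMAIN\user form
    $u = $wa.Properties["portalsuperuseraccount"]
    $r = $wa.Properties["portalsuperreaderaccount"]
    $uState = if ($u -eq $superUser)   { "ok" } else { "MISMATCH (found '$u')" }
    $rState = if ($r -eq $superReader) { "ok" } else { "MISMATCH (found '$r')" }
    Write-Host ("  portalsuperuseraccount   : {0}" -f $uState)
    Write-Host ("  portalsuperreaderaccount : {0}" -f $rState)

    # User policies: Full Control for the super user, Full Read for the super reader
    $fc = Test-ObjectCachePolicy -WebApp $wa -Login $superUser   -Role FullControl
    $fr = Test-ObjectCachePolicy -WebApp $wa -Login $superReader -Role FullRead
    Write-Host ("  FullControl policy       : {0}" -f $fc)
    Write-Host ("  FullRead policy          : {0}" -f $fr)
}
```

Run it from the SharePoint 2010 Management Shell as a farm administrator. A MISMATCH on a property usually means the value was typed in the classic DOMAIN\user form on a claims web application, which is the case the event log errors are pointing at.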

For More Information

Configure Object Cache User Accounts

Migrate users and permissions from SharePoint Server 2007 to SharePoint Server 2010

Set object caching user accounts with PowerShell