SharePoint–Setting the Super User and Super Reader Accounts for All WebApplications in the Farm

The object cache stores properties about items in Microsoft SharePoint Server 2010. Items in this cache are used by the publishing feature when it renders Web pages. The goals of the object cache are to reduce the load on the computer on which SQL Server is running, and to improve request latency and throughput.

Recently, when reviewing the event logs on the farm, I started seeing these warning messages pop up

Object Cache: The super user account utilized by the cache is not configured. This can increase the number of cache misses, which causes the page requests to consume unneccesary system resources.
To configure the account use the following command ‘stsadm -o setproperty -propertyname portalsuperuseraccount -propertyvalue account -url webappurl’. The account should be any account that has Full Control access to the SharePoint databases but is not an application pool account.
Additional Data:
Current default super user account: SHAREPOINT\system

Unfortunately, what it doesn’t seem to specify is which web application does not have the super reader and super user accounts set up.  While we could walk through and check each web application per this technet article: http://technet.microsoft.com/en-us/library/ff758656.aspx that is rather tedious and time consuming.

An easier way of finding out which web applications are set up with the accounts and what accounts it is using is by running this simple PowerShell script:

Get-SPWebApplication | %{Write-Host "Web Application: " $_.url "`nSuper user: " $_.properties["portalsuperuseraccount"] "`nSuper reader: " $_.properties["portalsuperreaderaccount"] "`n"}

Which will list out each web application by its URL and tell you what accounts, if any, are set up as the object cache accounts.  This gives us a good starting point to then correct the issues on the farm so we can get rid of the warning messages.  So now I can use the technet article above and set up the correct accounts for the web applications missing the users by going into Central Admin, giving them the correct permissions to the web application and running this little script to add them to the property bag for the web application:

$wa = Get-SPWebApplication -Identity "<WebApplication>"
$wa.Properties["portalsuperuseraccount"] = "<SuperUser>"
$wa.Properties["portalsuperreaderaccount"] = "<SuperReader>"
$wa.Update()

However, being the lazy programmer admin I am, I always use the same super user and super reader accounts for the object cache, and I’d like to just set it up for every web application in the farm and be done with it.  So here is a little PowerShell program to get all the web applications in the farm and iterate through each one setting the standard super user and super reader accounts all in one shot.  Obviously the script can be extended with various command line parameters to set SuerReader and SuperUser, but as I always use the same ones I just fill it in and call it done…

 

Add-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue
 
# EDIT THIS TO ENSURE ACCOUNTS ARE CORRECT FOR ENVIRONMENT..
 
$objectCachePortalSuperReader = "<SuperReader>" 
$objectCachePortalSuperUser = "<SuperUser>" 
 
$allWebApps = Get-SPWebApplication 
 
Function ConfigureObjectCachingOnWebApp([Microsoft.SharePoint.Administration.SPWebApplication]$webApplication)
{
      Write-Host ("Processing " + $webApplication.Url);
 
      try
      {
            GrantPolicy $webApplication $objectCachePortalSuperReader FullRead
            GrantPolicy $webApplication $objectCachePortalSuperUser FullControl
 
            SetPropertyOnWebApp $webApplication "portalsuperuseraccount" $objectCachePortalSuperUser
            SetPropertyOnWebApp $webApplication "portalsuperreaderaccount" $objectCachePortalSuperReader
 
            $webApplication.Update()
 
            Write-Host -BackgroundColor DarkGreen -ForegroundColor White ("Configured " + $webApplication.Url);
      }
      catch
      {
            Write-Host -BackgroundColor DarkRed -ForegroundColor White ("Failed to configure " + $webApplication.Url + ". Error details : " + $_)        
      }
}
 
Function GrantPolicy([Microsoft.SharePoint.Administration.SPWebApplication]$webApplicationForPolicy, [string]$userOrGroup, 
      [Microsoft.SharePoint.Administration.SPPolicyRoleType]$policyLevel)
{
      $policy = $webApplicationForPolicy.Policies.Add($userOrGroup, $userOrGroup) 
      $policy.PolicyRoleBindings.Add($webApplicationForPolicy.PolicyRoles.GetSpecialRole($policyLevel)) 
}
 
Function SetPropertyOnWebApp([Microsoft.SharePoint.Administration.SPWebApplication]$webApplicationForProperty, [string]$property, 
      [string]$propertyValue)
{
      $webApplicationForProperty.Properties[$property] = $propertyValue 
}
 
# inline script starts here..
 
$confirmed = Read-Host "Set all web applications on this farm to the following:`n portalsuperuseraccount to "  $objectCachePortalSuperUser"`n portalsuperreaderaccount to " $objectCachePortalSuperReader"`n Enter Y to continue or N to exit."
if ($confirmed -eq 'y')
{
      foreach($webAppName in $allWebApps)
      {
            $webApp = Get-SPWebApplication -Identity $webAppName -ErrorAction SilentlyContinue
 
            if($webApp)
            {
                  ConfigureObjectCachingOnWebApp($webApp)     


            }
            else
            {
                  Write-Host -ForegroundColor DarkRed ("Failed to find web app '" + $webAppName + "' in this environment. ")
            }
      }
    Write-Host -BackgroundColor Blue -ForegroundColor White "Processing Done"
    Get-SPWebApplication | %{Write-Host "Web Application: " $_.url "`nSuper user: " $_.properties["portalsuperuseraccount"] "`nSuper reader: " $_.properties["portalsuperreaderaccount"] "`n" }
}
 
Write-Host -BackgroundColor Blue -ForegroundColor White "Script completed"

By saving this little script in my toolbox, I can quickly set (or reset) each WebApplication’s properties for the entire farm to our standard objectCache accounts.

Now, if for some reason you need to remove these permissions from a specific web application, I’ve seen lots of scripts that will set the account value to an empty string or a null value.  Don’t do this!  In the event that there is a particular web application that I don’t want to have these properties set for, you want to remove the properties from the propertybag using the following script.  This could also be used to enhance the above script for adding and removing for specific WebApplications through the command line.

# Remove properties
$wa = Get-SPWebApplication -Identity "<WebApplication>" 
$wa.Properties.Remove("portalsuperuseraccount")
$wa.Properties.Remove("portalsuperreaderaccount")
$wa.Update()

Write-Host("Properties count for " + $wa.Url +  ": " + $wa.Properties.Count)

4 thoughts on “SharePoint–Setting the Super User and Super Reader Accounts for All WebApplications in the Farm”

Leave a Reply