Kirk Evans is a Microsoft Architect for the Azure Center of Excellence.
This post will show how to set the PortalSuperUser and PortalSuperReader accounts for SharePoint 2010 using PowerShell.
I frequently create web applications in my SharePoint 2010 environment that use Windows claims authentication. When a web application uses claims authentication, an important step is to set the Portal Super User and Portal Super Reader accounts, the two accounts the object cache uses to read content on behalf of users. On a claims web application these must be given as claims-encoded user names (for Windows claims, the "i:0#.w|domain\user" form), not plain DOMAIN\user names.
The TechNet documentation on setting object cache accounts explains why to set these accounts, but many people don’t remember to set them until they see errors in the event log.
To set these, select the web application in Central Administration, click the User Policy button in the ribbon, add the Portal Super User account with Full Control, and add the Portal Super Reader account with Full Read. Then go to PowerShell and set the web application properties (portalsuperuseraccount and portalsuperreaderaccount) to the same two accounts. I like telling my customers to use this method because it's easy to copy the claims user name from the UI and paste it into PowerShell.
Ali Mazaheri points out that this is a very important step when upgrading from SharePoint 2007 to SharePoint 2010 as you can get Access Denied errors after upgrading if you don’t set object cache accounts, even for the site collection administrator.
Here is a quick bit of PowerShell script (run from the SharePoint 2010 Management Shell) to make things a little easier. Instead of manually setting the Full Read and Full Control permissions in the web UI and then the properties in PowerShell, I do everything in one shot.
$superUser = "i:0#.w|sharepoint\sp_superuser"
$superReader = "i:0#.w|sharepoint\sp_superreader"
foreach ($wa in Get-SPWebApplication)
{
    # Add a user policy for each account and bind it to the Full Control / Full Read role
    $fullPolicy = $wa.Policies.Add($superUser, $superUser)
    $fullPolicy.PolicyRoleBindings.Add($wa.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl))
    $readPolicy = $wa.Policies.Add($superReader, $superReader)
    $readPolicy.PolicyRoleBindings.Add($wa.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead))
    # Point the object cache at the two accounts and persist the change
    $wa.Properties["portalsuperuseraccount"] = $superUser
    $wa.Properties["portalsuperreaderaccount"] = $superReader
    $wa.Update()
}
This should save you quite a bit of time and make the process much less error prone. After writing this, I noticed that Chris O’Brien wrote a similar script back in 2010, and I’d bet if I did more searches I would find similar scripts. Got an approach that works for you? Please share in the comments!
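Setting the two properties is only half of the configuration; the matching user policies have to exist too, and the names have to be in the right format for the web application's authentication mode. The following read-only audit script is an added example, not code from the original post. It walks every web application, reports whether portalsuperuseraccount and portalsuperreaderaccount are set, distinct, in claims format on claims web applications (and plain DOMAIN\user on classic ones), not simply the application pool identity, and backed by a Full Control / Full Read user policy. It assumes the SharePoint 2010 Management Shell (or the snap-in loaded at the top); the function names and the Status/Problems output columns are my own.

```powershell
# Added audit script (not from the original post). Read-only: reports, per web
# application, whether the object cache accounts are configured consistently.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Strip the Windows claims prefix so a claims name can be compared with a plain login.
# Assumption: only the Windows claims encoding ("i:0#.w|") is handled here.
function ConvertTo-PlainLogin([string]$name) {
    if ($name -like "i:0#.w|*") { return $name.Substring(7) }
    return $name
}

# Returns $true when $wa has a user policy for $login that is bound to $roleType.
function Test-PolicyRole($wa, [string]$login, $roleType) {
    $policy = $wa.Policies | Where-Object { $_.UserName -eq $login } | Select-Object -First 1
    if ($policy -eq $null) { return $false }
    $binding = $policy.PolicyRoleBindings | Where-Object { $_.Type -eq $roleType } | Select-Object -First 1
    return ($binding -ne $null)
}

function Test-ObjectCacheAccounts {
    foreach ($wa in Get-SPWebApplication) {
        $problems = @()
        $superUser   = [string]$wa.Properties["portalsuperuseraccount"]
        $superReader = [string]$wa.Properties["portalsuperreaderaccount"]

        if ([string]::IsNullOrEmpty($superUser))   { $problems += "portalsuperuseraccount not set" }
        if ([string]::IsNullOrEmpty($superReader)) { $problems += "portalsuperreaderaccount not set" }

        if ($problems.Count -eq 0) {
            # Two distinct accounts: the reader must not be the same identity as the super user.
            if ($superUser -ieq $superReader) { $problems += "super user and super reader are the same account" }

            # Claims web applications need claims-encoded names; classic-mode ones need DOMAIN\user.
            foreach ($name in @($superUser, $superReader)) {
                $isClaims = $name.StartsWith("i:")
                if ($wa.UseClaimsAuthentication -and -not $isClaims) { $problems += "$name is not in claims format on a claims web application" }
                if (-not $wa.UseClaimsAuthentication -and $isClaims) { $problems += "$name is in claims format on a classic-mode web application" }
            }

            # Use a dedicated super user rather than the application pool identity (the implicit default).
            if ((ConvertTo-PlainLogin $superUser) -ieq $wa.ApplicationPool.Username) {
                $problems += "super user is the application pool identity; use a dedicated account"
            }

            # The property alone is not enough: each account also needs the matching user policy.
            $fullControl = [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl
            $fullRead    = [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead
            if (-not (Test-PolicyRole $wa $superUser $fullControl)) { $problems += "$superUser has no Full Control user policy" }
            if (-not (Test-PolicyRole $wa $superReader $fullRead))  { $problems += "$superReader has no Full Read user policy" }
        }

        if ($problems.Count -eq 0) { $status = "OK" } else { $status = "NEEDS ATTENTION" }
        New-Object PSObject -Property @{
            WebApplication = $wa.DisplayName
            Url            = $wa.Url
            SuperUser      = $superUser
            SuperReader    = $superReader
            Status         = $status
            Problems       = ($problems -join "; ")
        }
    }
}

Test-ObjectCacheAccounts | Format-Table WebApplication, Status, Problems -AutoSize
```

Run it before and after the configuration script above: a web application that only had the properties set, or only had the user policies added, shows up as NEEDS ATTENTION with the missing half named in the Problems column, which is exactly the gap that produces the Access Denied and event log errors the post describes.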
Configure Object Cache User Accounts
Migrate users and permissions from SharePoint Server 2007 to SharePoint Server 2010
Set object caching user accounts with PowerShell