These two accounts (the object cache super user and super reader) are very important for a SharePoint web application: if you don't set them up correctly, you will probably end up with an Access Denied condition for every user accessing the web application.
Both accounts must also be added to the web application's user policy ("policy for web application"), the super user with Full Control and the super reader with Full Read.
Here's the script. Be careful: the claims principal and super user strings must match your IdP configuration. In my case windowsaccountname (samAccountName) was used as the identity name identifier.
$webappurl = "https://yourfqdnwebappurl"
$mgr = Get-SPClaimProviderManager
$tp = Get-SPTrustedIdentityTokenIssuer -Identity "IDPName"

# Super user: a claims principal issued by the trusted IdP, identified by windowsaccountname
$superuser = "NewSPCacheSUser"
$superuserclaim = New-SPClaimsPrincipal -ClaimValue $superuser -ClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" -TrustedIdentityTokenIssuer $tp
$superuserclaimstring = $mgr.EncodeClaim($superuserclaim)

# Set read user to windows account (claims based)
$readuser = "NewSPCacheSReader"
$readuserclaim = New-SPClaimsPrincipal -ClaimValue $readuser -ClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" -TrustedIdentityTokenIssuer $tp
$readuserclaimstring = $mgr.EncodeClaim($readuserclaim)

$webApp = Get-SPWebApplication $webappurl

# SuperUser: add the encoded claim to the web application policy with Full Control
$policy = $webApp.Policies.Add($superuserclaimstring, $superuser)
$policyRole = $webApp.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl)
$policy.PolicyRoleBindings.Add($policyRole)
$webApp.Update()

# ReadUser: add the encoded claim to the web application policy with Full Read
$policy = $webApp.Policies.Add($readuserclaimstring, $readuser)
$policyRole = $webApp.PolicyRoles.GetSpecialRole([Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead)
$policy.PolicyRoleBindings.Add($policyRole)
$webApp.Update()

# Object cache accounts must be the encoded claim strings, not plain account names
$webApp.Properties["portalsuperuseraccount"] = $superuserclaimstring
$webApp.Properties["portalsuperreaderaccount"] = $readuserclaimstring
$webApp.Update()
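A read-back check to run after the script above, written here as an added example rather than code from the original post. It assumes the same web application URL and property names as the script, and reports any account that is missing, not claims-encoded, lacking a policy entry, bound to the wrong role, or shared between the two properties.

```powershell
# Added verification script (not part of the original post).
# Assumes $webappurl and the property names used in the setup script above.
$webappurl = "https://yourfqdnwebappurl"

function Test-ObjectCacheAccounts {
    param([string]$Url)
    $webApp = Get-SPWebApplication $Url
    # property name -> policy role that the object cache account needs
    $expected = @{
        "portalsuperuseraccount"   = [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl
        "portalsuperreaderaccount" = [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead
    }
    $problems = @()
    foreach ($prop in $expected.Keys) {
        $account = $webApp.Properties[$prop]
        if ([string]::IsNullOrEmpty($account)) {
            $problems += "$prop is not set"
            continue
        }
        # Encoded claims identities start with "i:0"; a plain DOMAIN\name here
        # means the property was set in Windows-classic form on a claims web app.
        if (-not $account.StartsWith("i:0")) {
            $problems += "$prop ('$account') is not an encoded claim"
        }
        $policy = $webApp.Policies | Where-Object { $_.UserName -eq $account }
        if ($null -eq $policy) {
            $problems += "$prop ('$account') has no web application policy entry"
            continue
        }
        $hasRole = $policy.PolicyRoleBindings | Where-Object { $_.Type -eq $expected[$prop] }
        if ($null -eq $hasRole) {
            $problems += "$prop ('$account') is not bound to role $($expected[$prop])"
        }
    }
    # Super user and super reader must be two different accounts
    if ($webApp.Properties["portalsuperuseraccount"] -eq $webApp.Properties["portalsuperreaderaccount"]) {
        $problems += "super user and super reader resolve to the same account"
    }
    return $problems
}

$result = Test-ObjectCacheAccounts -Url $webappurl
if ($result.Count -eq 0) { "Object cache accounts look correct" } else { $result }
```

An empty result means both properties are set to encoded claims that match a policy entry with the expected role; otherwise each line names the specific mismatch to fix before users start seeing Access Denied.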