AppPool User in Performance Log Group

The AppPool User in Performance Log Group best practice report by SPDocKit determines whether the application pool user accounts have the required permissions on the system.

Issue description

This check determines whether the application pool user accounts have the required permissions on the system.

Explanation

To gather required performance counter metrics, an application pool account needs to be a member of the local Performance Log Users group.


Solution

Verify that the application pool account is a member of the local Performance Log Users group on all SharePoint servers. To do so, open Computer Management > System Tools > Local Users and Groups > Groups and double-click the Performance Log Users group. If the application pool account is not a member of this group, add it to the group.

The following script checks the group memberships of the application pool accounts and reports accounts that are not members of the required groups:

param()

# Load the SharePoint cmdlets when not running in the SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Returns the addresses of all farm servers that have a valid SharePoint role.
function Get-SPServerList
{
    $spServerList = @()
    $serverList = Get-SPServer
    foreach ($server in $serverList)
    {
        if ($server.Role -ne [Microsoft.SharePoint.Administration.SPServerRole]::Invalid)
        {
            $spServerList += $server.Address
        }
    }
    return $spServerList
}

# Returns the distinct accounts used by service application pools and web application pools.
function Get-SPApplicationPoolUser
{
    $appPoolUsers = @()
    $svcAppPools = Get-SPServiceApplicationPool
    foreach ($svcAppPool in $svcAppPools)
    {
        if ($appPoolUsers -notcontains $svcAppPool.ProcessAccountName)
        {
            $appPoolUsers += $svcAppPool.ProcessAccountName
        }
    }
    $spWebApps = Get-SPWebApplication -IncludeCentralAdministration
    foreach ($spWebApp in $spWebApps)
    {
        if ($appPoolUsers -notcontains $spWebApp.ApplicationPool.UserName)
        {
            $appPoolUsers += $spWebApp.ApplicationPool.UserName
        }
    }
    return $appPoolUsers
}

# Returns $true when the account (DOMAIN\user) is a direct member of the local group on the server.
function IsMemberOfGroup([string]$serverName,[string]$groupName,[string]$userName)
{
    $userNameAdsPath = "WinNT://" + $userName.Replace("\","/")
    $server = [ADSI]("WinNT://$serverName,computer")
    $group = $server.psbase.children.find($groupName)
    # Wrap in @() so that an empty or single-member group still yields an array.
    $members = @($group.psbase.invoke("Members") | %{$_.GetType().InvokeMember("Adspath", "GetProperty", $null, $_, $null)})
    # -contains compares case-insensitively, so differences in account name casing do not cause a false "Missing".
    return $members -contains $userNameAdsPath
}

$spServerList = Get-SPServerList
$spUserList = Get-SPApplicationPoolUser
Write-Host "Checking Performance Log Users group membership for SharePoint Application Pool accounts..." -ForegroundColor Yellow
foreach ($server in $spServerList)
{
    Write-Host "Server: $server" -ForegroundColor Green
    foreach ($user in $spUserList)
    {
        Write-Host "`t User: $user - " -NoNewLine
        if (!(IsMemberOfGroup $server "Performance Log Users" $user))
        {
            Write-Host "Missing" -ForegroundColor Red
        }
        else
        {
            Write-Host "OK" -ForegroundColor Green
        }
    }
    Write-Host ""
}
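
The script above only reports. The following added example (not part of SPDocKit or the original page) sketches the remediation step from the Solution: it adds an account to the local Performance Log Users group only when it is missing, and supports -WhatIf so the change can be reviewed first. The function name Add-PerformanceLogUsersMember and the account CONTOSO\svc-spapppool are hypothetical.

```powershell
# Added example, not SPDocKit's script. Function name and sample values are hypothetical.
function Add-PerformanceLogUsersMember
{
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string[]]$ServerName,
        [Parameter(Mandatory = $true)][string[]]$AccountName,   # DOMAIN\user form
        [string]$GroupName = "Performance Log Users"
    )
    foreach ($server in $ServerName)
    {
        foreach ($account in $AccountName)
        {
            $memberPath = "WinNT://" + $account.Replace("\", "/")
            $status = "Unchanged"
            try
            {
                # Bind to the local group on the target server through the WinNT provider.
                $group = [ADSI]("WinNT://$server/$GroupName,group")
                if (-not $group.psbase.Invoke("IsMember", $memberPath))
                {
                    $status = "Skipped"
                    # ShouldProcess honours -WhatIf and -Confirm before any change is made.
                    if ($PSCmdlet.ShouldProcess("$server\$GroupName", "Add $account"))
                    {
                        $group.psbase.Invoke("Add", $memberPath) | Out-Null
                        $status = "Added"
                    }
                }
            }
            catch
            {
                # Unreachable server, unknown account or insufficient rights end up here.
                $status = "Error: " + $_.Exception.Message
            }
            # One result object per server/account pair, suitable for a change record.
            New-Object PSObject -Property @{ Server = $server; Account = $account; Status = $status }
        }
    }
}

# Constructed sample values; -WhatIf reports what would change without modifying any group.
Add-PerformanceLogUsersMember -ServerName $env:COMPUTERNAME -AccountName "CONTOSO\svc-spapppool" -WhatIf
```

Run it from an elevated session with administrative rights on the target servers, and feed it only the accounts the check reported as Missing so that no other account gains the membership.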

Additional information

Additional information can be found in the following articles: