AppPool User in Performance Log Group

The AppPool User in Performance Log Group best practice report in SPDocKit determines whether the application pool user accounts have the required permissions on the system.

Issue description

This check determines whether the application pool user accounts have the required permissions on the system.

Explanation

To gather required performance counter metrics, an application pool account needs to be a member of the local Performance Log Users group.

Solution

Verify that the application pool account is a member of the local Performance Log Users group on all SharePoint servers. To do so, open Computer Management > System Tools > Local Users and Groups > Groups and double-click the group Performance Log Users. If the application pool account is not a member of this group, add it to the group.

The following script checks the group memberships of the application pool accounts on every SharePoint server and reports accounts that are not members of the required group:

param()

# The script uses the SharePoint cmdlets; load the snap-in if it is not already present.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Returns the addresses of all farm servers that hold a SharePoint role
# (servers whose role is Invalid, e.g. database-only servers, are skipped).
function Get-SPServerList
{
    $spServerList=@()
    $serverList = Get-SPServer
    foreach ($server in $serverList)
    {
        if ($server.Role -ne [Microsoft.SharePoint.Administration.SPServerRole]::Invalid)
        {
            $spServerList += $server.Address
        }
    }
    return $spServerList
}

# Returns the distinct accounts used by service application pools and by
# web application pools, including Central Administration.
function Get-SPApplicationPoolUser
{
    $appPoolUsers = @()

    $svcAppPools = Get-SPServiceApplicationPool
    foreach ($svcAppPool in $svcAppPools)
    {
        if ($appPoolUsers.IndexOf($svcAppPool.ProcessAccountName) -eq -1)
        {
            $appPoolUsers += $svcAppPool.ProcessAccountName
        }
    }

    $spWebApps = Get-SPWebApplication -IncludeCentralAdministration
    foreach ($spWebApp in $spWebApps)
    {
        if ($appPoolUsers.IndexOf($spWebApp.ApplicationPool.UserName) -eq -1)
        {
            $appPoolUsers += $spWebApp.ApplicationPool.UserName
        }
    }
    return $appPoolUsers
}

# Checks, through the WinNT ADSI provider, whether $userName is a direct member of the
# local group $groupName on $serverName. Requires local administrator rights on the
# target server. Membership inherited through a nested group is not detected.
function IsMemberOfGroup([string]$serverName,[string]$groupName,[string]$userName)
{
    # Group members are identified by ADsPath, e.g. DOMAIN\user becomes WinNT://DOMAIN/user
    $userNameAdsPath = "WinNT://" + $userName.Replace("\","/")
    $server = [ADSI]("WinNT://$serverName,computer")
    $group = $server.psbase.children.find($groupName)

    $members = $group.psbase.invoke("Members") | %{$_.GetType().InvokeMember("Adspath", "GetProperty", $null, $_, $null)}
    # Wrap in @() so a group with zero or one member is still treated as a list;
    # -contains compares whole values case-insensitively, which matches Windows account naming.
    return @($members) -contains $userNameAdsPath
}

$spServerList = Get-SPServerList
$spUserList = Get-SPApplicationPoolUser

Write-Host "Checking Performance Log Users group membership for SharePoint Application Pool accounts..." -ForegroundColor Yellow

# Report every application pool account on every server as OK or Missing.
foreach ($server in $spServerList)
{
    Write-Host "Server: $server" -ForegroundColor Green
    foreach ($user in $spUserList)
    {
        Write-Host "`t User: $user - " -NoNewLine
        if (!(IsMemberOfGroup $server "Performance Log Users" $user))
        {
            Write-Host "Missing" -ForegroundColor Red
        }
        else
        {
            Write-Host "OK" -ForegroundColor Green
        }
    }
    Write-Host ""
}
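The script above only reports. As an added example that is not part of the SPDocKit page or its script, the following PowerShell carries out the remediation step from the Solution section: it performs the same WinNT ADSI membership check on each SharePoint server and adds any missing application pool account to Performance Log Users, honoring -WhatIf so it can be dry-run first. It assumes the Microsoft.SharePoint.PowerShell snap-in is available and that the caller is a local administrator on every server; the function names are my own.

```powershell
# Added example: adds missing SharePoint application pool accounts to the local
# "Performance Log Users" group on every SharePoint server. Assumes the
# Microsoft.SharePoint.PowerShell snap-in is available and that the caller is a
# local administrator on each server. Run with -WhatIf first for a dry run.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$GroupName = "Performance Log Users"
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Farm servers with a SharePoint role, and the distinct application pool accounts.
$servers  = Get-SPServer | Where-Object { $_.Role -ne "Invalid" } | ForEach-Object { $_.Address }
$accounts = @(Get-SPServiceApplicationPool | ForEach-Object { $_.ProcessAccountName }) +
            @(Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object { $_.ApplicationPool.UserName })
$accounts = $accounts | Sort-Object -Unique

function Get-LocalGroupAdsi([string]$Server, [string]$Group)
{
    $computer = [ADSI]"WinNT://$Server,computer"
    return $computer.psbase.Children.Find($Group, "group")
}

function Test-GroupMember($GroupAdsi, [string]$Account)
{
    # Direct members only; membership via a nested group is not detected.
    $path = "WinNT://" + $Account.Replace("\", "/")
    $members = @($GroupAdsi.psbase.Invoke("Members") |
        ForEach-Object { $_.GetType().InvokeMember("Adspath", "GetProperty", $null, $_, $null) })
    return $members -contains $path
}

foreach ($server in $servers)
{
    $group = Get-LocalGroupAdsi -Server $server -Group $GroupName
    foreach ($account in $accounts)
    {
        if (Test-GroupMember -GroupAdsi $group -Account $account)
        {
            Write-Verbose "$server : $account is already a member of $GroupName"
            continue
        }
        if ($PSCmdlet.ShouldProcess("$server\$GroupName", "Add member $account"))
        {
            # IADsGroup.Add takes the ADsPath of the principal to add.
            $group.psbase.Invoke("Add", "WinNT://" + $account.Replace("\", "/"))
            Write-Host "$server : added $account to $GroupName" -ForegroundColor Green
        }
    }
}
```

Group membership is read at logon, so an application pool added to the group only picks up the new rights after its worker process is recycled.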
