Filtering Active Directory Accounts from People Picker

Overview
There are two locations in SharePoint where users can "find" other users in the system: either by performing a People search using the search services, or by using the People Picker control. Results can differ between the two because they pull from different data sources. People Search pulls from the SharePoint Profile database, which is a list of all the users that were imported from Active Directory and matched a certain filter criteria. The People Picker, on the other hand, pulls directly from Active Directory, and because of this it typically returns more results. This is because it is grabbing users that are disabled, service accounts, and users that don't have an email address (duplicate accounts in our AD structure due to multiple domains).

Problem
The People Picker is returning users that are disabled and service accounts. Also, due to our infrastructure, a number of users have multiple accounts across the domains but only one "main" account. The main account is always the account that has an associated email address; all other accounts don't have an email address.

Resolution
Using the stsadm tools, it is possible to set a custom Active Directory filter on the people picker control. This can be done with the following command.

Stsadm -o setproperty
            -pn peoplepicker-searchadcustomfilter
            -pv <LDAP filter>
            -url <WebApplication url>

Example Syntax:

Stsadm -o setproperty
             -pn peoplepicker-searchadcustomfilter
             -pv "(|(&(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(objectcategory=group))"
             -url http://myportal

This example filters out accounts that don't have an email address or are disabled (the 1.2.840.113556.1.4.803 matching rule does a bitwise AND against userAccountControl, and bit 2 is the "account disabled" flag). Because security groups don't always have email addresses, we used an OR clause to make sure they are still included. This command must be run against each web application that should have the custom filter applied to the People Picker.
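To see what this filter keeps and what it drops before you push it out with stsadm, here is an added Python example (not from the post) that parses the filter above and evaluates it against a few constructed directory entries; the sample entries, their attribute values and the evaluator itself are assumptions, and the evaluator only covers the filter syntax the post uses.

```python
# Added example: evaluates the post's People Picker LDAP filter over constructed entries.
BIT_AND_RULE = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
PEOPLE_PICKER_FILTER = (                  # filter from the post, verbatim
    "(|(&(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    "(objectcategory=group))"
)

def parse(s, i=0):                        # returns (node, index just after the filter at s[i])
    i += 1                                # step past the opening '('
    if s[i] in "&|":                      # AND / OR over a list of sub-filters
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1          # +1 skips the closing ')'
    if s[i] == "!":                       # NOT over exactly one sub-filter
        kid, i = parse(s, i + 1)
        return ("!", [kid]), i + 1
    end = s.index(")", i)                 # simple item: attr[:OID:]=value
    attr, value = s[i:end].split("=", 1)
    return ("=", attr, value), end + 1

def matches(node, entry):                 # evaluate a parsed filter against one entry
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    rule = attr.split(":")[1] if ":" in attr else None   # extensible-match OID, if any
    actual = {k.lower(): v for k, v in entry.items()}.get(attr.split(":")[0].lower())
    if actual is None:                    # an absent attribute never matches
        return False
    if value == "*":                      # presence test, e.g. (mail=*)
        return True
    if rule == BIT_AND_RULE:              # true when any bit of value is set in the attribute
        return int(actual) & int(value) != 0
    return str(actual).lower() == value.lower()

SAMPLE_ENTRIES = [                        # constructed entries, not a real directory
    {"cn": "alice", "objectCategory": "person", "mail": "alice@example.com", "userAccountControl": 512},
    {"cn": "bob", "objectCategory": "person", "mail": "bob@example.com", "userAccountControl": 514},
    {"cn": "svc-backup", "objectCategory": "person", "userAccountControl": 512},
    {"cn": "Portal Owners", "objectCategory": "group"},
]

def people_picker_results(entries=SAMPLE_ENTRIES, filt=PEOPLE_PICKER_FILTER):
    """Names the filter keeps: enabled users that have mail, plus every group."""
    tree, _ = parse(filt)
    return [e["cn"] for e in entries if matches(tree, e)]
```

Running it keeps alice (enabled, has mail) and the group, and drops bob (userAccountControl 514 has the disabled bit set) and svc-backup (no mail).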

On a side note, it appears that the People Picker doesn't just pull from Active Directory but also pulls information from the Site Collection list of users who have “hit” the site. This in my opinion is a bit annoying because accounts that have been disabled (people leaving the company) stick around. Figures.

I thought I'd share this with everyone as this seems to be an undocumented stsadm command. I noticed it in the list of available properties to set using setproperty but couldn't find a SINGLE thing on the web, so we asked a Microsoft representative if he had any guidance.

Note: The line breaks are for readability and should not be in the batch file or command line.

7 Responses to “Filtering Active Directory Accounts from People Picker”

  1. south says:

    Thank you lol I’ve been searching for this everywhere >_<

  2. Singh says:

    I got the operation completed message but that filter is not working. Actually the whole people picker is not working; it is not allowing any user even though I am using a filter to allow users from a particular group. Is there anything else I was supposed to do? I checked with stsadm -o getproperty -propertyname peoplepicker-searchadcustomfilter and it says
    What else do I need to do, or how do I remove this filter?
    Thanks.

    • Pankaj says:

      Hi Singh,
      I think this has something to do with the hotfixes and service packs.
      Even I tried it a lot till y’day and this query never worked (just like yours).
      Today I installed all cumulative hotfixes from MSFT and the query started working, a magic isn’t it…???

      Now the only issue is what about the nested users i.e. users inside an AD group which is inside this main AD group. SharePoint doesn’t seem to understand the nested users so it doesn’t find those users. But it will find the direct users inside the current AD group.
      Even I am interested in knowing how to make SharePoint People-picker understand the nested users.

      BTW, my query looks like this:-
      (memberOf=CN=MyAdGroup,OU=Application Support Groups,OU=Group Directory,DC=Americas,DC=Microsoft,DC=Com)

      I also found here http://msdn.microsoft.com/en-us/library/aa746475%28VS.85%29.aspx that there is something called LDAP_MATCHING_RULE_IN_CHAIN and I tried this as below but so far no go… :(

      (memberOf:1.2.840.113556.1.4.1941:=(CN=MyAdGroup,OU=Application Support Groups,OU=Group Directory,DC=Americas,DC=Microsoft,DC=Com))

      Note: Replace Microsoft with your company's domain name.

      • William Langenhuizen says:

        Hi Pankaj,

        Which CU package did you install?

        I am running SP2 with no CUs after that. Hopefully updating to the last CU will fix my problem.

        Thanks!

  3. Singh says:

    I checked again using stsadm -o getproperty -propertyname peoplepicker-searchadcustomfilter
    and it says that Property Exists="Yes" value="(&(objectCategory=person)(objectClass=user)(memberOf=cn=groupname,ou=OUName,ou=Groups,ou=OUName,dc=abc,dc=xyz,dc=grp))"

    but it's not returning any user from that group.

    • Pankaj says:

      Hi again,
      my suggestion is, start with a simple query and then go on adding other criteria..
      e.g. start with (memberOf=cn=groupname,ou=OUName,ou=Groups,ou=OUName,dc=abc,dc=xyz,dc=grp) first.
      and before you try this on the command prompt using STSADM, try it in the "Active Directory Users and Computers" tool which comes with the "Windows Server 2003 Administration Tools Pack". It's a free download from Microsoft. If your query works in that tool then try it on STSADM, because STSADM will ALWAYS take whatever you give to it; only the PeoplePicker will fail while searching users and you will never know if the query is wrong or something else…
      (now say “thanks to Microsoft”, quickly ).
