Share via


Configure People Picker (SharePoint Foundation 2010)

 

Applies to: SharePoint Foundation 2010

People Picker is configured at the zone level for a farm by using the Stsadm setproperty operation. By configuring the settings for the control, you can filter and restrict the results that are displayed when a user searches for a user, group, or claim. Those settings will apply to every site within the site collection.

The information in this article applies only to Web applications that use Windows authentication in either classic mode or claims mode.

The People Picker control is used to find and select users, groups, and claims when a site, list, or library owner assigns permissions in Microsoft SharePoint Foundation 2010. People Picker is configured at the zone level for a farm by using the Stsadm setproperty operation. By configuring the settings for the control, you can filter and restrict the results that are displayed when a user searches for a user, group or claim. Those settings will apply to every site within the site collection. For more information about the People Picker properties, see Peoplepicker: Stsadm properties.

Note

There are no Windows PowerShell commands to configure People Picker.

This article contains information about how to configure People Picker for specific scenarios. For more information about the People Picker control and how it works, its relationship to authentication and claim providers, and how to plan for People Picker, see People Picker overview (SharePoint Foundation 2010).

Before you perform the procedures in this article, you must do the following:

  • Verify that the account you use to run Stsadm is a member of the local Administrators group on the server on which SharePoint Foundation 2010 is installed.

  • Open the command prompt window as an administrator to perform the procedures in this article.

  • In the command prompt on the driver where SharePoint Foundation 2010 is installed, change to the following directory: %COMMONPROGRAMFILES%\Microsoft shared\Web server extensions\14\Bin.

In this article:

  • Check the setting value for any property

  • Clear a property value from People Picker

  • Set an encryption key for use with a one-way trust

  • Enable cross-forest or cross-domain queries with a one-way trust

  • Restrict People Picker to a certain group in Active Directory

  • Define the location of administrator accounts

  • Force People Picker to pick only from users in the site collection

  • Filter Active Directory accounts by using LDAP queries

  • Return only non-Active Directory user accounts

Check the setting value for any property

To check the setting for any People Picker property, type the following command:

stsadm.exe -o getproperty -pn <Property Name> -url <Web application URL>

For more information, see Peoplepicker: Stsadm properties (https://technet.microsoft.com/en-us/library/cc263318(office.12).aspx).

Clear a property value from People Picker

You can remove the setting for a People Picker property by specifying the property name you want to clear, and using empty quotation marks for the property value.

To remove a property setting from People Picker, type the following command:

stsadm.exe -o setproperty -pn <Property Name> -pv "" -url <Web application URL>

For more information, see Peoplepicker-searchadforests: Stsadm property (https://technet.microsoft.com/en-us/library/cc263460(office.12).aspx).

Set an encryption key for use with a one-way trust

If the forest or domain on which SharePoint Foundation 2010 is installed has a one-way trust with another forest or domain, you must first set the credentials for an account that is allowed to authenticate with the forest or domain to be queried before you can use the Stsadm peoplepicker-searchadforests property.

Note

The encryption key must be set on every front-end Web server in the farm on which SharePoint Foundation 2010 is installed.

To set an encryption key, type the following command:

stsadm.exe -o setapppassword -password <key>

For more information about querying additional forests or domains, see All you want to know about People Picker in SharePoint ( Functionality | Configuration | Troubleshooting ) Part-2 (https://go.microsoft.com/fwlink/p/?LinkId=207666).

Enable cross-forest or cross-domain queries when using a one-way trust

If the forest or domain on which SharePoint Foundation 2010 is installed has a one-way trust with another forest or domain, you must specify the credentials to be used to query the forest or domain, in addition to the names of the forests or domains to be queried. People Picker will only query the forests or domains that you specify in the peoplepicker-searchadforests property setting.

To specify the forests or domains to be queried along with the credentials, type the following command:

stsadm.exe -o setproperty -pn peoplepicker-searchadforests -pv <Valid list of forests or domains, Login name, Password> -url <Web application URL>

Note

You do not need to include the encryption key password that you assigned to the account when you use the peoplepicker-searchadforests property. However, if you have not already set an encryption key for the account, en error message will be displayed.

The following example configures People Picker for use with a forest named Contoso.com and a domain named Fabrikam.com, and includes the credentials for each:

STSADM.exe -o setproperty -pn peoplepicker-searchadforests -pv "forest:Contoso.com,Contoso\User1,Password1; domain:Fabrikam.com,Fabrikam\User2,Password2" -url https://ServerName

For more information, see Peoplepicker-searchadforests: Stsadm property (https://technet.microsoft.com/en-us/library/cc263460(office.12).aspx).

Restrict People Picker to a certain group in Active Directory

If a Web application is using Windows authentication and the site user directory path is not set, the People Picker control searches the entire Active Directory to resolve users' names or find users, instead of searching only users within a particular organizational unit (OU). The Stsadm setsiteuseraccountdirectorypath operation allows the user's directory path to be set to a specific OU in the same domain. After the directory path is set to a site collection, the People Picker control will only search under that particular OU.

To restrict People Picker to a certain OU in Active Directory, type the following command:

stsadm -o setsiteuseraccountdirectorypath -path <Valid OU name> –url <Web application URL>

The following example configures People Picker to only return users and groups in the OU named "Sales":

stsadm -o setsiteuseraccountdirectorypath -path "OU=Sales,DC=ContosoCorp,DC=local" -url https://ServerName

Note

Only a single site user directory path can be set at a time for a site collection. Because this property specifies only one OU at a time, you should run the Stsadm setsiteuseraccountdirectorypath operation only once per site collection.

For more information, see Setsiteuseraccountdirectorypath: Stsadm operation (https://technet.microsoft.com/en-us/library/cc263328(office.12).aspx).

Define the location of administrator accounts

Administrative user accounts are often located in a different OU from regular site users. If you have used the Stsadm setsiteuseraccountdirectorypath operation to force People Picker to only return query results from a specific OU, you must also set the Stsadm peoplepicker-serviceaccountdirectorypaths property so the administrator can manage the site collection.

Note

Before the peoplepicker-serviceaccountdirectorypaths property will work, the Setsiteuseraccountdirectorypath operation must be set and contain a value.

To define the location of administrator accounts, type the following command:

Stsadm -o setproperty -pn peoplepicker-serviceaccountdirectorypaths -pv <A list of OU names> -url <Web application URL>

The following example configures People Picker to allow users that are in the OU "FarmAdmin":

stsadm -o setproperty -pn peoplepicker-serviceaccountdirectorypaths -pv "OU=FarmAdmin,DC=Contoso,DC=local" -url https://ServerName

For more information, see Peoplepicker-serviceaccountdirectorypaths: Stsadm property (https://technet.microsoft.com/en-us/library/cc263012(office.12).aspx).

Force People Picker to pick only from users in the site collection

The People Picker control consists of a text box, and two buttons; the Check Names button and the Browse button. The Check Names button is used to resolve a user name, group name or e-mail address exactly as it was typed into the text box. The Browse button opens the Select People and Groups dialog box, which can be used to submit a query for a full or partial string. The important difference between the two is that the Check Names button only resolves exactly what is in the text box, whereas the Select People and Groups dialog box searches for the query string. You can force People Picker to only return users who have permissions in the site collection by using either the PeoplePicker-Peopleeditoronlyresolvewithinsitecollection property or the PeoplePicker-Onlysearchwithinsitecollection property. However, the property you use to configure this restriction will depend on whether you want to set the restriction for the text box (People editor) and Check Names button, or for the Select People and Groups dialog box.

To force People Picker to only return users who have permissions in the site collection when the Check Names button is clicked, type the following command:

stsadm -o setproperty –pn peoplepicker-Peopleeditoronlyresolvewithinsitecollection –pv yes –url <Web application URL>

To force People Picker to only return users who have permissions in the site collection when the Select People and Groups dialog box is used, type the following command:

stsadm -o setproperty –pn peoplepicker-onlysearchwithinsitecollection –pv yes –url <Web application URL>

For more information, see Peoplepicker-onlysearchwithinsitecollection: Stsadm property (https://technet.microsoft.com/en-us/library/cc261988(office.12).aspx) and Peoplepicker-peopleeditoronlyresolvewithinsitecollection: Stsadm property (SharePoint Foundation 2010).

Filter Active Directory accounts by using LDAP queries

You can use a Lightweight Directory Access Protocol (LDAP) query to create a custom filter for displaying query results. For more information about LDAP queries, see LDAP Query Basics (https://go.microsoft.com/fwlink/p/?LinkId=207670).

To use a custom LDAP query, type the following command:

Stsadm –o setproperty –pn peoplepicker-searchadcustomfilter -pv <LDAP query filter> -url <Web application URL>

The following example filters out user accounts that do not have e-mail addresses, or that are disabled. Because security groups do not always have e-mail addresses associated with them, an OR statement is used to ensure that security groups are still included in the query results:

stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv "(|(&(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(objectcategory=group))" -url https://ServerName

The following example only returns active users, and not groups:

stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))" -url https://ServerName

For an explanation of the user account control string used in this query, see Search Filter Syntax (https://go.microsoft.com/fwlink/p/?LinkId=210020).

The following example returns a list of Active Directory users with the title "Manager":

stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv "((Title=Manager))" -url https://ServerName

Important

Remember that every time you run the setproperty command for a specific property, that property's current values will be overwritten by the new values you specify. If you need to filter query results based on multiple criteria, you will need to build a compound LDAP query that includes all the values for which you want to filter.

For more information, see Peoplepicker-searchadcustomfilter: Stsadm property (https://technet.microsoft.com/en-us/library/cc263452(office.12).aspx).

Return only non-Active Directory user accounts

If your Web application uses forms-based authentication, you can prevent People Picker from returning Active Directory accounts in the query results.

To return only non-Active Directory user accounts, type the following command:

stsadm -o setproperty -pn peoplepicker-nowindowsaccountsfornonwindowsauthenticationmode -pv yes -url <Web application URL>

For more information, see Peoplepicker-nowindowsaccountsfornonwindowsauthenticationmode: Stsadm property (https://technet.microsoft.com/en-us/library/cc263264(office.12).aspx).

See Also

Other Resources

Resource Center: Security and Authentication for SharePoint Foundation 2010