Select users from multiple forest domains

SharePoint 2007

Updated: May 29, 2007

Applies To: Office SharePoint Server 2007

This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see , Resources to help you upgrade your Office 2007 servers and clients.


Topic Last Modified: 2017-01-25

Before you perform this procedure, confirm that:

  • You have read the topic Manage connections across domains in multiple forests.

  • You know the trust relationship between the current forest or domain and each target forest or domain, and you know the user name and password for an account with access to each target forest or domain.

Administrators must have access to the Shared Services Provider (SSP) administration site, and must have the Manage user profiles permission enabled to complete this procedure.

Information about users imported from directory services is available on SharePoint sites from the Select People and Groups dialog box, also known as the People Picker Web control. Site administrators and other users use the People Picker to select people and groups when assigning permissions. When information about users is located on multiple forests, additional steps might be necessary to ensure that all people and groups are available from this Web control.

The following steps describe how to configure the People Picker so that people from multiple forests are included:

  • All domains and forests with a two-way trust relationship are available without any additional configuration steps.

  • If the domain for the farm has a one-way trust relationship with one or more other forests or domains, you can configure access to the other domains and forests by using the Stsadm command-line tool and selecting an account to use when accessing each forest or domain. You can use a different account for each target domain or forest, or the same account for all domains and forests. If all forests are trusted from the current forest or domain, and the application pool identity account for the current Web application has access to all target forests, no further configuration steps are necessary.

  • The account and password used to access each domain or forest is stored on each front-end Web server in the farm. You must configure an encryption string to use when encrypting the password for each account. This encryption string must be the same for all servers in the farm, and unique for each server farm in a deployment with multiple farms.

Alternatively, you can configure the forests so that the application pool has access to each forest, and establish a two-way trust relationship between the current forest and domain and each of the target forests. However, because this is not possible in every scenario, it is often necessary to use the Stsadm command-line tool.

Use this procedure to enable selection of people and groups from multiple forests or domains that have a one-way trust relationship from the farm.

Enable selection of people and groups from multiple forests
  1. On every front-end Web server on a farm, at a command prompt, type the following command, and then press ENTER:

    STSADM.exe -o setapppassword -password key

    This key is an encryption string that is used to encrypt the password for the account that is used to access the forest or domain. The encryption string must be the same for every server in the farm, but a unique string should be used for each farm.
  2. On a front-end Web server, at a command prompt, type the following command, and then press ENTER:

    STSADM.exe -o setproperty -pn peoplepicker-searchadforests -pv domain:DnsName,user,password -url http:// webapp

    You can add multiple forests by listing multiple domains or forests in the format domain:DnsName,user,password separated by semicolons. You can omit the username and password if the application pool identity already has access to a domain or forest. The username and password must not contain commas. After you run this command, users can select users and groups from the listed forests and domains from any front-end Web server in the farm.

The following table describes the relevant placeholders.


Placeholder Description


A unique encryption string to use for all servers in the farm.


The target forest or domain and its DNS name.


The user and password for an account with access to the target forest or domain.


The name of the Web application for the current server.

For more information about the Stsadm command-line tool and the properties used in configuring the People Picker for multiple forests, see Peoplepicker: Stsadm properties (Office SharePoint Server).