Configure People Picker in SharePoint 2013
Applies to: SharePoint Server 2013 Standard, SharePoint Server 2013 Enterprise, SharePoint Foundation 2013
Topic Last Modified: 2014-07-16
Summary:Learn how to use the Stsadm.exe tool to manage People Picker in SharePoint 2013.
You configure the People Picker web control at the zone level for a farm by using the Stsadm setproperty operation. By configuring the settings for the control, you can filter and restrict the results that are displayed when a user searches for a user, group, or claim. Those settings will apply to every site within the site collection.
The information in this article applies only to web applications that use Windows authentication in either claims mode (the default for SharePoint 2013) or classic mode.
You use the People Picker control to find and select users, groups, and claims when a site, list, or library owner assigns permissions in SharePoint 2013. People Picker is configured at the zone level for a farm by using the Stsadm setproperty operation. By configuring the settings for the control, you can filter and restrict the results that are displayed when a user searches for a user, group or claim. Those settings will apply to every site within the site collection. For more information about the People Picker properties, see Peoplepicker: Stsadm properties.
|There are no built-in Windows PowerShell cmdlets to configure People Picker, however you can use the PeoplePickerSettings property to configure People Picker settings. For additional information on how to use the PeoplePickerSettings property see, PeoplePickerSettings Property|
This article contains information about People Picker Stsadm properties and how to configure People Picker for specific scenarios. For more information about the People Picker control and how it works, its relationship to authentication and claims providers, and how to plan for People Picker, see People Picker and claims providers overview (SharePoint 2013).
|In a two way trust, People Picker needs to be configured to return results from another forest other than the one where SharePoint is installed.|
Before you perform the procedures in this article, you must do the following:
Verify that the account that you use to run Stsadm is a member of the Administrators group on the server on which SharePoint 2013 is installed.
Open the Command Prompt window as an administrator to perform the procedures in this article.
In the command prompt on the drive where SharePoint 2013 is installed, change to the following directory: %COMMONPROGRAMFILES%\Microsoft Shared\Web Server Extensions\15\Bin. %COMMONPROGRAMFILES% is typically set to <drive letter>:\Program Files\Common Files.
In this article:
Table 1 lists the Stsadm properties that you can use to configure People Picker.
Table 1. Properties that can be used to configure People Picker
Configures the time-out when a query is issued to Active Directory Domain Services. The default time-out value is 30 seconds. For more information, see Peoplepicker-activedirectorysearchtimeout.
Restricts the search of a distribution list to a specific subset of domains. For more information, see Peoplepicker-distributionlistsearchdomains.
Specifies not to search Active Directory when the current port is using forms-based authentication. For more information, see Peoplepicker-nowindowsaccountsfornonwindowsauthenticationmode.
Displays only users who are members of the site collection. For more information, see Peoplepicker-onlysearchwithinsitecollection.
Displays only users who are members of the current site collection. For more information, see Peoplepicker-peopleeditoronlyresolvewithinsitecollection.
Enables a farm administrator to specify a unique search query. For more information, see Peoplepicker-searchadcustomfilter.
Permits the administrator to set the custom query that is sent to Active Directory. For more information, see Peoplepicker-searchadcustomquery.
Permits a user to search from a second one-way trusted forest or domain. For more information, see Peoplepicker-searchadforests.
Enables a farm administrator to manage the site collection that has a specific organizational unit (OU) setting as defined in the Setsiteuseraccountdirectorypath setting. For more information, see Peoplepicker-serviceaccountdirectorypaths.
To check the setting for any People Picker property, type the following command:
stsadm.exe -o getproperty -pn <Property name> -url <Web application URL>
For more information, see Peoplepicker: Stsadm properties.
You can remove the setting for a People Picker property by specifying the property name that you want to clear, and using empty quotation marks for the property value.
To remove a property setting from People Picker, type the following command:
stsadm.exe -o setproperty -pn <Property name> -pv "" -url <Web application URL>
For more information, see Peoplepicker-searchadforests: Stsadm property.
If the forest or domain on which SharePoint 2013 is installed has a one-way trust with another forest or domain, you must first set the credentials for an account that can authenticate with the forest or domain to be queried before you can use the Stsadm peoplepicker-searchadforests property.
|The encryption key must be set on every front-end web server in the farm on which SharePoint 2013 is installed.|
To set an encryption key, type the following command:
stsadm.exe -o setapppassword -password <Key>
For more information about querying additional forests or domains, see All you want to know about People Picker in SharePoint ( Functionality | Configuration | Troubleshooting ) Part-2.
If the forest or domain on which SharePoint 2013 is installed has a one-way trust with another forest or domain, you must specify the credentials to be used to query the forest or domain, in addition to the names of the forests or domains to be queried. People Picker will only query the forests or domains that you specify in the peoplepicker-searchadforests property setting.
To specify the forests or domains to be queried together with the credentials, type the following command:
stsadm.exe -o setproperty -pn peoplepicker-searchadforests -pv <Valid list of forests or domains, Login name, Password> -url <Web application URL>
|You do not have to include the encryption key password that you assigned to the account when you use the peoplepicker-searchadforests property. If you have not already set an encryption key for the account, an error message will be displayed.|
Remember that the settings for People Picker are configured per zone for a web application. Therefore, if you have more than one forest or domain in your farm, you must combine the accounts and passwords into a single command for the setproperty operation.
The following example configures People Picker for use with a forest named Contoso.com and a domain named Fabrikam.com, and includes the credentials for each:
STSADM.exe -o setproperty -pn peoplepicker-searchadforests -pv "forest:Contoso.com,Contoso\User1,Password1; domain:Fabrikam.com,Fabrikam\User2,Password2" -url http://central
For more information, see Peoplepicker-searchadforests: Stsadm property.
If a web application is using Windows authentication and the site user directory path is not set, the People Picker control searches all the Active Directory to resolve users' names or find users, instead of searching only users in a particular organizational unit (OU). The Stsadm setsiteuseraccountdirectorypath operation allows the user's directory path to be set to a specific OU in the same domain. After the directory path is set to a site collection, the People Picker control will only search under that particular OU.
To restrict People Picker to a certain OU in Active Directory, type the following command:
stsadm -o setsiteuseraccountdirectorypath -path <Valid OU name> –url <Web application URL>
The following example configures People Picker to only return users and groups in the OU named "Sales":
stsadm -o setsiteuseraccountdirectorypath -path "OU=Sales,DC=ContosoCorp,DC=local" -url http://central
|Because this property specifies only one OU at a time, you should only run the Stsadm setsiteuseraccountdirectorypath operation once per site collection. To set multiple OUs at one time, use the Stsadm Peoplepicker-serviceaccountdirectorypaths property.|
For more information, see Setsiteuseraccountdirectorypath: Stsadm operation.
Administrative user accounts are often located in a different OU from regular site users. If you have used the Stsadm setsiteuseraccountdirectorypath operation to force People Picker to only return query results from a specific OU, you must also set the Stsadm peoplepicker-serviceaccountdirectorypaths property so the administrator can manage the site collection.
|Before the peoplepicker-serviceaccountdirectorypaths property will work, the Setsiteuseraccountdirectorypath operation must be set and contain a value.|
To define the location of administrator accounts, type the following command:
Stsadm -o setproperty -pn peoplepicker-serviceaccountdirectorypaths -pv <List of OU names> -url <Web application URL>
The following example configures People Picker to allow users who are in the OU named FarmAdmin:
stsadm -o setproperty -pn peoplepicker-serviceaccountdirectorypaths -pv "OU=FarmAdmin,DC=Contoso,DC=local" -url http://central
For more information, see Peoplepicker-serviceaccountdirectorypaths: Stsadm property.
You can force People Picker to only return users who have permissions in the site collection by using either the PeoplePicker-Peopleeditoronlyresolvewithinsitecollection property or the PeoplePicker-Onlysearchwithinsitecollection property.
For more information, see Peoplepicker-onlysearchwithinsitecollection: Stsadm property and Peoplepicker-peopleeditoronlyresolvewithinsitecollection.
You can use a Lightweight Directory Access Protocol (LDAP) query to create a custom filter for displaying query results. For more information about LDAP queries, see LDAP Query Basics.
To use a custom LDAP query, type the following command:
Stsadm –o setproperty –pn peoplepicker-searchadcustomfilter -pv <LDAP query filter> -url <Web application URL>
The following example filters out user accounts that do not have e-mail addresses, or that are disabled. Because security groups do not always have e-mail addresses associated with them, an OR statement is used to ensure that security groups are still included in the query results:
stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv "(|(&(mail=*)(!(userAccountControl:1.2.840.1135188.8.131.523:=2)))(objectcategory=group))" -url http://central
The following example only returns active users, and not groups:
stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.1135184.108.40.2063:=2))" -url http://central
For an explanation of the user account control string that is used in this query, see Search Filter Syntax (http://go.microsoft.com/fwlink/p/?LinkId=210020).
The following example returns a list of Active Directory users who have the title "Manager":
stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv "((Title=Manager))" -url http://central
|Remember that every time that you run the setproperty command for a specific property, that property's current values will be overwritten by the new values that you specify. If you must filter query results based on multiple criteria, you must build a compound LDAP query that includes all the values for which you want to filter.|
For more information, see Peoplepicker-searchadcustomfilter: Stsadm property.
If your web application uses forms-based authentication, you can prevent People Picker from returning Active Directory accounts in the query results.
To return only non-Active Directory user accounts, type the following command:
stsadm -o setproperty -pn peoplepicker-nowindowsaccountsfornonwindowsauthenticationmode -pv yes -url <Web application URL>
For more information, see Peoplepicker-nowindowsaccountsfornonwindowsauthenticationmode: Stsadm property.