# Saturday, June 09, 2012

This post is also published on The SharePoint Bar

Recently, I was called to troubleshoot and fix an issue on a SharePoint 2010 farm, reported simply as "not all the users are displayed in the people picker". Some users were listed and some were not, with no obvious common pattern that could point to something like "they are not in a group with enough privileges" or anything similar.

## The symptoms

A simple way to reproduce the issue was to open a “Library Permissions” or a “List Permissions” in the ribbon of any library or list and then to select “Check Permissions” in the ribbon. This will open a dialog from which a people picker can easily be opened.


Now, when clicking on the address book button and searching for a specific user, that user was not displayed and therefore could not be selected. The user existed in Active Directory, and after some investigation I also found that the problem did not occur in Central Administration or in a completely fresh web application and site collection. So it was clear that only one site collection had the issue.


The issue was caused by a restriction applied to the people picker. It is possible to restrict the scope of the people picker to a specific OU (Organizational Unit) or to use a specific LDAP filter. Let's illustrate this. In my Active Directory, I created 3 OUs, and in each of them I created a user:


In the people picker, all the users are listed:


Now, execute the following command, which applies the limitation to the site collection specified by the -url parameter:

```
stsadm -o setsiteuseraccountdirectorypath -url http://centaurus -path "OU=OU2,OU=OU1,DC=plab,DC=local"
```

The result is that the scope of the people picker is limited to OU2 within OU1:

To check the state of the limitations, execute the command below:

```
stsadm -o getsiteuseraccountdirectorypath -url http://centaurus
```

The result will be:

To simply remove any restriction, execute the following command:

```
stsadm -o setsiteuseraccountdirectorypath -url http://centaurus/ -path ""
```
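To see why a user disappears from the picker once a directory path is set, the following added example (not code from the original post) evaluates whether a user's distinguished name lies under the OU given to setsiteuseraccountdirectorypath. The user DNs and the domain plab.local are constructed to mirror the three-OU lab above; the comparison follows the RFC 4514 DN syntax (escaped commas, case-insensitive types and values) and treats an empty path as "no restriction", as the removal command does.

```python
"""Which AD users fall inside a SharePoint people picker OU restriction?

Constructed example: the site collection is restricted with
  stsadm -o setsiteuseraccountdirectorypath ... -path "OU=OU2,OU=OU1,DC=plab,DC=local"
A user DN is in scope when its RDN sequence ends with the restriction path's
RDN sequence. Multi-valued RDNs ("cn=a+sn=b") are not handled here.
"""
import re

# RFC 4514: a comma separates RDNs unless it is escaped with a backslash.
_RDN_SPLIT = re.compile(r'(?<!\\),')
# Escaped characters: "\," or a two-digit hex escape such as "\2C".
_ESCAPE = re.compile(r'\\([0-9a-fA-F]{2}|.)')


def _unescape(value: str) -> str:
    def repl(m):
        tok = m.group(1)
        return chr(int(tok, 16)) if len(tok) == 2 else tok
    return _ESCAPE.sub(repl, value)


def parse_dn(dn: str) -> list:
    """Split a DN into [(type, value), ...], most specific RDN first.

    Types and values are lower-cased because AD compares them case-insensitively.
    """
    rdns = []
    for rdn in _RDN_SPLIT.split(dn.strip()):
        attr, sep, val = rdn.partition('=')
        if not sep or not attr.strip():
            raise ValueError(f'malformed RDN: {rdn!r}')
        rdns.append((attr.strip().lower(), _unescape(val.strip()).lower()))
    return rdns


def in_scope(user_dn: str, restriction_path: str) -> bool:
    """True if user_dn lies strictly below the OU named by restriction_path."""
    if not restriction_path.strip():        # -path "" means no restriction
        return True
    user, scope = parse_dn(user_dn), parse_dn(restriction_path)
    return len(user) > len(scope) and user[-len(scope):] == scope


def hidden_users(user_dns, restriction_path: str) -> list:
    """Users the people picker will not show under the given restriction."""
    return [dn for dn in user_dns if not in_scope(dn, restriction_path)]
```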

This command has no PowerShell equivalent. It belongs to a set of stsadm operations and properties dedicated to configuring the people picker, listed below (from the TechNet article):

| Property name | Description |
| --- | --- |
| Peoplepicker-activedirectorysearchtimeout | Configures the timeout when a query is issued to Active Directory. The default timeout value is 30 seconds. |
| Peoplepicker-distributionlistsearchdomains | Restricts the search of a distribution list to a specific subset of domains. |
| Peoplepicker-nowindowsaccountsfornonwindowsauthenticationmode | Specifies not to search Active Directory when the current port is using forms-based authentication. |
| Peoplepicker-onlysearchwithinsitecollection | Displays only users who are members of the site collection when the Select People and Groups dialog box is used. |
| Peoplepicker-peopleeditoronlyresolvewithinsitecollection | Displays only users who are members of the current site collection when the Check Names button is clicked. |
| Peoplepicker-searchadcustomfilter | Enables a farm administrator to specify a unique search query. |
| Peoplepicker-searchadcustomquery | Permits the administrator to set the custom query that is sent to Active Directory. |
| Peoplepicker-searchadforests | Permits a user to search from a second one-way trusted forest or domain. |
| Peoplepicker-serviceaccountdirectorypaths | Enables a farm administrator to manage the site collection that has a specific organizational unit (OU) setting as defined in the Setsiteuseraccountdirectorypath setting. |


Another TechNet article explains the other people picker configurations that can be made:

These commands can be really useful to restrict the users that can be added to a site collection, based on OUs in Active Directory. For this to work, the Active Directory structure should follow the security model of your SharePoint organization, because the restriction can only target a single OU: it is not possible to specify several OUs.

And, finally, it has to be documented: these properties and commands are not available in the SharePoint user interface, so this feature may not come to the mind of the administrators who later have to find out why some users cannot be found in the SharePoint infrastructure.

Posted Saturday, June 09, 2012 8:40:00 PM (GMT Daylight Time, UTC+01:00)
© Copyright 2022 Yves Peneveyre