Cloud and Microsoft technologies enthusiast architect in Switzerland RSS 2.0
# Saturday, June 09, 2012

This post is also published on The SharePoint Bar

Recently, I was called to troubleshoot and fix an issue on a SharePoint 2010 farm with a simple statement that not all the users were displayed in the people picker list. Indeed, some users were listed, some not, without having a clear common pattern that could lead to something like “they are not in a group with enough privileges” or anything similar.

The symptoms

A simple way to reproduce the issue was to open a “Library Permissions” or a “List Permissions” in the ribbon of any library or list and then to select “Check Permissions” in the ribbon. This will open a dialog from which a people picker can easily be opened.

imageimage

Now, when clicking on the address book button and looking for a specific user, it was not displayed and therefore not selectable. This user was existing in the Active Directory, and, after a bit of time of investigation, I also found that, on the Central Administration or in a completely fresh web application and site collection, the problem was not present. Thus, it was clear it was only one site collection that had the issue.

Resolution

The issue was caused by a restriction applied to the people picker. Indeed, it is possible to restrict the scope of the people picker to a specific OU (Organizational Unit) or to use a specific LDAP filter. Let’s illustrate this. In my Active Directory, I created 3 OU, in each of them I created a user :

imageimageimage

In the people picker, I have all the users :

image

Now, execute the following command, which applies the limitation to the site collection specified by the –url parameter :

stsadm -o setsiteuseraccountdirectorypath -url http://centaurus -path "OU=OU2,OU=OU1,DC=plab,DC=local"

The result is that you will limit the scope of the people picker to the OU2 within OU1 :

image

To check the state of the limitations, execute the command below :

stsadm -o getsiteuseraccountdirectorypath -url http://centaurus

The result will be :

<SiteUserAccountDirectoryPath>OU=OU2,OU=OU1,DC=plab,DC=local</SiteUserAccountDirectoryPath>

To simply remove any restriction, execute the following command :

stsadm -o setsiteuseraccountdirectorypath -url http://centaurus/ -path ""

This command has no PowerShell equivalent and is part of a set of others along with properties, dedicated to configure the people picker and that are listed below (from the TechNet article : http://technet.microsoft.com/en-us/library/gg602068.aspx) :

Property name Description
Peoplepicker-activedirectorysearchtimeout

Configures the timeout when a query is issued to Active Directory. The default timeout value is 30 seconds. For more information, see Peoplepicker-activedirectorysearchtimeout.

Peoplepicker-distributionlistsearchdomains

Restricts the search of a distribution list to a specific subset of domains. For more information, see Peoplepicker-distributionlistsearchdomains.

Peoplepicker-nowindowsaccountsfornonwindowsauthenticationmode

Specifies not to search Active Directory when the current port is using forms-based authentication. For more information, see Peoplepicker-nowindowsaccountsfornonwindowsauthenticationmode.

Peoplepicker-onlysearchwithinsitecollection

Displays only users who are members of the site collection when the Select People and Groups dialog box is used. For more information, see Peoplepicker-onlysearchwithinsitecollection.

Peoplepicker-peopleeditoronlyresolvewithinsitecollection

Displays only users who are members of the current site collection when the Check Names button is clicked. For more information, see Peoplepicker-peopleeditoronlyresolvewithinsitecollection: Stsadm property (SharePoint Server 2010).

Peoplepicker-searchadcustomfilter

Enables a farm administrator to specify a unique search query. For more information, see Peoplepicker-searchadcustomfilter.

Peoplepicker-searchadcustomquery

Permits the administrator to set the custom query that is sent to Active Directory. For more information, see Peoplepicker-searchadcustomquery.

Peoplepicker-searchadforests

Permits a user to search from a second one-way trusted forest or domain. For more information, see Peoplepicker-searchadforests.

Peoplepicker-serviceaccountdirectorypaths

Enables a farm administrator to manage the site collection that has a specific organizational unit (OU) setting as defined in the Setsiteuseraccountdirectorypath setting. For more information, see Peoplepicker-serviceaccountdirectorypaths.

 

This other TechNet article explains what are the other people picker configurations that can be done : http://technet.microsoft.com/en-us/library/gg602075.aspx

These different commands can be really useful to restrict the users that can be added in a site collection, based on OUs in the Active Directory. To enable this, the Active Directory should follow the security model of your SharePoint organization, as it is only possible to restrict to a single OU as it is not possible to specify several OUs.

And, finally, it has to be documented, as these different properties and commands are not available in the SharePoint user interface and this feature may not come to the mind of the administrators that would have to find out why they don’t find users in the SharePoint infrastructure.

Saturday, June 09, 2012 8:40:00 PM (GMT Daylight Time, UTC+01:00)  #    Comments [0] -
SharePoint
Google Cloud Platform Certified Professional Cloud Architect
Ranked #1 as
French-speaking SharePoint
Community Influencer 2013
Navigation
Currently Reading :
I was there :
I was there :
I was exhibiting at :
I was there :
I was a speaker at :
I was a speaker at :
I was a speaker at
(January 2013 session):
I was a speaker at :
I was a speaker at :
United Nations (UN) SharePoint Event 2011
I was a speaker at :
I was there !
I was there !
I was there !
I was there !
Archive
<November 2020>
SunMonTueWedThuFriSat
25262728293031
1234567
891011121314
15161718192021
22232425262728
293012345
About the author/Disclaimer

Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

© Copyright 2020
Yves Peneveyre
Sign In
Statistics
Total Posts: 289
This Year: 1
This Month: 0
This Week: 0
Comments: 19
Themes
Pick a theme:
All Content © 2020, Yves Peneveyre
DasBlog theme 'Business' created by Christoph De Baene (delarou)