This post is also published on The SharePoint Bar
Recently, I was called to troubleshoot and fix an issue on a SharePoint 2010 farm, reported with a simple statement: not all users were displayed in the people picker. Some users were listed, some were not, without any clear common pattern that could point to something like “they are not in a group with enough privileges” or anything similar.
A simple way to reproduce the issue was to open “Library Permissions” or “List Permissions” from the ribbon of any library or list and then select “Check Permissions” in the ribbon. This opens a dialog from which a people picker can easily be opened.
When clicking the address book button and searching for a specific user, that user was not displayed and therefore could not be selected. The user did exist in Active Directory, and after some investigation I also found that the problem was not present in Central Administration or in a completely fresh web application and site collection. It was therefore clear that only one site collection had the issue.
The issue was caused by a restriction applied to the people picker. It is possible to restrict the scope of the people picker to a specific OU (Organizational Unit) or to apply a specific LDAP filter. Let’s illustrate this. In my Active Directory, I created three OUs and a user in each of them:
In the people picker, I see all the users:
Now, execute the following command, which applies the restriction to the site collection specified by the -url parameter:
stsadm -o setsiteuseraccountdirectorypath -url http://centaurus -path "OU=OU2,OU=OU1,DC=plab,DC=local"
The result is that the scope of the people picker is limited to OU2 within OU1:
To check the current restriction, execute the command below:
stsadm -o getsiteuseraccountdirectorypath -url http://centaurus
The result will be:
To remove any restriction, execute the following command:
stsadm -o setsiteuseraccountdirectorypath -url http://centaurus/ -path ""
This command has no PowerShell equivalent. It belongs to a set of stsadm commands and properties dedicated to configuring the people picker, listed below (from the TechNet article http://technet.microsoft.com/en-us/library/gg602068.aspx):
This other TechNet article explains the other people picker configurations that can be done: http://technet.microsoft.com/en-us/library/gg602075.aspx
These commands can be really useful to restrict the users that can be added to a site collection, based on OUs in Active Directory. For this to work, the Active Directory structure should follow the security model of your SharePoint organization, since the restriction can only target a single OU; several OUs cannot be specified.
Finally, it has to be documented: these properties and commands are not available in the SharePoint user interface, and this feature may not come to mind to administrators who have to find out why users cannot be found in the SharePoint infrastructure.
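Since the restriction is invisible in the user interface and per site collection, an audit script run from the SharePoint 2010 Management Shell is the quickest way to locate the site collection that carries a -path value. The script below is an added example, not code from the original post; it assumes that the SPSite.UserAccountDirectoryPath property of the server object model exposes the same value that stsadm getsiteuseraccountdirectorypath and setsiteuseraccountdirectorypath read and write, and reuses the http://centaurus web application URL from the post.

```powershell
# Added example (not from the original post): report the people picker OU
# restriction of every site collection, so the one that was scoped with
# stsadm -o setsiteuseraccountdirectorypath can be found quickly.
# Assumption: SPSite.UserAccountDirectoryPath holds the value that the
# stsadm get/setsiteuseraccountdirectorypath operations read and write.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-PeoplePickerScopeReport {
    param(
        # Scan one web application; omit to scan every site collection in the farm.
        [string]$WebApplicationUrl
    )
    $sites = if ($WebApplicationUrl) {
        Get-SPSite -WebApplication $WebApplicationUrl -Limit All
    } else {
        Get-SPSite -Limit All
    }
    foreach ($site in $sites) {
        try {
            # An empty path means no restriction: the whole directory is searched.
            $path = $site.UserAccountDirectoryPath
            $restricted = -not [string]::IsNullOrEmpty($path)
            if (-not $restricted) { $path = '(none)' }
            New-Object PSObject -Property @{
                Url           = $site.Url
                Restricted    = $restricted
                DirectoryPath = $path
            }
        } finally {
            # SPSite objects returned by Get-SPSite must be disposed.
            $site.Dispose()
        }
    }
}

# Usage: show only the site collections whose people picker is scoped to an OU.
Get-PeoplePickerScopeReport -WebApplicationUrl 'http://centaurus' |
    Where-Object { $_.Restricted } |
    Format-Table Url, DirectoryPath -AutoSize
```

Running it without the Where-Object filter lists every site collection with "(none)" where no restriction applies, which is a useful baseline to keep with the documentation mentioned above.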