Lost your users? Don’t panic, and check your people picker configuration

Written by Yves

June 9, 2012

This post is also published on The SharePoint Bar

Recently, I was called to troubleshoot and fix an issue on a SharePoint 2010 farm, with the simple statement that not all users were displayed in the people picker. Indeed, some users were listed and some were not, without a clear common pattern that could point to something like “they are not in a group with enough privileges” or anything similar.

The symptoms

A simple way to reproduce the issue was to open “Library Permissions” or “List Permissions” from the ribbon of any library or list, and then select “Check Permissions” in the ribbon. This opens a dialog from which a people picker can easily be opened.


Now, when clicking the address book button and searching for a specific user, the user was not displayed and therefore not selectable. This user existed in Active Directory, and after some investigation I also found that the problem was absent in Central Administration and in a completely fresh web application and site collection. So it was clear that only one site collection had the issue.

Resolution

The issue was caused by a restriction applied to the people picker. It is possible to restrict the scope of the people picker to a specific OU (Organizational Unit) or to apply a specific LDAP filter. Let’s illustrate this. In my Active Directory, I created three OUs and one user in each of them:


In the people picker, I see all the users:


Now, execute the following command, which applies the limitation to the site collection specified by the -url parameter:

stsadm -o setsiteuseraccountdirectorypath -url http://centaurus -path "OU=OU2,OU=OU1,DC=plab,DC=local"

The result is that the scope of the people picker is limited to OU2 within OU1:


To check the state of the limitation, execute the command below:

stsadm -o getsiteuseraccountdirectorypath -url http://centaurus

The result will be:

<SiteUserAccountDirectoryPath>OU=OU2,OU=OU1,DC=plab,DC=local</SiteUserAccountDirectoryPath>

To remove any restriction, execute the following command with an empty path:

stsadm -o setsiteuseraccountdirectorypath -url http://centaurus/ -path ""
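The set, get and clear steps above, wrapped in PowerShell functions as an added example that is not part of the original post. It assumes stsadm.exe sits in the SharePoint 2010 "14" hive, that the restriction behaves as an LDAP subtree search under the configured OU, and uses constructed sample user DNs (the post does not name its three users); the Test-DnInScope helper shows why a given user disappears from the picker once the scope is applied.

```powershell
# Added example, not from the original post. Wraps the three stsadm commands
# shown above and adds a DN check that explains why a user is hidden by the scope.
# Assumptions: stsadm.exe is in the SharePoint 2010 "14" hive, and the restriction
# is applied as an LDAP subtree search under the configured OU.
$StsadmPath = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\14\BIN\stsadm.exe'

function Get-PeoplePickerScope {
    # Runs getsiteuseraccountdirectorypath and returns the DN, or '' when unrestricted.
    param([Parameter(Mandatory=$true)][string]$Url)
    $out = & $StsadmPath -o getsiteuseraccountdirectorypath -url $Url 2>&1 | Out-String
    $m = [regex]::Match($out, '<SiteUserAccountDirectoryPath>(.*?)</SiteUserAccountDirectoryPath>', 'Singleline')
    if ($m.Success) { return $m.Groups[1].Value.Trim() }
    return ''   # empty or self-closing element: no restriction on this site collection
}

function Set-PeoplePickerScope {
    # Applies a restriction; an empty -Path removes it, exactly as in the post.
    param([Parameter(Mandatory=$true)][string]$Url, [string]$Path = '')
    & $StsadmPath -o setsiteuseraccountdirectorypath -url $Url -path $Path
}

function Split-Dn {
    # Splits a DN into normalised RDNs, honouring escaped commas (e.g. "CN=Doe\, John").
    param([string]$Dn)
    if ([string]::IsNullOrEmpty($Dn)) { return @() }
    [regex]::Split($Dn, '(?<!\\),') | ForEach-Object { ($_ -replace '\s*=\s*', '=').Trim().ToLowerInvariant() }
}

function Test-DnInScope {
    # True when $UserDn is the base OU itself or lies anywhere beneath it.
    # RDNs are compared one by one from the right, so "OU=XOU2,..." never matches "OU=OU2,...".
    param([string]$UserDn, [string]$BaseDn)
    $user = @(Split-Dn $UserDn)
    $base = @(Split-Dn $BaseDn)
    if ($base.Count -eq 0) { return $true }          # no restriction configured
    if ($user.Count -lt $base.Count) { return $false }
    $offset = $user.Count - $base.Count
    for ($i = 0; $i -lt $base.Count; $i++) {
        if ($user[$offset + $i] -ne $base[$i]) { return $false }
    }
    return $true
}

# Dry run against constructed sample DNs under the scope used in the post.
$scope = 'OU=OU2,OU=OU1,DC=plab,DC=local'
$sampleUsers = @(
    'CN=user1,OU=OU1,DC=plab,DC=local',          # parent OU only: hidden
    'CN=user2,OU=OU2,OU=OU1,DC=plab,DC=local',   # inside the restricted OU: visible
    'CN=user3,OU=OU3,DC=plab,DC=local',          # unrelated OU: hidden
    'CN=user4,ou=ou2, ou=ou1, dc=plab, dc=local' # case and spacing differences are normalised: visible
)
foreach ($u in $sampleUsers) {
    '{0,-44} visible: {1}' -f $u, (Test-DnInScope -UserDn $u -BaseDn $scope)
}

# Against the farm itself (URL taken from the post, replace with your own):
# $current = Get-PeoplePickerScope -Url 'http://centaurus'
# if ($current) { "Restricted to $current" } else { 'No restriction' }
```

The DN comparison deliberately works RDN by RDN rather than with a string suffix match: Active Directory DNs are case-insensitive and may carry spaces after commas, and a naive substring test can confuse OUs whose names share a suffix.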

This command has no PowerShell equivalent. It belongs to a set of stsadm operations and properties dedicated to configuring the people picker, listed below (from the TechNet article: http://technet.microsoft.com/en-us/library/gg602068.aspx):

Property name and description:

Peoplepicker-activedirectorysearchtimeout: configures the timeout when a query is issued to Active Directory. The default timeout value is 30 seconds.

Peoplepicker-distributionlistsearchdomains: restricts the search of a distribution list to a specific subset of domains.

Peoplepicker-nowindowsaccountsfornonwindowsauthenticationmode: specifies not to search Active Directory when the current port is using forms-based authentication.

Peoplepicker-onlysearchwithinsitecollection: displays only users who are members of the site collection when the Select People and Groups dialog box is used.

Peoplepicker-peopleeditoronlyresolvewithinsitecollection: displays only users who are members of the current site collection when the Check Names button is clicked.

Peoplepicker-searchadcustomfilter: enables a farm administrator to specify a unique search query.

Peoplepicker-searchadcustomquery: permits the administrator to set the custom query that is sent to Active Directory.

Peoplepicker-searchadforests: permits a user to search from a second one-way trusted forest or domain.

Peoplepicker-serviceaccountdirectorypaths: enables a farm administrator to manage the site collection that has a specific organizational unit (OU) setting, as defined by the Setsiteuseraccountdirectorypath operation.

This other TechNet article explains the other people picker configurations that can be done: http://technet.microsoft.com/en-us/library/gg602075.aspx

These commands can be really useful to restrict the users that can be added to a site collection, based on OUs in Active Directory. To make this work, the Active Directory structure must follow the security model of your SharePoint organization, because the restriction accepts a single OU: it is not possible to specify several OUs.

And finally, it has to be documented: these properties and commands are not available in the SharePoint user interface, and this feature may not come to mind for administrators who have to find out why users are missing from the SharePoint infrastructure.
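One way to produce that documentation, as an added example that is not the post's own code: a farm-wide report of every people picker restriction, site-collection and web-application level, exported to CSV so the next "missing users" ticket starts from facts. It assumes the SharePoint 2010 server object model as I know it, namely the SPSite.UserAccountDirectoryPath property (the value behind get/setsiteuseraccountdirectorypath) and the SPWebApplication.PeoplePickerSettings properties named in the code; confirm the names against your farm before relying on the output.

```powershell
# Added example, not from the original post. Reports every people picker
# restriction in the farm so that they are documented, as the post recommends.
# Assumed object model (SharePoint 2010): SPSite.UserAccountDirectoryPath and
# SPWebApplication.PeoplePickerSettings with the properties used below.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function New-ReportRow {
    param([string]$Level, [string]$Url, [string]$Setting, [string]$Value)
    New-Object PSObject -Property @{ Level = $Level; Url = $Url; Setting = $Setting; Value = $Value }
}

function Get-PeoplePickerRestrictionReport {
    $report = @()
    foreach ($wa in Get-SPWebApplication) {
        $pp = $wa.PeoplePickerSettings

        # Web-application level settings that can also hide users from the picker
        # (these correspond to the Peoplepicker-* stsadm properties listed above).
        $forests = ($pp.SearchActiveDirectoryDomains | ForEach-Object { $_.DomainName }) -join ';'
        $report += New-ReportRow 'WebApplication' $wa.Url 'ActiveDirectoryCustomFilter'    $pp.ActiveDirectoryCustomFilter
        $report += New-ReportRow 'WebApplication' $wa.Url 'ActiveDirectoryCustomQuery'     $pp.ActiveDirectoryCustomQuery
        $report += New-ReportRow 'WebApplication' $wa.Url 'OnlySearchWithinSiteCollection' $pp.OnlySearchWithinSiteCollection
        $report += New-ReportRow 'WebApplication' $wa.Url 'SearchActiveDirectoryDomains'   $forests

        # Site-collection level OU restriction: the setting behind the symptom in the post.
        foreach ($site in $wa.Sites) {
            try {
                $path = $site.UserAccountDirectoryPath
                if (-not [string]::IsNullOrEmpty($path)) {
                    $report += New-ReportRow 'SiteCollection' $site.Url 'UserAccountDirectoryPath' $path
                }
            }
            finally {
                $site.Dispose()   # SPSite objects must be disposed when enumerated this way
            }
        }
    }
    return $report
}

$rows = Get-PeoplePickerRestrictionReport
$rows | Sort-Object Level, Url | Format-Table Level, Url, Setting, Value -AutoSize
# Keep a dated copy next to the farm documentation.
$rows | Export-Csv -Path (".\peoplepicker-restrictions-{0:yyyyMMdd}.csv" -f (Get-Date)) -NoTypeInformation
```

Run it from the SharePoint 2010 Management Shell with a farm administrator account; a site collection only appears in the report when its OU path is non-empty, so an empty "SiteCollection" section means no site-level restriction exists anywhere in the farm.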
