stsadm -help setproperty
Here's a list of the people picker properties that can be set:
peoplepicker-activedirectorysearchtimeout
peoplepicker-distributionlistsearchdomains
peoplepicker-nowindowsaccountsfornonwindowsauthenticationmode
peoplepicker-onlysearchwithinsitecollection
peoplepicker-searchadcustomquery
peoplepicker-searchadforests
peoplepicker-searchadforests
The people picker is flexible. First, all servers in the farm need to be within one domain. Users in the forest that the server is in (the resource forest) will automatically show up. Forests that have at least a one-way trust to that forest can be "searched" for adding users using the stsadm command in the blog post from Venky. The post also explains the scenario where users have more than one account with the same name, or objects which reference their account using the ms-ds-Source-Object-DN attribute introduced in Windows 2003 R2; Venky's post goes into more detail. In this scenario you would need to maintain the population of that attribute to show where the "real" account is.
If the trust is only one-way, you will need to specify an account from the user forest and its password; these credentials are encrypted and stored in the config database. The "peoplepicker-searchadforests" stsadm property allows you to search that forest (and multiple values) when picking users. With the command you can add multiple forests, domains, and accounts, and even search on specific properties. Note: you do need to specify the user password if there is a one-way trust, so the picker can do the lookup. If this is something that's required in your environment, you'll need to remember to maintain these usernames/passwords.
stsadm.exe -o setproperty -url http://server:port -pn "peoplepicker-searchadforests" -pv "forest:foo.corp.com;domain:bar.foo.corp.com", LoginName, P@ssword
Another example.
peoplepicker-searchadcustomquery
Allows the administrator to set the custom query that is sent to Active Directory. For example, we could set it to
stsadm.exe -o setproperty -pn peoplepicker-searchadcustomquery -pv "(physicalDeliveryOfficeName={0})"
to search users by office name. Then I could type in 16/3077 to search who is in office 16/3077.
Some valid inputs are:
(SomeAdAttribute={0})
(SomeAdAttribute={0}*)
(SomeAdAttribute={0})(AnotherAdAttribute={0})
where SomeAdAttribute or AnotherAdAttribute are the names of indexed attributes in AD. If it is set, the custom query and the SharePoint built-in query will be sent together to AD to search people.
*Please use it with caution. If the property value is not a correct AD query, it will break the people picker completely. Also, if the searched attribute is not an indexed attribute in AD, it will make AD very slow.*
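As an added example (not from the original post and not SharePoint's own code), the following Python checks a peoplepicker-searchadcustomquery value for the mistakes the caution above warns about before it is set, and shows how the typed search text should be escaped before it is substituted for {0} so it is matched literally. The built-in query stand-in and the AND combination with it are assumptions.

```python
import re

# RFC 4515 escapes for text substituted into an LDAP filter, so that what the
# user typed is matched literally instead of being parsed as filter syntax.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Stand-in for SharePoint's own built-in query (constructed; the real one is
# not documented on this page).
BUILTIN_QUERY = "(objectCategory=person)"


def escape_filter_value(text: str) -> str:
    """Escape the typed search text for safe inclusion in the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in text)


def validate_template(template: str) -> None:
    """Reject a custom query that would break the picker once it is set:
    no {0} placeholder, unbalanced parentheses, or an innermost component
    that is not of the form (attribute=value)."""
    if "{0}" not in template:
        raise ValueError("custom query must contain the {0} placeholder")
    depth = 0
    for ch in template:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth < 0:
            raise ValueError("unbalanced ')' in custom query")
    if depth != 0:
        raise ValueError("unbalanced '(' in custom query")
    # innermost components (no nested parentheses) must look like attr=value
    for comp in re.findall(r"\(([^()]*)\)", template):
        if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*=.+", comp):
            raise ValueError(f"component ({comp}) is not attribute=value")


def template_is_valid(template: str) -> bool:
    """True if validate_template accepts the custom query."""
    try:
        validate_template(template)
        return True
    except ValueError:
        return False


def build_picker_filter(template: str, typed: str) -> str:
    """Substitute the escaped typed text into the template and AND it with
    the built-in query (the AND combination is an assumption)."""
    validate_template(template)
    custom = template.replace("{0}", escape_filter_value(typed))
    return f"(&{BUILTIN_QUERY}{custom})"
```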
Note: The People Picker can only do wildcard searches for AD Windows group names. With any role provider other than the out-of-the-box AD one, the role provider lookup matches the entire name. For example, if you have a group called "Readers" and you enter "Read" in the People Picker search dialog, it will not find your group; if you enter "Readers" it will. The role provider doesn't provide a good way to do wildcard group searches. See "Multiple Auth Providers" for more info. Steven Fowler's post on figuring out a custom membership provider has some great insights, and another post, People Picker and Custom Membership Provider, has dev insights on the GetUser() method.
peoplepicker-onlysearchwithinsitecollection
This will restrict the picker to only people and groups that are in the site collection.
peoplepicker-nowindowsaccountsfornonwindowsauthenticationmode
This could be used to turn off the Windows lookup on a non-AD web app. From there you'd be leveraging the custom provider.
peoplepicker-activedirectorysearchtimeout
Allows you to manage the Active Directory search timeout for lower-bandwidth / higher-latency environments.
peoplepicker-distributionlistsearchdomains
I'm not sure. I'll try to find out more. Note: DLs cannot be used for securing a SharePoint site, list, etc.
<update 4/11/07>
Great Quote from Jim in comments:
To use peoplepicker-searchadforests with credentials, which you need to specify if you don’t have two-way trusts in place, you must first set an encryption key:
stsadm.exe -o setapppassword -password key
This sets a key that will be used to encrypt/decrypt the password in the content database. Failure to do this results in a “command line error” message.
Secondly, the peoplepicker runs under the credentials of the application pool the site is running in. Make sure the application pool identity is a domain account with the right permissions.
Joel: This security key is REQUIRED to be run on every server with extended web apps (WFEs AND any index servers that have the WFE role) otherwise it will not work.
</update>
Related resources:
Determining the Global Deployment Approach
Global & Multi Farm Deployments
Basic and Advanced Deployment in a Nutshell
Security Blog Post on WSS and Office SharePoint Server 2007
SharePoint Manageability and Governance
MultiLingual Solutions on MOSS White Paper (Great info on variations, WSS and MOSS language packs)
Nice post! I really like the option to turn off windows lookup on non-AD apps. Thanks.
I've been trying to get users from a separate forest into our Sharepoint Portal. There is a one way trust and yet I'm unable to use stsadm.exe as your blog states.
Is this functionality unavailable in SPP 2003?
How do I get users from a separate forest access? I am able to do this with a Captaris tool operating on the same server. But when I run my version of the following command line:
which is entered as:
stsadm.exe -o setproperty -url http://sharepointsvr -pn "peoplepicker-searchadforests" -pv "forest:outsideagency.net;domain:domaincontroller.outsideagency.net", trustedaccount, p@ssword
I get a 'Command Line Error'
Is there a way to upgrade the stsadm.exe for this 2003 instance of sharepoint portal server just to bind these accounts??
The people picker stuff I mentioned is for WSS 3.0 and MOSS 2007.
There is a cross forest people picker on gotdotnet a community tool that you could try for SPS 2003. You can find a link from my 2003 IT Pro resources set of links. "Cross Forest People Picker for WSS (Requires SPS Profiles)"
I was preparing for a TechReady (internal Technical Readiness conference) Presentation and for my advanced
I have tried using the peoplepicker-searchadforests setproperty command per your and Ben's blogs and no luck. I keep getting "Cannot retrieve the information for application credential key." I am providing usernames and passwords as well and still nothing.
Any insight would be appreciated!
I’ve been pinged a couple of times recently about multi forest environments. This *does* work. It *was*
Content deployment is an excellent way to publish SharePoint content between farms. A few things to keep
Problem:
In a multi-domain environment, the SSP User Profile import is configured, but when adding users to a site, users from the new domain still cannot be found. Solution:
By default the people picker can only look up users in the domain where the server is located; to look up...
When I set searchadcustomquery, I cannot add users.
Picker can look at the OU and pick from there but when I click OK it redirect me to an error page: "The user does not exist or is not unique."
stsadm.exe -o setproperty -pn peoplepicker-searchadcustomquery -pv "(&(objectCategory=Person)(objectClass=User)(memberOf=cn=Myusers_Everyone,ou=myplace,ou=Plan,ou=myou,dc=blah,dc=blah,dc=com))"
Any idea?
Hi Ishai,
I am greatly impressed by your posts. I have this problem with the people picker. This is the problem in brief:
We initially had a single server deployment with 8 web apps on WSS 3.0.
Due to load, we have now moved them to a new farm with 3 servers with the following configuration:
1. all having WSS 3.0 SP1
2. all patched with Search Server Express 2008
3. search and query being served by server3
Also noteworthy here is that due to budget constraints and such, we didn't have load balancing, so we are doing context switching with
4 apps on server1 and 4 apps on server2.
Each of these apps is turned off in IIS on the other server, and each app has its own IP and DNS.
So the NIC of each server has 4 IPs.
Backup/restore happened like a charm. The expected context switching happens like a charm. But now the people picker goes into an infinite "query being processed" and never fetches anything.
This problem has become a red flag as this is the 4th day and I could find nothing that worked.
It's really a nice one but I want to know how can we restrict people picker only to a specific Security group in AD.
Hello Joel,
Great points.
Could you help me ?
I'm having problems in my Sharepoint and I think the problem is the people picker.
When I try to find a User in my AD, by adding a user into "people and groups" it takes a lot of time to find the user. When I try to select more than one user, it gives me a yellow page.
I've searched my event log and I found a monstrous log.
In my AD, I have more than 200.000 users.
But it was working well a few weeks ago.
What do you think? Do you think the problem is in the people picker?
Thank you for this post, it helped me a lot to understand some functions of the PP.
If possible, could you send me an email with some idea about that?
pbertrao@hotmail.com
Thank you,
My Best Regards,
Pablo Bertrão
I have the following problem with the People Picker on ONE of my web frontend servers. We have 2 frontend servers.
If I open up pickup.aspx by clicking the Browse icon in the Add users web form, I will get the pickup form; then if I enter more than two letters, say something like "lo", it will give me a message "THERE WAS AN ERROR IN THE CALLBACK" in red letters.
If I enter only one letter, say something like "l" it will bring immediately a bunch of users where the letter "l" is in any part of their displayName attribute.
Thanks in advance!
Paul