Tuesday, October 28, 2008

Limiting the SharePoint People Picker

In SharePoint there will be times where you will want to control what results the people picker returns. The most common scenarios are in an extranet or hosting environment.
There are four strategies which can be used to limit the people picker. All of these are managed using STSADM commands. The four strategies are:-
  1. Applying a custom active directory filter
  2. Limiting the people picker search to within a site collection
  3. Limiting the people picker search to within an Active Directory(AD) Organisational Unit(OU)
  4. Disable returning windows accounts when the authentication method for the web application is via forms based authentication

    Some of these commands are not very well known and some are new in MOSS SP1.

Custom Active Directory Filter

To limit the search to a custom AD filter use the STSADM property peoplepicker-searchadcustomfilter

This property is new in SP1 and when a people search is executed it will return results that only match the combination of the built in query and the custom filter that is defined for the site collection.

To create a custom filter which will only return users with a title of Vice President run the following command for their site collection.

stsadm -o setproperty -url http://server/sites/vp-site -pn peoplepicker-searchadcustomfilter -pv ((Title=Vice President))

There is also a similar property with slightly different functionality called peoplepicker-searchadcustomquery. This command is also available pre-SP1 however you should ensure that the Active Directory attribute that is being queried is indexed; otherwise there may be performance problems.

Search only within a site collection

This option is suitable to a classic extranet environment where the internal and external user accounts are in the active directory however you do not want the extranet users to be able to search and browse the directory listing. Note that this is not 100% secure, users can still search Active Directory using a fully qualified logon name, regardless of this property setting. To only list users who have been added to a site collection use the property - peoplepicker-onlysearchwithinsitecollection. As an example:

stsadm -o setproperty –url http://extranet.company.com/sites/project1 –pn peoplepicker-onlysearchwithinsitecollection –pv yes

Consider for this site collection there is an AD user account: 'Gavin Adams COMPANY\gadams)' who is not a member of the site collection and the user 'John Doe (COMPANY\jdoe)' is already a member of the site collection. The behaviour that the users will see when they add a user to the site is as follows.

Search only within an AD OU

To limit the search to a path with AD (ie an OU) use the operation setsiteuseraccountdirectorypath

This operation is new in SP1. Once this is set for a site collection no other users can be added to the site collection that are not within that OU. Note that only one OU path can be specified per site collection. An example of this command is:-

stsadm -o setsiteuseraccountdirectorypath -path "OU=Employees,DC=Company,DC=com" –url http://server/sites/teamsite

Often administrative user accounts are in a different OU from the users for a site collection, therefore after the above operation has been applied to a site collection, the property peoplepicker-serviceaccountdirectorypaths is used to define the location of the administrator accounts. For example:-

stsadm -o setproperty -url http://server/sites/teamsite -pn peoplepicker-serviceaccountdirectorypaths -pv " OU=MOSS-Gods,DC=Company,DC=com

Non Windows Accounts only via FBA

If you have a web application that is configured to use forms based authentication and the account and membership provider is not Active Directory (eg a SQL database), then the property peoplepicker-nowindowsaccountsfornonwindowsauthenticationmode can be set against the web application or zone so that the people search will not return any active directory user accounts.

An example of the command with a web application https://extranet.company.com would be:

stsadm -o setproperty -url https://extranet.company.com -pn peoplepicker-nowindowsaccountsfornonwindowsauthenticationmode -pv yes

To use peoplepicker-searchadforests with credentials, which you need to specify if you don’t have two-way trusts in place, you must first set an encryption key:
stsadm.exe -o setapppassword -password key
This sets a key that will be used to encrypt/decrypt the password in the content database. Failure to do this results in a “command line error” message.
Secondly, the peoplepicker runs under the credentials of the application pool the site is running in(password of this credential user). Make sure the application pool identity is a domain account with the right permissions.


Oscar Fuster said...

One way to limit identities displayed in the MOSS people picker is to use Epok's Edition for Microsoft SharePoint extranet solution. What we do is limit the view of the people picker to only those members of specific partners that we want to share information with. This can be done with a single partner or it can reflect a larger community of partners. The groupings are created with Epok software and can be reflective of identities in SQL or in a separate AD specifically dedicated to the extranet. Additionally, we can incorporate the sharing policy,automatic expiration dates, terms and conditions, watermarking a lots of other features. Check out www.epok.net or the Authority Net blog at http://research.epokinc.com/blog/

Anonymous said...

Good Post. One question though, once I have set the property, how do I reset it. Before setting the property, it says PropertyExists="no", but once I set it and then later I want to remove the filter, how do i do it?

Anonymous said...

I want this exact opposite to work on the default site "Non Windows Accounts only via FBA"

Meaning I don't want non windows user to show up on the people picker on the default site. Only on the extended site.

SEO tools said...

Thanks for sharing your info. I really appreciate your efforts and I will be waiting for your further write ups thanks once again.