There are four strategies which can be used to limit the people picker. All of these are managed using STSADM commands. The four strategies are:-
- Applying a custom active directory filter
- Limiting the people picker search to within a site collection
- Limiting the people picker search to within an Active Directory (AD) Organisational Unit (OU)
- Disabling the return of Windows accounts when the authentication method for the web application is forms based authentication
Some of these commands are not very well known and some are new in MOSS SP1.
Custom Active Directory Filter
To limit the search to a custom AD filter, use the STSADM property peoplepicker-searchadcustomfilter.
This property is new in SP1. When a people search is executed it returns only the results that match both the built-in query and the custom filter defined for the site collection.
To create a custom filter that only returns users with a title of Vice President, run the following command against the site collection (the filter value is quoted because it contains a space):
stsadm -o setproperty -url http://server/sites/vp-site -pn peoplepicker-searchadcustomfilter -pv "((Title=Vice President))"
There is also a similar property with slightly different functionality called peoplepicker-searchadcustomquery. This property is also available pre-SP1; however, you should ensure that the Active Directory attribute being queried is indexed, otherwise there may be performance problems.
Search only within a site collection
This option is suitable for a classic extranet environment where the internal and external user accounts are both in Active Directory but you do not want the extranet users to be able to search and browse the directory listing. Note that this is not 100% secure: users can still resolve an Active Directory account by entering its fully qualified logon name, regardless of this property setting. To only list users who have already been added to the site collection, use the property peoplepicker-onlysearchwithinsitecollection. As an example:
stsadm -o setproperty -url http://extranet.company.com/sites/project1 -pn peoplepicker-onlysearchwithinsitecollection -pv yes
Consider that for this site collection there is an AD user account 'Gavin Adams (COMPANY\gadams)' who is not a member of the site collection, and the user 'John Doe (COMPANY\jdoe)' who is already a member of the site collection. The behaviour that the users will see when they add a user to the site is as follows.
Search only within an AD OU
To limit the search to a path within AD (i.e. an OU), use the operation setsiteuseraccountdirectorypath.
This operation is new in SP1. Once it is set for a site collection, no users outside that OU can be added to the site collection. Note that only one OU path can be specified per site collection. An example of this command is:-
stsadm -o setsiteuseraccountdirectorypath -path "OU=Employees,DC=Company,DC=com" -url http://server/sites/teamsite
Administrative user accounts are often in a different OU from the users of a site collection. Therefore, after the above operation has been applied to a site collection, the property peoplepicker-serviceaccountdirectorypaths is used to define the location of the administrator accounts so they can still be added. For example:-
stsadm -o setproperty -url http://server/sites/teamsite -pn peoplepicker-serviceaccountdirectorypaths -pv "OU=MOSS-Gods,DC=Company,DC=com"
Non Windows Accounts only via FBA
If you have a web application that is configured to use forms based authentication and the membership and role provider is not Active Directory (e.g. a SQL database), then the property peoplepicker-nowindowsaccountsfornonwindowsauthenticationmode can be set against the web application or zone so that the people search will not return any Active Directory user accounts.
An example of the command with a web application https://extranet.company.com would be:
stsadm -o setproperty -url https://extranet.company.com -pn peoplepicker-nowindowsaccountsfornonwindowsauthenticationmode -pv yes
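As an added example (not from the original post), the following PowerShell script applies the three site-collection-scoped restrictions described above with STSADM and reads each property back with getproperty so a mistyped name or value is caught immediately; it also refuses to apply an LDAP custom filter whose parentheses are unbalanced, since a malformed filter breaks every people search instead of narrowing it. The site URL, OU distinguished names and filter are placeholder values, and stsadm.exe is assumed to be on the PATH.

```powershell
# Added example, not part of the original post. Placeholder values follow.
$siteUrl  = "http://extranet.company.com/sites/project1"   # placeholder site collection
$userOu   = "OU=Employees,DC=Company,DC=com"                # placeholder user OU
$adminOu  = "OU=MOSS-Gods,DC=Company,DC=com"                # placeholder admin OU
$adFilter = "(Title=Vice President)"                        # placeholder LDAP filter

# Check that an LDAP filter has balanced parentheses and is wrapped in one
# outer pair before it is handed to Active Directory.
function Test-LdapFilterBalanced([string]$Filter) {
    $depth = 0
    foreach ($ch in $Filter.ToCharArray()) {
        if ($ch -eq '(') { $depth++ }
        elseif ($ch -eq ')') { $depth--; if ($depth -lt 0) { return $false } }
    }
    return ($depth -eq 0 -and $Filter.StartsWith('(') -and $Filter.EndsWith(')'))
}

# Set one people picker property, fail on a non-zero STSADM exit code, and
# read the stored value back with getproperty to confirm what was applied.
function Set-PeoplePickerProperty([string]$Url, [string]$Name, [string]$Value) {
    & stsadm -o setproperty -url $Url -pn $Name -pv $Value | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "setproperty $Name failed (exit code $LASTEXITCODE)" }
    $readBack = & stsadm -o getproperty -url $Url -pn $Name
    Write-Host "$Name => $readBack"
}

if (-not (Test-LdapFilterBalanced $adFilter)) {
    throw "Refusing to apply malformed LDAP filter: $adFilter"
}

# 1. Custom AD filter (SP1): results must match the built-in query and this filter.
Set-PeoplePickerProperty $siteUrl 'peoplepicker-searchadcustomfilter' $adFilter

# 2. Extranet: only list users already in the site collection. Not a hard
#    boundary: a fully qualified logon name still resolves against AD.
Set-PeoplePickerProperty $siteUrl 'peoplepicker-onlysearchwithinsitecollection' 'yes'

# 3. Restrict the site collection to one OU, then register the admin OU so
#    administrators outside $userOu can still be added.
& stsadm -o setsiteuseraccountdirectorypath -path $userOu -url $siteUrl | Out-Null
if ($LASTEXITCODE -ne 0) { throw "setsiteuseraccountdirectorypath failed (exit code $LASTEXITCODE)" }
Set-PeoplePickerProperty $siteUrl 'peoplepicker-serviceaccountdirectorypaths' $adminOu
```

Run it from an elevated prompt on a farm server as a farm administrator; each getproperty line printed afterwards shows the value actually stored for the site collection.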
To use peoplepicker-searchadforests with credentials, which you need to specify if you don't have two-way trusts in place, you must first set an encryption key:
stsadm.exe -o setapppassword -password key
This sets a key that will be used to encrypt/decrypt the password in the content database. Failure to do this results in a “command line error” message.
Secondly, the people picker runs under the credentials of the application pool the site is running in (that credential user's password is what is encrypted). Make sure the application pool identity is a domain account with the right permissions.