Filter OU on People Picker in SharePoint 2013

Hi everyone,

I'm not sure whether some People Picker properties are workable in SharePoint 2013. I've tried with the following command in my SharePoint 2013 environment but can't seem to make it work so far.

stsadm -o setproperty -url http://contoso.com -pn peoplepicker-searchadcustomfilter -pv "(&(objectCategory=Person)(objectClass=User)(memberOf=OU=Sales,DC=contoso,DC=com))"

I've also tried with the following command:

stsadm -o setsiteuseraccountdirectorypath -path "OU=Sales,DC=contoso,DC=com" -url http://contoso.com

Your suggestion would be greatly appreciated.

Regards,

March 18th, 2015 6:17am

Use Set-SPSite -UserAccountDirectoryPath "OU=Sales,DC=contoso,DC=com". Clear your other properties that you've set.
March 18th, 2015 11:58am

Thank you very much Trevor.

My environment has two domain controllers. One (DC A) is responsible for issuing the SharePoint service account while the other (DC B) is for end users. The one-way trust has been successfully established. People Picker in SharePoint in DC A can query and return user accounts in DC B.

I've tried your command several times but still can't make it work. After the command, People Picker limits to the wrong OU. The OU I'm using is the distinguishedName property. I'm not sure whether limiting in People Picker supports the one-way trust case.

Regards,
-T.s

March 18th, 2015 11:11pm

The UserAccountDirectoryPath is just a filter. It compares the incoming user object's distinguishedName against the UADP. If it doesn't match, it kicks it out. Trust doesn't have anything to do with it (even works against non-Active Directory LDAP services).
March 18th, 2015 11:13pm

Thank you Trevor.

The filter is working. However, I have to paste the full name (sometimes typing the first few letters works) into the People Picker box. If I don't limit the OU scope, People Picker can query and return results with the first character. Is this what Microsoft gives (OOTB)?

How about web application scope as we have a lot of site collections?

Regards,
-T.s

March 19th, 2015 1:20am

People Picker starts querying at 3 characters.

You'll just need to loop through the Site Collections via PowerShell, e.g.:

foreach ($site in Get-SPSite -Limit ALL)
{
    Set-SPSite -Identity $site -UserAccountDirectoryPath "..."
}

March 19th, 2015 2:41pm
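A fuller version of the loop above, added here as an example rather than code from the thread: it scopes the change to one web application (so only the site collections that need it are touched), clears the stsadm custom filter that the earlier post recommended removing, records the old and new path per site, and disposes each SPSite object. The web application URL and the OU distinguished name are placeholders.

```powershell
# Added example (not from the original thread). Run from the SharePoint 2013
# Management Shell as a farm administrator. URL and OU DN below are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "http://contoso.com"             # placeholder web application URL
$ouPath    = "OU=Sales,DC=contoso,DC=com"     # placeholder OU distinguished name

# 1. Remove the custom AD filter set earlier with stsadm, so that the
#    UserAccountDirectoryPath is the only People Picker restriction in effect.
#    (An empty -pv clears the property; assumption based on stsadm usage.)
& stsadm -o setproperty -url $webAppUrl -pn peoplepicker-searchadcustomfilter -pv ""

# 2. Apply the OU restriction to every site collection in this web application.
$webApp  = Get-SPWebApplication -Identity $webAppUrl
$changes = @()
foreach ($site in $webApp.Sites) {
    try {
        $before = $site.UserAccountDirectoryPath
        Set-SPSite -Identity $site -UserAccountDirectoryPath $ouPath
        $changes += [pscustomobject]@{
            Url    = $site.Url
            Before = $before
            After  = $ouPath
        }
    }
    finally {
        # Enumerating $webApp.Sites creates SPSite objects that must be disposed.
        $site.Dispose()
    }
}

# 3. Show what changed, then re-read the value from the farm to confirm it stuck.
$changes | Format-Table -AutoSize
Get-SPSite -WebApplication $webAppUrl -Limit All |
    Select-Object Url, UserAccountDirectoryPath |
    Format-Table -AutoSize
```

Because UserAccountDirectoryPath is compared against the user's full distinguishedName, a user whose DN sits in a sub-OU still matches when the path is the parent OU; a user in a sibling OU does not.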

Thank you Trevor. The People Query works sometimes. The limit is working but not really what I expect. People Picker shows no result but if I click Check Now button, the message Multiple entries matched, please click to resolve displays then the queried user name is still resolvable and added. The code-behind in Check Now button may perform a query to the whole Active Directory. 

Regards,
-T.s

March 23rd, 2015 10:21am

The People Picker query also scopes to the OU specified. It shouldn't work "just some of the time" :) I'd recommend taking a network trace when it doesn't work "some of the time" to see the LDAP DN of the user attempting to log in. Make sure it is correct.
March 23rd, 2015 10:23am

Does that work with a web application that uses claims-based authentication? From this article I think only classic mode authentication works with an LDAP query like you say.

https://technet.microsoft.com/en-us/library/gg602078.aspx#architecture

Regards,
-T.s

March 24th, 2015 3:26am

Yes, it works on a claims based web app -- I've implemented it in that scenario.
March 24th, 2015 3:30am

Thank you Trevor. It looks like there is something wrong with People Picker in my environment. If there is no OU limit, then People Picker works well even with the first character. If I set the limit, then even with 3 characters People Picker still shows No Result Found after the query. I've tried to capture the LDAP query with Network Monitor, Wireshark and Microsoft Message Analyzer, but these tools can't capture the LDAP traffic. The only thing I see after performing a People Picker query is that SharePoint calls REST (/sites/lib/_vti_bin/client.svc/ProcessQuery) to start querying. People Picker does not seem to always send an LDAP query to Active Directory.
March 30th, 2015 2:49am

Even if I set the path as the SearchActiveDirectoryDomains property value, People Picker goes from working to not working. This looks strange to me.

March 30th, 2015 3:37am
