
The SharePoint PeoplePicker isn’t showing users from a trusted domain

After installing SharePoint and importing all the User Profiles, you'll find that the People Picker only shows those users from the trusted domain who have already logged on to the SharePoint 2007 server, rather than all of them.  This is rather bizarre, as you've imported all the profiles and can see them!

You actually need to configure the People Picker to query the Domain Controllers directly, as that is where the People Picker looks, NOT the SharePoint user profile store.  It seems unusual, but it's true!  It's quite a complex task.

Before you do anything else, work out a list of all of the domains the People Picker needs to look at, INCLUDING the domain SharePoint is installed on.  If SharePoint is on Domain1 and you want to see all the Domain1 users and all the users from the trusted domain Domain2, you're going to need to list them both, something most of the guides online don't make clear.  You'll also need the fully qualified domain names – don't use the older NetBIOS name.  If your domain is exampledomain.local, don't just use "exampledomain" – we'll need the full thing.

Next, make sure you have a valid Active Directory user account on each of the trusted domains you want to look at.  You don't need one for the domain the SharePoint server is on – the accounts SharePoint runs under will already have access there.

Now, we first need to set up an encryption key, so SharePoint can securely store the usernames and passwords for the other domains.  Use the following command on every server in the farm – if you don’t, the other SharePoint servers won’t be able to decrypt the stored user names and passwords:

stsadm -o setapppassword -password MyPassword

Replace MyPassword with your chosen encryption key, of course! 

Next, we need to tell each Web Front End server which domains to use.  I always list the current domain SharePoint is a member of first, for ease of reference.  Normally, I'd expect at least two entries – the current domain and the trusted domain (or domains) – if there isn't a trusted domain, why are you doing this?  We'll need to separate the entries in the domain list with semicolons.

stsadm -o setproperty -pn peoplepicker-searchadforests -pv domain:domain1.com;domain:domain2.com,domain2\user,password -url https://sharepoint.domain1.com

Here, the URL should be replaced by that of your web application – don't forget to use https if you've set the application up to use SSL.  Domain names should obviously be replaced with your own, and you should use the usernames and passwords from each trusted domain that you either created or ensured were available earlier.  A more realistic-looking example might be:

stsadm -o setproperty -pn peoplepicker-searchadforests -pv domain:technet.microsoft.com;domain:kb.microsoft.com,kb\AD_Lookup,LookUp2009 -url https://sharepoint.technet.microsoft.com

Please note this is an entirely hypothetical example, so don’t think of trying the links or usernames! 

Finally, though this generally isn't mentioned in most of the other guides, you need to reset IIS before SharePoint will pick up the changes.  As always, I prefer the noforce option, just in case.

iisreset -noforce

You should now see all of the available people from the domains you’ve selected in the people picker!
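The steps above can be wrapped in a script so the domain list is checked against the rules the post sets out (fully qualified names only, the local domain included, entries separated by semicolons) before anything is written, and so the stored value is read back afterwards. This is an added PowerShell example, not code from the original post; the web application URL, the stsadm path (the standard 12 hive location), the domain names and the svc_peoplepicker lookup account are hypothetical placeholders. Passwords are prompted for rather than typed on the command line, which keeps them out of the shell history.

```powershell
# Added example, not part of the original post. Wraps the post's stsadm steps so the
# forest list is validated before it is stored. Every server, domain, URL and account
# name below is a hypothetical placeholder.
param(
    [string]$WebAppUrl = "https://sharepoint.domain1.com",   # assumed web application URL
    [string]$StsAdm    = "$env:CommonProgramFiles\Microsoft Shared\web server extensions\12\BIN\stsadm.exe",
    [switch]$SetAppPassword                                    # run once on each farm server
)

# Forests the People Picker must query. The local domain comes first and carries no
# credentials (the farm accounts already have access); each trusted domain gets a
# dedicated, low-privilege lookup account whose password is prompted for.
$forests = @(
    @{ Domain = "domain1.com" },
    @{ Domain = "domain2.com"; User = "domain2\svc_peoplepicker" }   # hypothetical account
)

function Get-PlainText([System.Security.SecureString]$secure) {
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function Test-ForestList([object[]]$list) {
    $local = $env:USERDNSDOMAIN     # DNS name of the domain this server belongs to
    if (-not $local) { throw "Run this as a domain user so the local domain can be checked." }
    if ($list.Count -lt 2) { throw "Expected the local domain plus at least one trusted domain." }
    foreach ($f in $list) {
        # A NetBIOS name (no dot) is silently useless here; the property needs FQDNs.
        if ($f.Domain -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') { throw "Not an FQDN: $($f.Domain)" }
    }
    if (@($list | Where-Object { $_.Domain -ieq $local }).Count -eq 0) {
        throw "The local domain $local must be in the list or its own users disappear."
    }
}

function New-SearchAdForestsValue([object[]]$list) {
    $entries = foreach ($f in $list) {
        if ($f.User) {
            $pw = Read-Host -AsSecureString "Password for $($f.User)"
            "domain:$($f.Domain),$($f.User),$(Get-PlainText $pw)"
        } else {
            "domain:$($f.Domain)"
        }
    }
    return ($entries -join ';')      # entries are semicolon-separated
}

function Invoke-StsAdm([string[]]$stsArgs) {
    $out = & $StsAdm @stsArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "stsadm failed ($LASTEXITCODE): $out" }
    return ($out -join "`n")
}

Test-ForestList $forests

if ($SetAppPassword) {
    # The same key must be set on every farm server, or the others cannot decrypt the credentials.
    $key = Read-Host -AsSecureString "Farm app password (identical on every server)"
    Invoke-StsAdm @('-o', 'setapppassword', '-password', (Get-PlainText $key)) | Out-Null
}

$value = New-SearchAdForestsValue $forests
Invoke-StsAdm @('-o', 'setproperty', '-pn', 'peoplepicker-searchadforests', '-pv', $value, '-url', $WebAppUrl) | Out-Null

# Read the property back: Exist="No" means nothing was stored for this web application.
$check = Invoke-StsAdm @('-o', 'getproperty', '-pn', 'peoplepicker-searchadforests', '-url', $WebAppUrl)
if ($check -notmatch 'Exist="Yes"') { throw "Property not stored: $check" }
foreach ($f in $forests) {
    if ($check -notmatch [regex]::Escape("domain:$($f.Domain)")) { throw "Stored value lacks $($f.Domain)" }
}

# SharePoint only reads the new value after an IIS reset; noforce lets current requests finish.
iisreset /noforce
```

Run it once with -SetAppPassword on each server in the farm, using the same key every time, then without the switch on each Web Front End. The lookup account for the trusted domain only needs to be an ordinary domain user that can read the directory, so there is no reason to give it anything more.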

  1. Chandrika
    May 22nd, 2009 at 06:16 | #1

    Hi ,
    When I log in with an external user to the SharePoint site I am not able to see all AD users, but when I log in with an AD user then I am able to see all the users from the domain in the people picker.
    We are using ECTS to add external users.

    Please help me solve this issue, it's very critical.

    Thanks in advance

  2. Gene
    July 23rd, 2009 at 03:56 | #2

    Hi,

    This is exactly what I am looking for. I am currently setting up an extranet at my work. Question. How do you incorporate filter strings into the above example? For example, I want to return only accounts that are active.

    Thanks

  3. Tom
    October 23rd, 2009 at 20:34 | #3

    A few details first.
    We have a MOSS 2007 FARM AND 3 DOMAINS, all with a two-way trust.
    We have over 78 sites, all of which stopped, for no known reason, being able to find users that are in one of the domains. We can find the users in the view profiles, yet we can no longer find users using the people picker for any users from the one domain.
    We have tried this command you have provided and they come back with a command line error:
    stsadm -o setproperty -pn peoplepicker-searchadforests -pv domain:full domain name,-userlogin domain\username password –url http://webapp url

    Any help would be great we have been stumped for over a week,

  4. October 26th, 2009 at 13:40 | #4

    Hi Tom – hopefully the new post on More People Picker Issues will be helpful – http://kipper.org.uk/index.php/2009/10/more-people-picker-issues/

  5. January 22nd, 2010 at 21:48 | #5

    We have the exact problem, except we have a two-way trust and the people picker is only finding users inside their own sites.
    We have verified that the property is not set; it states "NO".
    We have run almost if not all STSADM commands available, no effect.
    Rebuilt the SSPs and all WFEs, no effect.
    Some users can sign in but have no access, just get read only, and some get the request access page.
    If they get the request access page I can then add them.
    Very weird scenario and have no clues. This issue has been happening now for like 2 months and nobody seems to have a clue, not even Microsoft.

  6. January 22nd, 2010 at 21:50 | #6

    Also we have multiple domains as well, all are two-way and verified, no issues.
    Only one domain has this issue (default) and the others have no issues, I can find those accounts.
