Jul 24

Someone asked in the comments on another post how to filter the responses to the People Picker to only show active users.  It's an unusual question, in that “Active Users” is so difficult to define.  The People Picker’s default behaviour includes a check to make sure that the account is enabled in Active Directory, so disabled accounts are hidden.  Perhaps it means just users, not groups, or just those users granted access to the Site Collection.

I actually favor the option in the people picker to only return users which have been granted permissions on the Site collection.  This instantly means users in one site collection don’t know about the existence of others by default, and is easy to implement.  Just run:

stsadm -o setproperty -url http://<server> -pn peoplepicker-onlysearchwithinsitecollection -pv yes

You can add specific users to the site collection by searching for the fully qualified logon name, but the people picker will only return users on the site.

If you need slightly more unusual options though, you’ll need to alter the query itself.  It’ll also potentially affect the ability to add any users to the site, so be very, very careful - I’d really recommend not trying this unless you are pretty confident with LDAP queries.

There are several ways of doing this – first, you can set the People Picker to use a custom LDAP query, and select exactly what you need from the AD.  The alternative is that you can allow the People Picker to use standard queries, and then filter the result set.  You can also restrict queries to a particular OU, which would obviously limit the response.

The first is best if you need to limit the query to a specific OU or search for a custom field flagging people as a SharePoint Site user, but be warned – performance on a non-indexed field will be appalling.  I’d avoid it if possible.   The second is better if you need to hide certain user accounts (like service accounts) from the returned queries.  The last option is quite neat, but it's rare that you structure AD for your SharePoint web applications.  Synergy online covers all these options in detail here.

Incidentally, I believe the LDAP query to filter for only active users is:

(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))

So to only return active users, not groups, you could use the following filter:

stsadm -o setproperty -url http://server/sites/vp-site -pn peoplepicker-searchadcustomfilter -pv "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))"
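Before pushing a filter like this into a live web application, it helps to see exactly which accounts it keeps and which it drops, and why the objectCategory and objectClass tests are both needed. The following is an added example, not part of the original post and not SharePoint or stsadm code: a small evaluator for the subset of LDAP filter syntax (RFC 4515) the filter above uses, including AD's bitwise-AND matching rule 1.2.840.113556.1.4.803 on userAccountControl, run against a constructed set of directory entries. It also extends the filter to the "hide service accounts" scenario mentioned earlier, using an assumed svc-* naming convention; all account names and values are invented for illustration.

```python
import re

# OID of AD's bitwise-AND extensible matching rule (LDAP_MATCHING_RULE_BIT_AND)
BIT_AND_RULE = "1.2.840.113556.1.4.803"
ACCOUNTDISABLE = 0x0002             # userAccountControl bit meaning "account disabled"
NORMAL_ACCOUNT = 0x0200
WORKSTATION_TRUST_ACCOUNT = 0x1000
DONT_EXPIRE_PASSWORD = 0x10000

# The filter quoted in the post.
ACTIVE_USERS_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    "(!userAccountControl:1.2.840.113556.1.4.803:=2))"
)
# Variant for the "hide service accounts" scenario; the svc-* convention is an assumption.
NO_SERVICE_ACCOUNTS_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    "(!userAccountControl:1.2.840.113556.1.4.803:=2)(!(sAMAccountName=svc-*)))"
)


def _parse_item(text, pos):
    """Parse 'attr=value' or 'attr:rule:=value' up to (not past) the closing ')'.
    Values containing ')' would need RFC 4515 escaping, which is not handled."""
    end = text.index(")", pos)
    attr, value = text[pos:end].split("=", 1)
    if attr.endswith(":"):                    # extensible match: attr:OID:=value
        attr, rule = attr[:-1].split(":", 1)
        return ("ext", attr.lower(), rule, value), end
    return ("eq", attr.lower(), value), end


def parse_filter(text, pos=0):
    """Recursive-descent parser for &, |, ! and simple items; returns (node, next_pos)."""
    if text[pos] != "(":
        raise ValueError(f"expected '(' at {pos}")
    pos += 1
    op = text[pos]
    if op in "&|":
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError(f"expected ')' at {pos}")
        return (op, children), pos + 1
    if op == "!":
        pos += 1
        if text[pos] == "(":
            child, pos = parse_filter(text, pos)
        else:                                 # AD also accepts (!attr=value) with no inner parens
            child, pos = _parse_item(text, pos)
        if text[pos] != ")":
            raise ValueError(f"expected ')' at {pos}")
        return ("!", child), pos + 1
    node, end = _parse_item(text, pos)
    return node, end + 1


def _match_value(pattern, actual):
    """Case-insensitive equality; '*' is the LDAP substring wildcard."""
    if "*" not in pattern:
        return pattern.lower() == actual.lower()
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, actual, re.IGNORECASE) is not None


def evaluate(node, entry):
    """Evaluate a parsed filter against one entry (dict: lowercase attribute -> list of
    string values). An absent attribute never matches, so a negated test on it is true,
    which is the behaviour AD shows for equality tests on missing attributes."""
    kind = node[0]
    if kind == "&":
        return all(evaluate(c, entry) for c in node[1])
    if kind == "|":
        return any(evaluate(c, entry) for c in node[1])
    if kind == "!":
        return not evaluate(node[1], entry)
    if kind == "eq":
        _, attr, value = node
        return any(_match_value(value, v) for v in entry.get(attr, []))
    _, attr, rule, value = node               # "ext"
    if rule != BIT_AND_RULE:
        raise ValueError(f"unsupported matching rule {rule}")
    mask = int(value)                         # true only when every bit of the mask is set
    return any(int(v) & mask == mask for v in entry.get(attr, []))


def _user(sam, uac, category="person", extra_classes=()):
    # Real AD stores objectCategory as a schema DN and resolves the short name in
    # filters; this constructed model just stores the short name.
    return {"samaccountname": [sam], "objectcategory": [category],
            "objectclass": ["top", "person", "organizationalPerson", "user", *extra_classes],
            "useraccountcontrol": [str(uac)]}


SAMPLE_DIRECTORY = [                          # constructed entries
    _user("alice", NORMAL_ACCOUNT),                               # enabled user
    _user("bob", NORMAL_ACCOUNT | ACCOUNTDISABLE),                # disabled user
    _user("svc-spfarm", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD),   # enabled service account
    _user("SPWEB01$", WORKSTATION_TRUST_ACCOUNT, "computer", ("computer",)),  # computers are objectClass=user too
    {"samaccountname": ["SharePoint Admins"], "objectcategory": ["group"],
     "objectclass": ["top", "group"]},                            # group: no userAccountControl at all
]


def matching_accounts(filter_text, directory=SAMPLE_DIRECTORY):
    """Return the sAMAccountNames the filter selects, in directory order."""
    node, end = parse_filter(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return [e["samaccountname"][0] for e in directory if evaluate(node, e)]


if __name__ == "__main__":
    print(matching_accounts(ACTIVE_USERS_FILTER))         # ['alice', 'svc-spfarm']
    print(matching_accounts(NO_SERVICE_ACCOUNTS_FILTER))  # ['alice']
```

The computer account in the sample is the reason the post's filter tests objectCategory=person as well as objectClass=user: computer objects carry the user class, so objectClass alone would let them through. Running a candidate filter through a model like this (or against a test domain) before setting peoplepicker-searchadcustomfilter is a cheap way to confirm it does not silently lock everyone out of the site.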

One final note – the AD filter and limiting the queries to an OU are only available from SharePoint SP1 onwards – make sure you’re patched!
