Wednesday, July 18, 2007

Active Directory configuration on Sharepoint Server

Peoplepicker: Stsadm property (Office SharePoint Server)

Updated: June 07, 2007

Property name: Peoplepicker

The peoplepicker property is part of the setproperty and getproperty operations. The syntax for the setproperty operation is:

stsadm -o setproperty

   -propertyname <property name>

   -propertyvalue <property value>

   [-url] <URL>

The syntax for the getproperty operation is:

stsadm -o getproperty

   -propertyname <property name>

   [-url] <URL>

Description

User information that is imported from directory services is available in the Select People and Groups dialog box, also known as the People Picker Web control. Site administrators and other users use this dialog box to select people and groups when they assign permissions. By default, you can select users only from the domain in which Microsoft Office SharePoint Server 2007 is installed.

When a Web application uses Windows authentication, People Picker searches all two-way trusted forests and all two-way trusted domains. To search a one-way trusted forest or a one-way trusted domain as well, you must first run the setapppassword operation and then set the peoplepicker-searchadforests property, supplying credentials for that forest or domain.

Properties

The original table has four columns (Property (-pn), Value (-pv), Description, Example values); each property is listed below with those fields.

Property (-pn): peoplepicker-activedirectorysearchtimeout
Value (-pv): A valid integer number of seconds, such as "30"
Description: Configures the timeout for a query issued to Active Directory. The default value is "30".

Property (-pn): peoplepicker-distributionlistsearchdomains
Value (-pv): A semicolon-separated list of DNS domain names, such as corp.fabrikam.com;dev.corp.fabrikam.com
Description: Restricts a distribution list search to a specific subset of domains.
Note: Each domain name must be a DNS name.
Example: stsadm -o setproperty -url http://contoso-370 -pn peoplepicker-distributionlistsearchdomains -pv corp.fabrikam.com;dev.corp.fabrikam.com

Property (-pn): peoplepicker-nowindowsaccountsfornonwindowsauthenticationmode
Value (-pv): Yes or No
Description: Specifies whether Active Directory is searched when the current zone (port) uses forms authentication.
For example, a Web application uses Windows authentication on port 80 and forms authentication on port 81. When the value is "Yes" and a user on port 81 runs a search, People Picker searches only the membership provider. When the value is "No", People Picker searches both the membership provider and Active Directory. The default value is "Yes".

Property (-pn): peoplepicker-onlysearchwithinsitecollection
Value (-pv): Yes or No
Description: Displays only users who are already members of the site collection. With "Yes", only users who have already been added to the site collection appear in People Picker, which prevents anyone from browsing your user directory through the dialog box. With "No", users can search the directory.

Property (-pn): peoplepicker-searchadcustomquery
Value (-pv): A valid string that specifies the custom query
Description: Permits the administrator to set the custom query that is sent to Active Directory. Some valid examples are:

(SomeAdAttribute={0})
(SomeAdAttribute={0}*)
(SomeAdAttribute={0})(AnotherAdAttribute={0})

where SomeAdAttribute and AnotherAdAttribute are the names of indexed attributes in Active Directory, and {0} is replaced by the text the user types.

Important: If the property value is not a correct Active Directory query, People Picker will fail. Also, if the searched attribute is not an indexed attribute in Active Directory, the query will be very slow.

People Picker can only do wildcard searches for Active Directory Windows group names. With any role provider other than the ones included with Office SharePoint Server 2007, the role provider lookup matches the entire name. For example, if you have a group called "Readers" and you enter "Read" in the Select People and Groups dialog box, it will not find your group; if you enter "Readers" it will.

Property (-pn): peoplepicker-searchadforests
Value (-pv): A valid list of forests or domains
Description: Permits a user to search a second, one-way trusted forest or domain. By default, Office SharePoint Server 2007 talks only to the domain controller for the domain in which it was installed.
Each entry in the list has one of the following formats:

forest:DnsName,LoginName,Password
domain:DnsName,LoginName,Password

Note: If "Password" is used, you must first run stsadm -o setapppassword -password <somekey> on every front-end Web server, with the same <somekey> on each. <somekey> can be any string; it is the key used to encrypt the password in the "domain:DnsName,LoginName,Password" or "forest:DnsName,LoginName,Password" entry, and the encrypted password is stored in the database. Because that account's password is typed on the command line and stored in the configuration database, use a dedicated account that has only the directory read access People Picker needs.

If the domains or forests are two-way trusted, it is not necessary to pass LoginName or Password; use the format forest:DnsName or domain:DnsName.

Examples

Change the Active Directory search timeout

If you have 10 Active Directory directories to search and do not want users to wait too long, configure the timeout to 10 seconds per directory:

stsadm -o setproperty -pn peoplepicker-activedirectorysearchtimeout -pv 10

Restrict a search distribution list to a subdomain

To restrict a distribution list search to corp.fabrikam.com and dev.corp.fabrikam.com only, use the following syntax:

stsadm -o setproperty -url http://contoso-370 -pn peoplepicker-distributionlistsearchdomains -pv corp.fabrikam.com;dev.corp.fabrikam.com

Note:

The domain names must be Domain Name System (DNS) names, separated by semicolons. If no value is set, all trusted domains, or the domains listed in the configuration, are searched.

Display users within a site collection

By default, People Picker searches the directory, so anyone who can open the dialog box can browse user accounts. In a hosting scenario you do not want end users to search Active Directory at all; they should only be able to find users who are already in the site collection. Setting peoplepicker-onlysearchwithinsitecollection to Yes restricts searches to those users and so prevents browsing of your user directory through People Picker. An end user who already knows a login name in Active Directory can still invite that user by entering the fully qualified logon name.

To restrict users to searching within the site collection, use the following syntax:

stsadm -o setproperty -url http://server -pn peoplepicker-onlysearchwithinsitecollection -pv yes

To let users search the directory again (the default), use the following syntax:

stsadm -o setproperty -url http://server -pn peoplepicker-onlysearchwithinsitecollection -pv no

Create a custom query in Active Directory

To create a query that searches on the last name (the sn attribute), use the following syntax. The query is passed with -pv, not -pn, and {0} is replaced by the text the user types:

stsadm -o setproperty -pn peoplepicker-searchadcustomquery -pv (sn={0}*)
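The custom query is an LDAP filter template in which {0} is replaced by whatever the user types into the search box. The Python helper below is an added example for this page; it is not SharePoint's code and does not claim to reproduce how People Picker itself performs the substitution. It shows what a safe expansion looks like: the typed text is escaped as RFC 4515 requires, so parentheses and wildcards in the search box cannot change the shape of the filter, and the template is checked for the two mistakes the property description warns about, a malformed filter (People Picker fails) and a non-indexed attribute (the query is very slow). DEFAULT_INDEXED is an illustrative set of attributes, not read from a real directory, and the inputs "Smi" and "a)(cn=*" are constructed samples.

```python
import re

# RFC 4515 requires these characters to be encoded inside a filter value.
# '*' is included so typed text cannot add wildcards; only the template
# decides where a wildcard goes, e.g. "(sn={0}*)".
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Illustrative set of attributes that are indexed in a default AD schema;
# a real check would read searchFlags from the schema partition.
DEFAULT_INDEXED = frozenset(
    {"cn", "sn", "givenName", "displayName", "mail", "sAMAccountName"})

# Matches the attribute name at the start of each "(attr=", "(attr~=",
# "(attr>=" or "(attr<=" term in a filter.
_ATTR_TERM = re.compile(r"\(\s*([^()=~<>]+?)\s*[~<>]?=")
_ATTR_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*(?:;[A-Za-z0-9-]+)*")


def escape_filter_value(value: str) -> str:
    """Escape user-supplied search text for use inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def template_attributes(template: str) -> list:
    """Return the attribute names a query template searches, in order."""
    return _ATTR_TERM.findall(template)


def validate_template(template: str) -> None:
    """Raise ValueError for templates that would make People Picker fail."""
    if "{0}" not in template:
        raise ValueError("template must contain the {0} placeholder")
    depth = 0
    for ch in template:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth < 0:
            raise ValueError("unbalanced ')' in template")
    if depth != 0:
        raise ValueError("unbalanced '(' in template")
    attrs = template_attributes(template)
    if not attrs:
        raise ValueError("template contains no (attribute=value) term")
    for attr in attrs:
        if not _ATTR_NAME.fullmatch(attr):
            raise ValueError(f"invalid attribute name: {attr!r}")


def unindexed_attributes(template: str, indexed=DEFAULT_INDEXED) -> list:
    """Attributes in the template that are not indexed (slow full scans)."""
    return [a for a in template_attributes(template) if a not in indexed]


def expand_query(template: str, user_text: str) -> str:
    """Filter sent to AD for this template and the user's typed text."""
    validate_template(template)
    return template.replace("{0}", escape_filter_value(user_text))


if __name__ == "__main__":
    tmpl = "(sn={0}*)"
    print(expand_query(tmpl, "Smi"))                          # (sn=Smi*)
    print(expand_query(tmpl, "a)(cn=*"))                      # (sn=a\29\28cn=\2a*)
    print(unindexed_attributes("(sn={0})(description={0})"))  # ['description']
```

The second expansion is the case worth looking at: without escaping, the typed text a)(cn=* would turn (sn={0}*) into (sn=a)(cn=**), a different query; with escaping it stays a literal search for that string. The page's own example (SomeAdAttribute={0})(AnotherAdAttribute={0}) passes validate_template because its parentheses balance and both attribute names are legal.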

Search additional domains or forests

To let People Picker enumerate users from a second forest or domain, use the following syntax, where <list of forests or domains> uses the forest:DnsName,LoginName,Password or domain:DnsName formats described above:

stsadm -o setproperty -pn peoplepicker-searchadforests -pv <list of forests or domains> -url <webapp>

If any entry includes a password, run stsadm -o setapppassword -password <somekey> on every front-end Web server first, with the same key on each.
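A pre-flight check for the list value, added here as example code that is not part of SharePoint or of the original page. It parses each forest: or domain: entry in the format given under Properties, rejects names that are not DNS names (a bare NetBIOS name such as CONTOSO fails), reports whether any entry carries a password, in which case setapppassword must already have been run with the same key on every front-end Web server, and produces a redacted form so the value can be recorded in a change log without the password. It assumes, because the page does not say, that entries are separated by semicolons as the distributionlistsearchdomains value is; partner.example.com, PARTNER\svc_lookup and the password are constructed sample values.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# A DNS name: dot-separated labels, at least two of them, so a bare NetBIOS
# name such as CONTOSO is rejected (the page requires DNS names).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DNS_NAME = re.compile(r"^(?:" + _LABEL + r"\.)+" + _LABEL + r"$")
ENTRY_SEPARATOR = ";"   # assumed; the page does not state the separator


@dataclass(frozen=True)
class DirectoryEntry:
    kind: str                   # "forest" or "domain"
    dns_name: str               # e.g. corp.fabrikam.com
    login_name: Optional[str]   # only for one-way trusts
    password: Optional[str]

    def has_credentials(self) -> bool:
        return self.login_name is not None

    def redacted(self) -> str:
        """Form that is safe to log or put in a change record."""
        if not self.has_credentials():
            return f"{self.kind}:{self.dns_name}"
        return f"{self.kind}:{self.dns_name},{self.login_name},********"


def parse_entry(text: str) -> DirectoryEntry:
    """Parse forest:DnsName[,LoginName,Password] or domain:DnsName[,...]."""
    kind, sep, rest = text.strip().partition(":")
    kind = kind.strip().lower()
    if not sep or kind not in ("forest", "domain"):
        raise ValueError(f"entry must start with forest: or domain: -> {text!r}")
    # Split at most twice so a password containing commas survives intact.
    parts = rest.split(",", 2)
    dns_name = parts[0].strip()
    if not _DNS_NAME.match(dns_name):
        raise ValueError(f"not a DNS name: {dns_name!r}")
    if len(parts) == 1:
        return DirectoryEntry(kind, dns_name, None, None)
    if len(parts) != 3 or not parts[1].strip() or not parts[2]:
        raise ValueError(f"expected DnsName,LoginName,Password -> {text!r}")
    return DirectoryEntry(kind, dns_name, parts[1].strip(), parts[2])


def parse_search_forests(value: str) -> List[DirectoryEntry]:
    """Parse a whole -pv value for peoplepicker-searchadforests."""
    return [parse_entry(e) for e in value.split(ENTRY_SEPARATOR) if e.strip()]


def needs_app_password(entries: List[DirectoryEntry]) -> bool:
    """True if stsadm -o setapppassword must be run on every front-end
    Web server before this value can be set (some entry has a password)."""
    return any(e.has_credentials() for e in entries)


def redacted_value(entries: List[DirectoryEntry]) -> str:
    """The list as it should appear in logs: passwords masked."""
    return ENTRY_SEPARATOR.join(e.redacted() for e in entries)


if __name__ == "__main__":
    # Constructed sample: a one-way trusted partner forest that needs
    # credentials plus a two-way trusted domain that does not.
    sample = ("forest:partner.example.com,PARTNER\\svc_lookup,S3cret,pw;"
              "domain:corp.fabrikam.com")
    entries = parse_search_forests(sample)
    print(redacted_value(entries))
    print("run setapppassword first:", needs_app_password(entries))
```

A password containing the assumed separator would still be split incorrectly; if the lookup account's password contains a semicolon, change it rather than the parser, since the real format has no quoting mechanism that the page describes.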

Search membership providers only under forms authentication

When the current zone uses forms authentication, you can stop People Picker from also searching Windows Active Directory.

To search only the membership provider, use the following syntax:

stsadm -o setproperty -url http://server -pn "peoplepicker-nowindowsaccountsfornonwindowsauthenticationmode" -pv yes

To search both the membership provider and Windows Active Directory, use the following syntax:

stsadm -o setproperty -url http://server -pn "peoplepicker-nowindowsaccountsfornonwindowsauthenticationmode" -pv no

Note:

If the value is set to "Yes," People Picker will not try to search or resolve a user against Active Directory when the current zone does not use Windows authentication.
