Peoplepicker: Stsadm property (Office SharePoint Server)
Updated: June 07, 2007
Property name: Peoplepicker
The peoplepicker property is part of the setproperty and getproperty operations. The syntax for the setproperty operation is:
stsadm -o setproperty
-propertyname <property name>
-propertyvalue <property value>
[-url] <URL>
The syntax for the getproperty operation is:
stsadm -o getproperty
-propertyname <property name>
[-url] <URL>
In the table and examples below, -propertyname and -propertyvalue are abbreviated to -pn and -pv. Properties that apply to a single Web application (for example, the forms-authentication and site-collection settings) must be set with -url; run getproperty with the same -url afterwards to confirm the value that was stored.
Description
User information that is imported from directory services is available in the Select People and Groups dialog box, also known as the People Picker Web control. Site administrators and other users use this dialog box to select people and groups when they assign permissions. By default, you can select users only from the domain in which Microsoft Office SharePoint Server 2007 is installed.
When a Web application uses Windows authentication, People Picker searches all two-way trusted forests and all two-way trusted domains automatically. To search a one-way trusted forest or domain, you must first run the setapppassword operation on every front-end Web server and then set the peoplepicker-searchadforests property with the credentials of an account that can read that forest or domain.
Properties
Property (-pn) | Value (-pv) | Description | Example values
peoplepicker-activedirectorysearchtimeout | A valid integer number of seconds, such as "30" | Configures the timeout for each query issued to Active Directory. | The default value is "30".
peoplepicker-distributionlistsearchdomains | A semicolon-separated list of domain names. Note: Each name must be a DNS name, not a NetBIOS name or a URL. | Restricts distribution list searches to a specific subset of domains. If no value is set, all trusted domains, or the domains listed in the configuration, are searched. | corp.fabrikam.com;ntdev.corp.fabrikam.com (set per Web application, for example with -url http://contoso-370)
peoplepicker-nowindowsaccountsfornonwindowsauthenticationmode | Yes or No | Specifies whether People Picker skips Active Directory when the current zone uses forms authentication. For example, a Web application uses Windows authentication on port 80 and forms authentication on port 81. With the value "No", a user who searches on port 81 gets results from both the membership provider and Active Directory. With the value "Yes", People Picker searches only the membership provider on that zone. | The default value is "Yes".
peoplepicker-onlysearchwithinsitecollection | Yes or No | Displays only users who are already members of the site collection. Because only users who have already been added to the site collection are shown, nobody can browse your user directory through People Picker. A user who already knows a logon name can still add that account by typing the fully qualified logon name. | A value of "Yes" limits users to searching within their site collection. A value of "No" does not limit searches to the site collection.
peoplepicker-searchadcustomquery | A valid LDAP query string in which {0} is the placeholder for the text the user types | Permits the administrator to set the custom query that is sent to Active Directory. | A valid value is an LDAP filter over one or more attributes (call them SomeAdAttribute and AnotherAdAttribute) that are indexed in Active Directory; see the (sn={0}*) example under Examples. Important: If the property value is not a correct Active Directory query, People Picker fails. If a searched attribute is not an indexed attribute in Active Directory, every lookup is very slow. People Picker does wildcard searches only for Active Directory Windows group names; with any role provider other than the ones included with Office SharePoint Server 2007, the role provider lookup must match the entire name. For example, if you have a group called "Readers" and you enter "Read" in the Select People and Groups dialog box, the group is not found; if you enter "Readers" it is.
peoplepicker-searchadforests | A valid list of forests or domains | Permits users to search a second, one-way trusted forest or domain. By default, Office SharePoint Server 2007 talks only to the domain controller for the domain in which it was installed. | Each entry uses one of the following formats: forest:DnsName,LoginName,Password; domain:DnsName,LoginName,Password; forest:DnsName; domain:DnsName. Note: If a Password is supplied, you must first run stsadm -o setapppassword -password <somekey> on every front-end Web server, with the same <somekey> on each. <somekey> can be any string; it is the key used to encrypt the password in the "domain:DnsName,LoginName,Password" or "forest:DnsName,LoginName,Password" entry, and the encrypted password is stored in the database. Because the password is typed on the stsadm command line, use a dedicated account that has only read access to the target directory, never an administrative account. If the domain or forest is trusted, no LoginName or Password is needed: use forest:DnsName or domain:DnsName.
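The two list-valued properties above (peoplepicker-distributionlistsearchdomains and peoplepicker-searchadforests) are easy to get wrong on the command line, and a wrong value is only noticed when People Picker stops returning results. The following added example (it is not code from this page, from stsadm, or from Office SharePoint Server) parses both value strings before they are handed to stsadm, rejects URLs and single-label names where a DNS name is required, and reports which searchadforests entries carry credentials and therefore require setapppassword on every front-end Web server first. The entry separator is assumed to be a semicolon, as in the distribution-list example on this page; the sample values are constructed for the test.

```python
"""Pre-flight validation for peoplepicker-distributionlistsearchdomains and
peoplepicker-searchadforests values (added example, not part of stsadm).

Assumptions: entries are separated by ';' (as the distribution-list example
on this page shows); a forest/domain entry is one of the four formats listed
in the property table. A Password that itself contains ',' or ';' cannot be
expressed in this format and is rejected here.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_dns_name(name: str) -> bool:
    """True for a dotted DNS name such as corp.fabrikam.com; False for
    URLs (http://...), NetBIOS-style names (FABRIKAM, CORP\\x) and single labels."""
    if not name or len(name) > 253 or "://" in name or "\\" in name:
        return False
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


@dataclass(frozen=True)
class ForestEntry:
    kind: str                    # "forest" or "domain"
    dns_name: str
    login_name: Optional[str] = None
    password: Optional[str] = None

    @property
    def needs_app_password(self) -> bool:
        # Credentialed entries are only usable after
        # "stsadm -o setapppassword -password <somekey>" has been run on every
        # front-end Web server; trusted entries (no credentials) do not need it.
        return self.password is not None


def parse_searchadforests(value: str) -> List[ForestEntry]:
    """Parse 'forest:DnsName[,LoginName,Password];domain:DnsName...'."""
    entries: List[ForestEntry] = []
    for raw in filter(None, (part.strip() for part in value.split(";"))):
        kind, sep, rest = raw.partition(":")
        kind = kind.strip().lower()
        if not sep or kind not in ("forest", "domain"):
            raise ValueError(f"entry must start with forest: or domain: -> {raw!r}")
        fields = rest.split(",")
        if len(fields) not in (1, 3):
            raise ValueError(f"entry needs DnsName or DnsName,LoginName,Password -> {raw!r}")
        dns = fields[0].strip()
        if not is_dns_name(dns):
            raise ValueError(f"not a DNS name: {dns!r} (NetBIOS names and URLs are not accepted)")
        if len(fields) == 1:
            entries.append(ForestEntry(kind, dns))
            continue
        login, password = fields[1].strip(), fields[2]
        if not login or not password:
            raise ValueError(f"empty LoginName or Password in {raw!r}")
        entries.append(ForestEntry(kind, dns, login, password))
    if not entries:
        raise ValueError("value contains no entries")
    return entries


def parse_distributionlistsearchdomains(value: str) -> List[str]:
    """Parse the ';'-separated DNS domain list; reject anything that is not a DNS name."""
    domains = [d.strip() for d in value.split(";") if d.strip()]
    bad = [d for d in domains if not is_dns_name(d)]
    if bad:
        raise ValueError(f"not DNS names (the -url goes in a separate parameter): {bad}")
    return domains


def plan_for_searchadforests(value: str) -> dict:
    """Summarise what must happen before 'stsadm -o setproperty' is run."""
    entries = parse_searchadforests(value)
    credentialed = [e for e in entries if e.needs_app_password]
    return {
        "entries": len(entries),
        "trusted_only": [f"{e.kind}:{e.dns_name}" for e in entries if not e.needs_app_password],
        "credentialed": [f"{e.kind}:{e.dns_name} as {e.login_name}" for e in credentialed],
        "run_setapppassword_first": bool(credentialed),
    }


if __name__ == "__main__":
    # Constructed sample value: one one-way trusted forest with a service
    # account, one trusted domain without credentials.
    sample = "forest:corp.fabrikam.com,FABRIKAM\\svc_pp,S3cret;domain:ntdev.corp.fabrikam.com"
    print(plan_for_searchadforests(sample))
```

When the plan reports run_setapppassword_first, run setapppassword with the same key on every front-end Web server before setproperty, and clear the command history afterwards because the account password was part of the command line.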
Examples
Change the Active Directory search timeout
If you have 10 Active Directory forests or domains to search and you do not want users to wait too long, you can set the timeout to 10 seconds per directory. To do this, use the following syntax:
stsadm -o setproperty -pn peoplepicker-activedirectorysearchtimeout -pv 10
Restrict a search distribution list to a subdomain
To restrict a search for a distribution list to only corp.fabrikam.com and ntdev.corp.fabrikam.com, use the following syntax:
stsadm -o setproperty -url http://contoso-370 -pn peoplepicker-distributionlistsearchdomains -pv corp.fabrikam.com;ntdev.corp.fabrikam.com
Note: Each domain name must be a Domain Name System (DNS) name, and names are separated by a semicolon. If no value is set, all trusted domains, or the domains listed in the configuration, are searched.
Display users within a site collection
Users who have already been added to the site collection are always displayed in People Picker. Limiting searches to those users prevents anyone from browsing your user directory through People Picker. In a hosting scenario, for example, you do not want end users to be able to search Active Directory; you want them to find only users who are already in the site collection. An end user who already knows a logon name in Active Directory can still invite that user by typing the fully qualified logon name.
To limit users to searching within their site collection, use the following syntax:
stsadm -o setproperty -url http://server -pn peoplepicker-onlysearchwithinsitecollection -pv yes
To let users search beyond their site collection, use the following syntax:
stsadm -o setproperty -url http://server -pn peoplepicker-onlysearchwithinsitecollection -pv no
Create a custom query in Active Directory
To create a query that searches on the last name (the sn attribute), use the following syntax:
stsadm -o setproperty -pn peoplepicker-searchadcustomquery -pv (sn={0}*)
{0} is replaced with the text the user types in the Select People and Groups dialog box. Check the filter before you set it: an invalid filter causes People Picker to fail, and an attribute that is not indexed in Active Directory makes every search slow.
Search additional domains or forests
To let People Picker enumerate users from a second forest or domain, use the following syntax:
stsadm -o setproperty -pn peoplepicker-searchadforests -pv <list of forests or domains> -url <webapp>
If any entry in the list includes a LoginName and Password, first run stsadm -o setapppassword -password <somekey> on every front-end Web server, with the same key on each.
Search membership providers using Windows authentication
Use this property to stop People Picker from searching Active Directory when the current zone uses forms authentication.
To search from a membership provider only, use the following syntax:
stsadm -o setproperty -url http://server -pn "peoplepicker-nowindowsaccountsfornonwindowsauthenticationmode" -pv yes
To search both a membership provider and Active Directory, use the following syntax:
stsadm -o setproperty -url http://server -pn "peoplepicker-nowindowsaccountsfornonwindowsauthenticationmode" -pv no
Note: If the value is set to "Yes," People Picker does not try to search or resolve a user against Active Directory when the current zone does not use Windows authentication.
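The page warns twice that a malformed peoplepicker-searchadcustomquery value makes People Picker fail and that an unindexed attribute makes it slow, but stsadm accepts any string. The following added example (not code from this page, from stsadm, or from Office SharePoint Server) is a pre-flight check for the value: it parses the template as an RFC 4515 LDAP filter in which "{0}" stands for the typed text, rejects unbalanced or malformed filters, and returns the attribute names the filter searches so the administrator can confirm each is indexed in Active Directory. It also renders a test filter from the template with the substituted text escaped per RFC 4515; how People Picker itself substitutes {0} is not described on this page, so that part is the example's own choice. The sample templates and typed text are constructed for the test.

```python
"""Pre-flight check for a peoplepicker-searchadcustomquery value
(added example, not part of stsadm or Office SharePoint Server).

The value is an RFC 4515 search filter; "{0}" marks where the typed text goes.
"""
import re
from typing import Dict, List, Tuple

# Attribute description: name, optionally with ';options' or an extensible
# matching rule such as userAccountControl:1.2.840.113556.1.4.803:
_ATTR = re.compile(r"^[A-Za-z][A-Za-z0-9.;:-]*$")
_ITEM = re.compile(r"^([^=~<>]+)(~=|>=|<=|=)(.*)$")


class FilterError(ValueError):
    """Raised for a filter that People Picker would fail on."""


def escape_filter_value(text: str) -> str:
    """RFC 4515 escaping for text placed inside a filter value.
    '*' is left alone so the template's own trailing wildcard keeps working."""
    return "".join("\\%02x" % ord(ch) if ch in "\\()\x00" else ch for ch in text)


def _parse(s: str, i: int) -> Tuple[Dict, int]:
    """Parse one parenthesised filter starting at s[i]; return (node, index after ')')."""
    if i >= len(s) or s[i] != "(":
        raise FilterError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|":
        op, i = s[i], i + 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children:
            raise FilterError(f"'{op}' needs at least one operand")
        node: Dict = {"op": op, "children": children}
    elif i < len(s) and s[i] == "!":
        child, i = _parse(s, i + 1)
        node = {"op": "!", "children": [child]}
    else:
        # Simple item. A literal ')' never occurs inside a well-formed value
        # (it must be escaped as \29), so the next ')' ends the item.
        end = s.find(")", i)
        if end < 0:
            raise FilterError("unterminated filter item")
        m = _ITEM.match(s[i:end])
        if not m or not _ATTR.match(m.group(1)) or "(" in m.group(3):
            raise FilterError(f"bad filter item {s[i:end]!r}")
        node = {"attr": m.group(1), "value": m.group(3)}
        i = end
    if i >= len(s) or s[i] != ")":
        raise FilterError(f"expected ')' at offset {i}")
    return node, i + 1


def parse_filter(filter_text: str) -> Dict:
    """Parse a complete filter; raise FilterError on trailing or missing text."""
    node, end = _parse(filter_text, 0)
    if end != len(filter_text):
        raise FilterError(f"trailing text after filter: {filter_text[end:]!r}")
    return node


def check_custom_query(template: str) -> List[str]:
    """Validate a peoplepicker-searchadcustomquery template and return the
    attribute names it searches (each should be indexed in Active Directory)."""
    if "{0}" not in template:
        raise FilterError("template must contain {0}, the placeholder for the typed text")
    attrs: List[str] = []

    def walk(n: Dict) -> None:
        if "attr" in n:
            attrs.append(n["attr"])
        else:
            for child in n["children"]:
                walk(child)

    walk(parse_filter(template))
    return attrs


def render_query(template: str, typed: str) -> str:
    """Build a test filter by substituting the escaped typed text for {0}."""
    check_custom_query(template)
    return template.replace("{0}", escape_filter_value(typed))


if __name__ == "__main__":
    # Constructed templates: the page's sn example and a two-attribute variant.
    for tpl in ["(sn={0}*)", "(|(sn={0}*)(givenName={0}*))"]:
        print(tpl, "searches", check_custom_query(tpl))
    print(render_query("(sn={0}*)", "O'Brien (Jr)"))
```

Run the check on the exact string you intend to pass to stsadm; the attribute list it returns is what to verify against the schema's indexed attributes before the value goes live.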