Sunday, June 12, 2011

Configure People Picker for Multi-Domain (Cross-Domain) and Multi-Forest Environments

By default, the people picker queries every domain and forest that has a two-way trust with the farm's domain when it searches for people and groups. It runs those queries under the web application's application pool account.

If the application pool account does not have permission to read the target domains or forests, or if you want to use a different (least-privileged, read-only) account for the lookups, follow the steps below:

If the trust to the target domain is one-way, the people picker must present explicit credentials. First set the farm's application credential key, which encrypts the lookup account's password that SharePoint stores in the configuration database. Run this on every server in the farm:
stsadm -o setapppassword -password MyPassword
Use the same password on every server: each server has to be able to decrypt the stored lookup password, and a server with a different key (or no key) cannot.

Then, on every WFE in the farm, run the following to tell the people picker which domain to search and with which account:
stsadm -o setproperty -pn peoplepicker-searchadforests -pv "domain:YourDomain.com,domain\user,password" -url <URL of the web application>
Run it once for each web application. If the setup is incomplete on a WFE, the people picker on that server shows a "callback error".

Note: you can specify multiple domains to look up as well. Quote the whole value, separate the entries with semicolons, and give each entry its own domain: prefix and credentials, for example -pv "domain:YourDomain1.com,domain\username,password;domain:YourDomain2.com,domain\username,password"

If the trust is two-way, the application pool account can already query the domain, so you do not need to run stsadm -o setapppassword and you can leave the credentials out:
stsadm -o setproperty -pn peoplepicker-searchadforests -pv "domain:YourDomain.com" -url <URL of the web application>
Append ,domain\user,password after the domain name only if you want the lookup to run under a different account. Run it once for each web application; if the setup is incomplete on a WFE, the people picker on that server shows a "callback error".

If you need to reset the people picker back to the default behaviour (query all two-way trusted domains and forests), set the property to an empty value:
stsadm -o setproperty -pn peoplepicker-searchadforests -pv "" -url <URL of the web application>
Run it once for each web application.

For a cross-forest lookup, use the forest: prefix instead of domain:. Forest and domain entries can be combined in one value, each with its own credentials:
stsadm.exe -o setproperty -url <URL> -pn peoplepicker-searchadforests -pv "forest:forest.corporate.com,LoginName,P@ssword;domain:na.corporate.com,LoginName,P@ssword"
Don't forget the iisreset on every WFE afterwards, or the running worker processes keep the old settings.
Two cautions: the lookup account only needs read access to the directory, so use a dedicated account with no other rights, and remember that a password typed on the stsadm command line ends up in the console history and in any script you paste it into, so run these commands interactively and clear the history rather than keeping them in a file.
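The stsadm steps above configure one web application at a time and put the password on the command line. The script below is an added example (not from the original post) that does the same job through the SharePoint 2010 object model: it prompts for the lookup account so the password stays a SecureString, writes the forest/domain list into every web application in the farm, and reads the settings back without the password for verification. It assumes a SharePoint 2010 Management Shell run as a farm administrator, that stsadm -o setapppassword has already been run on every server, and that YourDomain.com and forest.corporate.com are placeholder names.

```powershell
# Added example, not part of the original post. Configures
# peoplepicker-searchadforests for every web application via the object model.
# Assumed: SharePoint 2010 Management Shell, farm administrator, the
# setapppassword key already set on each server; domain names are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Prompt for the lookup account. The password stays a SecureString and never
# lands in the shell history or in this script file.
$lookupCred = $Host.UI.PromptForCredential(
    "People picker lookup account",
    "Account used for cross-domain/forest lookups (read-only rights are enough)",
    "", "")

# One entry per trusted domain or forest; IsForest selects forest: vs domain:.
$targets = @(
    @{ Name = "YourDomain.com";        IsForest = $false },
    @{ Name = "forest.corporate.com";  IsForest = $true  }
)

function Set-PeoplePickerSearchTargets {
    param(
        [Parameter(Mandatory=$true)] [Microsoft.SharePoint.Administration.SPWebApplication] $WebApp,
        [Parameter(Mandatory=$true)] [array] $Targets,
        [Parameter(Mandatory=$true)] [System.Management.Automation.PSCredential] $Credential
    )
    $domains = $WebApp.PeoplePickerSettings.SearchActiveDirectoryDomains
    $domains.Clear()                      # replace, rather than append to, the list
    foreach ($t in $Targets) {
        $entry = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
        $entry.DomainName = $t.Name
        $entry.IsForest   = $t.IsForest
        $entry.LoginName  = $Credential.UserName
        $entry.SetPassword($Credential.Password)   # SecureString; stored encrypted with the setapppassword key
        $domains.Add($entry)
    }
    $WebApp.Update()                      # persists to the configuration database
}

function Get-PeoplePickerSearchTargets {
    param([Parameter(Mandatory=$true)] [Microsoft.SharePoint.Administration.SPWebApplication] $WebApp)
    # The password is write-only on the object; only name, scope and login are readable.
    $WebApp.PeoplePickerSettings.SearchActiveDirectoryDomains |
        Select-Object DomainName, IsForest, LoginName
}

# Get-SPWebApplication without -IncludeCentralAdministration returns the content web apps only.
foreach ($wa in Get-SPWebApplication) {
    Set-PeoplePickerSearchTargets -WebApp $wa -Targets $targets -Credential $lookupCred
    "{0}:" -f $wa.Url
    Get-PeoplePickerSearchTargets -WebApp $wa | Format-Table -AutoSize
}
# Finish with: iisreset /noforce   (on every WFE)
```

Because the settings live in the configuration database, the script only has to run once per farm; what must still happen on every server is the setapppassword step, since that key is stored locally and is what lets each WFE decrypt the lookup password.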

More Info:
MOSS 2007: http://technet.microsoft.com/en-us/library/cc263318%28office.12%29.aspx
SharePoint 2010: http://technet.microsoft.com/en-us/library/gg602066.aspx#section4
SharePoint 2010: http://technet.microsoft.com/en-us/library/gg602075.aspx
Cross-forest people picker (Joel Oleson): http://blogs.msdn.com/b/joelo/archive/2007/01/18/multi-forest-cross-forest-people-picker-peoplepicker-searchadcustomquery.aspx


Limit the People Picker in SharePoint 2010 to a Specific OU or Domain
Say there are two site collections, Sales and Legal. Active Directory is set up to store Sales department users in the Sales organizational unit and Legal department users in the Legal organizational unit. The requirement is to prevent Sales users from adding site, library or item permissions for Legal users, and vice versa.

So here is the solution. Run the following PowerShell commands (one per site collection) to scope each site collection's people picker to its OU:
Set-SPSite -Identity http://portal/sites/sales -UserAccountDirectoryPath "OU=sales,OU=SharePoint,DC=MYCOMPANY,DC=com"
Set-SPSite -Identity http://portal.contoso.com/sites/legal -UserAccountDirectoryPath "OU=Legal,OU=SharePoint,DC=MYCOMPANY,DC=com"
Note that this only limits which accounts the people picker resolves for that site collection. It does not revoke access that was granted earlier, and a user outside the OU who is a member of a permitted AD group still gets in through the group.

Here is a related post: http://sharepointserver-2007.blogspot.com/2008/10/limiting-sharepoint-people-picker.html
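Set-SPSite accepts any string as the directory path, so a mistyped distinguished name is stored without complaint and the people picker on that site simply resolves nobody. The script below is an added example (not from the original post or the linked article) that applies the OU scope to several site collections, checks that each OU exists in the directory before applying it, and reads the stored value back afterwards. It assumes a SharePoint 2010 Management Shell run as a farm administrator, that the server can reach a MYCOMPANY.com domain controller over LDAP, and that the URLs and OU names are placeholders.

```powershell
# Added example, not part of the original post. Scopes the people picker of
# each listed site collection to an OU, validating the OU first.
# Assumed: SharePoint 2010 Management Shell, farm administrator, LDAP access to
# a MYCOMPANY.com domain controller; site URLs and OU paths are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Site collection URL -> OU that its people picker may resolve users from.
$scope = @{
    "http://portal/sites/sales" = "OU=Sales,OU=SharePoint,DC=MYCOMPANY,DC=com"
    "http://portal/sites/legal" = "OU=Legal,OU=SharePoint,DC=MYCOMPANY,DC=com"
}

function Test-OrganizationalUnit {
    param([Parameter(Mandatory=$true)] [string] $DistinguishedName)
    # DirectoryEntry.Exists binds to the DN and returns $false for a missing
    # object; it throws only if the directory itself is unreachable.
    try {
        return [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$DistinguishedName")
    } catch {
        Write-Warning ("Directory lookup failed for {0}: {1}" -f $DistinguishedName, $_.Exception.Message)
        return $false
    }
}

function Set-PeoplePickerScope {
    param(
        [Parameter(Mandatory=$true)] [string] $SiteUrl,
        [Parameter(Mandatory=$true)] [string] $OuPath
    )
    if (-not (Test-OrganizationalUnit -DistinguishedName $OuPath)) {
        throw "OU '$OuPath' not found; not applying it to $SiteUrl"
    }
    Set-SPSite -Identity $SiteUrl -UserAccountDirectoryPath $OuPath
    # Read back what SharePoint actually stored for this site collection.
    return (Get-SPSite -Identity $SiteUrl).UserAccountDirectoryPath
}

foreach ($url in $scope.Keys) {
    "{0} -> {1}" -f $url, (Set-PeoplePickerScope -SiteUrl $url -OuPath $scope[$url])
}

# To lift the restriction again, store an empty path:
# Set-SPSite -Identity http://portal/sites/sales -UserAccountDirectoryPath ""
```

Run the loop again after any AD reorganisation: if an OU is renamed or moved, the stored DN keeps pointing at the old location and the picker stops resolving users without any error in the UI.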
