Apply Filters to People Picker in SharePoint – E.g. Don’t show User Accounts with No E-mail.

Business Problem:

Many users have more than one account/admin account in multiple domains. The problem is that when end users select approvers from People Pickers in various workflows, they pick user accounts that have no e-mail address. The workflows cannot get an e-mail address for the selected users, so they fail.


What’s the Solution:

Let’s instruct the People Picker, “O.K., People Picker, Don’t show me accounts without an E-Mail associated!”

How to filter the People Picker in SharePoint?

Set the appropriate People Picker custom property by running the STSADM commands below. Let’s say you want only people from the “Sales” or “IT” department to appear in the People Picker. Apply the filter with STSADM:

stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv "(|(department=Sales)(department=IT))" -url <web-application-URL or Site collection URL>

To Filter-out accounts without E-mails:

stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv "(|(mail=*)(objectcategory=group))" -url <web-application-URL or Site collection URL>

Here, I’ve added (objectcategory=group) with an OR condition since security groups don’t usually have emails.

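Get rid of disabled accounts and get users from only a particular forest/domain. The userAccountControl clause is a bitwise-AND match (matching rule 1.2.840.113556.1.4.803) against the value 2, the flag Active Directory sets on disabled accounts, and the ! negates it: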

stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv "(&(userPrincipalName=*crescent.org)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" -url <web-app-url or Site-collection-URL>

Combine all three: filter out accounts without e-mails, filter out disabled accounts, and get accounts only from a particular domain:

stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv "(|(&(mail=*)(userPrincipalName=*crescent.org)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(objectcategory=group))" -url <web-application-URL or Site collection URL>
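A filter string is easy to get wrong (unbalanced parentheses, a ! that is not followed by a parenthesised filter), so it is worth checking its structure before passing it to -pv. The following is an added example, not part of the original post: Read-Filter and Test-LdapFilter are hypothetical helper names, the check covers only the filter shapes used on this page, and the two malformed samples are constructed.

```powershell
# Added example: structural check of an LDAP filter string before it is used with
# "stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv ...".
# Simplified from the RFC 4515 grammar; it does not contact Active Directory.
function Read-Filter {
    param([string]$Text, [int]$Pos)
    # Returns the index just past one complete "(...)" filter, or -1 if malformed.
    if ($Pos -ge $Text.Length -or $Text[$Pos] -ne '(') { return -1 }
    $Pos++
    if ($Pos -ge $Text.Length) { return -1 }
    $c = [string]$Text[$Pos]
    if ($c -eq '&' -or $c -eq '|') {
        # AND / OR: one or more parenthesised sub-filters
        $Pos++
        $count = 0
        while ($Pos -lt $Text.Length -and $Text[$Pos] -eq '(') {
            $Pos = Read-Filter -Text $Text -Pos $Pos
            if ($Pos -lt 0) { return -1 }
            $count++
        }
        if ($count -eq 0) { return -1 }
    }
    elseif ($c -eq '!') {
        # NOT: must be followed by exactly one parenthesised sub-filter
        $Pos = Read-Filter -Text $Text -Pos ($Pos + 1)
        if ($Pos -lt 0) { return -1 }
    }
    else {
        # Simple item: attribute[:matching-rule-OID:]operator value, no bare parentheses
        $close = $Text.IndexOf(')', $Pos)
        if ($close -lt 0) { return -1 }
        $item = $Text.Substring($Pos, $close - $Pos)
        if ($item -notmatch '^[A-Za-z][A-Za-z0-9;-]*(:[0-9.]+:)?(=|~=|>=|<=)[^()]*$') { return -1 }
        $Pos = $close
    }
    if ($Pos -ge $Text.Length -or $Text[$Pos] -ne ')') { return -1 }
    return $Pos + 1
}

function Test-LdapFilter {
    param([string]$Filter)
    $f = $Filter.Trim()
    return ($f.Length -gt 0) -and ((Read-Filter -Text $f -Pos 0) -eq $f.Length)
}

$samples = @(
    '(|(mail=*)(objectcategory=group))',   # from this page
    '(|(&(mail=*)(userPrincipalName=*crescent.org)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(objectcategory=group))',   # from this page
    '(!mail=*)',                           # constructed: ! without an inner (...)
    '(&(mail=*)(objectcategory=group)'     # constructed: missing closing parenthesis
)
foreach ($s in $samples) { '{0,-5} {1}' -f (Test-LdapFilter $s), $s }
```

The two filters from this page pass; the two constructed samples are rejected.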

Restrict People Picker on a Site Collection within a specific OU in Active Directory:

Need users ONLY from an OU/Domain for a site collection?

SharePoint 2010 / 2007 people picker filter domain:

stsadm -o setsiteuseraccountdirectorypath -path "CN=Sales,DC=ME,DC=CRESCENT, DC=org" -url https://company.intranet.com/sites/sales

PowerShell equivalent of the above: 

Set-SPSite -Identity "https://intranet.crescent.com" -UserAccountDirectoryPath "CN=Sales,DC=Crescent,DC=com"

Clear People Picker Filters (Undo)

stsadm -o setsiteuseraccountdirectorypath -path "" -url https://company.intranet.com/sites/sales

PowerShell:

Set-SPSite -Identity "https://intranet.crescent.com" -UserAccountDirectoryPath ""

Get the current filters applied:

stsadm -o getproperty -url <web-application-URL or Site collection URL> -pn peoplepicker-searchadcustomfilter  

Clear any existing properties applied:

stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv " " -url <web-application-URL>

stsadm -o setproperty -pn peoplepicker-searchadcustomquery -pv " " -url <web-application-URL>

Last but not least:

Remember: People Picker gets its data both from Active Directory and from the “User Information List” of the site collection. So make sure you are cleaning up both! The above People Picker search filters apply to both SharePoint 2010 and SharePoint 2007.

PowerShell to Get-Set People Picker Settings:

You can use PowerShell too:

$webApp = Get-SPWebApplication 'Web-App-Name or URL'
$webApp.PeoplePickerSettings

E.g. Let’s set a custom filter in People Picker using PowerShell:

$WebApp = Get-SPWebApplication https://web-App-Url
$WebApp.PeoplePickerSettings.ActiveDirectoryCustomQuery = "(|(mail=*)(objectcategory=group))"
$WebApp.Update()

Exclude a Particular User Account or AD Group from People Picker:

$WebApp = Get-SPWebApplication https://intranet.crescent.com
$WebApp.PeoplePickerSettings.ActiveDirectoryCustomQuery ="(!(sAMAccountName=All_Staff))"
$WebApp.Update()

Technet Reference: https://learn.microsoft.com/en-us/previous-versions/office/sharepoint-2007-products-and-technologies/cc263318(v=office.12)?redirectedfrom=MSDN

Salaudeen Rajack


9 thoughts on “Apply Filters to People Picker in SharePoint – E.g. Don’t show User Accounts with No E-mail.”

  • After running this command – PowerShell: Set-SPSite -Identity “https://intranet.crescent.com” -UserAccountDirectoryPath “CN=Sales,DC=Crescent,DC=com” , The check Names of People Picker is working fine as expected but the Browse option of people picker is not returning any result if searching for the same user.

  • Hello Salaudeen,

    Great article, is there any similar approach for SharePoint Online as well, where I need to restrict one site collection from accessing all AD OUs?

  • Handy post

  • I’m trying to filter out all users whose department = Terminated. This is my command, but it’s not working:

    stsadm -o setproperty -pn peoplepicker-searhadcustomfilter -pv “(!department=Terminated)” -url https://site/subsite

    not working… any ideas??

    thanks! Lieane

  • Thanks for this post, very useful.
    Have you ever noticed that the adcustomquery (not filter) is applied at the web application level? I’ve tried to bind users from an AD security group to a site collection but it applies to the entire web app.
    Do you know if this is intended?

    Thanks

    • I have tried peoplepicker-searchadcustomfilter and see that it applies for the complete Web Application. i.e., I get an error even when I try to create new site collections using Central Administration.
      I have used the below command (just testing.. will implement the correct logic) just to test how it works:
      stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv “(title=z*)” -url https://WebApplication/sites/SiteColl1

      Can you please confirm if searchadcustomfilter can be applied at the site collection level? If so, is there anything wrong with the syntax of the above statement?

  • Great post! It’s nice to have clear, concise examples all in one place. Thanks!

