Configure People Picker for Multi-Domains (or Cross Domains), Forests Environments in SharePoint

By default, the people picker issues queries to all two-way trusted domains and two-way trusted forests to search for people and groups. It uses the application pool account to search the target domains and forests.

Configure People Picker for Multi-Domains, Multi Forest

If the application pool account does not have permission on the target domains or forests, or if you want to use a different account to search them, follow the steps below:

If the AD domain has a one-way trust, you need to specify a username and password. Execute the following command on every server in the farm:
stsadm -o setapppassword -password <Password>
Ensure you use the same password on each server you execute this command on!

On every WFE in the farm, execute the following command to instruct the people picker to use the correct AD domain:
stsadm -o setproperty -pn peoplepicker-searchadforests -pv domain:YourDomain.com,domain\user,password -url <web-app-url>
You need to run this for each web application; if you do not run it on the WFE, you will see a "callback error" in the people picker.

Note: you can specify multiple domains to look up as well; enclose the domain names in quotation marks and separate them with a semicolon (-pv "YourDomain1.com;YourDomain2.com",domain\username,password).

If the AD domain has a two-way trust, you do not need to run the stsadm -o setapppassword command; just execute this one:
stsadm -o setproperty -pn peoplepicker-searchadforests -pv domain:YourDomain.com,domain\user,password -url <web-app-url>
You need to run this for each web application; if you do not run it on the WFE, you will see a "callback error" in the people picker.

If you need to reset the people picker back to the default behaviour, execute this command with an empty property value:
stsadm -o setproperty -pn peoplepicker-searchadforests -pv "" -url <web-app-url>
You need to run this for each web application; if you do not run it on the WFE, you will see a "callback error" in the people picker.

In the case of cross-forest searches, use a forest: entry with the forest's DNS name (a domain: entry takes the domain's DNS name):
stsadm.exe -o setproperty -url <web-app-url> -pn peoplepicker-searchadforests -pv "forest:forest.corporate.com;domain:na.corporate.com",LoginName,Password
Don't forget to run an IISReset afterwards!
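The same configuration can be applied from the SharePoint Management Shell instead of stsadm, which keeps the search account's password out of the command line and shell history. This is an added example, not code from the original post; it assumes the SharePoint 2010/2013 server object model (the web application's PeoplePickerSettings.SearchActiveDirectoryDomains collection and the SPPeoplePickerSearchActiveDirectoryDomain type), and the URL and account names are hypothetical.

```powershell
# Added example (not from the original post): register an extra domain or forest
# for the People Picker of one web application via the server object model.
# Assumes the SharePoint 2010/2013 Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Add-PeoplePickerSearchDomain {
    param(
        [Parameter(Mandatory=$true)] [string] $WebAppUrl,   # e.g. http://portal.contoso.com
        [Parameter(Mandatory=$true)] [string] $DnsName,     # DNS name of the domain or forest
        [Parameter(Mandatory=$true)] [string] $LoginName,   # DOMAIN\user with read-only AD access
        [switch] $IsForest                                   # search the whole forest, not one domain
    )
    $wa = Get-SPWebApplication -Identity $WebAppUrl
    if ($null -eq $wa) { throw "Web application $WebAppUrl not found" }

    $entry = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
    $entry.DomainName = $DnsName
    $entry.IsForest   = [bool]$IsForest
    $entry.LoginName  = $LoginName
    # SetPassword takes a SecureString; prompting for it keeps the password out of
    # the command line (where stsadm -pv would expose it) and out of the history.
    $entry.SetPassword((Read-Host -Prompt "Password for $LoginName" -AsSecureString))

    $wa.PeoplePickerSettings.SearchActiveDirectoryDomains.Add($entry)
    $wa.Update()
}

# Equivalent of the reset step: remove every custom domain/forest entry again.
function Reset-PeoplePickerSearchDomains {
    param([Parameter(Mandatory=$true)] [string] $WebAppUrl)
    $wa = Get-SPWebApplication -Identity $WebAppUrl
    $wa.PeoplePickerSettings.SearchActiveDirectoryDomains.Clear()
    $wa.Update()
}

# Usage (hypothetical names). For a one-way trust, "stsadm -o setapppassword" must
# already have been run with the same password on every server in the farm.
Add-PeoplePickerSearchDomain -WebAppUrl "http://portal.contoso.com" -DnsName "na.corporate.com" -LoginName "CORP\svc-peoplepicker"
Add-PeoplePickerSearchDomain -WebAppUrl "http://portal.contoso.com" -DnsName "forest.corporate.com" -LoginName "CORP\svc-peoplepicker" -IsForest
```

Run it once per web application and follow it with an IISReset, exactly as for the stsadm variant; the account used should have only the read access needed to query the target directory.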

More Info:
MOSS 2007: http://technet.microsoft.com/en-us/library/cc263318%28office.12%29.aspx
SharePoint 2010: http://technet.microsoft.com/en-us/library/gg602066.aspx#section4
http://technet.microsoft.com/en-us/library/gg602075.aspx

Limit the People Picker in SharePoint 2010 to a Specific OU or Domain
Say there are two site collections: Sales and Legal. Active Directory is set up to store Sales department users in the Sales organizational unit and Legal department users in the Legal organizational unit. The requirement is to prevent Sales users from granting site, library or item permissions to Legal users, and vice versa.

So here is the solution: run the following PowerShell commands.
Set-SPSite -Identity http://portal/sites/sales -UserAccountDirectoryPath "OU=sales,OU=SharePoint,DC=MYCOMPANY,DC=com"
Set-SPSite -Identity http://portal.contoso.com/sites/legal -UserAccountDirectoryPath "OU=Legal,OU=SharePoint,DC=MYCOMPANY,DC=com"

Here is a related post: Apply filter to SharePoint People Picker

Salaudeen Rajack

Salaudeen Rajack is a SharePoint Architect with two decades of SharePoint experience. He loves sharing his knowledge and experiences with the SharePoint community through his real-world articles!

One thought on "Configure People Picker for Multi-Domains (or Cross Domains), Forests Environments in SharePoint"

  • August 6, 2021 at 10:01 PM

    Thanks man, very grateful. It helped me a lot.

    I post in this forum.

    https://docs.microsoft.com/en-us/answers/questions/503278/sharepoint-foundation-2013-multi-tenancy-deploymen.html
