Apply Filters to People Picker in SharePoint – E.g. Don’t show User Accounts with No E-mail
Business Problem:
Many users have more than one account/admin account in multiple domains. Now the problem is: when end users select approvers from People Pickers in various workflows, they select a user account without an e-mail address. Since the workflows are unable to get an e-mail address from the selected users, they fail.
What’s the solution? Let’s instruct People Picker: “O.K., People Picker, don’t show me accounts which don’t have an e-mail associated!”
But How to filter people picker in SharePoint? Set the appropriate People Picker custom Properties by running the below STSADM commands:
Let’s say, you want only the “Sales” or “IT” department people to be in People picker. Just apply the filter to People picker with STSADM:
stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv "(|(department=Sales)(department=IT))" -url <web-application-URL or Site collection URL>
To Filter-out accounts without E-mails:
stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv "(|(mail=*)(objectcategory=group))" -url <web-application-URL or Site collection URL>
Here, I’ve added (objectcategory=group) with an OR condition, since security groups usually won’t have e-mail addresses.
Get rid of Disabled accounts and get users from only a particular Forest/Domain?
stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv "(&(userPrincipalName=*crescent.org)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" -url <web-app-url or Site-collection-URL>
Filter out accounts without e-mail and disabled accounts, and get accounts only from a particular domain:
stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv "(|(&(mail=*)(userPrincipalName=*crescent.org)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(objectcategory=group))" -url <web-application-URL or Site collection URL>
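Added example, not part of the original post: a Python evaluator for the LDAP filter syntax used in the commands above, applied to a constructed five-entry directory to show which accounts the combined filter leaves visible and that a malformed filter is rejected before it is applied. The sample entries, the function names and the two-valued matching are assumptions made for illustration; Active Directory itself evaluates the real filter.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"  # AD bitwise-AND matching rule (flag 2 = disabled)

def parse(f, i=0):  # returns (node, index just past the node)
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i:i + 1] in ("&", "|", "!"):
        op, kids, i = f[i], [], i + 1
        while f[i:i + 1] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if not kids or (op == "!" and len(kids) != 1) or f[i:i + 1] != ")":
            raise ValueError(f"malformed '{op}' group near offset {i}")
        return (op, kids), i + 1
    end = f.find(")", i)
    attr, sep, value = f[i:max(end, i)].partition("=")
    if end < 0 or not sep or not attr:
        raise ValueError(f"malformed item at offset {i}")
    return ("item", attr, value), end + 1

def matches(node, entry):  # two-valued logic, a simplification of LDAP's three-valued rules
    if node[0] in ("&", "|"):
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    name, _, rule = node[1].rstrip(":").partition(":")
    have, want = entry.get(name.lower()), node[2]
    if rule == BIT_AND:
        return have is not None and (int(have) & int(want)) == int(want)
    pattern = ".*".join(re.escape(part) for part in want.split("*"))
    return have is not None and not rule and bool(re.fullmatch(pattern, str(have), re.I))

def visible(ldap_filter, entries):
    node, end = parse(ldap_filter)
    if end != len(ldap_filter):
        raise ValueError("trailing characters after filter")
    return [e["cn"] for e in entries if matches(node, e)]

# Constructed sample directory: keys lowercased, objectcategory reduced to a short name.
SAMPLE = [
    {"cn": "alice", "mail": "alice@crescent.org", "userprincipalname": "alice@crescent.org", "useraccountcontrol": 512, "objectcategory": "person"},
    {"cn": "alice-admin", "userprincipalname": "alice-admin@crescent.org", "useraccountcontrol": 512, "objectcategory": "person"},
    {"cn": "bob", "mail": "bob@crescent.org", "userprincipalname": "bob@crescent.org", "useraccountcontrol": 514, "objectcategory": "person"},
    {"cn": "carol", "mail": "carol@partner.example", "userprincipalname": "carol@partner.example", "useraccountcontrol": 512, "objectcategory": "person"},
    {"cn": "Approvers", "objectcategory": "group"},
]
COMBINED = "(|(&(mail=*)(userPrincipalName=*crescent.org)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(objectcategory=group))"
```

`visible(COMBINED, SAMPLE)` keeps only the enabled, mail-enabled crescent.org user and the group; a NOT without a parenthesized operand raises `ValueError` in `parse`.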
Restrict People Picker on a Site Collection within a specific OU in Active Directory:
SharePoint 2010 / 2007 people picker filter domain:
Need users ONLY from an OU/Domain for a site collection?
stsadm -o setsiteuseraccountdirectorypath -path "CN=Sales,DC=ME,DC=CRESCENT, DC=org" -url https://company.intranet.com/sites/sales
PowerShell: Set-SPSite -Identity "https://intranet.crescent.com" -UserAccountDirectoryPath "CN=Sales,DC=Crescent,DC=com"
Clear People Picker Filters (Undo)
stsadm -o setsiteuseraccountdirectorypath -path "" -url https://company.intranet.com/sites/sales
PowerShell: Set-SPSite -Identity "https://intranet.crescent.com" -UserAccountDirectoryPath ""
Get the current filters applied:
stsadm -o getproperty -url <web-application-URL or Site collection URL> -pn peoplepicker-searchadcustomfilter
Important:
Clear any existing properties applied. E.g:
- stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv "" -url <web-application-URL>
- stsadm -o setproperty -pn peoplepicker-searchadcustomquery -pv "" -url <web-application-URL>
Last but not least:
Remember: People Picker gets its data both from Active Directory and from the “User Information List” of the site collection. So make sure you clean up both! The above People Picker search filters apply to both SharePoint 2010 and SharePoint 2007.
PowerShell to Get-Set People Picker Settings:
You can use PowerShell too:
$webApp = Get-SPWebApplication 'Web-App-Name or URL'
$webApp.PeoplePickerSettings
E.g. Let’s set a custom filter in People Picker using PowerShell:
$WebApp = Get-SPWebApplication https://web-App-Url
$WebApp.PeoplePickerSettings.ActiveDirectoryCustomQuery = "(|(mail=*)(objectcategory=group))"
$WebApp.Update()
Exclude a Particular User Account or AD Group from People Picker:
$WebApp = Get-SPWebApplication https://intranet.crescent.com
$WebApp.PeoplePickerSettings.ActiveDirectoryCustomQuery = "(!(sAMAccountName=All_Staff))"
$WebApp.Update()
Technet Reference: https://technet.microsoft.com/en-us/library/cc263318%28v=office.12%29.aspx
Learn the LDAP Query basics: https://technet.microsoft.com/en-us/library/aa996205%28EXCHG.65%29.aspx
Hello Salaudeen,
Great article, is there any similar approach for SharePoint Online as well where I need to restrict one site collection for accessing all AD OUs?
Handy post
I’m trying to filter out all users whose department = Terminated; this is my command but it’s not working:
stsadm -o setproperty -pn peoplepicker-searhadcustomfilter -pv "(!department=Terminated)" -url https://site/subsite
not working… any ideas??
thanks! Lieane
Thanks for this post, very useful.
Have you ever noticed that the adcustomquery (not filter) is applied at the web application level? I’ve tried to bind users from an AD security group to a site collection but it applies to the entire web app.
Do you know if this is intended?
Thanks
Yes Frank! These settings apply to Web Application level.
I have tried peoplepicker-searchadcustomfilter and see that it applies for the complete Web Application. i.e., I get an error even when I try to create new site collections using Central Administration.
I have used the below command (just testing.. will implement the correct logic) just to test how it works:
stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv "(title=z*)" -url https://WebApplication/sites/SiteColl1
Can you please confirm if searchadcustomfilter can be applied at the site collection level? If so, is there anything wrong with the syntax of the above statement?
Use setsiteuseraccountdirectorypath for site collection!
Great post! It’s nice to have clear, concise examples all in one place. Thanks!