Apply Filters to People Picker in SharePoint - E.g. Don't show User Accounts with No E-mail

Business Problem:
Many users have more than one account (such as an admin account) in multiple domains. The problem: when end users select approvers from People Pickers in various workflows, they select user accounts without an e-mail address. Since the workflows cannot get an e-mail address from the selected users, they fail.

What's the solution: Let's instruct People Picker: "O.K., People Picker, don't show me accounts which don't have an e-mail associated!"

But how do you filter People Picker in SharePoint? Set the appropriate People Picker custom properties by running the STSADM commands below:

Let's say you want only the "Sales" or "IT" department people to appear in People Picker. Just apply the filter to People Picker with STSADM:

stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv "(|(department=Sales)(department=IT))" -url <web-application-URL or Site collection URL>

To Filter-out accounts without E-mails:
stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv "(|(mail=*)(objectcategory=group))" -url <web-application-URL or Site collection URL>

Here, I've added (objectcategory=group) with an OR condition, since security groups usually won't have e-mails.
  • Get rid of disabled accounts and get users from only a particular Forest/Domain?
stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv "(&(userPrincipalName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" -url <web-app-url or Site-collection-URL>

  • Filter out accounts without e-mails and disabled accounts, and further get accounts only from a particular domain:
stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv "(|(&(mail=*)(userPrincipalName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(objectcategory=group))" -url <web-application-URL or Site collection URL>
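
Nested filters like these are easy to get wrong: every AND, OR and NOT clause, and every simple item, needs its own pair of parentheses. The following is an added example, not code from the original post, that checks this structure before a filter is passed to -pv; Read-LdapComponent and Test-LdapFilter are hypothetical helper names, it covers only the filter forms used on this page, and the sample filters are modelled on those forms.

```powershell
# Added example; Read-LdapComponent and Test-LdapFilter are hypothetical helper names.
function Read-LdapComponent {
    param([string]$Text, [ref]$Pos)
    # Every component is wrapped in "(" ... ")"
    if ($Pos.Value -ge $Text.Length -or $Text[$Pos.Value] -ne '(') { return $false }
    $Pos.Value += 1
    if ($Pos.Value -ge $Text.Length) { return $false }
    $c = $Text[$Pos.Value]
    if ($c -eq '&' -or $c -eq '|') {
        # AND / OR: one or more nested components
        $Pos.Value += 1
        $count = 0
        while ($Pos.Value -lt $Text.Length -and $Text[$Pos.Value] -eq '(') {
            if (-not (Read-LdapComponent $Text $Pos)) { return $false }
            $count += 1
        }
        if ($count -eq 0) { return $false }
    }
    elseif ($c -eq '!') {
        # NOT: exactly one nested component, which needs its own parentheses
        $Pos.Value += 1
        if (-not (Read-LdapComponent $Text $Pos)) { return $false }
    }
    else {
        # Simple item: attribute, optional :matchingRuleOID:, operator, value
        $item = [regex]::Match($Text.Substring($Pos.Value),
            '^[A-Za-z][A-Za-z0-9-]*(:[0-9.]+:)?(=|~=|>=|<=)[^()]*')
        if (-not $item.Success) { return $false }
        $Pos.Value += $item.Length
    }
    if ($Pos.Value -ge $Text.Length -or $Text[$Pos.Value] -ne ')') { return $false }
    $Pos.Value += 1
    return $true
}

function Test-LdapFilter {
    param([string]$Filter)
    $index = 0
    $ok = Read-LdapComponent $Filter ([ref]$index)
    # Valid only when a single component consumes the whole string
    return ($ok -and $index -eq $Filter.Length)
}

# Sample filters: two well-formed, two malformed (NOT without parentheses, missing ")")
$samples = '(|(mail=*)(objectcategory=group))',
    '(&(userPrincipalName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
    '(!department=Terminated)',
    '(|(mail=*)(objectcategory=group)'
foreach ($f in $samples) { '{0,-8}{1}' -f $(if (Test-LdapFilter $f) { 'OK' } else { 'INVALID' }), $f }
```

A filter that passes this check is only structurally well formed; whether it returns the intended accounts still has to be confirmed against the directory.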

Restrict People Picker on a Site Collection within a specific OU in Active Directory:

  • SharePoint 2010 / 2007 people picker filter domain:
Need users ONLY from an OU/Domain for a site collection?
stsadm -o setsiteuseraccountdirectorypath -path "CN=Sales,DC=ME,DC=CRESCENT, DC=org" -url <Site collection URL>

PowerShell: Set-SPSite -Identity "<Site collection URL>" -UserAccountDirectoryPath "CN=Sales,DC=Crescent,DC=com"
  • Clear People Picker Filters (Undo)
stsadm -o setsiteuseraccountdirectorypath -path "" -url <Site collection URL>

PowerShell: Set-SPSite -Identity "<Site collection URL>" -UserAccountDirectoryPath ""
  • Get the current filters applied:
stsadm -o getproperty -url <web-application-URL or Site collection URL> -pn peoplepicker-searchadcustomfilter  

Clear any existing properties applied. E.g:
  • stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv " " -url <web-application-URL>
  • stsadm -o setproperty -pn peoplepicker-searchadcustomquery -pv " " -url <web-application-URL>
Last but not least:
Remember: People picker gets its data both from Active directory and from the "User Information List" of the site collection. So make sure you are cleaning up both!

The above People Picker search filters apply to both SharePoint 2010 and SharePoint 2007.

PowerShell to get People Picker Settings:
You can use PowerShell too:
$webApp = Get-SPWebApplication 'Web-App-Name or URL'
# List the current People Picker settings of the web application
$webApp.PeoplePickerSettings
E.g. Let's set a custom filter in People Picker using PowerShell:
$WebApp = Get-SPWebApplication http://web-App-Url
$WebApp.PeoplePickerSettings.ActiveDirectoryCustomQuery = "(|(mail=*)(objectcategory=group))"
# Persist the change to the web application
$WebApp.Update()

Exclude a Particular User Account or AD Group from People Picker:

$WebApp = Get-SPWebApplication http://web-App-Url
$WebApp.PeoplePickerSettings.ActiveDirectoryCustomQuery = "(!(sAMAccountName=All_Staff))"
# Persist the change to the web application
$WebApp.Update()


  1. Great post! It's nice to have clear, concise examples all in one place. Thanks!

  2. Thanks for this post, very useful.
    Have you ever noticed that the adcustomquery (not filter) is applied at the web application level? I've tried to bind users from an AD security group to a site collection but it applies to the entire web app.
    Do you know if this is intended?


    1. Yes Frank! These settings apply at the Web Application level.

    2. I have tried peoplepicker-searchadcustomfilter and see that it applies for the complete Web Application. i.e., I get an error even when I try to create new site collections using Central Administration.
      I have used the below command (just testing.. will implement the correct logic) just to test how it works:
      stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv "(title=z*)" -url http://WebApplication/sites/SiteColl1

      Can you please confirm if searchadcustomfilter can be applied at the site collection level? If so, is there anything wrong with the syntax of the above statement?

    3. Use setsiteuseraccountdirectorypath for site collection!

  3. I'm trying to filter out all users whose department = Terminated. This is my command, but it's not working:

    stsadm -o setproperty -pn peoplepicker-searhadcustomfilter -pv "(!department=Terminated)" -url http://site/subsite

    not working... any ideas??

    thanks! Lieane

  4. Hello Salaudeen,

    Great article. Is there any similar approach for SharePoint Online as well, where I need to restrict one site collection from accessing all AD OUs?

