Apply Filters to People Picker in SharePoint – E.g. Don’t show User Accounts with No E-mail

Business Problem:
Many users having more than one account/admin account in multiple domains. Now the problem is: when end-users select approvers from people pickers in various workflows, They select user account without E-Mail. Since the workflows are unable to get any E-Mails from the selected users, they are failing.

filter people picker in sharepoint

What’s the Solution: Lets instruct People Picker “O.K, People Picker, Don’t show me accounts which doesn’t has E-Mail associated!”

But How to filter people picker in SharePoint? Set the appropriate People Picker custom Properties by running the below STSADM commands:

Let’s say, you want only the “Sales” or “IT” department people to be in People picker. Just apply the filter to People picker with STSADM:

stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv “(|(department=Sales)(department=IT))” -url <web-application-URL or Site collection URL>

To Filter-out accounts without E-mails:
stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv “(|(mail=*)(objectcategory=group))” -url <web-application-URL or Site collection URL>

Here, I’ve added (objectcategory=group) with OR condition, since security groups wont be having E-Mails usually.

Get rid of Disabled accounts and get users from only a particular Forest/Domain?

stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv “(&(userPrincipalName=*crescent.org)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))” -url <web-app-url or Site-collection-URL>

Filter-out accounts without E-mails, Disabled Accounts and Get Accounts only from a Particular Domain further:

stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv “(|(&(mail=*)(userPrincipalName=*crescent.org)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(objectcategory=group))” -url <web-application-URL or Site collection URL>

Restrict People Picker on a Site Collection within a specific OU in Active Directory:

SharePoint 2010 / 2007 people picker filter domain:

Need users ONLY from a OU/Domain for a site collection?
stsadm -o setsiteuseraccountdirectorypath -path “CN=Sales,DC=ME,DC=CRESCENT, DC=org” -url http://company.intranet.com/sites/sales

PowerShell:  Set-SPSite -Identity “http://intranet.crescent.com” -UserAccountDirectoryPath “CN=Sales,DC=Crescent,DC=com”

Clear People Picker Filters (Undo)

stsadm -o setsiteuseraccountdirectorypath -path “” -url http://company.intranet.com/sites/sales

PowerShell: Set-SPSite -Identity “http://intranet.crescent.com” -UserAccountDirectoryPath “”

Get the current filters applied:

stsadm -o getproperty -url <web-application-URL or Site collection URL> -pn peoplepicker-searchadcustomfilter  

Important:
Clear any existing properties applied. E.g:

  • stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv ” ” -url <web-application-URL>
  • stsadm -o setproperty -pn peoplepicker-searchadcustomquery -pv ” ” -url <web-application-URL>

Last but not least:

Remember: People picker gets its data both from the Active Directory and from the “User Information List” of the site collection. So make sure you are cleaning up both! Above people picker search filters apply to both SharePoint 2010 and SharePoint 2007.

PowerShell to Get-Set People Picker Settings:
You can use PowerShell too:

$webApp = Get-SPWebApplication 'Web-App-Name or URL'
$webApp.PeoplePickerSettings

E.g. Let’s set custom filter in People Picker using PowerShell:

$WebApp = Get-SPWebApplication http://web-App-Url
$WebApp.PeoplePickerSettings.ActiveDirectoryCustomQuery = "(|(mail=*)(objectcategory=group))"
$WebApp.Update()

Exclude a Particular User Account or AD Group from People Picker:

$WebApp = Get-SPWebApplication http://intranet.crescent.com
$WebApp.PeoplePickerSettings.ActiveDirectoryCustomQuery ="(!(sAMAccountName=All_Staff))"
$WebApp.Update()

Technet Reference: http://technet.microsoft.com/en-us/library/cc263318%28v=office.12%29.aspx
Learn the LDAP Query basics: http://technet.microsoft.com/en-us/library/aa996205%28EXCHG.65%29.aspx

Salaudeen Rajack

Salaudeen Rajack is a SharePoint Architect with Two decades of SharePoint Experience. He loves sharing his knowledge and experiences with the SharePoint community, through his real-world articles!

8 thoughts on “Apply Filters to People Picker in SharePoint – E.g. Don’t show User Accounts with No E-mail

  • October 14, 2020 at 3:01 PM

    Hello Salaudeen,

    Great article, is there any similar approach for SharePoint Online as well where i need to restrict one site collection for accessing all AD OU’s

    Reply
  • January 25, 2019 at 5:33 AM

    Handy post

    Reply
  • March 16, 2016 at 4:05 PM

    i’m trying to filter out all users who’s department = Terminated this is my command but not working:

    stsadm -o setproperty -pn peoplepicker-searhadcustomfilter -pv “(!department=Terminated)” -url http://site/subsite

    not working… any ideas??

    thanks! Lieane

    Reply
  • October 17, 2015 at 8:56 AM

    Thanks for this post, very useful.
    Have you ever noticed that the adcustomquery (not filter) is applied at the web application level. I’ve tried to bind users from a AD security group to a site collection but it applies to he entire web app.
    Do you know if this is intended?

    Thanks

    Reply
    • January 5, 2016 at 11:41 AM

      I have tried peoplepicker-searchadcustomfilter and see that it applies for the complete Web Application. i.e., I get an error even when I try to create new site collections using Central Administration.
      I have used the below command (just testing.. will implement the correct logic) just to test how it works:
      stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv “(title=z*)” -url http://WebApplication/sites/SiteColl1

      Can you please confirm if searchadcustomfilter can be applied at the site collection level ? If so, is there anything wrong with the syntax of the above statement.

      Reply
  • August 1, 2012 at 9:51 PM

    Great post! It’s nice to have clear, concise examples all in one place. Thanks!

    Reply

Leave a Reply