Apply Filters to People Picker in SharePoint – E.g. Don’t show User Accounts with No E-mail

Business Problem:
Many users have more than one account (for example, an admin account) in multiple domains. The problem: when end users select approvers from people pickers in various workflows, they select a user account without an e-mail address. Since the workflows cannot get an e-mail address for the selected users, they fail.


What’s the solution? Let’s instruct People Picker: “O.K., People Picker, don’t show me accounts that don’t have an e-mail address associated!”

But how do you filter the people picker in SharePoint? Set the appropriate People Picker custom properties by running the STSADM commands below:

Let’s say, you want only the “Sales” or “IT” department people to be in People picker. Just apply the filter to People picker with STSADM:

stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv "(|(department=Sales)(department=IT))" -url <web-application-URL or Site collection URL>

To filter out accounts without e-mail addresses:
stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv "(|(mail=*)(objectcategory=group))" -url <web-application-URL or Site collection URL>

Here, I’ve added (objectcategory=group) with an OR condition, since security groups usually won’t have e-mail addresses.

Get rid of Disabled accounts and get users from only a particular Forest/Domain?

stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv "(&(userPrincipalName=*crescent.org)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" -url <web-app-url or Site-collection-URL>

Filter out accounts without e-mail addresses and disabled accounts, and get accounts only from a particular domain:

stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv "(|(&(mail=*)(userPrincipalName=*crescent.org)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(objectcategory=group))" -url <web-application-URL or Site collection URL>
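To preview what these filters would leave visible before applying one to a web application, the following added example (Python, not from the original post) parses and evaluates the filter subset used above: &, |, !, presence, * wildcards and the bitwise-AND matching rule. The function names, the sample accounts and the simplified objectcategory values are constructed assumptions.

```python
import re
BIT_AND = "1.2.840.113556.1.4.803"  # AD bitwise-AND matching rule from the filters above

def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, index after it)."""
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    if f[i + 1:i + 2] in ("&", "|", "!"):
        op, kids, i = f[i + 1], [], i + 2
        while f[i:i + 1] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"'{op}' needs parenthesised operand(s) before offset {i}")
        node = (op, kids)
    else:
        end = f.find(")", i)
        attr, eq, value = f[i + 1:max(end, i + 1)].partition("=")
        if not eq or not attr or "(" in value:
            raise ValueError(f"malformed comparison at offset {i}")
        node, i = ("=", attr.lower(), value), end
    if f[i:i + 1] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict with lower-case keys)."""
    if node[0] != "=":
        r = [matches(k, entry) for k in node[1]]
        return {"&": all(r), "|": any(r), "!": not r[0]}[node[0]]
    name, _, rule = node[1].partition(":")
    have = entry.get(name)                # None: attribute absent, never matches
    if have is not None and rule.rstrip(":") == BIT_AND:
        return (int(have) & int(node[2])) == int(node[2])  # all bits must be set
    pattern = ".*".join(re.escape(p) for p in node[2].lower().split("*"))
    return have is not None and re.fullmatch(pattern, str(have).lower()) is not None

def visible(filter_text, entries):  # names let through; ValueError if malformed
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("unexpected text after the filter")
    return [e["samaccountname"] for e in entries if matches(node, e)]

SAMPLE = [  # constructed entries; objectcategory simplified to its short name
    {"samaccountname": "jdoe", "mail": "jdoe@crescent.org", "userprincipalname": "jdoe@crescent.org", "useraccountcontrol": 512, "objectcategory": "person"},
    {"samaccountname": "adm-jdoe", "userprincipalname": "adm-jdoe@crescent.org", "useraccountcontrol": 512, "objectcategory": "person"},
    {"samaccountname": "old.user", "mail": "old.user@crescent.org", "userprincipalname": "old.user@crescent.org", "useraccountcontrol": 514, "objectcategory": "person"},
    {"samaccountname": "partner1", "mail": "p1@partner.example", "userprincipalname": "partner1@partner.example", "useraccountcontrol": 512, "objectcategory": "person"},
    {"samaccountname": "Approvers", "objectcategory": "group"},
]
```

Calling visible() with the combined filter above and SAMPLE returns only jdoe and Approvers: the mail-less admin account, the disabled account (userAccountControl 514) and the account from the other domain are dropped. A filter such as (!department=Terminated) raises ValueError, because the operand of ! must itself be parenthesised.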

Restrict People Picker on a Site Collection within a specific OU in Active Directory:

SharePoint 2010 / 2007 people picker filter domain:

Need users ONLY from an OU/Domain for a site collection?
stsadm -o setsiteuseraccountdirectorypath -path "CN=Sales,DC=ME,DC=CRESCENT,DC=org" -url https://company.intranet.com/sites/sales

PowerShell: Set-SPSite -Identity "https://intranet.crescent.com" -UserAccountDirectoryPath "CN=Sales,DC=Crescent,DC=com"

Clear People Picker Filters (Undo)

stsadm -o setsiteuseraccountdirectorypath -path "" -url https://company.intranet.com/sites/sales

PowerShell: Set-SPSite -Identity "https://intranet.crescent.com" -UserAccountDirectoryPath ""

Get the current filters applied:

stsadm -o getproperty -url <web-application-URL or Site collection URL> -pn peoplepicker-searchadcustomfilter  

Important:
Clear any existing properties applied. E.g:

  • stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv " " -url <web-application-URL>
  • stsadm -o setproperty -pn peoplepicker-searchadcustomquery -pv " " -url <web-application-URL>

Last but not least:

Remember: People Picker gets its data both from Active Directory and from the “User Information List” of the site collection. So make sure you are cleaning up both! The above people picker search filters apply to both SharePoint 2010 and SharePoint 2007.

PowerShell to Get-Set People Picker Settings:
You can use PowerShell too:

$webApp = Get-SPWebApplication 'Web-App-Name or URL'
$webApp.PeoplePickerSettings

E.g. Let’s set a custom filter in People Picker using PowerShell:

$WebApp = Get-SPWebApplication https://web-App-Url
$WebApp.PeoplePickerSettings.ActiveDirectoryCustomQuery = "(|(mail=*)(objectcategory=group))"
$WebApp.Update()

Exclude a Particular User Account or AD Group from People Picker:

$WebApp = Get-SPWebApplication https://intranet.crescent.com
$WebApp.PeoplePickerSettings.ActiveDirectoryCustomQuery = "(!(sAMAccountName=All_Staff))"
$WebApp.Update()

Technet Reference: https://technet.microsoft.com/en-us/library/cc263318%28v=office.12%29.aspx
Learn the LDAP Query basics: https://technet.microsoft.com/en-us/library/aa996205%28EXCHG.65%29.aspx

Salaudeen Rajack


9 thoughts on “Apply Filters to People Picker in SharePoint – E.g. Don’t show User Accounts with No E-mail”

  • After running this command – PowerShell: Set-SPSite -Identity “https://intranet.crescent.com” -UserAccountDirectoryPath “CN=Sales,DC=Crescent,DC=com” , The check Names of People Picker is working fine as expected but the Browse option of people picker is not returning any result if searching for the same user.

  • Hello Salaudeen,

    Great article, is there any similar approach for SharePoint Online as well where I need to restrict one site collection for accessing all AD OUs

  • Handy post

  • I’m trying to filter out all users whose department = Terminated. This is my command, but it is not working:

    stsadm -o setproperty -pn peoplepicker-searhadcustomfilter -pv “(!department=Terminated)” -url https://site/subsite

    not working… any ideas??

    thanks! Lieane

  • Thanks for this post, very useful.
    Have you ever noticed that the adcustomquery (not filter) is applied at the web application level? I’ve tried to bind users from an AD security group to a site collection but it applies to the entire web app.
    Do you know if this is intended?

    Thanks

    • I have tried peoplepicker-searchadcustomfilter and see that it applies for the complete Web Application. i.e., I get an error even when I try to create new site collections using Central Administration.
      I have used the below command (just testing.. will implement the correct logic) just to test how it works:
      stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv “(title=z*)” -url https://WebApplication/sites/SiteColl1

      Can you please confirm if searchadcustomfilter can be applied at the site collection level? If so, is there anything wrong with the syntax of the above statement?

  • Great post! It’s nice to have clear, concise examples all in one place. Thanks!
