My challenge with the People Picker

Okay, there are plenty of blogs about the People Picker and I have read many of them while dealing with my challenge. Let me first explain the situation and the goal.

Our intranet is accessible only to employees, but we also have some "tourists" who are authorized: hired professionals acting as interim director or manager for a while, or employees of a company that we have taken over. We also have hired professionals who are not authorized for our intranet. My challenge is to have User Profiles only for authorized users, and to have only those authorized users appear in the People Picker.


Active Directory

All our user accounts are in Active Directory. The service accounts and admin accounts are in separate OUs, while the remaining accounts of real people are in a single OU:

  • AdminAcct
  • ServiceAcct
  • UserAcct

User Profiles

I followed Spencer Harbar's Rational Guide to implementing User Profile Synchronization. It works like a charm. When setting up the AD connection I chose the OU UserAcct to synchronize with. This OU also contains the accounts of hired people who should not have access to our intranet and for whom no user profile should be created. I talked to our AD administrators, and to distinguish the right accounts I can use the property msExchHomeServerName: hired people have no Exchange mailbox, so the property does not exist on their accounts. Great!

I added a Connection Filter to the AD synchronization connection. Go to the User Profile service application, choose Configure Synchronization Connections, and pick Edit Connection Filters from the connection's dropdown menu.


The first filter excludes disabled accounts. The second filter excludes accounts that have no msExchHomeServerName property.

I now have two filters, but this screen does not tell you which operator (AND or OR) combines them. Hopefully Microsoft can do something about that. Two filters are not complex, but with a more complex set of filters it would be very convenient to see the operators.

The first part is now complete: User Profiles exist only for authorized users.

Notice: you have to run a synchronization to see results. However, once again the magic keyword here is patience. I ran a synchronization and when it finished I did not see any changes. About an hour later, while I was packing my bags, my colleague yelled: YES! THEY ARE GONE!


People Picker

The next step was to configure the People Picker. It still showed the wrong tourists, admin and service accounts, and so on. Hmmm... Not good. As it turned out, the People Picker has its own connection to Active Directory. I found this blog that explains really well how the People Picker works. (I was stunned when I read the first comment! I had totally forgotten... ahem.)

So the People Picker checks both the User Information List of the given Site Collection and Active Directory.

On the web front end server I opened a command prompt and used the following commands.

setsiteuseraccountdirectorypath makes the People Picker resolve user names by searching only the OU given in the -path parameter.

stsadm -o setsiteuseraccountdirectorypath -path "OU=UserAcct,DC=company,DC=local" -url

Next thing was to tell the People Picker how to search:

stsadm -o setproperty -pn peoplepicker-searchadcustomquery -pv "(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(msExchHomeServerName=*)(|(sn={0}*)(name={0}*)(displayName={0}*)))" -url

The value of peoplepicker-searchadcustomquery is an LDAP query that the People Picker executes over its Active Directory connection; the {0} placeholder is replaced by the text typed into the picker. Before setting this value I tested the LDAP query with an LDAP query tool. To learn more about LDAP queries, click here.
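As an added example (not from the original post, and not SharePoint's own code), the following Python script evaluates the LDAP filters discussed above against a few constructed accounts: it shows which accounts survive the intent of the two connection filters (enabled, with a mailbox) and which ones the custom People Picker query returns for a typed search term. The account names, the mailbox value and the helper names (acct, parse, matches, ldap_escape, profile_candidates, resolve) are all assumptions of this example, and the evaluator supports only the filter syntax these two queries actually use. It also escapes the search text before substituting it for {0}, which is the check to make whenever user input is spliced into an LDAP filter.

```python
"""Added example (not from the original post): a small RFC 4515 filter evaluator
for the People Picker query and the connection-filter intent, run against a
constructed AD-style directory. Supported subset: &, |, !, equality, presence
(attr=*), trailing wildcard (attr=val*) and the bitwise-AND extensible match."""
import re

# LDAP_MATCHING_RULE_BIT_AND: matches when every bit of the asserted value is set.
BIT_AND_RULE = "1.2.840.113556.1.4.803"


def acct(sam, sn, full, uac, mailbox=True):
    """Build one constructed AD-style entry (all values are invented)."""
    e = {"sAMAccountName": sam, "sn": sn, "name": full, "displayName": full,
         "objectClass": ["top", "person", "user"], "userAccountControl": uac}
    if mailbox:
        e["msExchHomeServerName"] = "/o=Example/cn=Mailbox01"  # assumed value
    return e


# userAccountControl 512 = enabled normal account, 514 = ACCOUNTDISABLE bit (2) set.
SAMPLE_ACCOUNTS = [
    acct("jsmith", "Smith", "John Smith", 512),             # employee, enabled
    acct("mjansen", "Jansen", "Maria Jansen", 512),         # employee, enabled
    acct("asmithers", "Smithers", "Anna Smithers", 514),    # disabled account
    acct("contractor1", "Smit", "Piet Smit", 512, False),   # hired, no mailbox
    acct("svc-smtp", "svc-smtp", "svc-smtp", 512, False),   # service account
]

# The query from the post; {0} is the text typed into the People Picker.
PEOPLE_PICKER_QUERY = ("(&(objectClass=user)"
                       "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
                       "(msExchHomeServerName=*)"
                       "(|(sn={0}*)(name={0}*)(displayName={0}*)))")

# Intent of the two connection filters as one filter an account must satisfy
# to get a profile (how SharePoint combines its filters is not modelled here).
PROFILE_FILTER = ("(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
                  "(msExchHomeServerName=*))")


def parse(s, i=0):
    """Parse the filter starting at s[i] == '('; return (node, index after it)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":                       # (&(f1)(f2)...) or (|(f1)(f2)...)
        op, children, i = s[i], [], i + 1
        while s[i] == "(":
            child, i = parse(s, i)
            children.append(child)
        return (op, children), i + 1       # skip the closing ')'
    if s[i] == "!":                        # (!(f))
        child, i = parse(s, i + 1)
        return ("!", child), i + 1
    end = s.index(")", i)                  # simple item: attr=value
    attr, value = s[i:end].split("=", 1)
    return ("=", attr, value), end + 1


def unescape(v):
    """Decode RFC 4515 \\xx escapes back to the literal characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)


def matches(node, entry):
    """Evaluate a parsed filter node against one directory entry (a dict)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    if ":" in attr:                        # extensible match attr:rule:=value
        attr, rule, _ = attr.split(":")
        if rule != BIT_AND_RULE:
            raise ValueError("unsupported matching rule " + rule)
        return attr in entry and (int(entry[attr]) & int(value)) == int(value)
    if attr not in entry:
        return False                       # an absent attribute never matches
    if value == "*":
        return True                        # presence test
    raw = entry[attr] if isinstance(entry[attr], list) else [entry[attr]]
    values = [str(v).lower() for v in raw]  # these AD attributes match case-insensitively
    if value.endswith("*"):
        return any(v.startswith(unescape(value[:-1]).lower()) for v in values)
    return unescape(value).lower() in values


def ldap_escape(term):
    """RFC 4515 escaping for text substituted into a filter, so a typed '*'
    or '(' cannot widen or break the query."""
    return (term.replace("\\", "\\5c").replace("*", "\\2a")
                .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))


def profile_candidates(accounts=SAMPLE_ACCOUNTS):
    """Accounts that pass the connection-filter intent and get a User Profile."""
    tree, _ = parse(PROFILE_FILTER)
    return [a["sAMAccountName"] for a in accounts if matches(tree, a)]


def resolve(search_term, accounts=SAMPLE_ACCOUNTS):
    """Accounts the custom People Picker query returns for the typed text."""
    tree, _ = parse(PEOPLE_PICKER_QUERY.replace("{0}", ldap_escape(search_term)))
    return [a["sAMAccountName"] for a in accounts if matches(tree, a)]


if __name__ == "__main__":
    print("profiles:", profile_candidates())
    for term in ("Smi", "Jan", "*"):
        print("picker %r ->" % term, resolve(term))
```

Running it shows the disabled account, the contractor without a mailbox and the service account dropping out of both results, and a typed "*" returning nothing instead of everything because the wildcard is escaped before substitution.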

At this point the result was still not correct. I was almost there, I could feel it. I tried setting peoplepicker-searchadcustomfilter as well, with different values, starting with the complete LDAP query. I finally saw the correct result with this command:

stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv "(&(msExchHomeServerName=*))" -url

One thing is still not clear to me. I had to set both properties, peoplepicker-searchadcustomquery and peoplepicker-searchadcustomfilter, to get the right result, and the filter was only a part of the custom LDAP query.

I hope this real-life example is helpful to you.