Limiting the People picker and profile import from AD to certain group

June 2nd, 2009 | Categories: MOSS, SharePoint, SharePoint administration

If you have a SharePoint environment that not every employee in the organization uses, you're stuck with two obstacles:

  1. How to prevent a person from being selected and/or added as a member of the site collection (because of licensing issues)
  2. How to stop MOSS from importing the entire AD domain or forest. If you're stuck with 100 users out of 1000, entering the information manually can be a pain.

The solution is to make SharePoint recognize only the domains/forests you specify, and to limit the people from those forests to certain groups.

Here's what I did. Let's say we have an AD domain called contosio.local. In this domain we've created an OU called AccessGroups, and in this OU we've created a security group called SharePoint. We want to do this for the site http://moss

1. To limit the People picker to a certain group in the AD domain
a. Limit the peoplepicker property to the specified domain only by running the following command:
stsadm -o setproperty -pn peoplepicker-searchadforests -pv "domain:contosio.local,contosioadministrator,adminPassword" -url http://moss

Note that in the example above you have to enter an account with the right to read from AD, together with its password. If you want to limit access to multiple AD domains, separate the values in -pv with a semicolon.

b. Limit the peoplepicker property to a custom LDAP filter by running the following command:
stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv "(memberOf=CN=SharePoint,OU=AccessGroups,DC=contosio,DC=local)" -url http://moss

Now you'll be able to add people only from the domain contosio.local, group SharePoint. Don't forget to add the users to the security group.

2. To limit the profile import to that same AD group (MOSS ONLY)
a. Open SharePoint Central Administration
b. Open Shared Services Administration
c. Click User Profiles and Properties
d. Click View Import Connections
e. Edit the domain connection for the domain (if you don't have one yet, you'll have to create it manually)
f. Change the default value of the field User filter from (&(objectCategory=Person)(objectClass=User)) to
(&(objectCategory=Person)(objectClass=User)(memberOf=CN=SharePoint,OU=AccessGroups,DC=contosio,DC=local))
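Both the people picker custom filter in step 1b and the profile-import user filter in step 2f are plain LDAP filters, and the easiest way to see what they let through is to evaluate them against a few directory entries before touching the farm. The following is an added example, not code from the original post or from SharePoint: a small evaluator for exactly the filter subset used here (equality assertions and AND conjunctions) run against constructed AD-style entries. The group DN is the one from the post; the user accounts (alice, bob, carol, WKS01$) and their group memberships are invented for the demonstration.

```python
"""Evaluate the post's LDAP filters against constructed AD-style entries.

Supports the filter subset used on the page: equality assertions
(attr=value) and AND conjunctions (&(...)(...)).  Entries are dicts of
attribute name -> list of values, mirroring LDAP's multi-valued attributes.
"""

GROUP_DN = "CN=SharePoint,OU=AccessGroups,DC=contosio,DC=local"

# Filters as they appear in the post (steps 1b and 2f).
PEOPLE_PICKER_FILTER = "(memberOf=%s)" % GROUP_DN
DEFAULT_USER_FILTER = "(&(objectCategory=Person)(objectClass=User))"
RESTRICTED_USER_FILTER = (
    "(&(objectCategory=Person)(objectClass=User)(memberOf=%s))" % GROUP_DN
)

# Constructed sample directory (hypothetical accounts, not from the post).
# objectCategory is written in the short form that AD accepts in filters.
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
SAMPLE_ENTRIES = [
    {"sAMAccountName": ["alice"], "objectCategory": ["Person"],
     "objectClass": USER_CLASSES,
     "memberOf": [GROUP_DN, "CN=Finance,OU=AccessGroups,DC=contosio,DC=local"]},
    {"sAMAccountName": ["bob"], "objectCategory": ["Person"],
     "objectClass": USER_CLASSES,
     "memberOf": ["CN=Warehouse,OU=AccessGroups,DC=contosio,DC=local"]},
    # carol is only in Finance.  Even if Finance were nested inside the
    # SharePoint group, memberOf lists direct memberships only, so she
    # would still be excluded by a (memberOf=...) assertion.
    {"sAMAccountName": ["carol"], "objectCategory": ["Person"],
     "objectClass": USER_CLASSES,
     "memberOf": ["CN=Finance,OU=AccessGroups,DC=contosio,DC=local"]},
    # A computer account also carries objectClass=user, which is why the
    # default import filter pins objectCategory=Person as well.
    {"sAMAccountName": ["WKS01$"], "objectCategory": ["Computer"],
     "objectClass": USER_CLASSES + ["computer"],
     "memberOf": []},
]


def parse_filter(text):
    """Parse '(attr=value)' / '(&(...)(...))' into a small tuple tree."""

    def parse(i):
        if text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        if text[i] == "&":
            i += 1
            subs = []
            while text[i] == "(":
                node, i = parse(i)
                subs.append(node)
            if text[i] != ")":
                raise ValueError("unterminated AND at offset %d" % i)
            return ("and", subs), i + 1
        end = text.index(")", i)  # assertion values on this page never contain ')'
        attr, sep, value = text[i:end].partition("=")
        if not sep or not attr:
            raise ValueError("bad assertion: %r" % text[i:end])
        return ("eq", attr, value), end + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive, as AD is)."""
    if node[0] == "and":
        return all(matches(sub, entry) for sub in node[1])
    _, attr, value = node
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return any(v.lower() == value.lower() for v in values)
    return False


def select(filter_text, entries=SAMPLE_ENTRIES):
    """Return the sorted sAMAccountNames that a filter would let through."""
    node = parse_filter(filter_text)
    return sorted(e["sAMAccountName"][0] for e in entries if matches(node, e))


if __name__ == "__main__":
    for label, flt in (("people picker", PEOPLE_PICKER_FILTER),
                       ("default import", DEFAULT_USER_FILTER),
                       ("restricted import", RESTRICTED_USER_FILTER)):
        print("%-18s %s" % (label + ":", ", ".join(select(flt))))
```

Running it shows the default import filter admitting alice, bob and carol (but not the computer account), while both the people picker filter and the restricted import filter admit only alice. The carol case is the caveat to keep in mind when you populate the SharePoint group: memberOf matches direct membership only, so members of groups nested inside SharePoint are not picked up by these filters. Active Directory has a transitive matching rule for that purpose (memberOf:1.2.840.113556.1.4.1941:=), but whether the two SharePoint settings pass such a filter through to AD unchanged is something to verify in your own environment rather than assume. For the read account in step 1a, use a dedicated account with read-only directory rights, since its password is typed on the command line.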

This way you now control from AD who can access SharePoint and whose profiles get imported.