Limiting the People picker and profile import from AD to certain group

June 2nd, 2009 | Categories: MOSS, SharePoint, SharePoint administration | Tags:

If you have a SharePoint environment that not every employee in the organization uses, you’re stuck with two obstacles:

  1. How to make sure that such a person is not selected and/or added as a member of the site collection (because of licensing issues)
  2. How to stop MOSS from importing the entire AD domain or forest. If only 100 users out of 1000 need SharePoint, entering their information manually can be a pain.

The solution is to make SharePoint recognize only the domains/forests you specify, and to limit the people from those forests to certain groups.

Here’s what I did. Let’s say we have an AD domain called contosio.local. In this domain we’ve created an OU called AccessGroups, and in this OU we’ve created a security group called SharePoint. We want to do this for the site http://moss.

1. To limit the People picker to a certain group in the AD domain
a. Limit the People picker to the specified domain only by running the following command:
stsadm -o setproperty -pn "peoplepicker-searchadforests" -pv "domain:contosio.local,contosio\administrator,adminPassword" -url http://moss

Note that in the example above you have to enter an account with the right to read from AD, together with its password. If you want to allow multiple AD domains, separate the values in -pv with a semicolon.

b. Limit the People picker to a custom LDAP filter by running the following command:
stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv "(memberOf=CN=SharePoint,OU=AccessGroups,DC=contosio,DC=local)" -url http://moss

Now you’ll be able to add only people from the domain contosio.local who are members of the group SharePoint. Don’t forget to add users to the security group.

2. To limit the profile import to that same AD group (MOSS only)
a. Open SharePoint Central Administration
b. Open Shared Services Administration
c. Click User Profiles and Properties
d. Click View Import Connections
e. Edit the import connection for the domain (if you don’t have one yet, you’ll have to create it manually)
f. Change the default value of the User filter field from (&(objectCategory=Person)(objectClass=User)) to
(&(objectCategory=Person)(objectClass=User)(memberOf=CN=SharePoint,OU=AccessGroups,DC=contosio,DC=local))

This way you control from AD who can access SharePoint and whose profiles get imported.
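To see what the filters from steps 1b and 2f actually select, here is an added example (not from the original post and not SharePoint code): a small Python evaluator for the LDAP filter syntax used above, run over a constructed set of directory entries. The entries, their attribute values and the srv01$ computer object are assumptions made for the demonstration.

```python
GROUP_DN = "CN=SharePoint,OU=AccessGroups,DC=contosio,DC=local"
PEOPLE_FILTER = "(&(objectCategory=Person)(objectClass=User))"
IMPORT_FILTER = "(&(objectCategory=Person)(objectClass=User)(memberOf=%s))" % GROUP_DN

def parse_filter(s, i=0):
    """Parse the RFC 4515 subset used here (&, |, !, attr=value); returns (node, next_index)."""
    assert s[i] == "(", "filter must start with '('"
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        assert s[i] == ")", "unbalanced filter"
        return (op, kids), i + 1
    j = s.index(")", i)                 # equality match: no ')' may appear in the value
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.strip().lower(), value), j + 1

def matches(node, entry):
    """Evaluate a parsed filter against an entry (attribute name -> list of values)."""
    op = node[0]
    if op == "=":                        # AD compares attribute names and DN values case-insensitively
        return any(v.lower() == node[2].lower() for v in entry.get(node[1], []))
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    return not matches(node[1][0], entry)   # "!" has exactly one child

def select(entries, ldap_filter):
    """Return the sAMAccountName of every entry the filter keeps, in directory order."""
    tree, _ = parse_filter(ldap_filter)
    return [e["samaccountname"][0] for e in entries if matches(tree, e)]

# Constructed sample directory (attribute names lower-cased; objectCategory shortened to
# its RDN, as AD accepts it in filters). Only alice is a person in the SharePoint group.
SAMPLE_DIRECTORY = [
    {"samaccountname": ["alice"], "objectcategory": ["Person"], "objectclass": ["top", "user"],
     "memberof": [GROUP_DN, "CN=Sales,OU=Groups,DC=contosio,DC=local"]},
    {"samaccountname": ["bob"], "objectcategory": ["Person"], "objectclass": ["top", "user"],
     "memberof": ["CN=Sales,OU=Groups,DC=contosio,DC=local"]},
    {"samaccountname": ["srv01$"], "objectcategory": ["Computer"], "objectclass": ["top", "computer"],
     "memberof": [GROUP_DN]},
]

if __name__ == "__main__":
    print("default import filter keeps:", select(SAMPLE_DIRECTORY, PEOPLE_FILTER))
    print("group-limited import filter keeps:", select(SAMPLE_DIRECTORY, IMPORT_FILTER))
```

The default filter keeps both people, while the group-limited filter from step 2f keeps only alice; the bare People picker filter from step 1b, evaluated on its own, would also match the computer object that sits in the group.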

  1. peter
    July 10th, 2009 at 14:27

    does this work with WSS 3.0 too?

    • Boris Gomiunik
      August 4th, 2009 at 21:26

      Yes it should work on WSS 3.0 :)

  2. Charles Wallace
    August 24th, 2009 at 23:03

    How do you get around the ability to allow NTAUTHORITY\Authenticated Users?

  3. Alyssa
    May 10th, 2010 at 17:11

    Hi Boris,
    Instead of using a particular group in the AD, I try to use an LDAP query to get the users. Have you tried this, and if so, have you been successful?

    The query works against the AD when I run the query directly and returns the number of users/accounts that I expect. However, when I use the stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv [my ldap query] -url [http://myweb] and recycle the app pool, or iisreset, the people picker in SharePoint shows accounts that are not returned when I run the LDAP query against the AD.

    Any thoughts?

    Thanks in advance.

  4. Boby
    May 19th, 2010 at 10:15

    I try to exclude one certain OU (DeptC) from the people picker.
    stsadm -o setproperty -url http://SPServer -pn peoplepicker-searchadcustomfilter -pv "(!(OU=DeptC,OU=Dept,dc=domain,dc=com))"

    I am an LDAP newbie.
    Any thoughts? They would be appreciated very much.

  5. Boris Gomiunik
    May 20th, 2010 at 07:28

    Basically you need to handle this in the LDAP query.

  6. Saran
    June 1st, 2010 at 06:40

    Hi,
    I want to import/search computer names (available in the network) from Active Directory by configuring SharePoint Central Administration.
    Could you please check and help on this?
    Thanks.