Tuesday, May 15, 2007

People Picker not able to identify users in a forest with multiple domains - SharePoint 2007

I have been working on this issue for the past 2 days and believe me, it is very time consuming if you don't find the solution quickly. Thanks to Joel Oleson's Life blog, which talks about the same problem.

To keep it short, I will just give the problem statement and the solution that got it working.


Problem Statement:
When SharePoint Server 2007 is installed in an environment with more than one domain, the People Picker control tends to search only the domain where the portal is installed.
E.g. consider the following environment as an example:

Forest Name: test.com
First Domain: First.test.com
Second Domain: Second.test.com


In this case, if you install SharePoint Server in the domain First.test.com, the People Picker might not recognize users from Second.test.com.
So what can be done to make it work?

Solution Description:
Note: First make sure that there is at least a one-way trust between the 2 domains (First.test.com / Second.test.com), then follow the steps.

First Step:
Run stsadm.exe to set the password used to encrypt/decrypt the credentials that will be stored in the next step:

stsadm.exe -o setapppassword -password {password}
e.g. stsadm.exe -o setapppassword -password testpassword


Second Step:

Format of the command:
stsadm.exe -o setproperty -url {url} -pn "peoplepicker-searchadforests" -pv {list of forests or domains}

The format of {list of forests or domains} is a list of

forest:DnsName,LoginName,Password
or
domain:DnsName,LoginName,Password

separated by semicolons.

For our example the command looks like this (run from the 12\BIN folder; each forest or domain entry carries its own login and password inside the quoted value):

C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\BIN>stsadm.exe -o setproperty -url "http://localhost" -pn "peoplepicker-searchadforests" -pv "forest:test.com,{domainusername},{domainuserpassword};domain:First.test.com,{domainusername},{domainuserpassword};domain:Second.test.com,{domainusername},{domainuserpassword}"


Last step: an IISRESET might not be needed (I did one anyway :) ).

And you are all set; try the People Picker search and you get all the users.
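As an added example (not from the original post), a small parser and builder for the peoplepicker-searchadforests value described above, so the -pv string can be checked before it is handed to stsadm; the forest and domain names are the page's, the account names and passwords used in the test are constructed placeholders:

```python
from dataclasses import dataclass
from typing import List, Optional

# Entry kinds accepted by the peoplepicker-searchadforests property.
KINDS = ("forest", "domain")

@dataclass(frozen=True)
class SearchTarget:
    kind: str                        # "forest" or "domain"
    dns_name: str                    # e.g. test.com or First.test.com
    login: Optional[str] = None      # account that queries this forest/domain (optional)
    password: Optional[str] = None   # stored encrypted with the setapppassword key

def parse_searchadforests(value: str) -> List[SearchTarget]:
    """Parse 'forest:Dns,Login,Pwd;domain:Dns;...' and reject malformed entries."""
    targets = []
    for raw in value.split(";"):
        entry = raw.strip()
        if not entry:
            continue
        kind, sep, rest = entry.partition(":")
        kind = kind.strip().lower()
        if not sep or kind not in KINDS:
            raise ValueError(f"entry must start with forest: or domain: -> {entry!r}")
        fields = [f.strip() for f in rest.split(",")]
        if not fields[0]:
            raise ValueError(f"missing DnsName -> {entry!r}")
        if len(fields) == 1:          # no credentials given for this entry
            targets.append(SearchTarget(kind, fields[0]))
        elif len(fields) == 3:        # DnsName,LoginName,Password
            targets.append(SearchTarget(kind, fields[0], fields[1], fields[2]))
        else:                         # a ',' or ';' inside a password cannot be carried by this format
            raise ValueError(f"expected DnsName or DnsName,LoginName,Password -> {entry!r}")
    return targets

def build_searchadforests(targets: List[SearchTarget]) -> str:
    """Serialize targets to the -pv value; credentials belong inside the quoted string."""
    parts = []
    for t in targets:
        body = t.dns_name if t.login is None else f"{t.dns_name},{t.login},{t.password}"
        parts.append(f"{t.kind}:{body}")
    return ";".join(parts)

def stsadm_command(url: str, value: str) -> str:
    """Full stsadm line for the second step above."""
    return f'stsadm.exe -o setproperty -url "{url}" -pn "peoplepicker-searchadforests" -pv "{value}"'
```

Build the value with build_searchadforests(...) and pass it to stsadm_command(...) to get the exact line to paste into the 12\BIN prompt; parse_searchadforests(...) rejects a value whose credentials fell outside an entry.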

2 comments:

Anonymous said...

Our issue is the reverse of the solution this article addresses. Our AD is structured this way: root is the parent and dom1 and dom2 are children and have 2-way trusts between each other. What we want to do is for peoplepicker to just show us the results from dom1 and not from dom2.

Any suggestions/ideas? Thanks.

Anonymous said...

We have a similar issue in that the reference "localhost" cannot be used on our production server and each site deployed will be unique. Is there a way to set the reference in the context.xml so that it is portable to different servers without manual intervention (or the use of localhost)? Appreciate any suggestions.