Configure People Picker for Multi-Domain (or Cross-Domain) and Multi-Forest Environments
By default, the People Picker issues its queries to all two-way trusted domains and two-way trusted forests when it searches for people and groups, and it does so using the web application's application pool account.
If the application pool account has no permission to query the target domain or forest (typically because the trust is one-way), or if you want a different account to run the lookups, use the steps below. Whatever account you pick should be a dedicated, least-privileged account that only needs read access to the directory: its password is stored in the farm configuration (encrypted with the key from setapppassword) and is typed in clear text on the command line, so it also ends up in the shell history of every server where you run the command.
If the AD domain is reachable only through a one-way trust, you must supply a user name and password for that domain, and the farm needs a shared key to encrypt the stored password. Run the following command on every server in the farm:
stsadm -o setapppassword -password MyPassword
Use the same password on every server you run this on: it is the key used to encrypt and decrypt the stored directory credentials, and a server with a different key cannot decrypt them.
Then, on every WFE in the farm, run the following command to point the People Picker at the correct AD domain:
stsadm -o setproperty -pn peoplepicker-searchadforests -pv "domain:YourDomain.com,domain\user,password" -url http://relevant-web-application
Run this once for each web application. If it is not run on a WFE, the People Picker on that server shows a "callback error".
Note: you can specify multiple domains in one value. Prefix each entry with domain: (or forest:), give each entry its own credentials, and separate the entries with a semicolon, for example -pv "domain:YourDomain1.com,domain\username,password;domain:YourDomain2.com,domain\username,password". Because comma and semicolon are the separators, the lookup account's password must not contain either character.
If the AD domain is two-way trusted, you do not need to run stsadm -o setapppassword; just run this one:
stsadm -o setproperty -pn peoplepicker-searchadforests -pv "domain:YourDomain.com,domain\user,password" -url http://relevant-web-application
Run this once for each web application. If it is not run on a WFE, the People Picker on that server shows a "callback error". Since the application pool account can already query a two-way trusted domain, the credentials can be left out here (-pv "domain:YourDomain.com"); this avoids storing a password at all.
If you need to reset the People Picker back to its default behaviour (search all two-way trusted domains and forests), set the property to an empty value:
stsadm -o setproperty -pn peoplepicker-searchadforests -pv "" -url http://relevant-web-application
Run this once for each web application. If it is not run on a WFE, the People Picker on that server shows a "callback error".
In the case of cross-forest lookups, use the forest: prefix with the forest's DNS name; forest and domain entries can be mixed in the same value, each with its own credentials:
stsadm.exe -o setproperty -url http://relevant-web-application -pn "peoplepicker-searchadforests" -pv "forest:forest.corporate.com,LoginName,P@ssword;domain:na.corporate.com,LoginName,P@ssword"
Don't forget to run iisreset afterwards so the running web applications pick up the new setting.
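The whole procedure above, scripted as an added example (this is not code from the original post): it optionally sets the shared application credential key, builds one peoplepicker-searchadforests value for any mix of forest: and domain: entries, applies it to each web application, reads the property back to confirm it was stored, and restarts IIS. The web application URLs, directory names, lookup account and hive version are placeholders you replace; the password is prompted for rather than typed on the command line, so it does not land in the shell history. Run it once per WFE in the same elevated SharePoint Management Shell you would use for stsadm.

```powershell
param(
    # Web applications whose People Picker should use the lookup account (placeholders)
    [string[]] $WebApplications = @("http://portal", "http://intranet"),
    # Directories to search: forest: or domain: followed by the DNS name (placeholders)
    [string[]] $Directories     = @("forest:forest.corporate.com", "domain:na.corporate.com"),
    # Least-privileged account that only needs read access in those directories (placeholder)
    [string]   $LookupAccount   = "CORPORATE\svc-sp-peoplepicker",
    # 12 for MOSS 2007, 14 for SharePoint 2010
    [string]   $HiveVersion     = "14",
    # Only for one-way trusts: also run setapppassword on this server
    [switch]   $SetAppPassword
)

$stsadm = Join-Path $env:CommonProgramFiles "Microsoft Shared\Web Server Extensions\$HiveVersion\BIN\stsadm.exe"
if (-not (Test-Path $stsadm)) { throw "stsadm.exe not found at $stsadm" }

function ConvertFrom-SecureToPlain([Security.SecureString] $secure) {
    # stsadm only accepts clear-text values, so unwrap at the last moment
    (New-Object System.Management.Automation.PSCredential("x", $secure)).GetNetworkCredential().Password
}

if ($SetAppPassword) {
    # The key must be identical on every server in the farm, otherwise servers
    # with a different key cannot decrypt the stored directory credentials.
    $key = Read-Host "Application credential key (same on every farm server)" -AsSecureString
    & $stsadm -o setapppassword -password (ConvertFrom-SecureToPlain $key) | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "setapppassword failed (exit code $LASTEXITCODE)" }
}

$cred  = Get-Credential $LookupAccount
$plain = $cred.GetNetworkCredential().Password
# ',' and ';' are the separators inside -pv, so they cannot appear in the password
if ($plain -match '[;,]') { throw "The lookup account's password must not contain ',' or ';'" }

# One entry per directory, each carrying its own credentials, joined with ';'
$pv = ($Directories | ForEach-Object { "$_,$($cred.UserName),$plain" }) -join ';'

foreach ($url in $WebApplications) {
    & $stsadm -o setproperty -pn peoplepicker-searchadforests -pv $pv -url $url | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "setproperty failed for $url (exit code $LASTEXITCODE)" }

    # Read the property back and check every directory entry is present,
    # without echoing the stored value (it contains the password) to the console
    $stored = (& $stsadm -o getproperty -pn peoplepicker-searchadforests -url $url) -join ''
    foreach ($dir in $Directories) {
        if ($stored -notmatch [regex]::Escape($dir)) { throw "$url does not contain '$dir' after setproperty" }
    }
    Write-Host "$url : People Picker now searches $($Directories -join ', ')"
}

Remove-Variable plain, pv   # do not leave the clear-text password in the session
iisreset | Out-Null
Write-Host "IIS restarted; test the People Picker on each web application."
```

To revert to the default behaviour, run the same loop with an empty value (`-pv ""`), as in the reset step above; the getproperty check will then correctly report that no directory entries are present.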
More Info:
MOSS 2007: http://technet.microsoft.com/en-us/library/cc263318%28office.12%29.aspx
SharePoint 2010: http://technet.microsoft.com/en-us/library/gg602066.aspx#section4
http://technet.microsoft.com/en-us/library/gg602075.aspx
http://blogs.msdn.com/b/joelo/archive/2007/01/18/multi-forest-cross-forest-people-picker-peoplepicker-searchadcustomquery.aspx
Limit the People Picker in SharePoint 2010 to a Specific OU or Domain
Say there are two site collections, Sales and Legal. Active Directory is set up to store Sales department users in the Sales organizational unit and Legal department users in the Legal organizational unit. The requirement is to prevent Sales users from granting site, library or item permissions to Legal users, and vice versa.
The solution is to scope each site collection's People Picker to its own OU, so that users outside that OU are not resolved when someone types a name in that site collection.
Run the following PowerShell commands in the SharePoint 2010 Management Shell (one per site collection; the setting is per site collection, so repeat it for every site collection that needs the restriction):
Set-SPSite -Identity http://portal/sites/sales -UserAccountDirectoryPath "OU=sales,OU=SharePoint,DC=MYCOMPANY,DC=com"
Set-SPSite -Identity http://portal.contoso.com/sites/legal -UserAccountDirectoryPath "OU=Legal,OU=SharePoint,DC=MYCOMPANY,DC=com"
Note that this narrows what the People Picker finds; it is not an authorization boundary. A farm or site collection administrator can still grant permissions to an account outside the OU through PowerShell or the object model, so keep the OU scoping as a usability and hygiene control on top of, not instead of, your permission reviews.
Here is a related post: http://sharepointserver-2007.blogspot.com/2008/10/limiting-sharepoint-people-picker.html
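As an added example (not from the original post or the linked article), the same OU scoping applied to several site collections from one mapping, with a check that each OU DN actually exists in Active Directory before it is written. Set-SPSite does not validate the path: a mistyped DN is accepted and simply makes the People Picker return no results, which is easy to mistake for a permissions problem. The URL-to-OU table is a constructed sample that follows the OU layout from the post.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Constructed sample mapping: site collection URL -> OU that its People Picker may search
$scopes = @{
    "http://portal/sites/sales" = "OU=Sales,OU=SharePoint,DC=MYCOMPANY,DC=com"
    "http://portal/sites/legal" = "OU=Legal,OU=SharePoint,DC=MYCOMPANY,DC=com"
}

function Test-OrganizationalUnit([string] $distinguishedName) {
    # Bind to the OU with ADSI; a non-existent DN throws on first property access
    try {
        $entry = [ADSI]"LDAP://$distinguishedName"
        return [bool] $entry.distinguishedName
    } catch {
        return $false
    }
}

foreach ($url in $scopes.Keys) {
    $ou = $scopes[$url]
    if (-not (Test-OrganizationalUnit $ou)) {
        throw "OU not found in Active Directory, refusing to scope $url to '$ou'"
    }

    Set-SPSite -Identity $url -UserAccountDirectoryPath $ou

    # Read the setting back from the site collection to confirm it was stored
    $site = Get-SPSite $url
    try {
        if ($site.UserAccountDirectoryPath -ne $ou) {
            throw "$url still has UserAccountDirectoryPath '$($site.UserAccountDirectoryPath)'"
        }
        Write-Host ("{0} -> {1}" -f $site.Url, $site.UserAccountDirectoryPath)
    } finally {
        $site.Dispose()   # SPSite holds unmanaged resources
    }
}
```

To lift the restriction on a site collection again, run Set-SPSite with `-UserAccountDirectoryPath ""`. Remember that new site collections start without any OU scoping, so the mapping above has to be extended (or run from your site-provisioning script) whenever one is created.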
Source: http://www.sharepointdiary.com/2011/06/configure-people-picker-for-multidomain-forest.html