Hi. There’s some information out there already about how to use a feature introduced in SharePoint 2007 SP1 to control and configure the SharePoint people picker. I thought I would add some context about WHY you might need to do this.
We have a client that will move from its old domain to a new one at some point in the coming year. The current SharePoint site lives in the older domain. However, because both the old and new domains are currently trusted and both are fully populated with user accounts, users see duplicate entries in SharePoint when they assign permissions or select users in the web site.
In the Shared Service Provider, user profile import is set to pull only from OLDDOMAIN, so NEWDOMAIN is already excluded from imports. We could use the stsadm property peoplepicker-onlysearchwithinsitecollection to prevent users from the new domain from creating profiles, but that step has been deferred for now. (It will probably be done immediately prior to cutting over to the new domain.)
The syntax used to “lock” people picker to the current domain and exclude the new one is:
stsadm -o setsiteuseraccountdirectorypath -url http://sitecollectionurl -path "DC=OLDDOMAIN,DC=com"
Also, if the service accounts being used are in a different Active Directory organizational unit than the one specified above (currently they are not), administrators using those accounts may be blocked from editing the site collection. The stsadm settable property peoplepicker-serviceaccountdirectorypaths is not needed at present, but it may be needed in the future as a preparatory step for migration to the new domain. (http://technet.microsoft.com/en-us/library/cc263012.aspx)
If we were using this, the syntax would be:
stsadm -o setproperty -url http://sitecollectionurl -pn peoplepicker-serviceaccountdirectorypaths -pv "OU=SharePoint Administration,DC=OLDDOMAIN,DC=com"
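As an added example (not part of the original post, and not Microsoft's own tooling), here is a PowerShell script that wraps the two stsadm commands above with the checks I would want before running them against a production site collection: it binds to each LDAP container with the [ADSI] accelerator to confirm the distinguished name really exists, applies the people picker path, optionally applies the service account path, and reads both settings back. The site URL and DNs are placeholders; the stsadm.exe location is the standard MOSS 2007 path and is assumed to be correct for your server.

```powershell
# Added example, not from the original post.
# Assumes: run on a MOSS 2007 / WSS 3.0 server as a farm administrator.
$SiteUrl              = "http://sitecollectionurl"                          # placeholder
$UserPath             = "DC=OLDDOMAIN,DC=com"                               # placeholder
$ServicePath          = "OU=SharePoint Administration,DC=OLDDOMAIN,DC=com"  # placeholder
$ConfigureServicePath = $false   # flip to $true only once service accounts sit outside $UserPath

# Standard stsadm location for the 2007 product line (assumed, adjust if relocated).
$Stsadm = Join-Path $env:CommonProgramFiles "Microsoft Shared\web server extensions\12\BIN\stsadm.exe"

function Test-LdapPath {
    param([string]$DistinguishedName)
    # [ADSI] binds lazily; touching a property forces the bind and throws
    # if the container does not exist, which catches a typo in the DN
    # before it is written into the site collection settings.
    try {
        $obj = [ADSI]("LDAP://" + $DistinguishedName)
        return ($null -ne $obj.distinguishedName)
    } catch {
        return $false
    }
}

# Validate every DN we intend to use; a wrong path locks users out rather than
# locking out the wrong domain, so stop before calling stsadm.
$paths = @($UserPath)
if ($ConfigureServicePath) { $paths += $ServicePath }
foreach ($dn in $paths) {
    if (-not (Test-LdapPath $dn)) {
        Write-Error "Container not found in AD: $dn (confirm it with adsiedit.msc)"
        exit 1
    }
}

# Lock the people picker to the old domain (same syntax as in the post).
& $Stsadm -o setsiteuseraccountdirectorypath -url $SiteUrl -path $UserPath

# Only needed if the service accounts live outside the path above.
if ($ConfigureServicePath) {
    & $Stsadm -o setproperty -url $SiteUrl -pn peoplepicker-serviceaccountdirectorypaths -pv $ServicePath
}

# Read both settings back so the change is verified and can be recorded.
& $Stsadm -o getsiteuseraccountdirectorypath -url $SiteUrl
& $Stsadm -o getproperty -url $SiteUrl -pn peoplepicker-serviceaccountdirectorypaths
```

The read-back at the end is the part worth keeping in a change record: the getsiteuseraccountdirectorypath output is what proves the site collection is now scoped to OLDDOMAIN, and the getproperty output confirms whether a service account path is set at all, which is the first thing to check if an administrator reports being unable to edit the site after the change.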
In addition, we used the Server Admin Tools adsiedit.msc to confirm the distinguishedName AD naming context for relevant OUs and containers. For SharePoint/SQL types without much grounding in Active Directory, ADSIEdit is a highly powerful tool (careful!) that lets you peek under the hood at all the information tracked inside each object in AD. Highly essential.
This may or may not be my last post before Christmas 2009, so happy holidays, and thanks for reading!