Can PeoplePicker be configured to search multiple AD groups?

  • Question

  • Don't have access to an AD right now

    I know I can use

    stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv <AD group>, -url <SPsite>

    and this will configure PP to search only within that AD group for the specified site - but can I use this command to add multiple AD groups?

    Does anyone know?

    Cheers

    Jonj

    Monday, January 28, 2013 4:13 PM

Answers

  • I can confirm that using multiple AD groups with people picker doesn’t work - I raised a call with Microsoft and they have confirmed this to me

    Suggestion - move away from AD membership and create a new AD property to filter on instead

    Wednesday, April 10, 2013 7:27 AM

All replies

  • You can use any LDAP query so you could query multiple groups using the OR operator (|). Your custom filter would look something like this:

    (|(&(objectcategory=user)(memberof=CN=Group1,OU=SomeOU,DC=domain,DC=com))(&(objectcategory=user)(memberof=CN=Group2,OU=SomeOU,DC=domain,DC=com)))

    Where:

    CN=Group1,OU=SomeOU,DC=domain,DC=com is the DN of the first group

    CN=Group2,OU=SomeOU,DC=domain,DC=com is the DN of the second group

    This filter will search in the two groups and return the members from both. In the people picker's case it will use only these users.


    Jason Warren
    Infrastructure Architect

    • Marked as answer by Entan MingModerator Monday, February 4, 2013 10:43 AM
    • Unmarked as answer by jonjames Friday, March 29, 2013 11:07 AM
    Monday, January 28, 2013 7:29 PM
  • I've been testing this and I haven't been able to get it to work

    I get:

    & was unexpected at this time

    This is the command:

    stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv (|(&(objectcategory=user)(memberOF=CN=Verde,OU=PeoplePickerTest,DC=Barley,DC=Soup))(&(objectcategory=user)(memberof=CN=Verde_sub1,OU=PeoplePickerTest,DC=Barley,DC=Soup))) -url http://pearl:2222/
    & was unexpected at this time.

    Tried using this also and no joy:

    (memberof=CN=Group1,OU=SomeOU,DC=domain,DC=com)(memberof=CN=Group2,OU=SomeOU,DC=domain,DC=com)

    Can this actually be done?

    Kind regards Jonj


    • Edited by jonjames Friday, March 29, 2013 11:30 AM added detail
    Friday, March 29, 2013 11:10 AM
  • Try putting the query in quotes:

    stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv "(|(&(objectcategory=user)(memberOF=CN=Verde,OU=PeoplePickerTest,DC=Barley,DC=Soup))(&(objectcategory=user)(memberof=CN=Verde_sub1,OU=PeoplePickerTest,DC=Barley,DC=Soup)))" -url http://pearl:2222/


    Jason Warren
    Infrastructure Architect

    Friday, March 29, 2013 6:12 PM
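The filter and quoting discussed in the posts above, as an added example that is not part of the original thread: it builds the multi-group OR filter with RFC 4515 escaping, wraps it in double quotes for cmd.exe, and evaluates it against constructed entries to show what the LDAP filter itself selects, independent of People Picker. The account names, the `CN=Other` group and all function names are assumptions made for the illustration.

```python
import re

VERDE = "CN=Verde,OU=PeoplePickerTest,DC=Barley,DC=Soup"
SUB1 = "CN=Verde_sub1,OU=PeoplePickerTest,DC=Barley,DC=Soup"
# Constructed directory entries (not real accounts); objectCategory simplified.
ENTRIES = {
    "alice": {"objectcategory": ["user"], "memberof": [VERDE]},
    "bob": {"objectcategory": ["user"], "memberof": [SUB1]},
    "carol": {"objectcategory": ["user"],
              "memberof": ["CN=Other,OU=PeoplePickerTest,DC=Barley,DC=Soup"]},
}

def escape_value(value):
    """RFC 4515 escaping for an assertion value (here: a group DN)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(group_dns):
    """Users whose memberOf attribute lists ANY of the given group DNs."""
    clauses = "".join("(memberOf=%s)" % escape_value(dn) for dn in group_dns)
    return "(&(objectCategory=user)(|%s))" % clauses

def stsadm_command(ldap_filter, url):
    """cmd.exe line; double quotes stop the shell from parsing & | ( )."""
    if '"' in ldap_filter or "%" in ldap_filter:
        raise ValueError("double quotes do not protect \" or % in cmd.exe")
    return ("stsadm -o setproperty -pn peoplepicker-searchadcustomfilter "
            '-pv "%s" -url %s' % (ldap_filter, url))

def matches(ldap_filter, entry):
    """Evaluate a filter made of &, | and attr=value terms against one entry."""
    pos = 0
    def node():
        nonlocal pos
        pos += 1                                  # skip "("
        op = ldap_filter[pos]
        if op in "&|":
            pos += 1
            results = []
            while ldap_filter[pos] == "(":
                results.append(node())
            pos += 1                              # skip ")"
            return all(results) if op == "&" else any(results)
        end = ldap_filter.index(")", pos)
        attr, value = ldap_filter[pos:end].split("=", 1)
        pos = end + 1
        value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
        return value.lower() in [v.lower() for v in entry.get(attr.lower(), [])]
    return node()

def visible_users(ldap_filter):
    return sorted(n for n, e in ENTRIES.items() if matches(ldap_filter, e))
```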
  • Thank you for responding Jason - Using quotes does allow the command to complete - but subsequent testing with PeoplePicker shows that though I can now see the users from both groups - I can also see users from other groups too - in fact I can see everything in the AD. So something is still going wrong somewhere as I want to be able to restrict visibility to just the AD groups I specify

    I reset PeoplePicker by using:

    stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv "" -url http://pearl:2222/

     - removes all filters.

    And filtering to one group works:

    stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv (memberOF=CN=Verde,OU=PeoplePickerTest,DC=Barley,DC=Soup) -url http://pearl:2222/

    I reset again and run the command to filter by 2 x AD groups (using quotes) - and unfortunately it opens up the whole AD

    Kind regards

    Jonj


    Saturday, March 30, 2013 8:31 AM
  • What happens when you try a filter that has only the Verde_sub1 group? So (memberof=CN=Verde_sub1,OU=PeoplePickerTest,DC=Barley,DC=Soup)

    Jason Warren
    Infrastructure Architect

    Wednesday, April 3, 2013 3:23 PM
  • Interestingly this doesn't seem to work

    I set the filter to Vsub1 and PP cannot see the accounts inside it or the group itself - but still sees the accounts in the Verde group - but not accounts from within other groups

    I have tried creating a new group nested in the Verde group called Vsub2_DomainLocal - the same thing happens. I cannot see the group or the accounts when I set the filter to Vsub1_DomainLocal - but I can see accounts in the parent group Verde. When I set the filter to Verde I can see all the accounts in the Verde group but not the nested groups

    Kind regards

    Jonathan

    Thursday, April 4, 2013 8:30 AM