People-Picker with two domains

  • Question

  • Hi,

    Following problem:

    • Domain A contains old accounts
    • Domain B contains new accounts with SID history of the old accounts
    • Between these servers is a two-way trust

    I need to set up the People Picker to show only accounts from Domain A (old accounts), not the new ones, and I cannot disable accounts on Domain B.

    But I only get accounts from Domain B.

    Already tried:

    I have tried to block the account from reading the OU in Domain B -> no success. (Description)

    I have explicitly entered Domain A in the PeoplePickerSettings.

    Setup:

    2x SP 2013 (CU February 2015)

    1x SQL-Server 2014

    Are there any other settings to solve this problem?


    Thursday, March 26, 2015 7:04 PM

All replies

  • Disable the user accounts in Domain B. They won't appear in the People Picker that way.

    Trevor Seward

    Follow or contact me at...
      

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Thursday, March 26, 2015 9:18 PM
    Moderator
  • As I said: I need to set up the People Picker to show only accounts from Domain A (old accounts), not the new ones, and I cannot disable accounts on Domain B.
    Friday, March 27, 2015 6:26 AM
  • Well, you can't have two objects with the same SID. Your applications won't know what to do.

    Only possible thing you could do is use Set-SPSite -UserAccountDirectoryPath "DC=DomainA,DC=com".


    Trevor Seward


    Friday, March 27, 2015 1:16 PM
    Moderator
  • Technically they don't have the same SID; the new account refers via SID history to the old account. But I am not an AD specialist and don't know how SP reacts to this.

    Further investigations:

    I logged the network traffic with NetMon when I enter the CN into the People Picker field. The response from the AD is the correct account from the correct OU (sAMAccountName=AIM).

    But the People-Picker shows me the wrong account: KNAPP_LOGISTIK\aichinge instead of KSI\AIM.

    Log from IE-Debugger:

    Monday, March 30, 2015 8:58 AM
  • Right, you break the security model by storing the SID with two different accounts (doesn't matter if it is ObjectSid or SidHistory). SharePoint sees that SID and falls back to either the UIL, or if the SID can be found in the UPSA, the UPSA.

    Trevor Seward


    Monday, March 30, 2015 6:45 PM
    Moderator
  • And there is no way to deny SP access to this OU?

    That is very frustrating.

    Tuesday, March 31, 2015 11:50 AM
  • Hi Thomas,

    have a look at this link maybe it will help you.

    http://www.sharepointblues.com/2010/08/30/limiting-people-picker-scope-in-sharepoint/

    Best regards.

    Tuesday, March 31, 2015 1:14 PM
  • And there is no way to deny SP access to this OU?

    That is very frustrating.

    Well, you're doing something that is very unsupported for security reasons in Active Directory. This isn't a SharePoint issue, really.

    What you could do is run this cmdlet for each Site Collection:

    Set-SPSite http://SiteUrl -UserAccountDirectoryPath "DC=DOMAINA,DC=com"

    That will limit what SharePoint scopes to for the People Picker as well as for authenticated users.


    Trevor Seward


    Tuesday, March 31, 2015 2:59 PM
    Moderator
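The two settings discussed in this thread, the web application's People Picker domain list (which the original poster says was already set to Domain A) and the per-site-collection UserAccountDirectoryPath that Trevor Seward suggests, applied together from the SharePoint 2013 Management Shell. This is an added example, not code posted in the thread; the web application URL http://intranet, the domain name domaina.com and its distinguished name DC=domaina,DC=com are placeholders. It uses only the SharePoint cmdlets and object model members shown (Get-SPWebApplication, Get-SPSite, Set-SPSite, SPPeoplePickerSettings.SearchActiveDirectoryDomains, SPSite.UserAccountDirectoryPath). If the application pool account cannot query Domain A over the trust, the domain entry also needs LoginName/SetPassword and the farm needs an app password (stsadm -o setapppassword), which is not shown here.

```powershell
# Added example: scope a SharePoint 2013 web application's People Picker to
# Domain A only, then pin every site collection's user-account directory path
# to Domain A. Names below are placeholders (assumptions), not from the thread.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl  = "http://intranet"        # assumed web application
$domainName = "domaina.com"            # assumed DNS name of Domain A
$domainDN   = "DC=domaina,DC=com"      # assumed distinguished name of Domain A

$webApp = Get-SPWebApplication $webAppUrl

# 1. Show what the People Picker searches today. An empty list means "every
#    domain the farm can reach through trusts", which is how Domain B gets in.
Write-Host "Current People Picker search scope for $($webApp.Url):"
$webApp.PeoplePickerSettings.SearchActiveDirectoryDomains |
    Select-Object DomainName, IsForest, LoginName | Format-Table -AutoSize

# 2. Restrict the search list to Domain A only (domain, not whole forest).
$webApp.PeoplePickerSettings.SearchActiveDirectoryDomains.Clear()
$domainA = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
$domainA.DomainName = $domainName
$domainA.IsForest   = $false
$webApp.PeoplePickerSettings.SearchActiveDirectoryDomains.Add($domainA)
$webApp.Update()

# 3. Pin every site collection in the web application to Domain A. Unlike the
#    search list above, UserAccountDirectoryPath also constrains the directory
#    SharePoint resolves users against, which is what the thread recommends.
Get-SPSite -WebApplication $webApp -Limit All | ForEach-Object {
    Set-SPSite -Identity $_ -UserAccountDirectoryPath $domainDN
    Write-Host ("{0} -> {1}" -f $_.Url, $domainDN)
}

# 4. Verify: any site collection that still reports a different path is a gap.
$unscoped = Get-SPSite -WebApplication $webApp -Limit All |
    Where-Object { $_.UserAccountDirectoryPath -ne $domainDN }
if ($unscoped) {
    Write-Warning "Site collections not scoped to ${domainDN}:"
    $unscoped | Select-Object Url, UserAccountDirectoryPath | Format-Table -AutoSize
} else {
    Write-Host "All site collections in $($webApp.Url) are scoped to $domainDN"
}
```

Step 4 is the check worth keeping: Set-SPSite is per site collection, so a site collection created after this script runs will not inherit the path and must be scoped again. Note that neither setting changes the SID collision itself; as the thread points out, an account in Domain B whose sidHistory carries a Domain A SID will still resolve to whichever account SharePoint already has cached for that SID.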