Don't filter out your Farm and Object Cache accounts in SharePoint's People Picker

  • Article

I often have SharePoint cases where customers don't want their Object Cache accounts or Farm account to show up in the People Picker in SharePoint. While there are a variety of reasons people choose to do this, filtering these accounts out of People Picker is a bad idea.

Internally, SharePoint code uses the People Picker code path for other account resolution purposes. Accounts that are filtered from People Picker won't be found by SharePoint's internal code in these instances.

The most common place I've run into this issue is with SharePoint 2016's Fast Site Collection Creation code. By default, SharePoint 2016 uses Fast Site Collection Creation to speed up the My Site creation process (see here for more details). If the Farm Account cannot be found by the People Picker code, you will see a message like the following in the ULS logs:

Error in resolving user. User: 'contoso\farmaccount', ResolverInformation: 'SPActiveDirectoryPrincipalResolver, DomainName: 'contoso.com', DomainIsForest: 'False', DomainLoginName: '', CustomSearchQuery: '', CustomSearchFilter: '(&(objectCategory=Person)(objectClass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(employeeID=*)(employeeNumber=*))(|(extensionAttribute12=*)(mail=*)(proxyAddresses=*)))', Timeout: '00:00:30', IncludeDistributionList: 'True''

If the Object Cache accounts (Portal Super User and Portal Super Reader) are filtered from the People Picker, you may experience seemingly random permissions issues with a message similar to the following in the ULS:

User Key aysye Unexpected User key value from token is not a user key so throwing. UserKey: 'i:0#.w|contoso\superreader'

The solution is to allow the accounts to be resolved in the People Picker.

The following PowerShell commands may be used to check the current People Picker settings. You'll want to check the ActiveDirectoryCustomQuery and ActiveDirectoryCustomFilter properties:

$wa = Get-SPWebApplication <sitename>
$wa.PeoplePickerSettings

Object Cache accounts may be queried as follows:

$wa = Get-SPWebApplication <sitename>
$wa.Properties["portalsuperuseraccount"]
$wa.Properties["portalsuperreaderaccount"]