People Picker in MOSS 2007 can’t find people in non-default domains

Customer is seeing the following behavior:


"We went to SSP and clicked on User Profiles and Properties under the “User Profiles and My Sites” section and then clicked on View Import Connections and then added to the Import Connections list and I started a full import. It completed in about an hour and imported users from the domain1 domain.


The problem we run into is that when I go to add them to a site to give them access, we are unable to find the users by using People Picker. We only find users from the domain0 domain which the MOSS server is on."


I found out that by default People Picker can only find people in the resource domain - the domain that MOSS servers are in. For other domains/forests, you'll need to run the following command:


Stsadm.exe -o setproperty -pn peoplepicker-searchadforests -pv <list of forests or domains> -url <webapp>


The format of <list of forests or domains> is a list of forest:DnsName,LoginName,Password or domain:DnsName,LoginName,Password entries, separated by semicolons.


If they are trusted domains/forests, then it is not necessary to pass in the LoginName or Password; use just the format forest:DnsName or domain:DnsName.
If the Password is specified in forest:DnsName,LoginName,Password or domain:DnsName,LoginName,Password, please first run

stsadm.exe -o setapppassword -password <somekey>

<somekey> can be any string. We will use <somekey> to encrypt the Password in domain:DnsName,LoginName,Password or forest:DnsName,LoginName,Password and store the encrypted Password in the database. Also, please use the same <somekey> to run stsadm.exe -o setapppassword -password <somekey> on all machines where SharePoint is installed. For a different web farm, please use a different <somekey>.
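
A pre-flight check for the -pv value described above, as an added example that is not part of the original post or of SharePoint. Test-PeoplePickerForestList is a hypothetical helper name, and the DNS names, account and password are constructed sample values. It validates each entry, reports which entries carry credentials (so setapppassword must be run first), and never echoes the password.

```powershell
# Added example. Test-PeoplePickerForestList is a hypothetical helper name;
# the DNS names, account and password below are constructed sample values.
function Test-PeoplePickerForestList {
    param([Parameter(Mandatory = $true)][string]$Value)

    foreach ($raw in $Value.Split(';')) {
        $item = $raw.Trim()
        if (-not $item) { throw "Empty entry (stray semicolon?) in the list" }

        # Entry shape: forest:DnsName[,LoginName,Password] or domain:DnsName[,...]
        $kind, $rest = $item -split ':', 2
        if ('forest', 'domain' -notcontains $kind) {
            throw "Entry must start with 'forest:' or 'domain:': $kind"
        }
        if (-not $rest) { throw "Missing DnsName after '${kind}:'" }

        $fields = @($rest.Split(','))
        # Only 1 field (trusted) or 3 fields (explicit credentials) are accepted;
        # a password containing ',' or ';' is rejected here rather than guessed at.
        if (($fields.Count -ne 1 -and $fields.Count -ne 3) -or ($fields -contains '')) {
            throw "Expected DnsName or DnsName,LoginName,Password for $kind entry"
        }

        New-Object PSObject -Property @{
            Kind           = $kind
            DnsName        = $fields[0]
            LoginName      = $(if ($fields.Count -eq 3) { $fields[1] } else { $null })
            HasCredentials = ($fields.Count -eq 3)   # the password itself is not emitted
        }
    }
}

# Constructed sample: one trusted forest, one domain with explicit credentials.
$pv = 'forest:corp.example.com;domain:domain1.example.com,EXAMPLE\svc-picker,P@ssw0rd-sample'
$entries = @(Test-PeoplePickerForestList -Value $pv)
$entries | ForEach-Object { "{0,-6} {1} credentials={2}" -f $_.Kind, $_.DnsName, $_.HasCredentials }

if ($entries | Where-Object { $_.HasCredentials }) {
    'Run first, with the same key on every machine where SharePoint is installed:'
    '  stsadm.exe -o setapppassword -password <somekey>'
}
# The value is quoted so that PowerShell does not treat ';' as a statement separator.
'Then: stsadm.exe -o setproperty -pn peoplepicker-searchadforests -pv "<value>" -url <webapp>'
```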


 *Note: My customer's problem still remains after running the command due to some "invalid binder credentials" issue in their Global Directory. I'll post an update later.

Comments (1)
  1. agoodwin says:

    QUOTE: "I found out that by default People Picker can only find people in the resource domain – the domain that MOSS servers are in."

    Unless you’ve migrated the farm…. I’ve found that having migrated a farm from one domain to another the original domain (still in the same network) is still searchable via the People Picker. This *may* be due to the two-way trust between the domains to allow authentication via ISA server for users accessing via the internet.

    I need to be able to prevent the original domain from being accessed by the People Picker.

    The stsadm.exe command for ‘peoplepicker-onlysearchwithinsitecollection’ yes/no keeps returning ‘command line error’.

    Syntax as below:

    Stsadm.exe -o setproperty –url http://server  –pn peoplepicker-onlysearchwithinsitecollection –pv yes

    Stsadm.exe -o setproperty –url http://server  –pn peoplepicker-onlysearchwithinsitecollection –pv no

    Any ideas??
