Adventures with SharePoint People Picker, Domain Migrations and Groups

I recently worked a customer issue where the customer was going through a domain migration. The customer is running SharePoint 2010, but this applies to 2007 and 2013 as well. There are two forests, with users in both. Users from one of the domains were being moved to the domain in the other forest. As part of the process, accounts were being pre-created in the target domain with SIDHistory and left in a disabled state. This created a bit of an issue for People Picker: both the old, active account and the new, disabled one resolve for the same person.

In order to have People Picker play nice with this configuration, you need to do a couple of things. The first is to make sure you’re on the August 2012 Cumulative Update for SharePoint 2010. This introduces an STSADM property (stsadm -o setproperty -propertyname “HideInactiveProfiles” -propertyvalue “true”) that lets us hide the inactive users. In addition to this, you also need to set your People Picker “SearchADCustomFilter” property to exclude the disabled users. You can see how to Configure People Picker settings on TechNet. (There’s an issue with SID to name resolution that requires you to use both the patch and the SearchADCustomFilter property. I’ll spare you the details.)

There’s a small issue with the TechNet article: the syntax it provides for your SearchADCustomFilter property doesn’t include groups, so once you apply it, People Picker stops returning groups. In order to keep People Picker finding groups, you need to use the following syntax for your SearchADCustomFilter property:

(|(objectCategory=group)(&(objectCategory=person)(objectClass=user)(!objectClass=inetOrgPerson)(!userAccountControl:1.2.840.113556.1.4.803:=2)))

The outer (|...) OR makes the filter match either a group, or a user object that is not an inetOrgPerson and does not have the ACCOUNTDISABLE bit (value 2) set in userAccountControl. The 1.2.840.113556.1.4.803 matching rule is the LDAP bitwise AND rule, which is what lets the filter test a single flag bit.
After making these changes, you should only see one account per person: the active one, in whichever domain that account lives. Remember, you need to do this for each web application.
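To show what the filter actually does, and why dropping the group branch loses groups, here is a small evaluator for this style of AD filter, run against a handful of constructed directory entries (an active user, its pre-created disabled copy, a group, and an inetOrgPerson). This is an added example for this post, not SharePoint or TechNet code; it is a toy that understands only the operators the filter uses (&, |, !, equality and the bitwise AND matching rule), so it is for reasoning about the filter, not a replacement for a real LDAP library. The entries, account names and the users-only comparison filter are all made up here.

```python
"""Toy evaluator for the People Picker SearchADCustomFilter discussed in the post."""
import re

# The filter from the post (group branch plus non-disabled, non-inetOrgPerson users).
SEARCH_AD_CUSTOM_FILTER = (
    "(|(objectCategory=group)"
    "(&(objectCategory=person)(objectClass=user)(!objectClass=inetOrgPerson)"
    "(!userAccountControl:1.2.840.113556.1.4.803:=2)))"
)
# Constructed for comparison: the same filter with the group branch removed.
USERS_ONLY_FILTER = (
    "(&(objectCategory=person)(objectClass=user)(!objectClass=inetOrgPerson)"
    "(!userAccountControl:1.2.840.113556.1.4.803:=2))"
)

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # the only extensible rule supported here
ACCOUNTDISABLE = 0x2  # userAccountControl flag for a disabled account


def parse_filter(text):
    """Parse a filter into ('&'|'|', [children]), ('!', [child]), ('=', attr, value)
    or ('bitand', attr, mask). Accepts AD's relaxed (!attr=value) as well as the
    strict RFC 4515 (!(attr=value)). Values containing ')' (escaped as \\29 in
    RFC 4515) are not handled by this toy."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError("expected %r at offset %d" % (ch, pos))
        pos += 1

    def parse_item():
        # Read 'attr=value' or 'attr:OID:=value' up to the closing ')'.
        nonlocal pos
        end = text.index(")", pos)
        item, pos = text[pos:end], end
        m = re.fullmatch(r"([A-Za-z0-9.-]+):([0-9.]+):=(.*)", item)
        if m:
            if m.group(2) != LDAP_MATCHING_RULE_BIT_AND:
                raise ValueError("unsupported matching rule " + m.group(2))
            return ("bitand", m.group(1), int(m.group(3)))
        attr, sep, value = item.partition("=")
        if not sep or not attr or not value:
            raise ValueError("bad filter item %r" % item)
        return ("=", attr, value)

    def parse_node():
        nonlocal pos
        expect("(")
        op = text[pos]
        if op in ("&", "|"):
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(parse_node())
            expect(")")
            return (op, children)
        if op == "!":
            pos += 1
            child = parse_node() if text[pos] == "(" else parse_item()
            expect(")")
            return ("!", [child])
        node = parse_item()
        expect(")")
        return node

    tree = parse_node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of attribute -> value or list).
    Names and string values compare case-insensitively, as AD does. A missing
    attribute never matches, so a negated test on it succeeds."""
    kind = node[0]
    if kind in ("&", "|"):
        combine = all if kind == "&" else any
        return combine(matches(child, entry) for child in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    attr = node[1]
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), None)
    if values is None:
        return False
    if not isinstance(values, (list, tuple)):
        values = [values]
    if kind == "=":
        return any(str(v).lower() == node[2].lower() for v in values)
    # bitand: true when every bit of the mask is set in the attribute value
    return any((int(v) & node[2]) == node[2] for v in values)


# Constructed entries. objectCategory is stored in the short form the filter uses;
# in a real directory it is a DN that AD resolves for you.
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
SAMPLE_ENTRIES = [
    {"sAMAccountName": "jdoe", "objectCategory": "person",
     "objectClass": USER_CLASSES, "userAccountControl": 512},          # active user
    {"sAMAccountName": "jdoe-migrated", "objectCategory": "person",
     "objectClass": USER_CLASSES, "userAccountControl": 512 | ACCOUNTDISABLE},  # pre-created, disabled
    {"sAMAccountName": "SP-Site-Owners", "objectCategory": "group",
     "objectClass": ["top", "group"]},                                  # security group
    {"sAMAccountName": "contact1", "objectCategory": "person",
     "objectClass": USER_CLASSES + ["inetOrgPerson"], "userAccountControl": 512},
]


def matching_accounts(filter_text, entries=SAMPLE_ENTRIES):
    """Return the sAMAccountNames that the filter would let People Picker show."""
    tree = parse_filter(filter_text)
    return [e["sAMAccountName"] for e in entries if matches(tree, e)]


if __name__ == "__main__":
    print("post's filter:  ", matching_accounts(SEARCH_AD_CUSTOM_FILTER))  # ['jdoe', 'SP-Site-Owners']
    print("users-only:     ", matching_accounts(USERS_ONLY_FILTER))        # ['jdoe']
```

Running it shows the post's filter keeps the active account and the group while dropping the disabled pre-created copy and the inetOrgPerson, whereas the users-only variant loses the group. The same evaluator is a convenient place to sanity-check any edits to the filter before you commit them to a web application.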

Here’s some quick bonus info. You can also use PowerShell to read and set the People Picker properties. The following should get you started (replace the placeholder URL with your web application’s URL; Get-SPWebApplication with no arguments returns every web application, not one).


$webapp = Get-SPWebApplication "http://<your-web-app-url>"
$webapp.PeoplePickerSettings   # Displays your current values

$webapp.PeoplePickerSettings.SearchADCustomFilter = "(|(objectCategory=group)(&(objectCategory=person)(objectClass=user)(!objectClass=inetOrgPerson)(!userAccountControl:1.2.840.113556.1.4.803:=2)))"   # Sets the SearchADCustomFilter value
$webapp.Update()   # Commits the change

$webapp.PeoplePickerSettings   # Displays the updated values

Comments (1)

  1. Don Woods says:

    Saved me after days of playing with LDAP filters. Thank you very much!