Another People Picker Post – SharePoint 2013 and SharePoint 2016

A few years ago I wrote a post about customizing People Picker settings. I recently referred back to it and found that it was a bit dated and could benefit from a little more guidance. That post was based on SharePoint 2010 (the PowerShell was for 2010; the stsadm commands work for both 2010 and 2013).

In SharePoint 2013 we changed the names of some of the PeoplePickerSettings, which come from the SPPeoplePickerSettings class. If we look at the properties of SPPeoplePickerSettings, we can see all of the things we can tweak.

In most instances, companies will want to change the Active Directory custom filter so that users are found in a way specific to the properties of that company's AD. Below is an example of how to do that. In this example, you may not want to find accounts that have no email address: service accounts typically have no email address, and you would not want to add them to your SharePoint sites.

$webapp = Get-SPWebApplication -Identity "http://<your-web-app-url>"   # without -Identity this returns every web application in the farm
$webapp.PeoplePickerSettings   # Displays your current values
$webapp.PeoplePickerSettings.ActiveDirectoryCustomFilter = "(&(mail=*)(!userAccountControl:1.2.840.113556.1.4.803:=2))"   # Finds users with an email address who are not disabled
$webapp.Update()   # Commits the change
$webapp.PeoplePickerSettings   # Displays the updated values

I've always struggled with writing LDAP search filters. The Atlassian article "How to write LDAP search filters" does a nice job of getting you going in the right direction.


In other cases, you might have a number of forests and/or domains that you want to search across. You'll need to create an SPPeoplePickerSearchActiveDirectoryDomain object and add it to the people picker settings. See below for an example. You'll need to do this for each domain you want to add.

$webapp = Get-SPWebApplication -Identity "http://<your-web-app-url>"
$domaintoadd = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
$domaintoadd.DomainName = ""               # Fully qualified name of the domain or forest to search
$domaintoadd.ShortDomainName = "CONTOSO"   # Optional NetBIOS name
$domaintoadd.IsForest = $true              # $true to search the whole forest, $false for a single domain
$domaintoadd.LoginName = "accountname"     # Only accountname, NOT domain\accountname
$pw = ConvertTo-SecureString "password" -AsPlainText -Force
$domaintoadd.SetPassword($pw)              # Requires the app password key to be set on every server first (stsadm -o setapppassword -password <key>)
$webapp.PeoplePickerSettings.SearchActiveDirectoryDomains.Add($domaintoadd)
$webapp.Update()                           # Commits the change


NOTE: One last thing to think about when customizing your people picker settings is that some SharePoint service accounts need to be resolvable by the people picker, or you will run into problems. One specific case I know about is the portalsuperreader and portalsuperuser accounts. I have a separate post that goes into how to troubleshoot this specific issue.
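As an added example (not code from the original post), here is a pre-flight check that runs a candidate custom filter against AD with [adsisearcher] and confirms that the object cache accounts from the note above still resolve before the filter is committed. The web application URL is a placeholder; it assumes the portalsuperuser/portalsuperreader accounts are stored in the web application's Properties under portalsuperuseraccount and portalsuperreaderaccount.

```powershell
# Added example: test an ActiveDirectoryCustomFilter before applying it.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-PeoplePickerFilter {
    param(
        [Parameter(Mandatory)] [string]   $WebAppUrl,
        [Parameter(Mandatory)] [string]   $CustomFilter,
        [string[]] $MustResolve = @()      # extra sAMAccountNames that must still be found
    )
    $webapp = Get-SPWebApplication -Identity $WebAppUrl

    # Object cache accounts are stored on the web application as domain\account;
    # keep only the sAMAccountName part for the LDAP lookup.
    $cacheAccounts = @('portalsuperuseraccount', 'portalsuperreaderaccount') |
        ForEach-Object { $webapp.Properties[$_] } |
        Where-Object { $_ } |
        ForEach-Object { $_.Split('\')[-1] }

    $targets  = @($MustResolve) + @($cacheAccounts) | Where-Object { $_ } | Select-Object -Unique
    $failures = @()
    foreach ($sam in $targets) {
        # AND the custom filter with a lookup for this one account, which is how
        # the people picker combines your filter with its own search.
        $searcher = [adsisearcher]"(&(sAMAccountName=$sam)$CustomFilter)"
        $searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'mail'))
        $hit = $searcher.FindOne()
        if ($hit) {
            Write-Host ("{0,-25} OK   mail={1}" -f $sam, ($hit.Properties['mail'] | Select-Object -First 1))
        } else {
            Write-Host ("{0,-25} NOT RESOLVED by filter" -f $sam)
            $failures += $sam
        }
    }
    return $failures
}

$filter = "(&(mail=*)(!userAccountControl:1.2.840.113556.1.4.803:=2))"
$bad = Test-PeoplePickerFilter -WebAppUrl "http://<your-web-app-url>" -CustomFilter $filter
if ($bad.Count -eq 0) {
    Write-Host 'All required accounts still resolve; safe to set the filter and call $webapp.Update()'
} else {
    Write-Warning "Do not apply this filter until these accounts resolve: $($bad -join ', ')"
}
```

Run it from a SharePoint Management Shell on a farm server; any account listed as NOT RESOLVED would stop working in the people picker once the filter is committed.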


