Business Scenario:
There are two Site Collections: US and UK. Active Directory is set up to store United States users in the US Organizational Unit and United Kingdom users in the UK Organizational Unit. The requirement is to prevent US users from granting site/library/item permissions to UK users, and vice versa.
Solution:
Currently, a US user (Kevin Carter) can grant a UK user (Kyle Wilson) access to the site.

The same goes for Kyle (UK) being able to add Kevin (US):

Launch the SharePoint 2010 Management Shell (PowerShell) and run the following commands. UserAccountDirectoryPath takes the LDAP distinguished name of the OU, and the setting applies only to the site collection named by Identity, so run the command once per site collection. Make sure you edit the Identity and UserAccountDirectoryPath parameters to reflect your environment and OU/Domain structure.
Set-SPSite -Identity http://portal.contoso.com/sites/US -UserAccountDirectoryPath "OU=US,OU=SharePoint,DC=Contoso,DC=com"
Set-SPSite -Identity http://portal.contoso.com/sites/UK -UserAccountDirectoryPath "OU=UK,OU=SharePoint,DC=Contoso,DC=com"
Now, if Kevin (US) tries to add Kyle (UK) to the site again, then this is what he’ll see:

The same happens if Kyle tries to add Kevin:

You could also use the above command to limit the People Picker to a specific domain.
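As an added worked example (not code from the original post), the script below applies the same Set-SPSite change to both site collections, checks that each OU actually exists before pointing the picker at it, lists the resulting setting for every site collection so you can confirm what is in place, and shows how to roll the change back. It assumes the site URLs and OU distinguished names used above and is meant to be run from the SharePoint 2010 Management Shell.

```powershell
# Added example: scope each site collection's People Picker to its own OU,
# verify the setting farm-wide, and show the rollback.
# Assumed values: the two site URLs and OU distinguished names from the post.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$scopes = @{
    "http://portal.contoso.com/sites/US" = "OU=US,OU=SharePoint,DC=Contoso,DC=com"
    "http://portal.contoso.com/sites/UK" = "OU=UK,OU=SharePoint,DC=Contoso,DC=com"
}

foreach ($url in $scopes.Keys) {
    $ou = $scopes[$url]
    # Sanity check: if the OU path is mistyped, every lookup in that site
    # collection will fail, so confirm the OU exists before applying it.
    if (-not [ADSI]::Exists("LDAP://$ou")) {
        Write-Warning "OU not found, skipping $url : $ou"
        continue
    }
    Set-SPSite -Identity $url -UserAccountDirectoryPath $ou
    Write-Host "Restricted People Picker for $url to $ou"
}

# Verify: UserAccountDirectoryPath is a property of the SPSite object, so the
# current restriction (blank = whole directory) can be listed for every site
# collection in the farm.
Get-SPSite -Limit All |
    Select-Object Url, UserAccountDirectoryPath |
    Format-Table -AutoSize

# Roll back: setting the property to an empty string clears the restriction
# and restores the default (search the whole directory) for that site collection.
# Set-SPSite -Identity "http://portal.contoso.com/sites/US" -UserAccountDirectoryPath ""
```

Two caveats worth keeping in mind. The setting only changes which accounts the People Picker will resolve in that site collection; it does not revoke permissions that were granted before the change, so review existing permissions separately. It is also a usability control rather than an authorization boundary: an AD group that lives inside the US OU can still have UK accounts as members, and those accounts gain whatever access the group is granted.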
So glad I found this.
Now if only I could get it working in SharePoint 2007 via PowerShell 2.
I’m trying to limit the People Picker to only show results from Active Directory rather than the whole site collection.
My SP 2010 Farm returns results for 5 domains that it trusts. What changes would I make if I want to allow the people picker to return results from two specific domains. First, the domain my server is in and second a domain that we have a two way trust with?
Wendy,
Check out the TechNet article on People Picker property settings. This may help you. I believe you can accomplish what you are looking for by including the proper “-PV” values. Perhaps this would work by adding multiple domain values or using a custom LDAP query as noted in the bottom of the link.
http://technet.microsoft.com/en-us/library/gg602066.aspx#section4
-Adam
Can I do the same at run time based on selected parameters? In other words, if I have two OUs – UK and US – and one page with the people picker and a country selector with “UK”, “US” and “ALL” options, can I let the people picker display a list of users depending on my selection? Thank you.
How does the profiles imported from the User Profile Service play into this? I have a one way trust with Domain Y, but I am not importing profiles from that domain. But after a Domain Y user accesses a site collection, they are now queryable in the People Picker.
It doesn’t actually/oddly enough. Since Domain Y is trusted, you can grant any user from that domain access to a site. When granting, that user account is then added into SharePoint’s hidden list known as the User Information List. The people picker queries both this list and the domains. You do not need to import users in order to grant them access. You can see this more clearly in how you are able to grant users access to SharePoint in SharePoint Foundation where no User Profile Service ever exists.
Exactly. This is precisely how I uncovered this nugget of information. I was on SharePoint Foundation for a few months and just upgraded to Enterprise.
My struggle right now…and nobody, even on the MSDN forums, can seem to figure out how to resolve it…is that I have two domains in my org. Domain X, where the SP server resides, and Domain Y, which has a one way trust with Domain X (X trusts Y, Y doesn’t trust X). Half of my users are on Domain Y, the other on Domain X. To give my Y users access, I added them to domain groups and then added those domain groups to SharePoint permissions in a certain site collection. During my Foundation period it was easy…users in Domain X had access without issue because they were in the same AD as the server. Users in Domain Y had access, but had to visit the site at least one time so Foundations would create a site collection profile for them…at which time they could update their profile data manually (like email address which is critical for the workflow). The problem…and this is the source problem for all of this…is that all users have accounts in BOTH DOMAINS. I didn’t do it that way, it just is what it is…the company did it that way for some weird reason years ago. So in the people picker for that site collection, every user can potentially show up twice and the users don’t know which one to select.
I’m struggling to figure out a way to make the people picker show only the REAL account for each user. If AD were the only variable it would be difficult enough, but with the people picker ALSO pulling from this hidden user list, it seems insurmountable at this point.
Wow, yeah, that does sound like a real issue. You could limit the picker to one domain but you are right, which is the REAL account for that user or domain? I’m not sure of a viable solution, if any. I’ll give it some more thought.
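As an added example (not the commenters' code or the post's), the script below inspects the second source the picker draws on, the site collection's hidden User Information List, and flags accounts that have been cached under more than one domain, which is the duplicate-entry situation described above. It assumes the site URL shown, that the two domains appear as the domain part of each login name, and handles both classic (DOMAIN\user) and claims-encoded (i:0#.w|DOMAIN\user) login names.

```powershell
# Added example: list what a site collection's User Information List already
# holds and flag accounts cached under two domains.
# Assumed value: the site URL; the login-name formats are SharePoint 2010's
# classic (DOMAIN\user) and Windows-claims (i:0#.w|DOMAIN\user) forms.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://portal.contoso.com/sites/US"   # assumed

function Split-LoginName {
    param([string]$LoginName)
    # Returns the domain and account parts of a Windows login name, or $null
    # for principals that are not DOMAIN\user (for example "c:0(.s|true").
    if ($LoginName -match '(?:\|)?(?<domain>[^\\|]+)\\(?<account>[^\\]+)$') {
        return @{ Domain = $Matches.domain.ToUpper(); Account = $Matches.account.ToLower() }
    }
    return $null
}

# Get-SPUser -Web enumerates the site collection's User Information List.
$cached = Get-SPUser -Web $siteUrl -Limit All |
    Where-Object { -not $_.IsDomainGroup } |
    ForEach-Object {
        $p = Split-LoginName $_.LoginName
        if ($p) {
            New-Object PSObject -Property @{
                Account   = $p.Account
                Domain    = $p.Domain
                LoginName = $_.LoginName
                HasEmail  = [bool]$_.Email   # blank e-mail breaks mail-based workflows
            }
        }
    }

"Cached accounts per domain:"
$cached | Group-Object Domain | Select-Object Name, Count | Format-Table -AutoSize

"Accounts cached under more than one domain (these appear twice in the picker):"
$cached | Group-Object Account |
    Where-Object { @($_.Group | ForEach-Object { $_.Domain } | Sort-Object -Unique).Count -gt 1 } |
    ForEach-Object { $_.Group | Select-Object Account, Domain, LoginName, HasEmail } |
    Format-Table -AutoSize
```

Pruning a duplicate from the User Information List (for example with Remove-SPUser) only helps in combination with the domain or OU restriction shown in the post: as long as the picker still queries the other domain, the second account will simply be resolved from Active Directory again the next time someone searches for it.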
What is the way to remove the configuration done in this article? Example: a US user can now add a UK user to their site again. I am troubleshooting on a production server and would like to know whether there is a way to check the current configuration on the server.
I’m trying to search by sn and givenName using the FBA LdapMembershipProvider. Yet when I do the search in the People Picker it does not return the result. Searching by the username is the only way the result will come back. Is there a way to configure the People Picker to search by the sn and givenName attributes?