Question

I have a scenario where a client wants to filter in the People Picker what AD Groups are available to choose from. For instance, when selecting what AD User/AD Group can be added to an Alert on a SharePoint List.

The LDAP query can be set for peoplepicker-adcustomfilter property for a Site Collection, but it appears to not affect AD Groups and only "People" e.g. AD Users. The reason I say "appears" is that the Users being returned seem to abide by the LDAP query, but the AD Groups seem to return all of them.

I have already narrowed down the AD forest using the peoplepicker-searchadforests property to the forest and domain I require. But I want to filter what groups are shown also. The scenario is that some of the AD Groups are for things like printer groups and file access that aren't relevant to SharePoint.

Could it be the case that the people picker needs a kick to refresh the LDAP query? Is this query immediately reflected and all calls dynamically go straight to AD with the LDAP query... or is it cached somewhere? I am assuming this has nothing to do with SSP User Profiles at this point as this same functionality exists in WSS.

TechNet article wasn't that useful on this.

Solution

This one can be done out of the box.

First, why this isn't working: The default behavior of the People Picker is not to query AD via LDAP. It is to query the SharePoint User Profile database. This is populated via user import. In MOSS, it is through a scheduled (or manual) user import. In WSS, it is done when any AD account or group is added to any site via explicit permissions or when added to a SharePoint group in a site.

The Name property will be the AD account name and so it looks very much like it is pulling from AD.

You can code another solution, but getting the right information into a usable SharePoint format can be tricky. But for this, you don't have to.

So, how to address your issue:

As I said, this can be done with OOTB functionality if you're willing to do a few minutes' work ahead of time.

  1. Make a list (not an SP list, just a list) of the AD groups you want for this particular people picker to choose from.
  2. Create a new SharePoint group in the site where this people picker exists.
  3. Do not give the SP group any permissions. It is just a holder.
  4. Add the AD groups from your list in Step 1 to this SP group. Remove any individual account (such as yours) from the group.
  5. In your people picker column settings, change the "Allow selection from" to "People and groups".
  6. Then change the "Choose From" to "SharePoint Group" and in the drop-down choose the list you created.

How to use this nifty little thingie?

When you create a new list item, you will see the people field with a "Check Names" and a "Browse". Since you limited the people picker to only what is in the SP group, anything typed in will only be checked against the groups in your SP group. So, it is likely that this will be unsatisfying.

However - look at that "Browse" button. Click it! Notice that it brings up the list of the AD groups you put into your SP Group.

I think you get the point.

Have fun!

Other tips

Have you run your custom filter through an LDAP browser? Does it return the results you expect?

I can resolve the user in check names, but not in "select people and groups". By chance I managed to do a search and got a result on the SharePoint group that is part of the Site Collection, builtin\administrators and the site collection administrator account. But that was it!

The results are:

stsadm -o getproperty -propertyname peoplepicker-activedirectorysearchtimeout -url http://site/

<Property Exist="Yes" Value="30" />

stsadm -o getproperty -propertyname peoplepicker-distributionlistsearchdomains -url http://site/

<Property Exist="No" />

stsadm -o getproperty -propertyname peoplepicker-nowindowsaccountsfornonwindowsauthenticationmode -url http://site/

<Property Exist="Yes" Value="yes" />

stsadm -o getproperty -propertyname peoplepicker-onlysearchwithinsitecollection -url  http://site/

<Property Exist="Yes" Value="no" />

stsadm -o getproperty -propertyname peoplepicker-searchadcustomfilter -url http://site/

<Property Exist="Yes" Value="(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))" /> 

stsadm -o getproperty -propertyname peoplepicker-searchadcustomquery -url http://site/

<Property Exist="No" />

stsadm -o getproperty -propertyname peoplepicker-searchadforests -url http://site/

<Property Exist="No" />

stsadm -o getproperty -propertyname peoplepicker-serviceaccountdirectorypaths -url http://site/

<Property Exist="No" />

stsadm -o getproperty -propertyname peoplepicker-onlysearchwithinsitecollection -url  http://site/

<Property Exist="Yes" Value="no" />
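
What the `peoplepicker-searchadcustomfilter` value shown above selects can be checked offline. The following is an added example, not part of the original posts or of SharePoint: a small RFC 4515 filter evaluator run over constructed directory entries (entry names, attribute values and the helper functions are assumptions). RFC 4515 requires the operand of `!` to be a parenthesized filter, so the strict form is the one evaluated, and this parser rejects the value exactly as printed.

```python
import re
BIT_AND = "1.2.840.113556.1.4.803"  # Active Directory bitwise-AND matching rule

def parse(f, i=0):
    """Parse one RFC 4515 filter at f[i]; return (node, index after it)."""
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i:i + 1] in ("&", "|", "!"):
        op, kids, i = f[i], [], i + 1
        while f[i:i + 1] != ")":
            kid, i = parse(f, i)  # each operand must be a parenthesized filter
            kids.append(kid)
        if op == "!" and len(kids) != 1:
            raise ValueError("'!' takes exactly one filter")
        return (op, kids), i + 1
    end = f.index(")", i)  # raises ValueError if the item is never closed
    m = re.fullmatch(r"([\w-]+)(?::([\d.]+):)?=(.*)", f[i:end])
    if not m or m.group(2) not in (None, BIT_AND):
        raise ValueError(f"unsupported filter item {f[i:end]!r}")
    return ("item", m.groups()), end + 1

def matches(node, entry):
    # Two-valued evaluation; a missing attribute simply fails to match.
    kind, arg = node
    if kind in ("&", "|"):
        results = [matches(k, entry) for k in arg]
        return all(results) if kind == "&" else any(results)
    if kind == "!":
        return not matches(arg[0], entry)
    attr, rule, value = arg
    have = entry.get(attr.lower(), [])
    if rule == BIT_AND:  # true when every bit of value is set in the attribute
        return any((int(v) & int(value)) == int(value) for v in have)
    return any(v.lower() == value.lower() for v in have)

def select(flt, entries):
    node, end = parse(flt)
    if end != len(flt):
        raise ValueError("trailing characters after filter")
    return [e["cn"][0] for e in entries if matches(node, e)]

ENTRIES = [  # constructed sample entries; objectCategory shortened to its display name
    {"cn": ["alice"], "objectclass": ["person", "user"], "objectcategory": ["person"], "useraccountcontrol": ["512"]},
    {"cn": ["bob-disabled"], "objectclass": ["person", "user"], "objectcategory": ["person"], "useraccountcontrol": ["514"]},
    {"cn": ["Printer-Floor2"], "objectclass": ["top", "group"], "objectcategory": ["group"]},
    {"cn": ["WS-0042"], "objectclass": ["person", "user", "computer"], "objectcategory": ["computer"], "useraccountcontrol": ["4096"]},
]
PAGE_FILTER = "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))"
STRICT_FILTER = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
```

`select(STRICT_FILTER, ENTRIES)` returns only the enabled user account: the disabled user, the group and the computer account are all excluded, so this filter on its own never matches group objects.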
Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange