People Picker Fields in Multiple Forests or Domains
Date: 26.04.2012
Sometimes SharePoint is used in environments with a complex Active Directory structure (multiple domains or forests). This can lead to problems when People Picker fields resolve accounts, both in OOB SharePoint fields and in the corresponding MatchPoint fields (i.e. within a Form Web Part: PersonField, RoleField).
SharePoint Behavior
By default, the SharePoint People Picker resolves accounts from the domain where SharePoint is installed. To resolve user and group accounts from other forests or domains, the People Picker settings must be modified (as described on MSDN). SharePoint will then be able to resolve user and group accounts, provided that the trusts between the forests or domains are configured correctly. More information on the configuration of the SharePoint People Picker can be found in the following MSDN article: People Picker overview
Please be cautious: if not configured correctly, there might be a severe performance impact.
If SharePoint should resolve user accounts within multiple AD forests or domains, these search paths must be specified per web application: Peoplepicker-searchadforests: Stsadm property
For further optimization of account resolving, it might be necessary to use a custom query or custom search filters: Peoplepicker-searchadcustomquery: Stsadm property; Peoplepicker-searchadcustomfilter: Stsadm property
Note: We have found that resolving accounts cross-forest (or cross-domain) might work without making modifications to the People Picker settings. However, we suggest following the MSDN guidelines and specifying the settings.
MatchPoint Behavior
As far as possible, MatchPoint's account resolving follows the implementation of SharePoint. However, SharePoint does not expose a documented API for its account resolving, so there are some differences:
While SharePoint might be able to resolve accounts in multi-forest or multi-domain setups without additional configuration, the search settings must be configured for every web application in order for the MatchPoint People Picker controls to work correctly:
stsadm -o setproperty -pn peoplepicker-searchadforests -pv "<list of forests or domains>" -url <WebApp>
This is required so MatchPoint can include additional search paths when user- or group accounts are resolved.
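The following batch script is an added example (not part of the original article or of MatchPoint) that applies the stsadm settings described above for one web application; the forest names, the web application URL, the lookup account and all passwords are placeholders.

```bat
@echo off
REM Added example: configure the People Picker of one SharePoint 2010 web
REM application to resolve accounts from a trusted second forest.
REM All names and credentials below are placeholders; run on a farm server.
set "STSADM=%CommonProgramFiles%\Microsoft Shared\Web Server Extensions\14\BIN\stsadm.exe"
set "WEBAPP=http://intranet.contoso.local"

REM The credentials stored in peoplepicker-searchadforests are encrypted with
REM the application password, so setapppassword must be run with the same
REM value on every server in the farm before the property is set.
"%STSADM%" -o setapppassword -password "<app-password>"

REM The lookup account only needs read access in the trusted forest.
REM The local forest is listed as well, because setproperty replaces the
REM existing list; omitting it would stop local accounts from resolving.
"%STSADM%" -o setproperty -pn peoplepicker-searchadforests ^
  -pv "forest:contoso.local;forest:fabrikam.local,FABRIKAM\svc-ppread,<password>" ^
  -url %WEBAPP%

REM Optional: restrict results to user objects with an LDAP filter.
"%STSADM%" -o setproperty -pn peoplepicker-searchadcustomfilter ^
  -pv "(objectCategory=person)" -url %WEBAPP%

REM Verify what was stored for this web application.
"%STSADM%" -o getproperty -pn peoplepicker-searchadforests -url %WEBAPP%
"%STSADM%" -o getproperty -pn peoplepicker-searchadcustomfilter -url %WEBAPP%
```

The getproperty calls at the end show the stored values so a mistyped forest entry or filter is caught before users report resolve failures or slow lookups.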
For a custom LDAP filter, please use the PeoplePickerSettings element within the MatchPointConfiguration.xml configuration file. This corresponds to the configuration of a custom search filter for OOB SharePoint People Picker fields.
Within MatchPoint's configuration settings, you can also configure a custom display name pattern that will be used within a People Picker field.
Note: As of April 16, 2012 there were no PowerShell commands to configure People Picker. Therefore the links and examples provided here use the STSADM utility.