Skip to main content
Habanero logo

Users from a trusted domain not resolving in the Central Administration People Picker

Related content

{
  "_type": "relatedContent",
  "link": "/careers",
  "linkText": "Read more",
  "_key": "be2c8d479563",
  "headline": "We're Hiring!",
  "content": [
    {
      "markDefs": [],
      "children": [
        {
          "marks": [],
          "text": "We're on a mission to change the world of work. Come join us!",
          "_key": "344dedab8cc60",
          "_type": "span"
        }
      ],
      "_type": "block",
      "style": "normal",
      "_key": "344dedab8cc6"
    }
  ]
}

I ran into an issue recently with the People Picker in SharePoint 2013. In this case, I had a development VM joined to a domain (habaneros.com) and needed to add a web application user policy for users from another one-way trusted domain (contoso.com).

Diagram showing domain trust and location of farm and users

I configured the peoplepicker-searchadforests property in Central Administration but the users wouldn't resolve.

stsadm -o setproperty -pn peoplepicker-searchadforests -pv "forest:habaneros.com;forest:contoso.com,contoso\ReadAccount,P@ssw0rd" -url http://CentralAdmin

I tried IIS resets and changing the value of the property a number of times. I ran a Network Monitor capture to compare the people picker query against a query from Local Users and Groups (where the users did resolve). I couldn’t figure it out.

People picker with the name unresolved

Out of frustration, I set the property for the web application to see if it was something weird with Central Administration.

stsadm -o setproperty -pn peoplepicker-searchadforests -pv "forest:habaneros.com;forest:contoso.com,contoso\ReadAccount,P@ssw0rd" -url http://webapp

I tried to resolve a user in the web application and it worked. Dumbfounded, I went back to Central Administration and the names were now resolving there as well. A light bulb went off in my brain and everything became immediately obvious.

People picker with the user resolved

The web application user policy is a property of the web application, not Central Administration. The users weren’t resolving because I hadn’t yet set the peoplepicker-searchadforests property for the web application. Once both were set, the people picker could then resolve the users:

stsadm -o setproperty -pn peoplepicker-searchadforests -pv "forest:habaneros.com;forest:contoso.com,contoso\ReadAccount,P@ssw0rd" -url http://CentralAdmin
stsadm -o setproperty -pn peoplepicker-searchadforests -pv "forest:habaneros.com;forest:contoso.com,contoso\ReadAccount,P@ssw0rd" -url http://webapp

Setting the property for both Central Administration and the Web Application should allow you to resolve names when adding a web application user policy for users in a trusted domain.

Related content

{
  "_type": "relatedContent",
  "link": "/go-intranet",
  "linkText": "Read more",
  "_key": "3c35031934c8",
  "headline": "A better way to build a SharePoint intranet",
  "content": [
    {
      "markDefs": [],
      "children": [
        {
          "text": "GO is our customizable intranet that leverages O365 and our expertise in employee experience, design and development.",
          "_key": "366b47fdbb0f0",
          "_type": "span",
          "marks": []
        }
      ],
      "_type": "block",
      "style": "normal",
      "_key": "366b47fdbb0f"
    }
  ]
}

References