SharePoint 2010 PeoplePicker Not Finding Active Directory Users

We had a weird problem at one of my customers the other day. They’d built a SharePoint 2010 farm with one web application and three site collections.

In two of the site collections, the PeoplePicker control allowed the users to select the correct folks from their Active Directory. However, for one site collection, only users that already exist in the User Information List could be resolved by the PeoplePicker:

[Screenshot: SharePoint 2010 PeoplePicker failing to resolve a user]

This was accompanied in the ULS (14 hive logs) with the following message:

Error ID 72e9 Error in resolving user ‘fred’ : System.DirectoryServices.DirectoryServicesCOMException (0x8007202B): A referral was returned from the server.
at System.DirectoryServices.SearchResultCollection.ResultsEnumerator.MoveNext()
at Microsoft.SharePoint.WebControls.PeopleEditor.SearchFromGC(SPActiveDirectoryDomain domain, String strFilter, String[] rgstrProp, Int32 nTimeout, Int32 nSizeLimit, SPUserCollection spUsers, ArrayList& rgResults)
at Microsoft.SharePoint.Utilities.SPUserUtility.ResolveAgainstAD(String input, Boolean inputIsEmailOnly, SPActiveDirectoryDomain globalCatalog, SPPrincipalType scopes, SPUserCollection usersContainer, TimeSpan searchTimeout, String customFilter)
at Microsoft.SharePoint.Utilities.SPActiveDirectoryPrincipalResolver.ResolvePrincipal(String input, Boolean inputIsEmailOnly, SPPrincipalType scopes, SPPrincipalSource sources, SPUserCollection usersContainer)
at Microsoft.SharePoint.Utilities.SPUtility.ResolvePrincipalInternal(SPWeb web, SPWebApplication webApp, Nullable`1 urlZone, String input, SPPrincipalType scopes, SPPrincipalSource sources, SPUserCollection usersContainer, Boolean inputIsEmailOnly, Boolean alwaysAddWindowsResolver).

A lot of people on the Internet seem to be having the same issues, and a lot of the advice seems to centre around setting Web Application level properties to configure the PeoplePicker.

But the problem here is not Web Application wide – it only affects one site collection.

So I decided to have a look at some of the properties on the SPSite object itself, courtesy of PowerShell. A look at the SPSite.UserAccountDirectoryPath property showed an unexpected difference between the site collections that worked and the one that didn’t.

Here’s an example snippet to illustrate the point:

PS C:\> $site = get-spsite http://brokensite.contoso.com
PS C:\> $site.UserAccountDirectoryPath
DC=dev,DC=contoso,DC=com

The site collections that worked instead had an empty string for SPSite.UserAccountDirectoryPath. Simply setting the errant site collection’s value back to an empty string resolved the problem. You could also use the Set-SPSite cmdlet:

PS C:\> Set-SPSite -Identity http://brokensite.contoso.com -UserAccountDirectoryPath ""
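As an added example (not code from the original post), here is a PowerShell audit that reports SPSite.UserAccountDirectoryPath for every site collection in a web application and then clears it only on the sites you confirm, since a non-empty value can also be a deliberate OU restriction rather than a misconfiguration. It assumes the SharePoint 2010 Management Shell; the web application URL is a placeholder.

```powershell
# Added example, not from the original post. Audits SPSite.UserAccountDirectoryPath
# across a web application and clears it per site only after confirmation.
# Assumes the SharePoint 2010 Management Shell (PowerShell 2.0 compatible syntax).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Placeholder web application URL: change to the web application you are checking.
$webAppUrl = "http://brokensite.contoso.com"

function Get-PeoplePickerScopeReport {
    param([string]$WebApplicationUrl)
    Get-SPSite -WebApplication $WebApplicationUrl -Limit All | ForEach-Object {
        $path = $_.UserAccountDirectoryPath
        # Empty string = PeoplePicker searches the whole forest via the GC
        # (the working site collections in the post). Anything else restricts
        # resolution to that container, and a container outside the domain the
        # GC answers for produces the "referral was returned" error above.
        New-Object PSObject -Property @{
            Url                      = $_.Url
            UserAccountDirectoryPath = $path
            Scoped                   = -not [string]::IsNullOrEmpty($path)
        }
        $_.Dispose()
    }
}

# 1. Report which site collections carry a directory path restriction.
$report = Get-PeoplePickerScopeReport -WebApplicationUrl $webAppUrl
$report | Select-Object Url, UserAccountDirectoryPath, Scoped | Format-Table -AutoSize

# 2. Reset only the scoped sites, one confirmation prompt each, so an intended
#    OU restriction is not wiped along with the errant value.
$report | Where-Object { $_.Scoped } | ForEach-Object {
    Set-SPSite -Identity $_.Url -UserAccountDirectoryPath "" -Confirm
}
```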

This resolved the problem for our client. I hope you find it useful too!

Comments

  1. Nick says

    hi Joel,
    I’ve got a weird issue. I have two site collections – ISG and Corpsys. I am in the middle of an Active Directory migration – from A to B. When I migrate a user, I disable the account in A and enable it in B. In my ISG PeoplePicker I can see both users for domain A and domain B. In my CorpSys PeoplePicker I only see the enabled users – whether they are in Domain A or Domain B. The site collections are in the same web app and content database. I’ve checked the 9 settings in PeoplePicker via STSADM, and they are identical. Any ideas?
    thank you.

    • says

      Hi Nick!

      It might be worth looking at the ULS logs when you pop up the people picker in the affected site collection. I’d suggest running a new-splogfile just before and immediately after testing to give you the narrowest slice of log file to wade through. Maybe if you find anything, you could post the results back here and we can see if there’s any clues.

      Cheers!

      joel

  2. Enrique says

    Hi Joel,

    I am using the path “Set-SPSite -Identity http://sharepoint -UserAccountDirectoryPath OU=SPUsers,DC=vmlab,DC=local” to limit the People Picker to only search the specified OU. Using SharePoint Foundation 2010 on Windows 2008 64-Bit.

    When I query the value using the get-spsite cmd you have above, it returns the value as I specified.

    However, when I run a search in SharePoint, it still returns all users in my AD environment. I have restarted the SharePoint server, restarted my browser sessions, waited a few hours, and still no desired result.

    Any clue why this might still be searching my entire AD domain?

  3. says

    Hi Joel,
    sorry for the much-delayed response – here’s the results of my ULS log

    Error in searching user ‘reinhardt’ : System.DirectoryServices.DirectoryServicesCOMException (0x8007203B): A local error has occurred.
    at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
    at System.DirectoryServices.DirectoryEntry.Bind()
    at System.DirectoryServices.DirectoryEntry.get_AdsObject()
    at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
    at Microsoft.SharePoint.WebControls.PeopleEditor.SearchFromGC(SPActiveDirectoryDomain domain, String strFilter, String[] rgstrProp, Int32 nTimeout, Int32 nSizeLimit, SPUserCollection spUsers, ArrayList& rgResults)
    at Microsoft.SharePoint.Utilities.SPUserUtility.SearchAgainstAD(String input, SPActiveDirectoryDomain domainController, SPPrincipalType scopes, SPUserCollection usersContainer, Int32 maxCount, String customQuery, String customFilter, TimeSpan searchTimeout, Boolean& reachMaxCount)
    at Microsoft.SharePoint.Utilities.SPActiveDirectoryPrincipalResolver.SearchPrincipals(String input, SPPrincipalType scopes, SPPrincipalSource sources, SPUserCollection usersContainer, Int32 maxCount, Boolean& reachMaxCount)
    at Microsoft.SharePoint.Utilities.SPUtility.SearchPrincipalFromResolvers(List`1 resolvers, String input, SPPrincipalType scopes, SPPrincipalSource sources, SPUserCollection usersContainer, Int32 maxCount, Boolean& reachMaxCount, Dictionary`2 usersDict).

    any ideas?

  4. Ravikumar says

    Hi all,

    I am not able to browse/search users while granting user permissions on the client machine. Please, can anyone help me with this?

    Note: check is working fine, but I am unable to search users at any level (site, list, item).

  5. Amir says

    Hello,
    I use SharePoint Foundation 2013 and I have the same problem as you.
    But at that line (PS C:> $site.UserAccountDirectoryPath
    DC=dev,DC=xxxx,DC=de) I always receive an error.
    error:
    Unexpected token ‘DC= Mydomain’ in expression or statement. At line:1 char:40 +$site.UserAccountDirectoryPath DC=myADdomain <DC=MyDomain DC=de
    +
    Argument in the parameter list is missing
    +CategoryInfo :ParserError: [], ParentContainsErrorRecordException +FullyQualifiedErrorId : UnexpectedToken

    Please HELP

  6. Cyril says

    Hi joel,
    I created a list definition in Visual Studio 2010, but my Assigned field alone is not displaying the value. What is the reason? Can you help me?

  7. Paul Wike says

    Fantastic, this also resolves an issue when migrating databases from one domain to another. It resolves the problem of being unable to change site collection administrators, which gives you the message "user is not found". Awesome – another pint I owe you, Joel!
