Categories: SharePoint


The company has two AD forests (DMZ and Internal domain), and accounts are duplicated between the domains. The SharePoint 2010 infrastructure is configured in the DMZ domain, and a one-way trust is configured between the DMZ and Internal forests.


The PeoplePicker control is configured to query both forests/domains by using the Peoplepicker-Searchadforests STSADM property. This poses an issue when accounts are duplicated between the DMZ and Internal domains: both accounts are enumerated through the PeoplePicker control, and users are frequently confused about which accounts to add to sites, tasks and other applications. The solution must exclude duplicate DMZ user accounts while still enumerating contractor, partner and service DMZ accounts.


The solution was to leverage the Peoplepicker-searchadcustomfilter property in tandem with Peoplepicker-Searchadforests. The Peoplepicker-searchadcustomfilter enables a farm administrator to specify a unique search query (reference:  Outlined below is a set of commands coupled with detailed explanations:

stsadm -o setproperty -pn peoplepicker-searchadforests -pv ",contoso\spaduser,Passw0rd;, contoso\spaduser,Passw0rd;forest:dmz.local,dmz\spaduser,Passw0rd;domain:dmz.local, dmz\spaduser,Passw0rd;" -url

The above command sets the peoplepicker-searchadforests property on The command contains forests/domain settings and includes AD credentials for the peoplepicker control to use for querying target domains/forests. Additional information about the peoplepicker-searchadforests can be obtained here:

stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv "(|(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=Contoso,DC=com) (msExchRecipientTypeDetails=2)(sAMAccountName=*_adm)(sAMAccountName=svc.*)(Title=*Contractor)(Title=Partner*))" -url

The above command augments the Peoplepicker-searchadforests property by adding custom search criteria. With reference to the above example, the criteria consist of the following:

  • (objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=Contoso,DC=com) - Return group objects from the DMZ/Internal domains
  • msExchRecipientTypeDetails=2 - Return user accounts from the DMZ/Internal domains that have an Exchange mailbox. (I use this criterion to eliminate duplicate users from the DMZ domain because only users in the internal domain have Exchange mailboxes)
  • sAMAccountName=*_adm - Return user accounts whose account name ends with “_adm” (this applies to the result set from the DMZ/Internal domains)
  • sAMAccountName=svc.* - Return accounts whose account name starts with “svc.”
  • Title=*Contractor - Return user accounts from both domains whose title ends with “Contractor”
  • Title=Partner* - Return user accounts from both domains where the title starts with “Partner”
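To see what the custom filter admits before setting it on the web application, the following added example (not part of the original post) parses the filter above and evaluates it, on its own, against constructed directory entries. The account names, titles and the `picker_candidates` helper are hypothetical, and the parser handles only `|`/`&` composites with `*` wildcards.

```python
import re

GROUP = "CN=Group,CN=Schema,CN=Configuration,DC=Contoso,DC=com"
# The custom filter from the command above.
FILTER = (f"(|(objectCategory={GROUP})(msExchRecipientTypeDetails=2)(sAMAccountName=*_adm)"
          "(sAMAccountName=svc.*)(Title=*Contractor)(Title=Partner*))")

def parse(f, i=0):
    """Parse the parenthesised filter at f[i]; return (node, index after it)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i] in "|&":                       # composite: operator plus sub-filters
        op, kids = f[i], []
        i += 1
        while f[i] != ")":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = f.index(")", i)                  # simple item: attr=value, '*' is a wildcard
    attr, _, pattern = f[i:end].partition("=")
    return ("=", (attr.lower(), pattern)), end + 1

def matches(node, entry):
    """Evaluate a parsed filter on one entry; an absent attribute never matches."""
    op, arg = node
    if op == "=":
        attr, pattern = arg
        value = {k.lower(): v for k, v in entry.items()}.get(attr)
        rx = ".*".join(re.escape(p) for p in pattern.split("*"))
        return value is not None and re.fullmatch(rx, value, re.IGNORECASE) is not None
    hits = [matches(kid, entry) for kid in arg]
    return any(hits) if op == "|" else all(hits)

ACCOUNTS = {  # constructed sample entries, only the attributes the filter reads
    r"contoso\SP Owners": {"objectCategory": GROUP},
    r"contoso\jsmith": {"sAMAccountName": "jsmith", "msExchRecipientTypeDetails": "2"},
    r"dmz\jsmith": {"sAMAccountName": "jsmith"},  # DMZ duplicate, no mailbox
    r"dmz\jsmith_adm": {"sAMAccountName": "jsmith_adm"},
    r"dmz\svc.spfarm": {"sAMAccountName": "svc.spfarm"},
    r"dmz\acme1": {"sAMAccountName": "acme1", "Title": "Senior Contractor"},
    r"dmz\acme2": {"sAMAccountName": "acme2", "Title": "Contractor (temp)"},
    r"dmz\pat": {"sAMAccountName": "pat", "Title": "Partner Liaison"},
}

def picker_candidates(accounts=ACCOUNTS, ldap_filter=FILTER):
    """Names of the entries the custom filter would let through."""
    tree, _ = parse(ldap_filter)
    return sorted(name for name, attrs in accounts.items() if matches(tree, attrs))
```

In this sample, `dmz\jsmith` (the duplicate without a mailbox) is dropped, and so is the account titled “Contractor (temp)”, because `*Contractor` only matches titles that end with that word.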

There’s a performance hit on response times, so I recommend testing/monitoring to make sure AD domain controllers aren’t overwhelmed. I’m currently running this in a 10K-plus user environment without any adverse effects.