Wednesday, June 11, 2014

How to configure People Picker in SharePoint 2013 for a remote domain with a one-way trust

I came across a situation today that required use of the STSADM command on SharePoint 2013 (Yes, it still lives)...

If SharePoint is installed on a domain that has a one-way trust with other domains and you want the People Picker on SharePoint 2013 to show users and groups from those other domains, you have to use the STSADM command to configure the People Picker. Basically, the People Picker needs an identity that it can use to authenticate against the remote trusted domains to query them.

Step 1

First, you have to set an encryption key on all web servers in your farm so that the stored credentials can be encrypted:

STSADM.exe -o setapppassword -password AnyKey

where "AnyKey" is any value. Just to be clear, you have to run this on all web servers in your farm, and the "AnyKey" value has to be set to the same value on every one of those servers. For example:

STSADM.exe -o setapppassword -password B1gL0ngPassw0rd

Step 2

Next, you have to give SharePoint the credentials to authenticate against the remote domain and tell it which domain you would like to authenticate against. You only have to run this on one of your SharePoint web servers.

STSADM.exe -o setproperty -propertyname peoplepicker-searchadforests -propertyvalue <Valid list of domains> -url <URL of the Web application>

where <Valid list of domains> is in the following format:

domain:DnsName,LoginName,Password

For example, a sample command might look like this:

STSADM.exe -o setproperty -propertyname peoplepicker-searchadforests -propertyvalue "domain:microsoft.com,microsoft\UserX,Ne@tP@ssw0rd" -url https://intranet.doughemminger.net

You can add more than one domain. Just delimit them with a semicolon and a space. For example:

STSADM.exe -o setproperty -propertyname peoplepicker-searchadforests -propertyvalue "domain:microsoft.com,microsoft\UserX,Ne@tP@ssw0rd; domain:bing.com,bing\UserY,L@meP@ssw0rd" -url https://intranet.doughemminger.net
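For the same Step 2 configuration done from the SharePoint 2013 Management Shell instead of STSADM, here is an added example (not from the original post) that sets the People Picker search domains through the object model. It assumes Step 1 (setapppassword) has already been run on every web server, and it prompts for the remote-domain account with Get-Credential so the password never appears on the command line or in the shell history; the parameter names and sample values are my own.

```powershell
# Added example, not the post's own code: object-model equivalent of
# "STSADM.exe -o setproperty -propertyname peoplepicker-searchadforests".
# Run from the SharePoint 2013 Management Shell on a farm server, after
# Step 1 has set the same app password on every web server in the farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Add-PeoplePickerDomain {
    param(
        [Parameter(Mandatory)][string]$WebAppUrl,   # e.g. https://intranet.doughemminger.net
        [Parameter(Mandatory)][string]$DnsName,     # e.g. microsoft.com
        [Parameter(Mandatory)][string]$ShortName,   # NetBIOS name, e.g. microsoft
        [switch]$IsForest                           # search a whole forest instead of one domain
    )
    $wa = Get-SPWebApplication -Identity $WebAppUrl
    $domains = $wa.PeoplePickerSettings.SearchActiveDirectoryDomains

    # Refuse to add a duplicate entry; remove or edit the existing one first.
    if ($domains | Where-Object { $_.DomainName -eq $DnsName }) {
        throw "People Picker already searches $DnsName on $WebAppUrl"
    }

    # Account SharePoint will use to query the trusted remote domain (DOMAIN\user).
    $cred = Get-Credential -Message "Account in $ShortName that can query $DnsName"

    $entry = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
    $entry.DomainName      = $DnsName
    $entry.ShortDomainName = $ShortName
    $entry.IsForest        = $IsForest.IsPresent
    $entry.LoginName       = $cred.UserName
    $entry.SetPassword($cred.Password)   # SecureString; stored encrypted with the farm app password

    $domains.Add($entry)
    $wa.Update()
}

function Get-PeoplePickerDomains {
    param([Parameter(Mandatory)][string]$WebAppUrl)
    # Read-back check of what is configured. The password is write-only on
    # this object, so nothing secret is listed here.
    (Get-SPWebApplication -Identity $WebAppUrl).PeoplePickerSettings.SearchActiveDirectoryDomains |
        Select-Object DomainName, ShortDomainName, IsForest, LoginName
}

# Usage with constructed sample values (run once per remote domain):
# Add-PeoplePickerDomain -WebAppUrl https://intranet.doughemminger.net -DnsName microsoft.com -ShortName microsoft
# Get-PeoplePickerDomains -WebAppUrl https://intranet.doughemminger.net
```

Calling Add-PeoplePickerDomain once per trusted domain is the equivalent of the semicolon-delimited list in the STSADM command above.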

Other Notes

There are lots of other things you can do with the People Picker control. For example:
  • You can run a custom query to search Active Directory and only display those users or groups.
  • You can also tell the People Picker control to restrict to users in the site collection.
  • You are not restricted to remote domains. You can run the same commands I showed above for forests.

References

There is actually good documentation on this here:
http://technet.microsoft.com/en-us/library/gg602075(v=office.15).aspx