In instances where your network administrator has created an external trust with another domain, you may want the SharePoint People Picker to find users in the external AD.

According to Microsoft’s TechNet, “The People Picker automatically issues queries to all two-way trusted domains when it uses the application pool account to search for users and groups. When you select a secondary account in the People Picker, the primary account information will be returned.” Therefore, by default two-way trusts are automatically searched.

This leaves two questions:

  1. What if you don’t want the People Picker to search all trusted external forests and/or domains?
  2. What if you need the People Picker to search one-way trusts?

Trust Authentication

For one-way trusts, you must provide the following information:

  • Logon credentials with permission to query the forest
  • An encryption key that will be used when the People Picker is performing a query

Open your SharePoint Management Shell as Administrator and type the following:

stsadm.exe -o setpassword -password <key>

Where:

  • <key> is the encryption key to set for the web application

This procedure must be executed for each of your front-end web servers.

Define the Scope

For one-way trusts, or to restrict the search scope of a two-way trust, you must define the scope.

Open your SharePoint Management Shell as Administrator and execute the following command:

stsadm.exe -o setproperty -pn "peoplepicker-searchadforests" -pv "forest:contoso.com,<Login>,<Password>;domain:corp.contoso.com,<Login>,<Password>" -url <http://server:port>

Where:

  • forest:contoso.com and domain:corp.contoso.com are entries in a semicolon-delimited list of the forests and/or domains to include in the search
  • <Login> is the login username used in the authentication step above (not needed for a two-way trust)
  • <Password> is the password used in the authentication step above (not needed for a two-way trust)
  • <http://server:port> is the URL of the SharePoint web application

Determine the Current Search Scope

Open your SharePoint Management Shell as Administrator and execute the following command:

stsadm.exe -o getproperty -pn "peoplepicker-searchadforests" -url <http://server:port>

Where:

  • <http://server:port> is the URL of the SharePoint web application
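The scope and verification steps above, wrapped in one script as an added example (not part of the original post or of SharePoint itself): it prompts for the one-way trust credentials instead of hard-coding them, builds the semicolon-delimited property value, applies it with stsadm, and reads it back to confirm each forest/domain is present. $WebAppUrl and the $Scope entries are placeholders to replace with your own values; it assumes the SharePoint Management Shell is open as Administrator and stsadm.exe is on the path.

```powershell
# Added example: set and verify the People Picker search scope (not the original post's code).
$WebAppUrl = "http://server:port"          # placeholder: your SharePoint web application URL

# Each entry: Kind is "forest" or "domain"; OneWay marks a one-way trust that needs credentials.
$Scope = @(
    @{ Kind = "forest"; Name = "contoso.com";      OneWay = $false },   # two-way trust
    @{ Kind = "domain"; Name = "corp.contoso.com"; OneWay = $true  }    # one-way trust
)

$parts = foreach ($entry in $Scope) {
    if (@("forest", "domain") -notcontains $entry.Kind) {
        throw "Unknown scope kind '$($entry.Kind)' for $($entry.Name)"
    }
    if ($entry.OneWay) {
        # Prompt for the account rather than hard-coding the password in the script.
        $cred  = Get-Credential -Message "Account that can query $($entry.Name) (one-way trust)"
        $plain = $cred.GetNetworkCredential().Password
        "{0}:{1},{2},{3}" -f $entry.Kind, $entry.Name, $cred.UserName, $plain
    } else {
        "{0}:{1}" -f $entry.Kind, $entry.Name    # two-way trust: no credentials needed
    }
}
$value = $parts -join ";"

# Apply the scope to the web application.
& stsadm.exe -o setproperty -pn "peoplepicker-searchadforests" -pv $value -url $WebAppUrl
if ($LASTEXITCODE -ne 0) { throw "stsadm setproperty failed with exit code $LASTEXITCODE" }

# Read the property back and confirm every requested forest/domain appears in it.
$current = (& stsadm.exe -o getproperty -pn "peoplepicker-searchadforests" -url $WebAppUrl) -join "`n"
foreach ($entry in $Scope) {
    $expected = "{0}:{1}" -f $entry.Kind, $entry.Name
    if ($current -notmatch [regex]::Escape($expected)) {
        Write-Warning "Scope entry '$expected' was not found in the current property value"
    }
}
Write-Host ("People Picker search scope now covers: " + (($Scope | ForEach-Object { $_.Name }) -join ", "))
```

Remember that the encryption key (stsadm -o setpassword) still has to be set separately on every front-end web server before the one-way trust entries will work.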