Skip to content

Configure people picker over a one-way trust using PowerShell

In a previous post I have written about Using the people picker over a one-way trust. In that post I use STSADM commands as there are no other ways to configure this. A downside of the STSADM command is your domain password being visible on the command prompt in plain text for everybody to read.

With SharePoint 2010 Microsoft introduces several cmdlets to replace the “old” STSADM commands. But looking at the STSADM to Windows PowerShell mapping you will see the commands for configuring the people picker are not present.

Creating my own script

PowerShell contains a nice cmdlet called Get-Credential which uses a popup to request credentials from the user and stores the password in a SecureString. This triggered me to write a PowerShell script which will work the same as “STSADM -o setproperty -pn peoplepicker-searchadforests”, but instead of typing the credentials on the command line it will use the credential dialog for every trusted domain.

As written in my previous post the configuration is done in two steps.


First you need to create a secure store for the credentials. This is done by executing the SetAppPassword command on every server in your SharePoint Farm with the same password.


stsadm -o setapppassword -password <password>


SetAppPassword <password>

function SetAppPassword([String]$password) {
  $type = [Microsoft.SharePoint.Utilities.SPPropertyBag].Assembly
  $method = $type.GetMethod("FromString", "Static, NonPublic", $null,
                                                           @([String]), $null)
  $secureString = $method.Invoke($null, @($password))


The second step is to register the (trusted) domains to be visible in the people picker. Remember the setting is per web application and zone.


stsadm -o setproperty -url <url> -pn “peoplepicker-searchadforests” -pv “forest:<source forest>;domain:<trusted domain>,<trusted domain>\<account>,<password>


PeoplePickerSearchADForests <url> “forest:<source forest>;domain:<trusted domain>

function PeoplePickerSearchADForests(
                                 [String]$webApplicationUrl, [String]$value) {
  $webApplication = Get-SPWebApplication $webApplicationUrl

  $searchActiveDirectoryDomains = $webApplication.PeoplePickerSettings

  $currentDomain = (Get-WmiObject -Class Win32_ComputerSystem).Domain

  if (![String]::IsNullOrEmpty($value)) {
    $value.Split(@(';'), "RemoveEmptyEntries") | ForEach { 
        $strArray = $_.Split(@(';'))

        $item = New-Object Microsoft.SharePoint.Administration

        [String]$value = $strArray[0]

        $index = $value.IndexOf(':');
        if ($index -ge 0) {
            $item.DomainName = $value.Substring($index + 1);
        } else {
            $item.DomainName = $value;

        if ([System.Globalization.CultureInfo]::InvariantCulture.CompareInfo
                                .IsPrefix($value, "domain:","IgnoreCase")) {
            $item.IsForest = $false;
        } else {
            $item.IsForest = $true;

        if ($item.DomainName -ne $currentDomain) {
            $credentials = $host.ui.PromptForCredential("Foreign domain trust"
            + " credentials", "Please enter the trust credentials to connect "
            + "to the " + $item.DomainName + " domain", "", "")

            $item.LoginName = $credentials.UserName;



Using the script

I have attached the script so you can use it in any way you want. You can put the commands in you own .ps1 file, or load the script in your current session using the following syntax:

. .\<path to file>\PeoplePickerSearchADForests.ps1

(yes, that’s a dot, then a space, then the path to the script)


Leave a comment
  1. Colin Dekker / Mar 18 2011

    I used your script as a template and added it to my autospinstaller script. Posted it (with a reference to this article) on the autoinstaller discussion board on codeplex as well:

    Great script!

    • Michaël Hompus / Mar 23 2011

      Thank you, it was exactly my intention to use this in a automated scenario.

  2. Harv / Jul 26 2011

    Great stuff, very useful. Infuriating that Microsoft left the only path to do this via STSADM out of the box.


  3. Steve C / Jul 24 2014

    Great post, thanks.

    Is there something I need to do after this? IISRESET or something?

    As it doesn’t seem to take affect on the people picker.


Leave a comment