Skip to content
/

Configure people picker over a one-way trust using PowerShell

In a previous post I have written about Using the people picker over a one-way trust. In that post I use STSADM commands as there are no other ways to configure this. A downside of the STSADM command is your domain password being visible on the command prompt in plain text for everybody to read.

With SharePoint 2010 Microsoft introduces several cmdlets to replace the “old” STSADM commands. But looking at the STSADM to Windows PowerShell mapping you will see the commands for configuring the people picker are not present.

Creating my own script

PowerShell contains a nice cmdlet called Get-Credential which uses a popup to request credentials from the user and stores the password in a SecureString. This triggered me to write a PowerShell script which will work the same as “STSADM -o setproperty -pn peoplepicker-searchadforests”, but instead of typing the credentials on the command line it will use the credential dialog for every trusted domain.

As written in my previous post the configuration is done in two steps.

SetAppPassword

First you need to create a secure store for the credentials. This is done by executing the SetAppPassword command on every server in your SharePoint Farm with the same password.

STSADM:

stsadm -o setapppassword -password <password>

PowerShell:

SetAppPassword <password>

function SetAppPassword([String]$password) {
  $type = [Microsoft.SharePoint.Utilities.SPPropertyBag].Assembly
                     .GetType("Microsoft.SharePoint.Utilities.SPSecureString")
  $method = $type.GetMethod("FromString", "Static, NonPublic", $null,
                                                           @([String]), $null)
  $secureString = $method.Invoke($null, @($password))
  [Microsoft.SharePoint.SPSecurity]::SetApplicationCredentialKey($secureString)
}

PeoplePickerSearchADForests

The second step is to register the (trusted) domains to be visible in the people picker. Remember the setting is per web application and zone.

STSADM:

stsadm -o setproperty -url <url> -pn “peoplepicker-searchadforests” -pv “forest:<source forest>;domain:<trusted domain>,<trusted domain>\<account>,<password>

PowerShell:

PeoplePickerSearchADForests <url> “forest:<source forest>;domain:<trusted domain>

function PeoplePickerSearchADForests(
                                 [String]$webApplicationUrl, [String]$value) {
  $webApplication = Get-SPWebApplication $webApplicationUrl

  $searchActiveDirectoryDomains = $webApplication.PeoplePickerSettings
                                                 .SearchActiveDirectoryDomains
  $searchActiveDirectoryDomains.Clear()

  $currentDomain = (Get-WmiObject -Class Win32_ComputerSystem).Domain

  if (![String]::IsNullOrEmpty($value)) {
    $value.Split(@(';'), "RemoveEmptyEntries") | ForEach { 
        $strArray = $_.Split(@(';'))

        $item = New-Object Microsoft.SharePoint.Administration
                                  .SPPeoplePickerSearchActiveDirectoryDomain

        [String]$value = $strArray[0]

        $index = $value.IndexOf(':');
        if ($index -ge 0) {
            $item.DomainName = $value.Substring($index + 1);
        } else {
            $item.DomainName = $value;
        }

        if ([System.Globalization.CultureInfo]::InvariantCulture.CompareInfo
                                .IsPrefix($value, "domain:","IgnoreCase")) {
            $item.IsForest = $false;
        } else {
            $item.IsForest = $true;
        }

        if ($item.DomainName -ne $currentDomain) {
            $credentials = $host.ui.PromptForCredential("Foreign domain trust"
            + " credentials", "Please enter the trust credentials to connect "
            + "to the " + $item.DomainName + " domain", "", "")

            $item.LoginName = $credentials.UserName;
            $item.SetPassword($credentials.Password);
        }

        $searchActiveDirectoryDomains.Add($item);
    }

    $webApplication.Update()
  }
}

Using the script

I have attached the script so you can use it in any way you want. You can put the commands in you own .ps1 file, or load the script in your current session using the following syntax:

. .\<path to file>\PeoplePickerSearchADForests.ps1

(yes, that’s a dot, then a space, then the path to the script)

PeoplePickerSearchADForests.zip

6 Comments

Leave a comment
  1. Colin Dekker / Mar 18 2011

    I used your script as a template and added it to my autospinstaller script. Posted it (with a reference to this article) on the autoinstaller discussion board on codeplex as well:

    http://autospinstaller.codeplex.com/discussions/250320

    Great script!

    • Michaël Hompus / Mar 23 2011

      Thank you, it was exactly my intention to use this in a automated scenario.

  2. Harv / Jul 26 2011

    Great stuff, very useful. Infuriating that Microsoft left the only path to do this via STSADM out of the box.

    Regards,
    Harv

  3. insurance sales jobs mn / May 27 2014

    Hi, I read your new stuff like every week. Your humoristic style is witty, keep
    doing what you’re doing!

  4. Steve C / Jul 24 2014

    Great post, thanks.

    Is there something I need to do after this? IISRESET or something?

    As it doesn’t seem to take affect on the people picker.

    THx

  5. Fantastic goods from you, man. I’ve understand your stuff previous to and you’re just too excellent.
    I actually like what you’ve acquired here, certainly like what you’re stating and the way in which you
    say it. You make it enjoyable and you still take care of to keep it
    smart. I cant wait to read far more from you. This is really a tremendous site.

Leave a comment


*