Archive for the 'Active Directory' Category

Resolving “User does not exist or is not unique” error in SharePoint 2010

Let's say you have a SharePoint farm running in your DMZ as part of the EXTERNAL domain, and a separate internal domain called INTERNAL. There is a one-way trust from EXTERNAL to INTERNAL: EXTERNAL trusts INTERNAL. You try to add a user from INTERNAL to your EXTERNAL SharePoint 2010 site and grant them permission, and you get the following error:

User does not exist or is not unique

In the SharePoint logs, you find something like this:

Error in resolving user 'internal\john.smith':
System.Runtime.InteropServices.COMException (0x8007052E): Logon failure:
unknown user name or bad password.

You suspect that the issue is related to a People Picker misconfiguration. Reading the TechNet article on the topic provides some clues:

http://technet.microsoft.com/en-us/library/cc263460(v=office.12).aspx

You run the following STSADM commands:

stsadm -o setapppassword -password somepassword12345678

stsadm -o setproperty -url https://sharepointsite -pn
"peoplepicker-searchadforests" -pv
"domain:internal.domain.com,internal\username,password"

However, the error persists: you still get the same error. What gives?

The command is not correct; make sure that you use the proper scope keyword for your AD configuration.
In my case, instead of "domain:internal.domain.com", I had to use "forest:internal.domain.com". Here are the full commands:

stsadm -o setapppassword -password somepassword12345678

stsadm -o setproperty -url https://sharepointsite -pn
"peoplepicker-searchadforests" -pv
"forest:internal.domain.com,internal\username,password"
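Because the property value is a free-form string, a wrong scope keyword or a missing credential only shows up later as the "User does not exist or is not unique" error. The script below is an added example, not code from the original post: it checks a peoplepicker-searchadforests value against the format Microsoft documents (semicolon-separated entries of the form forest:<DNS name>,<login>,<password> or domain:<DNS name>,<login>,<password>) before the value is handed to stsadm. The farm forest name, site URL, service account and passwords are placeholders, and stsadm.exe is assumed to be on the PATH.

```powershell
# Added example (not from the original post). Validates a peoplepicker-searchadforests
# value locally so that scope/credential mistakes are caught before running stsadm.
function Test-PeoplePickerSearchValue {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Value,
        # DNS name of the forest the SharePoint servers belong to (EXTERNAL in the post).
        [Parameter(Mandatory)] [string] $FarmForest
    )

    $errors   = New-Object System.Collections.Generic.List[string]
    $warnings = New-Object System.Collections.Generic.List[string]

    foreach ($entry in ($Value -split ';' | Where-Object { $_.Trim() -ne '' })) {
        $parts = $entry.Trim() -split ','

        # First field is the scope keyword plus target, e.g. "forest:internal.domain.com".
        if ($parts[0] -match '^(forest|domain):(.+)$') {
            $scope  = $Matches[1]
            $target = $Matches[2]
        } else {
            $errors.Add("'$entry': scope must start with 'forest:' or 'domain:'")
            continue
        }

        if ($target -notmatch '\.') {
            $warnings.Add("'$target': use the DNS name (e.g. internal.domain.com), not the NetBIOS name")
        }

        # A target outside the farm's own forest cannot be queried with the farm's own
        # account across a one-way trust, so explicit credentials are required there.
        $sameForest = $target.EndsWith($FarmForest, [StringComparison]::OrdinalIgnoreCase)
        if (-not $sameForest) {
            if ($parts.Length -lt 3 -or [string]::IsNullOrWhiteSpace($parts[1]) -or [string]::IsNullOrWhiteSpace($parts[2])) {
                $errors.Add("'$target' is outside $FarmForest but no login,password pair was supplied")
            }
            if ($parts.Length -ge 2 -and $parts[1] -notmatch '\\') {
                $warnings.Add("'$($parts[1])': login should be in DOMAIN\user form")
            }
            if ($scope -eq 'domain') {
                # This is exactly the mistake described in the post.
                $warnings.Add("'$target' is in another forest; the post needed 'forest:' here, not 'domain:'")
            }
        }
    }

    [pscustomobject]@{
        IsValid  = ($errors.Count -eq 0)
        Errors   = $errors.ToArray()
        Warnings = $warnings.ToArray()
    }
}

# --- Usage (all values are placeholders, not real credentials) ------------------------
$siteUrl = 'https://sharepointsite'
$value   = 'forest:internal.domain.com,internal\svc_peoplepicker,PLACEHOLDER-password'

$result = Test-PeoplePickerSearchValue -Value $value -FarmForest 'external.domain.com'
$result.Warnings | ForEach-Object { Write-Warning $_ }
if (-not $result.IsValid) {
    $result.Errors | ForEach-Object { Write-Error $_ }
    return
}

# setapppassword stores the key used to encrypt the credentials embedded in the value;
# Microsoft's documentation requires it to be run on every web server in the farm.
& stsadm -o setapppassword -password 'PLACEHOLDER-appkey-12345678'
& stsadm -o setproperty -url $siteUrl -pn 'peoplepicker-searchadforests' -pv $value
```

Running the check with the post's original "domain:" value produces the warning about the other forest, which is the hint the author had to work out from the logs. Keep in mind that the value carries a service-account password; use a dedicated low-privilege account for it and clear the shell history on the server after setting the property.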

How to discover properties for Active Directory user accounts

There are times when a network admin or developer needs to access certain properties of Active Directory user accounts, and some of these properties may not be visible in the MMC console. But how do you know which properties and methods are available for the User object in AD? It can be quite difficult to find documentation on this topic, but there is a page on MSDN that lists all methods and properties of the IADsUser object, available through ADSI for access from scripts and applications:

http://msdn.microsoft.com/en-us/library/aa746340(VS.85).aspx

What this page does not tell you is the data type of each field: string, array, and so on. For example, the Description field is not a string, it is an array of strings. If you try to read an array field with a script that uses a string variable, it will inevitably fail.

How do you find that out? You can do so by running WMI CIM Studio on your server. Download it here:

http://www.microsoft.com/downloads/details.aspx?familyid=6430F853-1120-48DB-8CC5-F2ABDC3ED314&displaylang=en

Install WMI CIM Studio on your Windows Server machine and connect it to the following namespace on your domain controller:

\\YOUR_DOMAIN_CONTROLLER\root\directory\LDAP

When connected, navigate to this location:

DS_LDAP_Root_Class > ds_top > ads_person > ads_organizationalperson

The user properties and their corresponding types will be listed in the right pane.
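The same type information lives in the AD schema partition, so it can also be read with a script instead of browsing the CIM Studio tree. The following is an added example, not code from the original post: it uses the ActiveDirectory PowerShell module (RSAT) to report the syntax and multi-valuedness of any attribute by its LDAP display name, which is where the "Description is an array of strings" surprise comes from. The attributeSyntax OID table is taken from Microsoft's schema documentation; the account name used at the end is a placeholder.

```powershell
# Added example (not from the original post). Reads attribute data types from the AD
# schema naming context; assumes the ActiveDirectory module is installed and the caller
# can read the schema (authenticated users can by default).
Import-Module ActiveDirectory

# attributeSyntax OIDs as documented in the AD schema reference.
$SyntaxNames = @{
    '2.5.5.1'  = 'Distinguished name'
    '2.5.5.2'  = 'Object identifier string'
    '2.5.5.3'  = 'Case-sensitive string'
    '2.5.5.4'  = 'Case-insensitive string'
    '2.5.5.5'  = 'IA5 / printable string'
    '2.5.5.6'  = 'Numeric string'
    '2.5.5.7'  = 'DN with binary'
    '2.5.5.8'  = 'Boolean'
    '2.5.5.9'  = 'Integer / enumeration'
    '2.5.5.10' = 'Octet string (byte[])'
    '2.5.5.11' = 'Generalized / UTC time'
    '2.5.5.12' = 'Unicode string'
    '2.5.5.13' = 'Presentation address'
    '2.5.5.14' = 'DN with string'
    '2.5.5.15' = 'NT security descriptor'
    '2.5.5.16' = 'Large integer / interval'
    '2.5.5.17' = 'SID (byte[])'
}

function Get-AttributeSchemaInfo {
    param([Parameter(Mandatory)] [string[]] $Name)

    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    foreach ($n in $Name) {
        $attr = Get-ADObject -SearchBase $schemaNC `
                    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$n))" `
                    -Properties lDAPDisplayName, attributeSyntax, isSingleValued, searchFlags
        if (-not $attr) { Write-Warning "No attributeSchema object named '$n'"; continue }

        [pscustomobject]@{
            Attribute    = $attr.lDAPDisplayName
            SyntaxOid    = $attr.attributeSyntax
            Syntax       = $SyntaxNames[$attr.attributeSyntax]
            MultiValued  = -not $attr.isSingleValued
            # searchFlags bit 0x80 marks the attribute confidential: only principals with
            # control access on the object can read it, which matters when a script runs
            # under a low-privilege service account and silently gets no value back.
            Confidential = (($attr.searchFlags -band 0x80) -ne 0)
        }
    }
}

# Usage: description is multi-valued even though the MMC shows one text box, memberOf
# is a multi-valued DN list, lastLogonTimestamp is a large integer, objectSid is bytes.
Get-AttributeSchemaInfo -Name description, displayName, memberOf, lastLogonTimestamp, objectSid |
    Format-Table -AutoSize

# Reading a multi-valued attribute safely: @() forces a collection even when the
# attribute holds one value or none, so .Count and -join behave consistently.
$user = Get-ADUser -Identity 'john.smith' -Properties description   # placeholder account
$descriptions = @($user.description)
"description has $($descriptions.Count) value(s): $($descriptions -join ' | ')"
```

The MultiValued column answers the question the post raises (a script must treat Description as a collection), and the Confidential column explains a related failure mode: a property that exists in the schema but comes back empty because the querying account is not allowed to read it.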

