SharePoint: People Picker error: “user does not exist or is not unique” – similar account names
Consider the following scenario:

  • SharePoint 2013 or 2016 servers are in the contoso.com domain

  • contoso.com has a trust relationship with the corp.fabrikam.com domain.

  • The peoplepicker-searchadforests property is configured like this: "forest:contoso.com;forest:corp.fabrikam.com,corp\SPadmin,***** "

  • You use People Picker to find a user. If the user's account name (samAccountName) is unique, you have no issues adding it to SharePoint.

  • However, if the user's account name matches the first characters of another user's account name, People Picker finds the user, but the following error occurs when you try to add them to site permissions:

    "The user does not exist or is not unique"


    For example, consider the following user names:

    - Corp\JoshR

    - Corp\JoshR01

    - Corp\JoshRichards


    If you try to add "Corp\JoshR01" or "Corp\JoshRichards" you get no error. But if you try to add "Corp\JoshR" you get: "The user does not exist or is not unique".
Cause:

Misconfiguration of the People Picker settings for the web application.

This issue only occurs in an unusual scenario where three separate conditions must all line up:
1. The "forest" keyword was used in the peoplepicker-searchadforests property for the fabrikam.com forest, but it was pointed at a child domain rather than the forest root. Example: forest:corp.fabrikam.com.

2. Domain credentials were supplied to connect to the Fabrikam forest as a specified account.

3. The account name of the user you were trying to add with People Picker matches the first characters of another user's account name. Example:

Corp\JoshR

Corp\JoshR01

Corp\JoshRichards
Resolution:

Change the "forest" keyword to "domain" for the corp.fabrikam.com domain. This is the correct configuration since "corp" is not the forest root.
stsadm -o setproperty -pn peoplepicker-searchadforests -pv "forest:contoso.com;domain:corp.fabrikam.com,corp\SPadmin,***** " -url https://theWebApp
PowerShell equivalent:
# Load the web application whose People Picker settings are being changed
$wa = Get-SPWebApplication https://theWebApp
$searchad = $wa.PeoplePickerSettings.SearchActiveDirectoryDomains

# Entry 1: contoso.com is a forest root, so "forest" (IsForest = $true) is correct
$newdomain1 = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
$newdomain1.DomainName = "contoso.com"
$newdomain1.IsForest = $true
$searchad.Add($newdomain1)

# Entry 2: corp.fabrikam.com is a child domain, so use "domain" (IsForest = $false)
$newdomain2 = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
$newdomain2.DomainName = "corp.fabrikam.com"
$newdomain2.IsForest = $false
$newdomain2.LoginName = "corp\SPadmin"
# Prompt for the password so it never appears in the script or console history
[System.Security.SecureString]$secureStringValue = Read-Host "Enter the service account password: " -AsSecureString
$newdomain2.SetPassword($secureStringValue)
$searchad.Add($newdomain2)

# Persist the change to the web application
$wa.Update()
A second option:

Continue using the "forest" keyword, but point it at the forest root instead of a child domain:

stsadm -o setproperty -pn peoplepicker-searchadforests -pv "forest:contoso.com;forest:fabrikam.com,corp\SPadmin,***** " -url https://theWebApp
PowerShell equivalent:
# Load the web application whose People Picker settings are being changed
$wa = Get-SPWebApplication https://theWebApp
$searchad = $wa.PeoplePickerSettings.SearchActiveDirectoryDomains

# Entry 1: contoso.com is a forest root, so "forest" (IsForest = $true) is correct
$newdomain1 = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
$newdomain1.DomainName = "contoso.com"
$newdomain1.IsForest = $true
$searchad.Add($newdomain1)

# Entry 2: keep "forest" (IsForest = $true) but point it at the forest root, fabrikam.com,
# not the child domain corp.fabrikam.com (no stray whitespace in the name)
$newdomain2 = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
$newdomain2.DomainName = "fabrikam.com"
$newdomain2.IsForest = $true
$newdomain2.LoginName = "corp\SPadmin"
# Prompt for the password so it never appears in the script or console history
[System.Security.SecureString]$secureStringValue = Read-Host "Enter the service account password: " -AsSecureString
$newdomain2.SetPassword($secureStringValue)
$searchad.Add($newdomain2)

# Persist the change to the web application
$wa.Update()
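To check whether a web application is currently in the misconfigured state described under Cause, here is an added audit script (my own, not part of the original post) that lists every People Picker search entry and, for each one using the "forest" keyword, resolves the domain's real forest root through System.DirectoryServices.ActiveDirectory and flags a mismatch. It assumes the SharePoint Management Shell on a farm server that can resolve the trusted domain, reuses the post's https://theWebApp placeholder, and the function name is my own.

```powershell
# Added audit script (not from the original post): flags People Picker entries that
# use the "forest" keyword (IsForest = $true) but name something other than the
# forest root, which is the misconfiguration behind the "not unique" error.
# Assumes the SharePoint Management Shell on a farm server; the web app URL and
# the function name are placeholders chosen for this example.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-PeoplePickerForestEntries {
    param(
        [Parameter(Mandatory = $true)] [string] $WebAppUrl,
        [System.Management.Automation.PSCredential] $Credential  # optional, for the trusted forest
    )
    $wa = Get-SPWebApplication $WebAppUrl
    foreach ($entry in $wa.PeoplePickerSettings.SearchActiveDirectoryDomains) {
        $name = $entry.DomainName.Trim()   # a stray space in DomainName breaks resolution
        $result = [ordered]@{
            DomainName    = $name
            IsForest      = $entry.IsForest
            HasCredential = -not [string]::IsNullOrEmpty($entry.LoginName)
            ForestRoot    = $null
            Problem       = $null
        }
        try {
            # Resolve the entry as a domain and read back the forest it belongs to
            $ctxType = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain
            $ctxArgs = @($ctxType, $name)
            if ($Credential) {
                $ctxArgs += $Credential.UserName
                $ctxArgs += $Credential.GetNetworkCredential().Password
            }
            $ctx = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList $ctxArgs
            $result.ForestRoot = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx).Forest.Name
        } catch {
            $result.Problem = "Could not resolve '$name': $($_.Exception.Message)"
            [pscustomobject]$result
            continue
        }
        if ($entry.IsForest -and $result.ForestRoot -ne $name) {
            # "forest:" pointed at a child domain; combined with explicit credentials this is
            # the configuration that produces "The user does not exist or is not unique".
            $result.Problem = "IsForest is true but '$name' is not the forest root " +
                              "('$($result.ForestRoot)'). Use domain:$name or forest:$($result.ForestRoot)."
        }
        [pscustomobject]$result
    }
}

# Usage (placeholder URL from the post):
Test-PeoplePickerForestEntries -WebAppUrl "https://theWebApp" | Format-Table -AutoSize
```

An entry that shows IsForest true, HasCredential true and a non-empty Problem column matches all three conditions listed under Cause.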
This seems like a "bug". Is it?

No. I'll say that it's some unusual behavior, but it only occurs when People Picker is configured incorrectly.