SharePoint: People Picker error: “user does not exist or is not unique” – similar account names
Consider the following scenario:
- SharePoint 2013 or 2016 servers are in the contoso.com domain
- contoso.com has a trust relationship with the corp.fabrikam.com domain.
- The peoplepicker-searchadforests property is configured like this: “forest:contoso.com;forest:corp.fabrikam.com,corp\SPadmin,*****”
- You use People Picker to find a user. If the user's account name (samAccountName) is unique, you have no issues adding it to SharePoint.
However, if the user's account name matches the first characters of another user's account name, you can find the user, but the following error occurs when you try to add them to site permissions:
“The user does not exist or is not unique”
For example, consider the following user names:
– Corp\JoshR
– Corp\JoshR01
– Corp\JoshRichards
If you try to add “Corp\JoshR01” or “Corp\JoshRichards” you get no error. But if you try to add “Corp\JoshR” you get: “The user does not exist or is not unique“.
Cause:
Misconfiguration of the People Picker settings for the web application.
This issue occurs only in a narrow scenario where three conditions line up at the same time:
1. The “forest” keyword was used in the peoplepicker-searchadforests value for the fabrikam.com forest, but it was pointed at a child domain instead of the forest root. Example: forest:corp.fabrikam.com.
2. Domain credentials were supplied to connect to the Fabrikam forest as a specified account.
3. The account name for the user you were trying to add with People Picker matches the first characters in the account name for another user. Example:
Corp\JoshR
Corp\JoshR01
Corp\JoshRichards
Resolution:
Change the “forest” keyword to “domain” for the corp.fabrikam.com domain. This is the correct configuration because “corp” is a child domain, not the forest root. Two practical notes before you run either command below: the supplied credentials are stored encrypted in the web application configuration, so the application credential key must already be set on every server in the farm (stsadm -o setapppassword -password <key>) or the password cannot be saved; and the account only needs read access to the directory, so use a dedicated low-privilege account rather than an administrative one.
stsadm -o setproperty -pn peoplepicker-searchadforests -pv "forest:contoso.com;domain:corp.fabrikam.com,corp\SPadmin,*****" -url http://theWebApp
PowerShell equivalent:
$wa = Get-SPWebApplication http://theWebApp
$searchad = $wa.PeoplePickerSettings.SearchActiveDirectoryDomains
# Start from an empty list so the old "forest:corp.fabrikam.com" entry is replaced rather than kept alongside the new one.
$searchad.Clear()
# contoso.com is a forest root, so the "forest" keyword (IsForest = $true) is correct here.
$newdomain1 = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
$newdomain1.DomainName = "contoso.com"
$newdomain1.IsForest = $true
$searchad.Add($newdomain1)
# corp.fabrikam.com is a child domain, so use the "domain" keyword (IsForest = $false) and query it with the supplied account.
$newdomain2 = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
$newdomain2.DomainName = "corp.fabrikam.com"
$newdomain2.IsForest = $false
$newdomain2.LoginName = "corp\SPadmin"
# Prompt for the password instead of embedding it in the script. SetPassword requires the farm's application credential key (stsadm -o setapppassword) to be set on every server.
[System.Security.SecureString]$secureStringValue = Read-Host "Enter the service account password" -AsSecureString
$newdomain2.SetPassword($secureStringValue)
$searchad.Add($newdomain2)
$wa.Update()
A second option:
Continue using the “forest” keyword, but point it at the forest root instead of a child domain:
stsadm -o setproperty -pn peoplepicker-searchadforests -pv "forest:contoso.com;forest:fabrikam.com,corp\SPadmin,*****" -url http://theWebApp
PowerShell equivalent:
$wa = Get-SPWebApplication http://theWebApp
$searchad = $wa.PeoplePickerSettings.SearchActiveDirectoryDomains
# Start from an empty list so the old "forest:corp.fabrikam.com" entry is replaced rather than kept alongside the new one.
$searchad.Clear()
# contoso.com is a forest root, so the "forest" keyword (IsForest = $true) is correct here.
$newdomain1 = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
$newdomain1.DomainName = "contoso.com"
$newdomain1.IsForest = $true
$searchad.Add($newdomain1)
# fabrikam.com is the forest root, so "forest" is valid here; a forest search covers the child domain corp.fabrikam.com as well.
$newdomain2 = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
$newdomain2.DomainName = "fabrikam.com"
$newdomain2.IsForest = $true
$newdomain2.LoginName = "corp\SPadmin"
# Prompt for the password instead of embedding it in the script. SetPassword requires the farm's application credential key (stsadm -o setapppassword) to be set on every server.
[System.Security.SecureString]$secureStringValue = Read-Host "Enter the service account password" -AsSecureString
$newdomain2.SetPassword($secureStringValue)
$searchad.Add($newdomain2)
$wa.Update()
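Before applying either fix, it helps to know which web applications actually carry the combination described under Cause (the “forest” keyword, explicit credentials, and a domain name that is not the forest root). The following PowerShell is an added example written for this page; it is not code from the original post or from the SharePoint product. It assumes a SharePoint 2013/2016 farm and the Microsoft.SharePoint.PowerShell snap-in for the live path (Get-SPWebApplication), and it includes a constructed sample list that mirrors the misconfigured value above so the flagging logic can be exercised on any machine. The function names, the “more than two DNS labels” offline fallback, and the sample entries are all my own assumptions.

```powershell
# Added example, not from the original post. Assumes SharePoint 2013/2016 for the live path;
# the function names and the sample data below are hypothetical.

function Test-ChildDomainForestEntry {
    # Returns $true when an entry has all three ingredients of the problem:
    # "forest" keyword, explicit credentials, and a DomainName that is not a forest root.
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [Parameter(Mandatory)] [bool]   $IsForest,
        [string] $LoginName = ''
    )
    # The "domain" keyword, or a "forest" entry without credentials, does not trigger the issue.
    if (-not $IsForest -or [string]::IsNullOrWhiteSpace($LoginName)) { return $false }

    try {
        # Authoritative check: ask AD which forest owns this domain (needs a reachable trust).
        $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $DomainName)
        $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
        return ($dom.Forest.Name -ne $dom.Name)
    }
    catch {
        # Offline fallback (an assumption, not an AD fact): treat a DNS name with more than two
        # labels, e.g. corp.fabrikam.com, as a child domain. Verify by hand for roots like ad.example.co.uk.
        return ($DomainName.Split('.').Count -gt 2)
    }
}

function Get-PeoplePickerForestMisconfiguration {
    # Live path: walk every entry of one web application's People Picker search list.
    param([Parameter(Mandatory)] [string] $Url)
    $wa = Get-SPWebApplication $Url
    foreach ($entry in $wa.PeoplePickerSettings.SearchActiveDirectoryDomains) {
        $flagged = Test-ChildDomainForestEntry -DomainName $entry.DomainName `
                                               -IsForest $entry.IsForest `
                                               -LoginName $entry.LoginName
        if ($flagged) {
            [pscustomobject]@{
                WebApplication = $Url
                DomainName     = $entry.DomainName
                LoginName      = $entry.LoginName
                Fix            = "Use 'domain:$($entry.DomainName)' or point 'forest:' at the forest root"
            }
        }
    }
}

# Constructed sample mirroring the post's misconfigured value; runs without a farm.
$sample = @(
    @{ DomainName = 'contoso.com';       IsForest = $true;  LoginName = '' },
    @{ DomainName = 'corp.fabrikam.com'; IsForest = $true;  LoginName = 'corp\SPadmin' },   # the broken entry
    @{ DomainName = 'corp.fabrikam.com'; IsForest = $false; LoginName = 'corp\SPadmin' }    # the "domain:" fix
)
foreach ($s in $sample) {
    '{0,-20} IsForest={1,-5} flagged={2}' -f $s.DomainName, $s.IsForest, (Test-ChildDomainForestEntry @s)
}

# Against a real web application (run on a farm server with the SharePoint snap-in loaded):
# Get-PeoplePickerForestMisconfiguration -Url 'http://theWebApp' | Format-Table -AutoSize
```

Only the second sample entry is flagged: the first has no credentials and the third already uses the “domain” keyword. When the live lookup succeeds, the AD answer (Forest.Name versus Name) is used and the label-count heuristic never runs; the heuristic exists only so the script still gives a usable answer when the trusted forest is unreachable from the machine running it.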
This seems like a “bug”. Is it?
No. I’ll say that it’s some unusual behavior, but it only occurs when People Picker is configured incorrectly.