SharePoint: People Picker error: “user does not exist or is not unique” – similar account names
Consider the following scenario:
SharePoint 2013 or 2016 servers are in the contoso.com domain
contoso.com has a trust relationship with the corp.fabrikam.com domain.
The peoplepicker-searchadforests property is configured like this: "forest:contoso.com;forest:corp.fabrikam.com,corp\SPadmin,***** "
You use People Picker to find a user. If the user's account name (sAMAccountName) is unique, you have no trouble adding it to SharePoint.
However, if the user's account name matches the first characters of another user's account name, People Picker still finds the user, but the following error occurs when you try to add them to site permissions:
"The user does not exist or is not unique"
For example, consider the following user names:
- Corp\JoshR
- Corp\JoshR01
- Corp\JoshRichards
If you try to add "Corp\JoshR01" or "Corp\JoshRichards", you get no error. But if you try to add "Corp\JoshR", you get: "The user does not exist or is not unique".
Cause:
Misconfiguration of the People Picker settings for the web application.
This issue only occurs in a narrow scenario where three conditions line up:
1. The "forest" keyword was used in the peoplepicker-searchadforests value for the Fabrikam forest, but it was pointed at a child domain rather than the forest root. Example: forest:corp.fabrikam.com instead of forest:fabrikam.com.
2. Explicit domain credentials were supplied, so the Fabrikam forest is queried as a specified account.
3. The account name of the user you are trying to add with People Picker matches the first characters of another user's account name. Example:
Corp\JoshR
Corp\JoshR01
Corp\JoshRichards
Resolution:
Change the "forest" keyword to "domain" for corp.fabrikam.com. This is the correct configuration, because corp.fabrikam.com is a child domain and not the forest root. Whichever option you choose, the account you supply for the trusted forest only needs read access to that directory; do not use a SharePoint farm or domain administrator account. The password is stored encrypted with the farm's application credential key, so before setting the property with credentials run "stsadm -o setapppassword -password <key>" with the same key on every server in the farm.
stsadm -o setproperty -pn peoplepicker-searchadforests -pv "forest:contoso.com;domain:corp.fabrikam.com,corp\SPadmin,***** " -url https://theWebApp
PowerShell equivalent:
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$wa = Get-SPWebApplication https://theWebApp
$searchad = $wa.PeoplePickerSettings.SearchActiveDirectoryDomains
# Like stsadm setproperty, replace the whole list so the old forest:corp.fabrikam.com entry is removed instead of being left beside the new one.
$searchad.Clear()
$newdomain1 = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
$newdomain1.DomainName = "contoso.com"
$newdomain1.IsForest = $true      # local forest, no explicit credentials
$searchad.Add($newdomain1)
$newdomain2 = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
$newdomain2.DomainName = "corp.fabrikam.com"
$newdomain2.IsForest = $false     # "domain" keyword: corp.fabrikam.com is a child domain, not the forest root
$newdomain2.LoginName = "corp\SPadmin"
[System.Security.SecureString]$secureStringValue = Read-Host "Enter the service account password" -AsSecureString
$newdomain2.SetPassword($secureStringValue)   # stored encrypted with the farm's application credential key
$searchad.Add($newdomain2)
$wa.Update()
A second option:
Continue using the "forest" keyword, but point it at the forest root instead of a child domain:
stsadm -o setproperty -pn peoplepicker-searchadforests -pv "forest:contoso.com;forest:fabrikam.com,corp\SPadmin,***** " -url https://theWebApp
PowerShell equivalent:
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$wa = Get-SPWebApplication https://theWebApp
$searchad = $wa.PeoplePickerSettings.SearchActiveDirectoryDomains
# Replace the whole list so the old forest:corp.fabrikam.com entry is removed.
$searchad.Clear()
$newdomain1 = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
$newdomain1.DomainName = "contoso.com"
$newdomain1.IsForest = $true
$searchad.Add($newdomain1)
$newdomain2 = New-Object Microsoft.SharePoint.Administration.SPPeoplePickerSearchActiveDirectoryDomain
$newdomain2.DomainName = "fabrikam.com"   # the forest root, not the corp child domain (no leading space)
$newdomain2.IsForest = $true
$newdomain2.LoginName = "corp\SPadmin"
[System.Security.SecureString]$secureStringValue = Read-Host "Enter the service account password" -AsSecureString
$newdomain2.SetPassword($secureStringValue)
$searchad.Add($newdomain2)
$wa.Update()
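To check a farm for the three conditions listed under Cause before or after applying either fix, here is an added PowerShell diagnostic. It is not part of the original article: it reads each web application's People Picker scopes, resolves the real forest root of every domain listed, flags scopes that combine "forest" with a non-root domain and explicit credentials (conditions 1 and 2), and then lists the accounts in that domain whose sAMAccountName begins with the name you are about to add (condition 3). The URL, the account name JoshR and the optional credential are placeholders; the script assumes it runs in the SharePoint Management Shell on a server that can reach the trusted forest.

```powershell
# Added diagnostic, not from the original article. Run in the SharePoint
# Management Shell as a farm administrator. $WebAppUrl, $SamAccountName and
# $Credential are placeholders for your own values.
param(
    [string]$WebAppUrl = "https://theWebApp",
    [string]$SamAccountName = "JoshR",
    [System.Management.Automation.PSCredential]$Credential   # optional, used only for scopes that carry a LoginName
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Add-Type -AssemblyName System.DirectoryServices

function Get-ForestRootName {
    # Resolves the forest root of a domain, e.g. corp.fabrikam.com -> fabrikam.com.
    # Returns $null if the domain cannot be contacted.
    param([string]$DomainName, [System.Management.Automation.PSCredential]$Credential)
    try {
        if ($Credential) {
            $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
                "Domain", $DomainName, $Credential.UserName, $Credential.GetNetworkCredential().Password)
        } else {
            $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("Domain", $DomainName)
        }
        return [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx).Forest.Name
    } catch {
        Write-Warning "Could not resolve the forest root of $DomainName : $_"
        return $null
    }
}

function Test-PeoplePickerScopes {
    # Reports every People Picker search scope of a web application and flags the
    # combination from conditions 1 and 2: IsForest set, DomainName not the forest
    # root, and explicit credentials supplied.
    param([string]$Url, [System.Management.Automation.PSCredential]$Credential)
    $wa = Get-SPWebApplication $Url
    foreach ($scope in $wa.PeoplePickerSettings.SearchActiveDirectoryDomains) {
        $hasCredentials = -not [string]::IsNullOrEmpty($scope.LoginName)
        $scopeCred = if ($hasCredentials) { $Credential } else { $null }
        $root = Get-ForestRootName -DomainName $scope.DomainName -Credential $scopeCred
        $notRoot = ($root -ne $null) -and ($scope.DomainName -ne $root)
        [pscustomobject]@{
            DomainName   = $scope.DomainName
            IsForest     = $scope.IsForest
            ForestRoot   = $root
            LoginName    = $scope.LoginName
            MatchesCause = [bool]($scope.IsForest -and $notRoot -and $hasCredentials)
        }
    }
}

function ConvertTo-LdapFilterValue {
    # Escapes the characters that have meaning inside an LDAP filter (RFC 4515)
    # so a user-supplied name cannot change the structure of the query.
    param([string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    return $sb.ToString()
}

function Find-PrefixCollisions {
    # Lists accounts whose sAMAccountName begins with the name being added
    # (condition 3), e.g. JoshR matches JoshR, JoshR01 and JoshRichards.
    param([string]$DomainName, [string]$SamAccountName,
          [System.Management.Automation.PSCredential]$Credential)
    $path = "LDAP://$DomainName"
    if ($Credential) {
        $entry = New-Object System.DirectoryServices.DirectoryEntry(
            $path, $Credential.UserName, $Credential.GetNetworkCredential().Password)
    } else {
        $entry = New-Object System.DirectoryServices.DirectoryEntry($path)
    }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
    $prefix = ConvertTo-LdapFilterValue $SamAccountName
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$prefix*))"
    [void]$searcher.PropertiesToLoad.Add("sAMAccountName")
    $searcher.PageSize = 1000
    $searcher.FindAll() | ForEach-Object { $_.Properties["samaccountname"][0] }
}

$scopes = Test-PeoplePickerScopes -Url $WebAppUrl -Credential $Credential
$scopes | Format-Table -AutoSize
foreach ($scope in ($scopes | Where-Object { $_.MatchesCause })) {
    Write-Host "Scope $($scope.DomainName) matches the misconfiguration; accounts sharing the prefix '$SamAccountName':"
    Find-PrefixCollisions -DomainName $scope.DomainName -SamAccountName $SamAccountName -Credential $Credential
}
```

After applying either fix, MatchesCause should be False for every scope. The prefix listing is a diagnostic only; it shows which names collide on their leading characters, not the exact query People Picker issues.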
This seems like a "bug". Is it?
No. I'll say that it's some unusual behavior, but it only occurs when People Picker is configured incorrectly.