Have you experienced problems with People Picker taking too long to find a user, almost a minute or maybe more? Does your SharePoint environment function with multiple domains?
One of the reasons for the sluggish behavior of People Picker is the People Picker property called “SearchActiveDirectoryDomains”, which usually scopes the entire AD, with its subtrees and trusted ADs, while searching for the user's account.
PowerShell
$webapp = Get-SPWebApplication "<Web Application URL>"
$webapp.PeoplePickerSettings
To fix this problem, we can configure People Picker to search only particular domains (with a 2-way trust) using the STSADM commands below.
Get People Picker SearchADForest values
stsadm -o getproperty -pn peoplepicker-searchadforests -url "https://SharePoint.com"
Clear People Picker SearchADForest values if any exist
stsadm -o setproperty -pn peoplepicker-searchadforests -pv "" -url "https://SharePoint.com"
Set People Picker SearchADForest domains, for example “Italy.mydomain.com” and “Hungary.mydomain.com”
stsadm -o setproperty -pn peoplepicker-searchadforests -pv "domain:Hungary.mydomain.com;domain:Italy.mydomain.com" -url "https://SharePoint.com"
The People Picker query uses the application pool account to search the target domains. If that account does not have permissions on the target domain, we can also specify other accounts which have permissions using the command below.
stsadm -o setproperty -pn peoplepicker-searchadforests -pv "domain:Hungary.MyDomain.com,domain\user,password;domain:Italy.MyDomain.com,domain\user,password" -url "https://Sharepoint.com"
The above command needs to be run on every WFE for People Picker to start targeting the correct AD domains.
However, if the AD domain has a 1-way trust, we need to additionally configure a Secure Store before trying to scope People Picker to particular domains. In order to accomplish this, we need to run the SetAppPassword command on all the SharePoint WFEs.
stsadm -o setapppassword -password <password>
When we run SetAppPassword, it creates the following registry value:
HKEY_Local_Machine\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\14.0\Secure
AppCredentialKey : REG_BINARY
AppCredentialKey is used to send encrypted and decrypted information to the PeoplePicker-SearchADForests property. It should therefore be the same across all the SharePoint servers, and the SetAppPassword command should be run on every SharePoint WFE using the same password.
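One way to check that requirement, as an added example that is not part of the original post: the script reads AppCredentialKey on each WFE, hashes it on that server, and compares the fingerprints, so the key itself is never displayed or copied. The server names are placeholders, and it assumes PowerShell remoting is enabled on the WFEs and that the caller can read the registry key.

```powershell
# Added example (not from the original post): verify that AppCredentialKey
# is present and identical on every WFE without revealing the key.
$Servers = @('WFE01', 'WFE02')   # hypothetical server names, replace with your WFEs

# Registry location and value name as given in the article.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\14.0\Secure'
$ValueName = 'AppCredentialKey'

function Compare-KeyFingerprint {
    param([hashtable]$Fingerprints)   # server name -> SHA-256 hex, or $null if missing
    $missing  = @($Fingerprints.Keys   | Where-Object { -not $Fingerprints[$_] })
    $distinct = @($Fingerprints.Values | Where-Object { $_ } | Sort-Object -Unique)
    New-Object PSObject -Property @{
        Consistent     = ($missing.Count -eq 0 -and $distinct.Count -eq 1)
        MissingOn      = $missing          # servers where SetAppPassword was never run
        DistinctValues = $distinct.Count   # more than 1 means different passwords were used
    }
}

$fingerprints = @{}
foreach ($server in $Servers) {
    # The hash is computed on the remote server; only the fingerprint comes back.
    $fp = Invoke-Command -ComputerName $server -ScriptBlock {
        param($Path, $Name)
        $bytes = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
        if ($bytes) {
            $sha = [System.Security.Cryptography.SHA256]::Create()
            try     { [System.BitConverter]::ToString($sha.ComputeHash([byte[]]$bytes)) -replace '-', '' }
            finally { $sha.Dispose() }
        }
    } -ArgumentList $KeyPath, $ValueName

    $fingerprints[$server] = if ($fp) { [string]$fp } else { $null }
}

# Consistent = True only when every server has the value and all fingerprints match.
Compare-KeyFingerprint -Fingerprints $fingerprints
```

If Consistent is False, rerun SetAppPassword with the same password on the servers listed in MissingOn, or on all WFEs when DistinctValues is greater than 1.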
This blog solved my problem 🙂 Thanks
Thanks for your blog. It helped me to fix the slow People Picker issue on our farm.
This solved my problem. Thank you.