PeoplePicker can't find disabled AD Accounts (514)

Question

Update (08.07.2015):

I tried WireShark on one WFE during a peoplepicker request.
The disabled accounts are clearly shown in the LDAP AD (GC) response.
SharePoint 2013 still doesn't show the disabled account in the GUI

Conclusion: SharePoint does filter out "UserAccountControl = 514" ({if}?) somewhere else in the code (xxx.dll?). I don't know why Microsoft changed the behaviour from 2007/2010 to 2013.

Can i change this??? Is it configurable???

Dear StackOverFlow Community

We have SharePoint 2013 SP1 and CU Sept. 2014.

Problem:

Since last year we are filtering in "AD Import" disabled Users out. We didn't need them in our Intranet environment. But now we are building a collaboration platform. And some poeple need to authorise disabled users for their workspaces. (Site Collection)

The idea was, to use the people picker to find all (enabled and disabled) users and thats it. But i can't find any disabled users with people picker.

The question is:

Why does it not work? (It should because many SharePoint Administrators claims to see the disabled users over people picker)

I tried to enforce the people picker to find explicit users with (userAccountControl:1.2.840.113556.1.4.803:=2). (i set just the filter not the query)

$wa.PeoplePickerSettings.ActiveDirectoryCustomFilter = "(&(objectCategory=person)(objectClass=user)(! (userAccountControl:1.2.840.113556.1.4.803:=2))"

Still doesen't find any disabled users. Even with $null value as you can see below:

PS C:\Windows\system32> $wa.PeoplePickerSettings

SearchActiveDirectoryDomains : {}

ActiveDirectoryCustomQuery :

ActiveDirectoryCustomFilter :

OnlySearchWithinSiteCollection : False

PeopleEditorOnlyResolveWithinSiteCollection : False

DistributionListSearchDomains : {}

ActiveDirectorySearchTimeout : 00:00:30

NoWindowsAccountsForNonWindowsAuthenticationMode : True

ServiceAccountDirectoryPaths : {}

ReferralChasingOption : None

ActiveDirectoryRestrictIsolatedNameLevel : False

AllowLocalAccount : True

ShowUserInfoListSuggestionsInClaimsMode : True

UpgradedPersistedProperties : {}

PS C:\Windows\system32>

Observation:

It seems like it can find Users who were in the "User List" on the Site Collection (but only over email address). Users who perhaps were logged once on the WebApplication and now are disabled. In my understanding, the people picker does:

Check the UserList on the site collection
Check direct in the AD (or Global Catalog)

We still have a 2007 environment which has no problem with people picker to find any disabled users. Why does SP2013 make so much trouble? I even tried to import every user (enabled and disabled) in our test lab to find out, if it has something to do with the LDAP filtering in the AD Import. But it wasn't much help for this situation. The disabled users are now imported, but people picker still doesent find any disabled users.

I tried to find someone with the same problem --> https://sharepoint.stackexchange.com/questions/80032/unable-to-get-disabled-ad-accounts-in-people-picker (no solution here...)

I posted the same question in Technet --> https://social.technet.microsoft.com/Forums/en-US/75272928-6370-4d8d-9b8f-ce5ec6642407/peoplepicker-cant-find-disabled-ad-users-514?forum=sharepointgeneral

I just want to know how I can find disabled users in people picker. This should be the normal case. As long as you don't set custom filters to it, people picker should find every user account in the specific domain. But in my case it doesn't.

We just have one domain and not multidomain environment.

PeoplePicker can't find disabled AD Accounts (514)

Answers (1)

Related Questions

PeoplePicker can&#39;t find disabled AD Accounts (514)

Answers (1)

Related Questions

PeoplePicker can't find disabled AD Accounts (514)