Configure PeoplePicker to hide users with specifc custom attribute

Question

SharePoint On Prem. 2013. Currently the people picker is configured to see users in DomainA, DomainB and DomainC. That was OK, but now users in DomainA have been added to DomainC as part of an integration activity. The people picker now shows duplicates for users in A and C. I do not want to hide all users in Domain C. I only want to hide those users in Domain C who are already in A.

I added a custom attribute to a test user in Domain C and mapped it to "someattribute" in the user profile service. I populated the custom attribute for my test user with the text "sometext"

I then configured people picker using LDAP query thus:

stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv "(&(objectCategory=user)(!someattribute=sometext))" -url http://mywebapp

Unfortunately instead of hiding the user in Domain C with the custom attribute set, this always shows the user in Domain C and hides the duplicate user in Domain A instead.

Any help from the experts here appreciated. If there is a better way than doing it like this, let me know.

Answer 1

Zero responses? OK for anyone else looking for an answer to this, I could not get the custom attribute approach to work. I think this is because the attribute only exists in Domain C, not the others and this led to unpredictable results.

I didn't want to start creating new attributes in the other two domains, so instead I had a group created in Domain C and added some users to it that have accounts in both Domains A and C.

I then configured the people picker to filter on the group like this: (&(objectCategory=user)(!memberOf=CN=groupmigrated,OU=X,OU=Groups,DC=DomainC,DC=com))

The breakthrough for me was using dsquery to get the CN/OU path of the new group.

Hope this helps someone.