The user does not exist or is not unique

Issue

You receive the error "The user does not exist or is not unique" when trying to locate a newly created Active Directory user with the SharePoint people picker.

Products Affected

  • Microsoft Office SharePoint Server 2007
  • Windows SharePoint Services 3.0
  • SharePoint Server 2010
  • SharePoint Foundation 2010
  • SharePoint Server 2013
  • SharePoint Foundation 2013

Cause

The web application has been limited to search for Active Directory users under a specific Organizational Unit (OU) using the SiteUserAccountDirectoryPath property. To verify the web application has been limited:

  • Open an elevated command prompt (if applicable)
  • If STSADM is in your path, run:
    stsadm -o getsiteuseraccountdirectorypath -url http://webappurl
    Where http://webappurl is the URL for the web application. If STSADM isn't in your path, CD to the SharePoint hive's bin directory and run the previous stsadm operation.

If this property is set, you will see output similar to the following:

<SiteUserAccountDirectoryPath>OU=SharePoint Users,OU=Accounts,DC=example,DC=com</SiteUserAccountDirectoryPath>

The account you are trying to add doesn't reside within this OU.

Resolution

There are three ways to resolve this issue:

Method 1

Move the user account into this OU. Do this only if the user should reside in this OU and was erroneously created in the wrong OU or in the domain Users container.

Method 2

If the account is an administrative account or service account, your Active Directory design likely requires this account to be located in a different OU on purpose and moving it is not an option. In this case there is the ServiceAccountDirectoryPaths people picker property that you can use to specify a list of other OUs which contain these accounts. Accounts in these administrative OUs will resolve and can be selected in the people picker.

Use the setproperty stsadm operation to modify the peoplepicker-serviceaccountdirectorypaths property:

stsadm -o setproperty -url http://webappurl -pn "peoplepicker-serviceaccountdirectorypaths" -pv "OU=Administrator Accounts,OU=Accounts,DC=example,DC=com"

You can specify more than one OU (for example, if your administrators and service accounts are in different OUs) by separating the OU distinguished names with semicolons:

stsadm -o setproperty -url http://webappurl -pn "peoplepicker-serviceaccountdirectorypaths" -pv "OU=Service Accounts,OU=Accounts,DC=example,DC=com;OU=Administrator Accounts,OU=Accounts,DC=example,DC=com"

Method 3

Modify the SiteUserAccountDirectoryPath property with the setsiteuseraccountdirectorypath stsadm operation: either clear the property to let the people picker use the entire domain, or set it to an OU that contains all desired accounts.

To clear:

stsadm -o setsiteuseraccountdirectorypath -url http://webapp -path ""

To set another value, specify the distinguished name for the new OU:

stsadm -o setsiteuseraccountdirectorypath -url http://webapp -path "OU=Accounts,DC=example,DC=com"
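
The scoping described above can be checked offline before changing the web application. The following PowerShell is an added example, not part of the original article or of SharePoint itself; it assumes an account resolves when its distinguished name sits beneath the SiteUserAccountDirectoryPath OU or beneath one of the semicolon-separated service account OUs. The function names and sample DNs are constructed for illustration.

```powershell
# Added example. All DNs below are constructed samples, not values from a real farm.
function Split-Dn([string]$Dn) {
    # Split on commas that are not backslash-escaped, then normalise each RDN.
    [regex]::Split($Dn, '(?<!\\),') |
        ForEach-Object { $_.Trim().ToLowerInvariant() } |
        Where-Object { $_ -ne '' }
}

function Test-DnUnderPath([string]$UserDn, [string]$ScopeDn) {
    $user  = @(Split-Dn $UserDn)
    $scope = @(Split-Dn $ScopeDn)
    if ($scope.Count -eq 0 -or $scope.Count -ge $user.Count) { return $false }
    # The scope's RDNs must equal the trailing RDNs of the user's DN.
    $tail = $user[($user.Count - $scope.Count)..($user.Count - 1)]
    return (($tail -join ',') -eq ($scope -join ','))
}

function Test-PeoplePickerScope {
    param(
        [string]$UserDn,
        [string]$SitePath,      # value reported by getsiteuseraccountdirectorypath
        [string]$ServicePaths   # value of peoplepicker-serviceaccountdirectorypaths
    )
    if ($SitePath.Trim() -eq '') { return 'In scope: no OU restriction is set' }
    if (Test-DnUnderPath $UserDn $SitePath) { return 'In scope: under SiteUserAccountDirectoryPath' }
    foreach ($entry in ($ServicePaths -split ';')) {
        $entry = $entry.Trim()
        if ($entry -eq '') { continue }
        if ($entry -notmatch '^(OU|CN)=') {
            # A fragment such as "DC=com" usually means ';' was typed where ',' belongs.
            Write-Warning "Suspicious entry '$entry' in the service account path list"
            continue
        }
        if (Test-DnUnderPath $UserDn $entry) { return "In scope: under service account path '$entry'" }
    }
    return 'Out of scope: user is outside every configured OU'
}

$site  = 'OU=SharePoint Users,OU=Accounts,DC=example,DC=com'
$good  = 'OU=Service Accounts,OU=Accounts,DC=example,DC=com;OU=Administrator Accounts,OU=Accounts,DC=example,DC=com'
$typo  = 'OU=Administrator Accounts,OU=Accounts,DC=example;DC=com'   # ';' inside a DN
$admin = 'CN=adm-jdoe,OU=Administrator Accounts,OU=Accounts,DC=example,DC=com'

Test-PeoplePickerScope 'CN=New User,CN=Users,DC=example,DC=com' $site $good
Test-PeoplePickerScope $admin $site $good
Test-PeoplePickerScope $admin $site $typo
Test-PeoplePickerScope $admin '' ''
```

Because the list separator is a semicolon, a semicolon typed inside a distinguished name splits it into two entries, neither of which contains the intended accounts; the third call shows that case.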
