I was working with some folks that wanted to limit the SharePoint 2010 People Picker to only pull users from a single group. There is an stsadm command to achieve this, though the TechNet example is not very realistic. (Title=David?? Really?!?!)

Creating the expression took me back to an old blog post from my friend Wayne: http://mindsharpblogs.com/wayne/archive/2005/06/15/497.html He goes into great detail about how to use LDIFDE to test your expressions.

In our case we had an AD Group “Humane Resources” that ​was in an OU called “SharePoint Users” in the domain “doghousetoys.com”. This translates to:

stsadm -o setproperty -url http://site -pn peoplepicker-searchadcustomfilter -pv "(|(memberOf=CN=Humane Resources,OU=SharePoint Users,DC=doghousetoys,DC=com))"

You can get the distinguishedName of the container from the Attributes tab in ADUC.

One important note if you are testing this. SharePoint will always validate users from BOTH AD and the local site. So if I have members of the local site that are not in “Humane Resources” they will still show up in the people picker.