Tuesday, 14 September 2010

Restrict site collection users to a specific OU using PowerShell

You may want to restrict a site collection so that only users from a specific Organizational Unit (OU) hierarchy in Active Directory can be granted permissions. For example, I have two OUs in AD called IT Team and Accounts. IT Team contains a user called “Shaun Young” and all other users are in the Accounts OU, as shown below:



In SharePoint, I have a site collection called “IT Team” which by default allows me to add any user from Active Directory:

(Screenshot: the people picker before running the command)

For this example, I want to restrict the site collection so that only members of the IT Team OU can be given permissions on it. I can do this in PowerShell with a single line:

Set-SPSite -Identity "http://portal/sites/IT Team" -UserAccountDirectoryPath "ou=IT Team,dc=pacdomain2,dc=local"

Now when I search for an account, it shows me an error if I try any account from the Accounts OU:

(Screenshot: the people picker after running the command)

Note that restricting to an OU with this command still allows the people picker to find users in any OU below the one you specified – in other words, you are not restricting additions to a single OU, because users from the entire OU hierarchy beneath it can still be found and added.

To restore the site collection to the default setting, run the command again with an empty string (two double quotes) for the UserAccountDirectoryPath parameter, as follows:

Set-SPSite -Identity "http://portal/sites/IT Team" -UserAccountDirectoryPath ""
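The set, verify and restore steps above, collected into a reusable script (an added example, not code from the original post). The function names, the check that the OU exists before it is applied, and the farm-wide audit report are my additions; the site URL, web application URL and OU distinguished name are the post's own example values and are assumed to match your farm.

```powershell
# Added example: assumes the SharePoint 2010 Management Shell snap-in is
# available and the caller is a farm administrator.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Apply (or clear) the OU restriction on one site collection. The OU is
# checked in AD first, because a mistyped DN is accepted by Set-SPSite and
# simply leaves the people picker unable to resolve any AD account.
function Set-SiteOuRestriction {
    param(
        [Parameter(Mandatory = $true)][string]$SiteUrl,
        [string]$OuDistinguishedName = ""   # empty string restores the default
    )
    if ($OuDistinguishedName -ne "") {
        $ouExists = $false
        try {
            # [ADSI] binds lazily; reading a property forces the bind, which fails on a bad DN.
            $ou = [ADSI]"LDAP://$OuDistinguishedName"
            $ouExists = [bool]$ou.distinguishedName
        } catch { $ouExists = $false }
        if (-not $ouExists) {
            throw "OU '$OuDistinguishedName' was not found in Active Directory; nothing changed."
        }
    }
    Set-SPSite -Identity $SiteUrl -UserAccountDirectoryPath $OuDistinguishedName
    # Read the value back rather than trusting the cmdlet's silence.
    $site = Get-SPSite -Identity $SiteUrl
    try { return $site.UserAccountDirectoryPath } finally { $site.Dispose() }
}

# Audit: list every site collection in a web application with the OU it is
# bound to, so unrestricted site collections stand out in a review.
function Get-SiteOuRestrictionReport {
    param([Parameter(Mandatory = $true)][string]$WebApplicationUrl)
    Get-SPSite -WebApplication $WebApplicationUrl -Limit All | ForEach-Object {
        New-Object PSObject -Property @{
            Url        = $_.Url
            OuPath     = $_.UserAccountDirectoryPath
            Restricted = [bool]$_.UserAccountDirectoryPath
        }
        $_.Dispose()
    }
}

# Usage with the values from the post (hypothetical farm):
Set-SiteOuRestriction -SiteUrl "http://portal/sites/IT Team" -OuDistinguishedName "ou=IT Team,dc=pacdomain2,dc=local"
Get-SiteOuRestrictionReport -WebApplicationUrl "http://portal" | Format-Table Url, OuPath, Restricted -AutoSize
```

Calling Set-SiteOuRestriction with no -OuDistinguishedName clears the restriction, matching the empty-string command above.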

The functionality provided by this cmdlet mirrors that of the setsiteuseraccountdirectorypath stsadm operation introduced in Office SharePoint Server 2007 SP1, which has an article on TechNet here. That article contains some important information describing how the command behaves when used on new or existing site collections:

If a site collection is new and an administrator uses the setsiteuseraccountdirectorypath operation to specify a target OU, only users under the specified path can be added to the site collection and no one else can be added to the site collection.

If users have already been added to a site collection and the setsiteuseraccountdirectorypath operation is run, only users under the specified path will be able to be added going forward.

Unlike the Peoplepicker-serviceaccountdirectorypaths property where multiple OUs can be specified, only a single OU can be set at a time when the setsiteuseraccountdirectorypath operation is used. As a result, this operation should only be run once per site collection.


  1. When I try this I can then only select members that already exist on the site. I remember reading before that you had to "activate" this ability. Do you know what is going wrong?