Disclaimer mumbo jumbo: The following has been discovered based on sheer brute force and trial and error.
Have you ever wondered what the people picker control for Person Or Group column performs its check against? Ever wonder what happens if you specify a SharePoint Group? What about that search window that appears when you click on the address book icon?
Well here is what I found. First let us clarify which column I am talking about. When you create a new column in SharePoint, one of the column types is Person or Group as shown below.
There are a couple of optional settings you can set along with column type Person or Group, but we will come back to that later. When you save the new column configuration and create a new item in the list, you will notice that a new control appears called People Picker Control. (I honestly do not know if this is the "official" name of this control but it is commonly used in the SharePoint community, so I'll use it here too 
)
Now that we've created the column, let's talk about some particulars regarding its behavior. First let's talk about fundamentals. This column is actually simply a lookup to the People and Group of the given Site Collection. Instead of providing a lengthy drop down menu of all users or groups existing in the site collection, it tries to find the best match.
So how does it work? Well, in the input field, you enter a name, either a full name or part of a name, then click the Check Name icon 
. When the Check Name action is invoked, the People Picker control searches for a match based on the following:
- It checks for an exact match. So if you enter Jeff Kozloff the People Picker first checks all profiles in the User Information List of the given Site Collection to see if a value in Name matches exactly Jeff Kozloff or any SharePoint Group. If there is no match, it then goes to all trusted Active Directories in the forest and checks all user object's Display Name for a match. If a match is found, the value entered is locked, and if you hover your mouse over it, you will see the associated Account Name:
If there is no match, it then moves to items 2 and 3 below:
- It will try to find any profiles or SharePoint Groups that begin with the text entered in the control (basically checking for first name), first checking User Information List of the local site collection then the domain forest,
- It will try to find any profiles that end with the text entered in the control (basically checking for last name), first checking User Information List of the local site collection, and,
- It will try to find any SharePoint Groups of the given site collection that contains the entered value.
When it finds possible matches from check number 2 through 4, it displays a red underline to let you know it found possible matches.
By clicking on the underline, the matches are displayed in a drop down menu allowing you to select the correct entry:
As mentioned, the above menu of options is a mix between User Information List profiles, Active Directory user objects and SharePoint Groups. Also remember that User Information List of the Site Collection takes priority over Active Directory user objects, so if you were to enter qa\Jeffk in the field and there is a profile entry in User Information List with Name = Jeff Kozloff - QA but the domain has a match with Display Name = Jeff Kozloff you will see Jeff Kozloff - QA in the menu not Jeff Kozloff.
Once you click the Check Name, the value you entered is locked and you cannot modify it without removing the full value, hence the Remove option in the menu. The option More Names... opens the Find dialog window which provides a nice transition for us. In the Person or Group control there is an icon called Browse 
, and as a result of clicking this icon, a new window will appear:
Variation to the Check Name action, this Find interface checks for the entered string in either Display Name, E-mail Address, or Account Name and displays potential results, as shown below:
*Please excuse the blotches in the image above -- security and privacy reasons, you know how it is*
Information displayed in the Find window again comes first from User Information List then Active Directory and the Find also tries to match SharePoint Groups.
So what actually happens if you select a User Object from Active Directory? Have you ever noticed if you select an Active Directory Object that does not exist in the User Information List, you can click on the name in the List View and see their SharePoint profile? Yup that's right, SharePoint actually creates them a profile in the User Information List. Let me emphasize one thing, this does not grant them rights to the site. To view their profile directly, go to People and Groups page either by clicking on the link in the Quick Launch (as shown below) or going to Site Settings:
In the People and Groups area, you will notice a view called All People. This is where profiles are lists that list all users, whether they are a member of a specific group or only identified in a Person or Group column.
Now you may be wondering, what if you do want to grant a user access to SharePoint ... will it create another profile? Nope, based on the Account Name (i.e. qa\jeffk), if a profile already exists with this account, it simply maps that existing profile to the designated SharePoint group or Permission Level.
Now let's jump back to configuration of the column and the optional settings I skipped over in the beginning:
Allow multiple selections allows the user to enter multiple Users or Groups instead of a single entry. When this option is selected to Yes, the user can enter multiple selections, each separated by a semi-colon:
Allow selection of allows you to define the scope of the find to include SharePoint Groups or not.
Choose From - All Users or SharePoint Group allows you the ability to focus the search either across all User Information List AND Active Directory, or ONLY a given SharePoint Group. One big note is that if you add an Active Directory Security Group to a SharePoint Group, and you select a specific SharePoint Group in configuration of this column, it does not enumerate the users contained in the Active Directory group for any matches. It will only look at individual entries or list (if it matches) the Active Directory Security Group itself.
Show Field allows you to define which column will be displayed to the end user from the User Information list.
I hope you found this as enlightening as I did. Next I plan to talk about Active Directory Security Groups and how SharePoint handles them.
Posted
Oct 09 2008, 08:52 AM
by
Jeff Kozloff
Jeff originally joined Bamboo Solutions in June of 1999 as a part-time Test Engineer (basically a gopher). He continued with Bamboo as a part time tester while obtaining my Bachelors of Science in Computer Science degree at Longwood University. Upon graduation in 2004, Jeff accepted a full time position at Bamboo as a Helpdesk Specialist and became Manager of the Helpdesk team in 2006. In October of 2007 until present, Jeff took a role as Project Manager in the Solution group bringing his in depth technical knoweldge of SP to Bamboo's customers.