Accidental cross domain results in People Picker
September 13, 2008
For a while I have had an open ticket with a client in regards to odd behaviour while trying to create a new site collection. The odd behaviour is as follows: "In Central Administration – when trying to create a new site collection and using the people picker to select the Site Collection Administrator, users from other domains are appearing." Obviously for a hosting provider this is pretty bad behaviour to have happen.
It turns out that there are a very large number of posts out there about allowing a people picker to search cross forest or cross domain, and very few about how to lock them down or limit them, so here we are.
Like most organisations, we try to lock our active directory environments down as much as possible, and this means removing list view for all authenticated users, except to their own OU. Having a client be able to view entire organisations that were in different domains or forests is fairly counter-productive and needs immediate resolution.
I had initially thought that this might be fixed with AD permissions, but that's a bridge I'd rather not cross right now; if possible, I'd rather fix this up at the people picker level.
There are quite a few commands that might help out here:
- We could limit the people picker to a specific OU. That would fix the problem, unless the same OU exists on one of the other domains.
- We could limit the people picker to only show people within the site collection. That would work ordinarily, but when creating a new site collection, you may want users that don't exist in a site collection yet. And besides, which site collection would this pick to find the users in? That's one for another time.
- We could limit the people picker to only one domain. Bingo.
The peoplepicker-searchadforests property is perfect for this. So I tap in the following command:
stsadm -o setproperty -pn peoplepicker-searchadforests -pv "domain:domaintosearch.com,USERNAME,PASSWORD" -url http://centraladminurl
Sidenote: the first time I ran this I got an error:
Cannot retrieve the information for application credential key.
This was because I had not set an app password. A quick run of "stsadm -o setapppassword -password PASSWORD" fixed this very quickly. Make sure you keep that password written down, just in case.
Figuring that this is happening at the Central Administration level, I use the Central Admin web application as my target. This returns a successful result, and so I go off to Central Administration again to test this. It didn't work; I could still see multiple other domains.
After a bit of musing, I decided to run this against the Web Application I was trying to create the site collection in. Bingo, this worked. Obviously when creating a new site collection, the Central Administration people picker must inherit the settings from the selected Web Application; this would probably explain that long wait when you select a different Web Application.
Additional Note:
Make sure if you run this, you add the username and password to the command. If you don't, you'll lock your people picker down so well you won't find anyone.
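The whole procedure above (app password, then the restriction applied to the content web application rather than Central Admin, then a read-back to confirm) as one PowerShell script. This is an added example and not from the original post; it assumes stsadm.exe is on the PATH, that you run it as a farm administrator, and that the web application URL, domain name and search account are placeholders you replace.

```powershell
# Added example (not from the original post). Assumes stsadm.exe is on PATH,
# the session runs as a farm admin, and the three values below are placeholders.
$contentWebApp = "http://webapp.example.com"   # web app the site collection goes into, NOT Central Admin
$domain        = "domaintosearch.com"          # the only domain the picker should search
$searchUser    = "DOMAIN\svc_peoplepicker"     # read-only account in that domain
$searchPass    = Read-Host "Password for $searchUser"
$appPass       = Read-Host "Application credential key (stsadm setapppassword)"

# Build the -pv value and refuse to continue if credentials are missing:
# an entry without username/password locks the picker down so it finds nobody.
function New-SearchForestValue([string]$Domain, [string]$User, [string]$Pass) {
    if ([string]::IsNullOrEmpty($User) -or [string]::IsNullOrEmpty($Pass)) {
        throw "Username and password are required for domain:$Domain"
    }
    return "domain:$Domain,$User,$Pass"
}

$value = New-SearchForestValue $domain $searchUser $searchPass

# 1. Set the application credential key; without it setproperty fails with
#    "Cannot retrieve the information for application credential key."
& stsadm -o setapppassword -password $appPass
if ($LASTEXITCODE -ne 0) { throw "setapppassword failed with exit code $LASTEXITCODE" }

# 2. Apply the restriction to the content web application; the Central
#    Administration picker inherits it from the selected web application.
& stsadm -o setproperty -pn peoplepicker-searchadforests -pv $value -url $contentWebApp
if ($LASTEXITCODE -ne 0) { throw "setproperty failed with exit code $LASTEXITCODE" }

# 3. Read the property back to confirm only the intended domain is listed.
& stsadm -o getproperty -pn peoplepicker-searchadforests -url $contentWebApp
```

Run the getproperty step against any other web application you host as well, so a stale or missing value there does not silently reintroduce cross-domain results.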