A scenario that is happening more frequently in SharePoint 2010 is using a single zone for multiple authentication providers. One of the reasons folks do this is because they want to use some type of claims authentication - like FBA or SAML - but they also want to add Windows claims so that the zone can be indexed by the SharePoint crawler. The problem with that approach is two-fold:
So, what can we do about that? Well, to solve the first problem, we can write a custom login selection page. I've covered that scenario already in my posting at http://blogs.technet.com/b/speschka/archive/2011/04/30/bypassing-the-multi-authentication-provider-selection-page-in-sharepoint-2010.aspx. But what about the second item - hiding AD users from showing up in people picker search results? In comes the April 2011 CU to the rescue! <QUICK NOTE: You may experience some issues with this in the April CU; the June CU will have an updated version. Your mileage may vary so please feel free to test.> Once you've applied the CU you will see that your SPClaimProviderDefinitions now include a new property called "IsVisible". You can simply set this to false for the Active Directory provider and it will no longer show up when you use the people picker.
Here's a little PowerShell snippet that shows you how to do this:
# Get the farm's claim provider manager, which persists the definitions
$cpm = Get-SPClaimProviderManager
# "AD" is the identity of the built-in Active Directory claim provider
$ad = Get-SPClaimProvider -Identity "AD"
# Hide the provider from the people picker (property added by the April 2011 CU)
$ad.IsVisible = $false
# Commit the change to the configuration database
$cpm.Update()
A couple of things to note:
In my limited testing I didn't even have to do an IISRESET after making this change; I could just go in, and Active Directory no longer showed up in the list of authentication providers in the left pane of the people picker. Conversely, when I changed it back, it started showing up again immediately without an IISRESET.
At this time the biggest limitation with this is that it does not appear you can enforce this setting on a per-zone basis, which would be ideal. If I find out otherwise about that I will update this post.
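As an added example (not code from the original post), here is the same change wrapped in a function that first verifies the IsVisible property is actually present on the definition, since it only exists once the CU has been applied, and that lists every registered claim provider so the result can be checked before and after. The function name Set-AdClaimProviderVisibility and the Add-PSSnapin line are my own additions.

```powershell
# Added example, not from the original post. Hides or shows the Active Directory
# claim provider in the people picker, guarding against farms without the CU.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Set-AdClaimProviderVisibility {
    param([bool]$Visible)

    $cpm = Get-SPClaimProviderManager
    # "AD" is the identity of the built-in Active Directory provider, as in the post
    $ad  = Get-SPClaimProvider -Identity "AD"

    # Pre-CU definitions have no IsVisible property; stop with a clear message
    # rather than letting the assignment below fail with a generic property error.
    if (-not $ad.PSObject.Properties["IsVisible"]) {
        throw "SPClaimProviderDefinition has no IsVisible property; apply the April 2011 CU (or later) first."
    }

    $ad.IsVisible = $Visible
    $cpm.Update()   # commit to the configuration database
}

# Show the state of every registered claim provider so the change can be verified.
function Get-ClaimProviderVisibility {
    Get-SPClaimProvider | Select-Object DisplayName, IsEnabled, IsUsedByDefault, IsVisible
}

Get-ClaimProviderVisibility | Format-Table -AutoSize

# Hide AD from the people picker. Note this is farm-wide, not per zone.
Set-AdClaimProviderVisibility -Visible $false

Get-ClaimProviderVisibility | Format-Table -AutoSize

# To put it back: Set-AdClaimProviderVisibility -Visible $true
```

Run it from the SharePoint 2010 Management Shell (or any elevated PowerShell session on a farm server) with an account that has farm administrator rights.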