Doing some quick research I found that some settings available through stsadm that control how the People Picker behaves. This is described in the Microsoft TechNet article on Configure the People Picker. In particular we were interested in 2 properties
- peoplepicker-Peopleeditoronlyresolvewithinsitecollection - To force People Picker to only return users who have permissions in the site collection when the Check Names button is clicked
- peoplepicker-onlysearchwithinsitecollection - To force People Picker to only return users who have permissions in the site collection when the Select People and Groups dialog box is used
It appears that the phrase "have permissions in the site collection" did not mean what I expected. I would have expected that this would include anybody who has security permissions to the site. Instead, it means that a permission is set. That is the user is in the SPWeb.AllUsers collection (ie: has accessed the system).
Furthermore, the Check Names button has more than one function. If you enter an exact match, then Check Names verifies the name you entered. If you enter a partial match, it actually does a search which is controlled by the peoplepicker-onlysearchwithinsitecollection property.
Clear as mud?