I’ve heard a few comments and suggestions in the SharePoint community that a MOSS07 Farm Administrator doesn’t need to be a member of the local Administrators group on the server. If that’s the case, then I simply don’t see how it’s manageable. First, you need to work with IIS, either running iisreset /noforce or checking settings in IIS Manager. Second, how can you check the SharePoint logs when the log directory is locked down from read access by default? Third, functions in Central Administration won’t work (e.g. adding a site collection) because the application complains that you have to be a member of the Administrators group. Lastly, if you’re working in a multi-forest environment, People Picker requires specific logins to resolve a user account correctly, and registering those logins is the kind of task that belongs to someone with trusted access.
When you try to add a user account from a different domain to a SharePoint site collection, or look one up with People Picker, you get “No exact match was found”.
The service account attached to the SharePoint Web Application is the identity used to query Active Directory when a user account is verified. Where there is only a one-way trust between the domains, that account cannot query the other domain, so a login for the requested domain is required. Compare adding a user from a different domain to the security list of a file in Windows Explorer: if the current login has no permissions to the queried domain, a login popup appears and you supply credentials for that domain. SharePoint never shows such a dialog, so the additional login has to be registered in advance.
In a multi-forest network a separate login has to be registered for each domain that People Picker should search. Each entry has the form domain:<domain>,<login>,<password> (a whole forest can be covered with forest:<forest>,<login>,<password>), and entries are separated by semicolons. Because the property stores credentials, the farm encryption key must first be set with stsadm -o setapppassword -password <key> on every server in the farm, otherwise the property cannot be saved with passwords in it. Assuming you have a login with read access to each of the domains in the other forests, run the following on the SharePoint server, replacing each <password> with the account’s password (it is passed in clear text on the command line, so use dedicated, least-privilege accounts for this and clear the console history afterwards):
stsadm.exe -o setproperty -url "https://<SharepointPortal>" -pn "peoplepicker-searchadforests" -pv "domain:na.aecomnet.com,na\mosssp,<password>;domain:as.aecomnet.com,nas\mossspas,<password>;domain:corp.aecomnet.com,aecom\mossspcorp,<password>;domain:au.aecomnet.com,au\mosstest,<password>"
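The full sequence, as an added PowerShell example rather than the command from the original post: it prompts for each domain account’s password instead of hard-coding it, sets the farm encryption key, registers the per-domain logins on the web application, and reads the property back to confirm what was stored. The web application URL, domain names, account names and server list are placeholders and not taken from the post; the stsadm.exe path is the standard MOSS 2007 12-hive location.

```powershell
# Added example (not from the original post): register People Picker credentials
# for several one-way-trusted domains on a MOSS 2007 farm.
# $webAppUrl, the domain names, logins and server names are placeholders.

$stsadm    = Join-Path $env:CommonProgramFiles 'Microsoft Shared\web server extensions\12\BIN\stsadm.exe'
$webAppUrl = 'https://portal.example.com'   # assumed web application URL

# One account per trusted domain or forest. The account only needs to read the
# directory, so use an ordinary domain user, never a domain or farm administrator.
$searchScopes = @(
    @{ Prefix = 'domain'; Name = 'na.example.com';   Login = 'NA\svc-peoplepicker'   },
    @{ Prefix = 'domain'; Name = 'corp.example.com'; Login = 'CORP\svc-peoplepicker' },
    @{ Prefix = 'forest'; Name = 'partner.example';  Login = 'PARTNER\svc-peoplepicker' }
)

# Build the -pv value: prefix:name,login,password entries separated by semicolons.
# Passwords are collected at run time; stsadm still receives them in clear text,
# so run this from a local console, not over a shared or logged session.
$entries = foreach ($scope in $searchScopes) {
    $cred = Get-Credential -Credential $scope.Login
    "$($scope.Prefix):$($scope.Name),$($cred.UserName),$($cred.GetNetworkCredential().Password)"
}
$propertyValue = $entries -join ';'

# Step 1: the stored credentials are encrypted with a farm-wide key, so the same
# key must be set with setapppassword on every server before the property is set.
# This script only sets it on the local server; repeat it on the remaining servers
# ($otherServers is a placeholder reminder list, not used for remoting).
$appKey = (Get-Credential -Credential 'setapppassword-key').GetNetworkCredential().Password
& $stsadm -o setapppassword -password $appKey
$otherServers = @('wfe02', 'app01')
Write-Host "Run 'stsadm -o setapppassword -password <same key>' on: $($otherServers -join ', ')"

# Step 2: register the per-domain logins on the web application.
& $stsadm -o setproperty -url $webAppUrl -pn 'peoplepicker-searchadforests' -pv $propertyValue

# Step 3: read the property back so you can verify the domain list that was saved.
& $stsadm -o getproperty -url $webAppUrl -pn 'peoplepicker-searchadforests'
```

Two checks worth making before trusting the result: confirm from the SharePoint server that each login can actually bind to its domain (for example with nltest or a simple LDAP query under that account), because a wrong login fails silently in People Picker as the same “No exact match was found”; and because the passwords live in the farm configuration, rotate them like any other service account credential and re-run the setproperty command when they change.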