Question

We have two different domains, A.LOCAL and B.LOCAL. There is a one-way trust configured and SP2010 is installed on B.LOCAL. I want to be able to pick accounts from both A and B. I am able to get the people picker to work exactly how I want when I use A\ADomainAdmin, but if I use A\AUser it doesn't resolve anyone from A.

Works:

stsadm -o setproperty -pn peoplepicker-searchadforests -pv "forest:A.LOCAL,A\ADomainAdmin,Pa$$word;domain:B.LOCAL,B\BUser,Pa$$word" -url

Doesn't Work:

stsadm -o setproperty -pn peoplepicker-searchadforests -pv "forest:A.LOCAL,A\AUser,Pa$$word;domain:B.LOCAL,B\BUser,Pa$$word" -url

Using a Domain Admin account for A is not a long-term solution. What are the minimum rights for peoplepicker-searchadforests to resolve cross-domain?

Solution

The only permission you should require is the "list contents" right. By default the domain user group has this permission.

Did you configure the encryption key?

Technet has a post on PP issues: http://blogs.msdn.com/b/rajank/archive/2009/09/20/all-you-want-to-know-about-people-picker-in-sharepoint-functionality-configuration-troubleshooting-part-2.aspx
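The two checks the answer mentions, as an added example that is not part of the original post: confirm which principals hold "List Contents" on the A.LOCAL domain root, then set the encryption key before storing the low-privilege account's credentials. The site URL, the `<key>` and `<password>` placeholders, and the SharePoint 2010 install path for stsadm are assumptions.

```powershell
# Added example, not from the original post. Placeholders in <angle brackets>
# and the URL below are hypothetical and must be replaced.

# --- Part 1: run on a machine joined to A.LOCAL with the RSAT ActiveDirectory module ---
# "List Contents" in the AD security GUI corresponds to the ListChildren right.
Import-Module ActiveDirectory
$listContents = [System.DirectoryServices.ActiveDirectoryRights]::ListChildren

(Get-Acl -Path 'AD:\DC=A,DC=LOCAL').Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $listContents)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize
# A\AUser needs to be covered by one of the listed principals
# (for example through group membership), with no Deny entry overriding it.

# --- Part 2: run on EVERY SharePoint front-end web server in B.LOCAL ---
# Assumed default SharePoint 2010 location of stsadm.exe.
$stsadm = Join-Path $env:CommonProgramFiles `
    'Microsoft Shared\Web Server Extensions\14\BIN\stsadm.exe'
$url = 'http://sharepoint.example'   # hypothetical web application URL

# The encryption key protects the stored credentials. It has to be the same
# value on each front end and must be set before the property is written.
& $stsadm -o setapppassword -password '<key>'

# --- Part 3: run once, after the key is set everywhere ---
# Single quotes keep any '$' characters in a password literal in PowerShell.
& $stsadm -o setproperty -pn peoplepicker-searchadforests `
    -pv 'forest:A.LOCAL,A\AUser,<password>;domain:B.LOCAL,B\BUser,<password>' `
    -url $url

# Read the property back to confirm what was stored for this web application.
& $stsadm -o getproperty -pn peoplepicker-searchadforests -url $url
```

If the key differs between front ends, or the property was written before the key was set, re-run Part 2 on each server and then Part 3 again.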

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange