Checking if account exists in another domain
Posted on 2009-12-21
Given the string "DomainB\Kevin", can I check that this represents a valid user in DomainB, if my process is running in DomainA, and my process does not have the rights to browse DomainB?
I have two domains, DomainA and DomainB with two-way trusts.
The domain administrator has created a group in DomainA, called GroupA and a group in DomainB, GroupB. GroupA contains a few users from DomainA and GroupB contains a few users from DomainB.
Finally, a third group has been created in DomainA, GroupAB. This group contains GroupA and GroupB.
In DomainA, our service is running. The service has a list of users, identified with their domain-usernames (e.g. DomainA\Joe or DomainB\Kevin).
Now, the process needs to find out if any of the users in the list is no longer active, i.e. has been removed from AD or has been set to inactive.
For DomainA users this is easy: using ADSI, we can simply query AD for users by the domain-username from the list. However, for DomainB it's not that straightforward. Due to security regulations, a user in DomainA does not have access to DomainB. This means that our service cannot use ADSI to connect to DomainB.
So, my question is: Is there any way for the service to find out if entries in the list exist or not? (Without adding the permissions to access DomainB.)
I'm thinking there must be a way:
We have an ASP.NET-application in DomainA. It only allows users in GroupAB to have access, and this works for users in both DomainA and DomainB. This means that the ASP.NET worker process somehow must be able to verify that DomainB users are members of GroupAB. And this without access rights to DomainB.
Hope I have made myself understood.
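As an added illustration (not code from the original post), the two checks the question contrasts, side by side: the ADSI query that works for DomainA, and a name-to-SID lookup through the trust for DomainB, which can only show that an account exists. It assumes a DomainA-joined host, read access to DomainA, and that LSA name lookups are allowed across the two-way trust; the account names are the ones from the post.

```powershell
# Added example, not from the original post. Assumes a DomainA-joined host,
# ADSI read access to DomainA, and LSA name lookups permitted over the trust.
function Test-DomainAccount {
    param([Parameter(Mandatory)][string]$Account)   # e.g. 'DomainA\Joe' or 'DomainB\Kevin'

    $domain, $user = $Account -split '\\', 2
    $localDomain = $env:USERDOMAIN

    if ($domain -eq $localDomain) {
        # Own domain: an ADSI search gives both existence and the disabled bit.
        # Escape the name if it comes from untrusted input before building the filter.
        $searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$user))"
        $hit = $searcher.FindOne()
        if (-not $hit) { return 'NotFound' }
        $uac = [int]$hit.Properties['useraccountcontrol'][0]
        if ($uac -band 0x2) { return 'Disabled' }   # ADS_UF_ACCOUNTDISABLE
        return 'Active'
    }

    # Trusted domain we may not browse: ask LSA to map the name to a SID
    # through the trust. Success proves the account exists; it says nothing
    # about whether the account has been disabled in DomainB.
    try {
        $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
                   [System.Security.Principal.SecurityIdentifier])
        return "ExistsUnverified:$($sid.Value)"
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return 'NotFound'
    }
}

foreach ($a in 'DomainA\Joe', 'DomainB\Kevin') {
    '{0,-16} {1}' -f $a, (Test-DomainAccount $a)
}
```

The DomainB branch answers only "does this account still exist"; detecting a disabled DomainB account still needs some read path into DomainB, which is exactly the access the post says the service does not have.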