Checking if account exists in another domain

Posted on 2009-12-21
Last Modified: 2013-12-04
Short question:
Given the string "DomainB\Kevin", can I check that this represents a valid user in DomainB, if my process is running in DomainA, and my process does not have the rights to browse DomainB?

Long question:

I have two domains, DomainA and DomainB with two-way trusts.
The domain administrator has created a group in DomainA, called GroupA and a group in DomainB, GroupB. GroupA contains a few users from DomainA and GroupB contains a few users from DomainB.
Finally, a third group has been created in DomainA, GroupAB. This group contains GroupA and GroupB.

In DomainA, our service is running. The service has a list of users, identified with their domain-usernames (e.g. DomainA\Joe or DomainB\Kevin).
Now, the process needs to find out whether any of the users in the list is no longer active, i.e. has been removed from AD or has been set to inactive.

For DomainA users this is easy: using ADSI, we can simply query AD for users by the domain-username from the list. However, for DomainB it's not that straightforward. Due to security regulations, a user in DomainA does not have access to DomainB. This means that our service cannot use ADSI to connect to DomainB.

So, my question is: Is there any way for the service to find out if entries in the list exist or not? (Without adding the permissions to access DomainB.)

I'm thinking there must be a way:
We have an ASP.NET-application in DomainA. It only allows users in GroupAB to have access, and this works for users in both DomainA and DomainB. This means that the ASP.NET worker process somehow must be able to verify that DomainB users are members of GroupAB. And this without access rights to DomainB.

Hope I have made myself understood.

Question by:gunman69

Accepted Solution

NJComputerNetworks earned 2000 total points
ID: 26095502
As far as I know, there is no way to query a remote domain without credentials in the remote domain.  If you could, you would have a security hole...something you don't want.  The ASP.NET worker process may be configured with an account that has access to both domains.  I would think that if you have a TRUST (2-way), using an account that has read access in both domains should not be a problem.  (just my thoughts... maybe there is some solution here that I am not seeing... I would leave this ticket open for a while)
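The accepted answer's approach, as an added example and not code from the question or the answer: the service binds to each domain with a dedicated read-only account for that domain, so the service's own identity needs no rights in DomainB. Uses System.DirectoryServices.AccountManagement; the credential names, passwords and the `ReadCreds` table are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Net;

enum AccountState { Active, Disabled, NotFound, LookupFailed }

static class CrossDomainAccountCheck
{
    // One read-only account per domain, as the accepted answer suggests.
    // Assumed placeholder values; a real service loads these from a secure store.
    static readonly Dictionary<string, NetworkCredential> ReadCreds =
        new Dictionary<string, NetworkCredential>(StringComparer.OrdinalIgnoreCase)
        {
            { "DomainA", new NetworkCredential("svc-adread", "<password>", "DomainA") },
            { "DomainB", new NetworkCredential("svc-adread", "<password>", "DomainB") },
        };

    // Resolves "DomainB\Kevin" and reports whether the account still exists and is enabled.
    public static AccountState Check(string domainUser)
    {
        string[] parts = domainUser.Split(new[] { '\\' }, 2);
        if (parts.Length != 2)
            throw new ArgumentException("expected DOMAIN\\user", "domainUser");
        string domain = parts[0], sam = parts[1];

        NetworkCredential cred;
        if (!ReadCreds.TryGetValue(domain, out cred))
            return AccountState.LookupFailed;   // no read account configured for this domain

        try
        {
            // Bind with the per-domain read account rather than the service's own identity.
            string bindUser = cred.Domain + "\\" + cred.UserName;
            using (var ctx = new PrincipalContext(ContextType.Domain, domain, bindUser, cred.Password))
            using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, sam))
            {
                if (user == null) return AccountState.NotFound;
                // Enabled is null when the attribute is not readable; treat that as not active.
                return user.Enabled == true ? AccountState.Active : AccountState.Disabled;
            }
        }
        catch (PrincipalServerDownException)
        {
            // DC unreachable: an outage must not be mistaken for a deleted account.
            return AccountState.LookupFailed;
        }
    }
}
```

Deleted, disabled and unreachable are reported as distinct states, which matters if the result drives removal of an entry from the service's user list.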
