Checking if account exists in another domain

Posted on 2009-12-21
Last Modified: 2013-12-04
Short question:
Given the string "DomainB\Kevin", can I check that this represents a valid user in DomainB, if my process is running in DomainA, and my process does not have the rights to browse DomainB?

Long question:

I have two domains, DomainA and DomainB with two-way trusts.
The domain administrator has created a group in DomainA, called GroupA and a group in DomainB, GroupB. GroupA contains a few users from DomainA and GroupB contains a few users from DomainB.
Finally, a third group has been created in DomainA, GroupAB. This group contains GroupA and GroupB.

In DomainA, our service is running. The service has a list of users, identified with their domain-usernames (e.g. DomainA\Joe or DomainB\Kevin).
Now, the process needs to find out if any of the users in the list is no longer active, i.e. has been removed from AD or has been set to inactive.

For DomainA users this is easy: using ADSI, we can simply query AD for users by the domain-username from the list. However, for DomainB it's not that straightforward. Due to security regulations, a user in DomainA does not have access to DomainB. This means that our service cannot use ADSI to connect to DomainB.

So, my question is: Is there any way for the service to find out if entries in the list exist or not? (Without adding the permissions to access DomainB.)

I'm thinking there must be a way:
We have an ASP.NET-application in DomainA. It only allows users in GroupAB to have access, and this works for users in both DomainA and DomainB. This means that the ASP.NET worker process somehow must be able to verify that DomainB users are members of GroupAB. And this without access rights to DomainB.

Hope I have made myself understood.

Question by: gunman69

Accepted Solution

As far as I know, there is no way to query a remote domain without credentials in the remote domain. If you could, you would have a security hole... something you don't want. The worker process may be configured with an account that has access to both domains. I would think that if you have a TRUST (2-way), using an account that has read access in both domains should not be a problem. (just my thoughts... maybe there is some solution here that I am not seeing... I would leave this ticket open for a while)
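The lookup the accepted solution describes, as an added example that is not part of the question or the answer: the service runs the check under an account that has read access in DomainB, binds to a DomainB domain controller with that credential, and reports whether the account exists and whether it is disabled. The service account `DomainA\svc-lookup` and the LDAP path `LDAP://dc1.domainb.example/DC=domainb,DC=example` are placeholders.

```powershell
# Added example, not from the original post. Assumes a read-only lookup
# credential for DomainB (placeholder 'DomainA\svc-lookup') and a reachable
# DomainB DC (placeholder 'dc1.domainb.example'), as the accepted answer suggests.
function Test-TrustedDomainAccount {
    param(
        [Parameter(Mandatory)] [string] $DomainUser,     # e.g. 'DomainB\Kevin'
        [Parameter(Mandatory)] [string] $LdapPath,       # e.g. 'LDAP://dc1.domainb.example/DC=domainb,DC=example'
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    $parts = $DomainUser -split '\\', 2
    if ($parts.Count -ne 2) { throw "Expected DOMAIN\user, got '$DomainUser'" }
    $sam = $parts[1]
    # Escape LDAP filter metacharacters (RFC 4515), backslash first, so a crafted
    # entry in the user list cannot change the meaning of the search filter.
    $escaped = $sam -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    # Bind with the explicit lookup credential rather than the caller's own identity.
    $root = New-Object System.DirectoryServices.DirectoryEntry(
        $LdapPath, $Credential.UserName, $Credential.GetNetworkCredential().Password)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))"
    [void]$searcher.PropertiesToLoad.Add('userAccountControl')
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $result = $searcher.FindOne()

    if ($null -eq $result) {
        # Removed from AD (or never existed in this domain).
        return [pscustomobject]@{ Account = $DomainUser; Exists = $false; Enabled = $false; DN = $null }
    }
    $uac = [int]$result.Properties['userAccountControl'][0]
    $disabled = ($uac -band 0x2) -ne 0     # ADS_UF_ACCOUNTDISABLE bit
    [pscustomobject]@{
        Account = $DomainUser
        Exists  = $true
        Enabled = -not $disabled
        DN      = [string]$result.Properties['distinguishedName'][0]
    }
}

# Usage (run under the service identity; the credential only needs read access in DomainB):
# $cred = Get-Credential 'DomainA\svc-lookup'
# Test-TrustedDomainAccount -DomainUser 'DomainB\Kevin' `
#     -LdapPath 'LDAP://dc1.domainb.example/DC=domainb,DC=example' -Credential $cred
```

Entries that come back with `Exists = $false` or `Enabled = $false` are the "no longer active" users the question wants to flag; keep the lookup credential read-only and scoped to the users container it needs.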
