... query the AD for the names and allow the customers to use these name within my app and assign them to my app user groups. In my estimation this will take at least five grand and knowing how cheap is this customer, it will probably won't go past the quote.
That's good too, since you offered a solution they turned down.
In our case we wouldn't get away with charging AND it was in our interest to tick all the "allowed on the network" boxes, so we did it. The hardest part was wading through various mechanisms to validate AD which from memory ended up using a DLL declaration rather than LDAP or WSH or other methods that some customers lock down.
"... They ne'er cared for us
yet: suffer us to famish, and their store-houses
crammed with grain; make edicts for usury, to
support usurers; repeal daily any wholesome act
established against the rich, and provide more
piercing statutes daily, to chain up and restrain
the poor. If the wars eat us not up, they will; and
there's all the love they bear us."
-- Shakespeare: Coriolanus, Act 1, scene 1