• f

    fritz

    2 years ago
  • c

    Chris Ray

    2 years ago
    I have looked at both, but I don't see the data I need in those tables/fields. ntdomains provides a great source of domain related data, but nothing about who administers the domain. user_groups seems like it needs to be joined with another table to provide the most use.
  • f

    fritz

    2 years ago
    Right for user_groups you join against users to see all the groups a given user belongs to, eg:
    osquery> SELECT u.username, ug.gid FROM users u, user_groups ug USING (uid) WHERE uid = 502;
    +------------+-----+
    | username   | gid |
    +------------+-----+
    | fritz-imac | 20  |
    | fritz-imac | 12  |
    | fritz-imac | 61  |
    | fritz-imac | 79  |
    | fritz-imac | 80  |
    | fritz-imac | 81  |
    | fritz-imac | 98  |
    | fritz-imac | 702 |
    | fritz-imac | 703 |
    | fritz-imac | 33  |
    | fritz-imac | 100 |
    | fritz-imac | 204 |
    | fritz-imac | 250 |
    | fritz-imac | 395 |
    | fritz-imac | 398 |
    | fritz-imac | 399 |
    | fritz-imac | 400 |
    | fritz-imac | 701 |
    +------------+-----+
  • c

    Chris Ray

    2 years ago
    ahh! Briliant, thank you!
  • @fritz I have changed the query to have a "WHERE ug.gid = 512" 512 = Domain Admins group, which on the dev server has one user in it, however when I query the user_groups table that gid does not show up What could cause this?
  • I figured it out, domain admins are nested within gid 544 (Administrators group).
  • When selecting from user_groups you only see the parent containers, not the nested container membership