https://fleetdm.com logo
  • f

    fritz

    2 years ago
    https://osquery.slack.com/archives/C08V7KTJB/p1589387568462600 @Chris Ray Have you looked at:https://osquery.io/schema/4.3.0#ntdomains https://osquery.io/schema/4.3.0#user_groups
  • c

    Chris Ray

    2 years ago
    I have looked at both, but I don't see the data I need in those tables/fields. ntdomains provides a great source of domain related data, but nothing about who administers the domain. user_groups seems like it needs to be joined with another table to provide the most use.
  • f

    fritz

    2 years ago
    Right for user_groups you join against users to see all the groups a given user belongs to, eg:
    osquery> SELECT u.username, ug.gid FROM users u, user_groups ug USING (uid) WHERE uid = 502;
+------------+-----+
| username   | gid |
+------------+-----+
| fritz-imac | 20  |
| fritz-imac | 12  |
| fritz-imac | 61  |
| fritz-imac | 79  |
| fritz-imac | 80  |
| fritz-imac | 81  |
| fritz-imac | 98  |
| fritz-imac | 702 |
| fritz-imac | 703 |
| fritz-imac | 33  |
| fritz-imac | 100 |
| fritz-imac | 204 |
| fritz-imac | 250 |
| fritz-imac | 395 |
| fritz-imac | 398 |
| fritz-imac | 399 |
| fritz-imac | 400 |
| fritz-imac | 701 |
+------------+-----+
  • c

    Chris Ray

    2 years ago
    ahh! Briliant, thank you!
  • @fritz I have changed the query to have a "WHERE ug.gid = 512" 512 = Domain Admins group, which on the dev server has one user in it, however when I query the user_groups table that gid does not show up What could cause this?
  • I figured it out, domain admins are nested within gid 544 (Administrators group).
  • When selecting from user_groups you only see the parent containers, not the nested container membership