Is it possible to list all members of the

Administrators

group? I have found several posts online regarding members of

Administrators

, but this only takes local users into account. It does not show domain users or domain groups. There are the

users

and

groups

tables, but nothing that I can find like a

group_members

sort of table.

Are you looking for https://osquery.io/schema/5.11.0/#user_groups

No. That only shows the relationship between local users and local groups. It does not show any details on domain users or groups within local groups.

Hrm. I think we probably filter out domain stuff. I remember it’s been an issue in the past. (Domains often have thousands of users and groups, and that’s caused performance issues). This may not be possible

Can't the group itself just be queried for the SID's that are members? You shouldn't have to enumerate all domain users/groups to identify members of a local group. If we could get the SID's of the members, I can easily "enrich" that with the actual usernames (we are using this data in Elastic for SIEM).

I think you have two questions/suggestions. One is why osquery doesn’t include domain groups. And the other is why

user_groups

seems to be indexed by user, and not by group.

The

user_groups

table only takes local users into account. I need a way to audit all members of the local Administrators groups; regardless if the member is a local user/group or domain user/group. The reason I suggested a

group_members

sort of table is because

users

only shows information on local users,

groups

only shows information on local groups, and

user_groups

only correlates those local users to local groups. None of those query the groups directly for their members. I am not sure what method Osquery uses for its queries of users and groups, but

NET LOCALGROUP Administrators

shows all members (local users, local groups, domain users, and domain groups), and WMI can be used as well. This might be a bit ugly, but here is a WMI example to get all members (local users, local groups, domain users, and domain groups) from the Administrators group. I tested this on a domain VM with the NIC removed, and it successfully returned all the members I am expecting to see.

Dim strComputer
Dim objWMI

strComputer = CreateObject("WScript.Network").ComputerName
Set objWMI = GetObject("WinMgmts:{ImpersonationLevel=Impersonate}!\\" & strComputer & "\Root\CIMV2")

Set colItems = objWMI.ExecQuery("SELECT * FROM Win32_GroupUser WHERE GroupComponent = " & chr(34) & "Win32_Group.Domain='" & strComputer & "',Name='Administrators'" & Chr(34))

For Each objItem in colItems
  arrComponent = Split(objItem.PartComponent, ",")
  
  if inStr(arrComponent(0), "Win32_UserAccount") Then
    strAccountType = "User"
  ElseIf inStr(arrComponent(0), "Win32_Group") Then
    strAccountType = "Group"
  End If

  strMemberName = Replace(Replace(arrComponent(1), Chr(34), ""), "Name=", "")
  DomainNameArray = Split(arrComponent(0), "=")
  strDomainName = Replace(DomainNameArray(1), Chr(34), "")
  If UCase(strDomainName) <> UCase(strComputer) Then
    strMemberName = strDomainName & "\" & strMemberName
    strDomain = "Domain"
  Else
    strDomain = "Local"
  End If

  msgBox strDomain & " " & strAccountType & ": " & strMemberName, 0+64, "Administrators Group Member"
Next