Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Hello, I would like to ask why the osquery query table Users can query the domain account information, I would like to know how to query the users table

Tables are documented on the schema webpage at <http://osquery.io/schema|osquery.io/schema> and for each, there's a link to the "table spec" file which sometimes has query examples at the bottom.

The `users` table on Windows doesn't really query domain account information. It lists the domain user accounts that have logged into the local endpoint and left a record in the registry.

There's currently no domain-user-enumerating table

Unless osquery is running on a domain controller. Then you will be enumerating domain users.

69.png

68.png

Hello, yes, my domain controller has osquery deployed, but when I query the users table of other machines, all domain accounts will also appear, why?Here are the results I got after querying the two machines, both containing the native account and the domain account but both machines are my domain management controller

This may not answer your question but, the `users` table reads both the local machine users and the Roaming Profiles registry key which should (?) only have the domain users that have signed in locally.