Hello, I would like to ask why the osquery query table Users can query the domain account information, I would like to know how to query the users table

Tables are documented on the schema webpage at osquery.io/schema and for each, there's a link to the "table spec" file which sometimes has query examples at the bottom. The

users

table on Windows doesn't really query domain account information. It lists the domain user accounts that have logged into the local endpoint and left a record in the registry.

Unless osquery is running on a domain controller. Then you will be enumerating domain users.

Hello, yes, my domain controller has osquery deployed, but when I query the users table of other machines, all domain accounts will also appear, why?Here are the results I got after querying the two machines, both containing the native account and the domain account but both machines are my domain management controller

This may not answer your question but, the

users

table reads both the local machine users and the Roaming Profiles registry key which should (?) only have the domain users that have signed in locally.