# general
Hi, I'm trying to figure out local Admins on Windows endpoints but I'm struggling because osquery only returns local accounts. User accounts from the domain are missing. Here is the query I use:
SELECT * FROM users JOIN user_groups ON users.uid = user_groups.uid WHERE user_groups.gid = 544;
A quick look at the user_groups table reveals that only local user accounts are related to local groups.
SELECT * FROM user_groups;
Am I missing something?
Yes — osquery limits the scope of what it gathers to local users. I believe this is mentioned in the table schema. At least one of the reasons for this is that most domains have a lot of users, and it tends to not be what people want returned. (Imagine a domain with thousands of users.)
Hi @tokcum, did you figure out some way to do this?