#windows

Chris Ray

05/13/2020, 8:06 PM
I have looked at both, but I don't see the data I need in those tables/fields. ntdomains provides a great source of domain related data, but nothing about who administers the domain. user_groups seems like it needs to be joined with another table to provide the most use.

fritz

05/13/2020, 11:42 PM
Right, for user_groups you join against users to see all the groups a given user belongs to, e.g.:
osquery> SELECT u.username, ug.gid FROM users u, user_groups ug USING (uid) WHERE uid = 502;
+------------+-----+
| username   | gid |
+------------+-----+
| fritz-imac | 20  |
| fritz-imac | 12  |
| fritz-imac | 61  |
| fritz-imac | 79  |
| fritz-imac | 80  |
| fritz-imac | 81  |
| fritz-imac | 98  |
| fritz-imac | 702 |
| fritz-imac | 703 |
| fritz-imac | 33  |
| fritz-imac | 100 |
| fritz-imac | 204 |
| fritz-imac | 250 |
| fritz-imac | 395 |
| fritz-imac | 398 |
| fritz-imac | 399 |
| fritz-imac | 400 |
| fritz-imac | 701 |
+------------+-----+

Chris Ray

05/14/2020, 1:57 PM
Ahh! Brilliant, thank you!
2:27 PM
@fritz I have changed the query to have a "WHERE ug.gid = 512" (512 = Domain Admins group), which on the dev server has one user in it; however, when I query the user_groups table that gid does not show up. What could cause this?
2:44 PM
I figured it out, domain admins are nested within gid 544 (Administrators group).
2:44 PM
When selecting from user_groups you only see the parent containers, not the nested container membership