IMPORTANT: This site is planned to be decommissioned in 2026. Visit the Tanium Resource Center for all Tanium release notes, user guides, and support information. To view release notes in the Resource Center, see Tanium Release Notes.
IMPORTANT: If you are using semi-annual releases for on premises, see the Release notes for 2024H1 semiannual release, Release notes for 2024H2 semiannual release, or Release notes for 2025H1 semiannual release on the Tanium Resource Center.
Effective October 15, 2024: On prem release notes on the Tanium Knowledge Base are frozen. For release notes related to 7.4 or 7.5 Server and Solutions, see the Monthly updates for Tanium Version 7.4 and 7.5 Server and Solutions on the Tanium Resource Center.

ADQuery 2.4.2.0001 en

From Tanium Knowledge Base


Introduction: Active Directory Query

Systems administrators are often asked to gather information from managed systems about their Active Directory (AD) status, local user accounts, and local groups, and to answer questions such as:

  • Who are the primary users of all systems?
  • What AD groups is the system a member of?
  • What AD groups are the system's users members of?
  • What local groups exist and what is their membership?
  • What local users exist, what is their group membership, and what is their status?

The Tanium platform is well suited to gathering this sort of information, but care needs to be taken when implementing certain tooling. What seems like a simple command or query can have a greater impact than expected. For example, if there is a requirement to gather AD account information from a single system, having that single system query its AD Domain Controller (DC) would be reasonable. Since Tanium sensors are designed to run quickly, return data as rapidly as possible, and are typically run against thousands of systems at once, asking 1,000 endpoints to all provide that same information could amount to a DDoS of those DCs. Implementing tooling that causes thousands of systems to simultaneously perform a direct query against their AD DC is not a good idea. The content in the Tanium Active Directory Query solution is intended to address the need to collect AD information from managed systems while avoiding the dangers of the direct query approach.

Tanium Active Directory Query gathers AD information by combining Tanium Actions and Sensors. The AD Query actions should be configured with a distribute over time (DOT) setting, which introduces a random delay into the action's execution on each endpoint: each system waits a random interval between 0 and the specified maximum delay before starting. Start times are therefore not evenly spaced (systems do not start at fixed intervals from one another), but the randomness spreads the actions out in a reasonable manner. Viewed across all targeted systems, the action effectively runs over the whole distribute over time period, beginning at the specified start time.

This approach to collecting AD information provides benefits such as:

  • Each system's query to its DC is performed without the risk of overloading the DC with too many simultaneous requests.
  • The inventory of the computer, users, and groups is stored locally on each system in XML files in the Tools\ADQuery folder, for later use by other packages or for collection by sensors.
  • Sensors are used to retrieve the inventoried information - an operation that is fast, low cost, and has no impact on the DCs.
  • Any sensor whose name starts with 'AD Query -' reads the XML files created by the 'Collect Active Directory Info' package.

Download Location

This content is available at: https://content.tanium.com/files/published/ADQuery/2018-11-27_06-45-52_2.4.2.0001-g725d657/ADQuery.xml

Usage

Target the Windows endpoints that are to query Active Directory and deploy the package 'Collect Active Directory Info'. It is strongly recommended to use a distribute over time setting of three hours and a reissue interval of four hours when creating this Saved Action.

Questions

AD Query - All Windows

Get Is Windows from all machines

Returns all Windows computers. Can be used for targeting of the Collect Active Directory Info package.

AD Query - Has Stale Computer Results

Get AD Query - Has Stale Results[Computer,4] from all machines with AD Query - Has Stale Results[Computer,4] contains True

Returns computers that have AD computer data older than four hours. Can be used for targeting of the Collect Active Directory Info package.

AD Query - Has Stale Local Administrator Results

Get AD Query - Has Stale Results[Groups,4] from all machines with AD Query - Has Stale Results[Groups,4] equals True

Returns computers that have Local Administrator data older than four hours. Can be used for targeting of the Collect Active Directory Info package.

AD Query - Has Stale Results

Get Target from all machines with ( AD Query - Has Stale Results[Computer,4] contains True or ( AD Query - Has Stale Results[User,4] contains True or AD Query - Has Stale Results[Groups,4] contains True ) )

Returns computers that have AD user, computer, or Local Administrator data older than four hours. Can be used for targeting of the Collect Active Directory Info package.

AD Query - Has Stale User Results

Get AD Query - Has Stale Results[User,4] from all machines with AD Query - Has Stale Results[User,4] contains True

Returns computers that have AD user data older than four hours. Can be used for targeting of the Collect Active Directory Info package.

Packages

Collect Active Directory Info

Queries Active Directory for three data types.

  • Computer
    • Collects AD attributes and any groups the computer is a member of
    • Inventory is written to compAttr.xml

  • User
    • Inventories all local user accounts
    • Inventories all domain accounts for users who have recently logged in
    • Collects AD attributes and any groups (local and domain) the user is a member of
    • Queries Security Event Log for logon events from the last 30 days to determine a primary user
    • Marks a user attribute as the primary user
    • Inventory is written to userAttr.xml

  • Local Group Membership
    • Collects all local groups and their members
    • Inventory is written to localGroups.xml

This package must be run with a Distribute Over Time (DOT) value in order to reduce the number of systems simultaneously querying Domain Controllers.

Notes:

  • Package runtime output is logged to a rolling log file in the Tools\ADQuery folder.
  • This package has a built-in fail-safe that only allows it to run once every three hours. To change this behavior, run the package with a Minimum time between runs value that is smaller than the action's reissue interval.

This package contains 1 file and 0 sensors.

Properties:

Property Value
Command Line cmd /c cscript //T:300 collectAdInfo.vbs /ComputerInv:$1 /GroupInv:$2 /UserInv:$3 /DCsAreAllowed:$4 /ProfileCount:$5 /CompPropsInv:"$6" /UserPropsInv:"$7" /UserSIDsNoInventory:"$8" /UserNamesNoInventory:"$9" /UserSIDsNoPrimary:"$10" /UserNamesNoPrimary:"$11" /MinMinsBetweenRuns:$12 /LogVerbosity:$13
Command Timeout 300

Parameters:

Name Description Type Default Value
Collect Computer Attributes Collects all computer object attributes from Active Directory. Checkbox UnChecked
Collect User Attributes Collects user object attributes from all local users and all domain users who have a user profile on the computer. Checkbox UnChecked
Collect Local Group Memberships Collects direct memberships of all local groups. Checkbox UnChecked
Collect data from DCs Allow running script on Domain Controllers Checkbox UnChecked
Number of user profiles Number of user profiles to inventory (number > 0) Numeric 30
Computer properties to include Comma delimited list of computer properties to include in inventory. Text
User properties to include Comma delimited list of user properties to include in inventory. Text
User SIDs to exclude Comma delimited list of user SIDs which will be excluded from inventory. Valid RegEx may be specified. Text
User names to exclude Comma delimited list of user names which will be excluded from inventory. Valid RegEx may be specified. Text
User SIDs to exclude Comma delimited list of user SIDs which will be excluded from primary user detection. Valid RegEx may be specified. Text
User names to exclude Comma delimited list of user names which will be excluded from primary user detection. Valid RegEx may be specified. Text
Minimum time between runs The minimum number of minutes that must elapse before the script is allowed to run again. When running this script via a Scheduled Action with a reissue, the reissue interval must be larger than this value. Numeric 180
Log Verbosity Amount of info written to log (0:Nothing,1:Error,2:Warn,3:Info,4:Debug,5:Trace). The log is saved on each system under <Tanium Client installation folder>\Tools\AD Query\ Numeric 4
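The interaction between the distribute over time window described in the introduction, the reissue interval of the Saved Action, and the package's minimum-time-between-runs fail-safe is easy to get wrong, so the following Python model is added here as an example. It is not part of the content pack and not Tanium code: it assumes each endpoint draws a uniform delay in [0, DOT] and that a run executes only when at least the configured minimum has elapsed since that endpoint's last executed run, which is the rule the notes above describe. The fleet sizes, windows and delay lists are constructed for illustration.

```python
"""Model of a Saved Action that deploys 'Collect Active Directory Info'
with a distribute over time (DOT) window, a reissue interval and the
package's minimum-time-between-runs fail-safe.  Illustrative model only,
not Tanium code; all inputs below are constructed."""
from collections import Counter
import random


def spread_endpoints(n_endpoints, dot_minutes, rng):
    """DOT gives every endpoint its own random delay, uniform in
    [0, dot_minutes], measured from the action's start time."""
    return [rng.uniform(0, dot_minutes) for _ in range(n_endpoints)]


def dc_queries_per_minute(delays_min):
    """Bucket endpoint start times into one-minute slots.  The largest
    bucket is the worst-case number of endpoints hitting the DCs in the
    same minute for one issue of the action."""
    return Counter(int(d) for d in delays_min)


def peak_dc_load(n_endpoints, dot_minutes, seed=1):
    """Worst-case endpoints per minute for one issue of the action."""
    delays = spread_endpoints(n_endpoints, dot_minutes, random.Random(seed))
    return max(dc_queries_per_minute(delays).values())


def simulate_endpoint(reissue_min, delays_min, min_between_runs_min):
    """Walk one endpoint through successive reissues.  delays_min[i] is the
    DOT delay drawn for issue i.  The package runs only when at least
    min_between_runs_min have passed since this endpoint's last *executed*
    run; otherwise the fail-safe skips that issue.  Returns a list of
    (issue, start_minute, executed)."""
    last_run = None
    history = []
    for issue, delay in enumerate(delays_min):
        start = issue * reissue_min + delay
        executed = last_run is None or start - last_run >= min_between_runs_min
        if executed:
            last_run = start
        history.append((issue, start, executed))
    return history


def skipped_fraction(reissue_min, dot_minutes, min_between_runs_min,
                     issues=200, seed=7):
    """Share of issues the fail-safe skips on one endpoint over many
    reissues, using random DOT delays."""
    rng = random.Random(seed)
    delays = [rng.uniform(0, dot_minutes) for _ in range(issues)]
    hist = simulate_endpoint(reissue_min, delays, min_between_runs_min)
    return sum(1 for _, _, ran in hist if not ran) / issues


if __name__ == "__main__":
    # 1000 endpoints, no DOT: every endpoint queries its DC in minute 0.
    print("peak per minute, no DOT :", peak_dc_load(1000, 0))
    # Same fleet with the recommended three-hour window.
    print("peak per minute, 3h DOT :", peak_dc_load(1000, 180))
    # Recommended settings (reissue 4h, DOT 3h, fail-safe 3h) can still skip
    # an issue when a late delay is followed by an early one on the same host.
    for issue, start, ran in simulate_endpoint(240, [174, 6, 100], 180):
        print(f"issue {issue}: start at minute {start:5.0f}, executed={ran}")
    # A reissue interval below the fail-safe minimum wastes every other issue.
    print("skipped with reissue 2h :", skipped_fraction(120, 0, 180))
    print("skipped with reissue 4h :", skipped_fraction(240, 180, 180))
```

The last two lines are the practical point: with a reissue interval shorter than the fail-safe minimum the package silently skips half of its issues, and even with the recommended 4h reissue / 3h DOT / 3h minimum an endpoint that drew a late delay followed by an early one will skip an issue under this model, so a small share of stale results between runs is expected rather than a sign of a broken action.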

Files:

Name
collectAdInfo.vbs

Sensors

AD Query - Computer Attributes

The value of the specified attribute of the computer's Active Directory object.

This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.

Parameters:

Name Help Type Default Value
Active Directory Attribute Enter the Active Directory computer attribute to query Text

Supported Platforms:

Platform Query Type
Windows VBScript

AD Query - Computer Group Memberships

All Active Directory groups the computer is a member of, both explicitly and implicitly. Nested groups are also returned. The group is returned in NT format (SomeDomain\SomeGroup).

The sensor returns the group's Well Known Name.

This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.

Supported Platforms:

Platform Query Type
Windows VBScript

AD Query - Computer Groups

The distinguishedName of any Active Directory groups the computer is explicitly a member of (no nested groups). Also returns the computer's Primary Group. The group is returned from the memberOf attribute and is in RFC 1779 format (CN=TestGroup,OU=Sales,DC=MyDomain,DC=com).

This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.

Supported Platforms:

Platform Query Type
Windows VBScript

AD Query - Computer Has Group Membership

Searches the computer's group inventory for membership in the specified group(s).
Returns True if the computer is a member of the Active Directory group.
Returns False if no match was found.

The sensor's default behavior checks the group's Well Known Name. Prefacing the Group input with 'name:' will cause the sensor to search the non-translated name.

The group may be specified in groupname or domain\groupname syntax.
Multiple groups may be specified if separated by a comma. Ex: group,corp\group

This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.

Parameters:

Name Help Type Default Value
Groups The name of the group to test for membership. The group may be specified in groupname or domain\groupname syntax. Multiple groups may be specified if separated by a comma. Ex: group,corp\group Text

Supported Platforms:

Platform Query Type
Windows VBScript

AD Query - Computer Site Name

The computer's Active Directory Site Name

This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.

Supported Platforms:

Platform Query Type
Windows VBScript

AD Query - Domain Controller

The name of the Active Directory Domain Controller responding to queries.

This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.

Supported Platforms:

Platform Query Type
Windows VBScript

AD Query - Domain Controller Site Name

The Active Directory Site Name of the Domain Controller responding to queries.

This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.

Supported Platforms:

Platform Query Type
Windows VBScript

AD Query - Has Stale Results

Returns True or False based on the time the AD Query XML files were generated and the number of hours after which the Active Directory data should be considered stale.
This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.

Parameters:

Name Help Type Default Value
AD Data Type AD Query XML file to check. Selection Available:

Computer
User
Groups

Hours Old Number of hours for data to be considered stale. Numeric 4

Supported Platforms:

Platform Query Type
Windows VBScript

AD Query - Last Run Status

Status information recorded when the inventory script last ran.
This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.

Supported Platforms:

Platform Query Type
Windows VBScript

AD Query - Local Administrators

Users and groups who are a member of the local Administrators group.

The sensor returns the Well Known Name of users and groups.

This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.

Columns:

Name Description Type Hidden
Name The group member's name Text
Location The group member's location Text
Type The group member type (user or group) Text

Supported Platforms:

Platform Query Type
Windows VBScript

AD Query - Local Group Membership

Searches local group inventory to return group names and membership.

The sensor returns the Well Known Name of users and groups who are a member of the specified group(s).

Input 'all' in the Group field to return all inventoried groups.
The group may be a local group or an Active Directory group.
The group may be specified in groupname or domain\groupname syntax.
Multiple groups may be specified if separated by a comma. Ex: group,Local\group,corp\group,.\group

The sensor's default behavior checks the group's Well Known Name. Prefacing the Group input with 'name:' will cause the sensor to search the non-translated name.

This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.

Columns:

Name Description Type Hidden
Group The name of the group to check membership Text
Member The group member name Text
Location The group member's location Text
Type The group member type (user or group) Text

Parameters:

Name Help Type Default Value
Group(s) Report members of this comma delimited list of group names Text Administrators

Supported Platforms:

Platform Query Type
Windows VBScript

AD Query - Local Groups

The names of all local groups. No group members are returned.

The sensor returns the group's Well Known Name.

This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.

Supported Platforms:

Platform Query Type
Windows VBScript

AD Query - Local Objects Potentially Renamed

A multi-column list containing current object name, the well known name of the object, the object type, the system locale ID, and the system locale strings.

This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.

Columns:

Name Description Type Hidden
Name The object's localized name Text
Well Known Name The object's well known name Text
Type The object type (user or group) Text
Locale ID The system's locale ID Numeric
Locale Strings The system's locale string Text

Supported Platforms:

Platform Query Type
Windows VBScript

AD Query - Local User Account Control Flags

Parses the UserFlags attribute of local user accounts to report the following account control flags:

  • account disabled
  • allow encrypted password
  • expire password
  • has logon script
  • password expired
  • password required
  • smartcard required
  • user can change password


The sensor's default behavior checks the Well Known Name of users. Prefacing the User input with 'name:' will cause the sensor to search the non-translated name.

Input 'all' into the Users field to return the account control value from all inventoried users.

This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.
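The flag names above are a friendly rendering of bits in the WinNT provider's UserFlags value. The following Python is an added example, not the content pack's VBScript: the bit constants are the documented ADS_USER_FLAG_ENUM values, but which bit each sensor flag name corresponds to, and which ones are reported inverted (for instance 'password required' as the inverse of ADS_UF_PASSWD_NOTREQD), is this example's assumption. The account records and their flag values are constructed. It also adds a review helper that picks out enabled accounts whose password is not required or never expires, which is what a reviewer of this inventory usually wants from these flags.

```python
"""Decode the WinNT-provider UserFlags bitmask of a local account into the
flag names that 'AD Query - Local User Account Control Flags' reports.
Bit constants are ADS_USER_FLAG_ENUM; the name-to-bit mapping (and which
flags are reported inverted) is an assumption of this example, not the
content pack's implementation.  All user records below are constructed."""

ADS_UF_SCRIPT = 0x00000001
ADS_UF_ACCOUNTDISABLE = 0x00000002
ADS_UF_PASSWD_NOTREQD = 0x00000020
ADS_UF_PASSWD_CANT_CHANGE = 0x00000040
ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x00000080
ADS_UF_NORMAL_ACCOUNT = 0x00000200
ADS_UF_DONT_EXPIRE_PASSWD = 0x00010000
ADS_UF_SMARTCARD_REQUIRED = 0x00040000
ADS_UF_PASSWORD_EXPIRED = 0x00800000

# sensor flag name -> (bit, value reported when that bit is set); assumed mapping
FLAG_MAP = {
    "account disabled": (ADS_UF_ACCOUNTDISABLE, True),
    "allow encrypted password": (ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED, True),
    "expire password": (ADS_UF_DONT_EXPIRE_PASSWD, False),
    "has logon script": (ADS_UF_SCRIPT, True),
    "password expired": (ADS_UF_PASSWORD_EXPIRED, True),
    "password required": (ADS_UF_PASSWD_NOTREQD, False),
    "smartcard required": (ADS_UF_SMARTCARD_REQUIRED, True),
    "user can change password": (ADS_UF_PASSWD_CANT_CHANGE, False),
}


def decode_user_flags(user_flags):
    """Map a raw UserFlags integer to {flag name: True/False}."""
    return {name: (bool(user_flags & bit) == when_set)
            for name, (bit, when_set) in FLAG_MAP.items()}


def flag_rows(users, user_filter, flag):
    """Rows shaped like the sensor's (User, Account Control Flag, Value)
    output.  user_filter is a comma-delimited list of names or 'all'."""
    if flag not in FLAG_MAP:
        raise ValueError(f"unknown flag {flag!r}")
    wanted = None if user_filter.strip().lower() == "all" else {
        u.strip().lower() for u in user_filter.split(",") if u.strip()}
    return [(name, flag, decode_user_flags(flags)[flag])
            for name, flags in users
            if wanted is None or name.lower() in wanted]


def weak_password_accounts(users):
    """Names of enabled accounts whose password is not required or never
    expires: the combination worth chasing in a local-account review."""
    weak = []
    for name, flags in users:
        f = decode_user_flags(flags)
        if not f["account disabled"] and (
                not f["password required"] or not f["expire password"]):
            weak.append(name)
    return weak


# Constructed sample: (account name, UserFlags as the WinNT provider would report it)
SAMPLE_USERS = [
    ("Administrator", ADS_UF_NORMAL_ACCOUNT | ADS_UF_DONT_EXPIRE_PASSWD),
    ("Guest", ADS_UF_NORMAL_ACCOUNT | ADS_UF_ACCOUNTDISABLE | ADS_UF_PASSWD_NOTREQD
              | ADS_UF_PASSWD_CANT_CHANGE | ADS_UF_DONT_EXPIRE_PASSWD),
    ("svc_backup", ADS_UF_NORMAL_ACCOUNT | ADS_UF_PASSWD_NOTREQD | ADS_UF_SCRIPT),
    ("jdoe", ADS_UF_NORMAL_ACCOUNT | ADS_UF_SCRIPT),
]

if __name__ == "__main__":
    for row in flag_rows(SAMPLE_USERS, "all", "password required"):
        print(row)
    print("weak password accounts:", weak_password_accounts(SAMPLE_USERS))
```

Note that a disabled Guest with 'password required' False is the normal state and is deliberately not reported by the review helper; the interesting rows are enabled accounts with that value, or service accounts whose password never expires.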

Columns:

Name Description Type Hidden
User The name of the user Text
Account Control Flag The account control flag name Text
Value The account control flag value Text

Parameters:

Name Help Type Default Value
User The name of the user to report. Input 'all' to return the account control value from all inventoried users. Text
Control Flag The user account control value to report. Selection Available:

account disabled
allow encrypted password
has logon script
expire password
password expired
password required
smartcard required
user can change password

Supported Platforms:

Platform Query Type
Windows VBScript

AD Query - Local Users

Listing of all local users.

The sensor returns the Well Known Name of local users.

This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.

Supported Platforms:

Platform Query Type
Windows VBScript

AD Query - Logged In User Details

The following Active Directory attributes of the logged-in user: name (cn or name), department, co (country), city (l), email (mail), and telephoneNumber.

This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.

Columns:

Name Description Type Hidden
Name The user's name (attributes: cn or name) Text
Department The user's department (attribute: department) Text
Country The user's country (attribute: co) Text
City The user's city (attribute: l) Text
Email The user's email address (attribute: mail) Text
Phone Number The user's telephone number (attribute: telephoneNumber) Text

Supported Platforms:

Platform Query Type
Windows VBScript

AD Query - Logged In User Group Memberships

All groups the logged-in user is a member of, both explicitly and implicitly. Nested groups are also returned. The group is returned in NT format (SomeDomain\SomeGroup).

The sensor returns the group's Well Known Name.

This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.

Supported Platforms:

Platform Query Type
Windows VBScript

AD Query - Logged In User Groups

The distinguishedName of any Active Directory groups the user is explicitly a member of (no nested groups). Also returns the user's Primary Group. The group is returned from the memberOf attribute and is in RFC 1779 format (CN=TestGroup,OU=Sales,DC=MyDomain,DC=com).

This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.

Supported Platforms:

Platform Query Type
Windows VBScript

AD Query - Mismatched Site Names

Determines whether there is an Active Directory Site Name mismatch between the computer and the Domain Controller responding to queries.

This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.

Columns:

Name Description Type Hidden
Computer Site Name The Active Directory Site Name of the system Text
Domain Controller Site Name The Active Directory Site Name of the system's Domain Controller Text

Supported Platforms:

Platform Query Type
Windows VBScript

AD Query - Primary User

The computer's primary user

The sensor returns the Well Known Name of the primary user.

This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.

Supported Platforms:

Platform Query Type
Windows VBScript

AD Query - Primary User Details

The following Active Directory attributes of the primary user: name (cn or name), department, co (country), city (l), email (mail), and telephoneNumber.

This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.

Columns:

Name Description Type Hidden
Name The user's name (attributes: cn or name) Text
Department The user's department (attribute: department) Text
Country The user's country (attribute: co) Text
City The user's city (attribute: l) Text
Email The user's email address (attribute: mail) Text
Phone Number The user's telephone number (attribute: telephoneNumber) Text

Supported Platforms:

Platform Query Type
Windows VBScript

AD Query - Primary User Group Memberships

All groups the primary user of the computer is a member of, both explicitly and implicitly. Nested groups are also returned. The group is returned in NT format (SomeDomain\SomeGroup).

The sensor returns the group's Well Known Name.

This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.

Supported Platforms:

Platform Query Type
Windows VBScript

AD Query - Primary User Groups

The distinguishedName of Active Directory group memberships for the computer's primary user. The groups returned are those which the user is explicitly a member of (no nested groups). Also returns the user's Primary Group. The group is returned from the memberOf attribute and is in RFC 1779 format (CN=TestGroup,OU=Sales,DC=MyDomain,DC=com).

This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.

Supported Platforms:

Platform Query Type
Windows VBScript

AD Query - Primary User Has Group Membership

Searches Primary User group inventory for membership.
Returns True if the user is a member of the group.
Returns False if no match was found.

The sensor's default behavior checks the Well Known Name of users and groups. Prefacing each input with 'name:' will cause the sensor to search the non-translated name.

The group may be a local group or an Active Directory group.
The group may be specified in groupname or domain\groupname syntax.

Multiple groups may be specified if separated by a comma. Ex: group,Local\group,corp\group,.\group

This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.

Parameters:

Name Help Type Default Value
Groups The name of the group to test for membership. The group may be a local group or an Active Directory group. The group may be specified in groupname or domain\groupname syntax. Multiple groups may be specified if separated by a comma. Ex: group,.\group,corp\group Text

Supported Platforms:

Platform Query Type
Windows VBScript

AD Query - User Attributes

Returns the value of the attribute for the user.

Input 'all' in the User field to return the attribute value for all inventoried users.
The user may be a local account or an Active Directory account.
The attribute may be a local or Active Directory attribute.

The sensor's default behavior searches the user's Well Known Name. Prefacing the User input with 'name:' will cause the sensor to search the non-translated name.

This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.

Parameters:

Name Help Type Default Value
User The name of the user to query. Input 'all' to return the attribute value from all inventoried users. Text
Attribute The attribute name to query Text

Supported Platforms:

Platform Query Type
Windows VBScript

AD Query - User Group Memberships

All groups the specified user is a member of, both explicitly and implicitly. Nested groups are also returned. The result is returned in NT format as UserDomain\UserName|GroupDomain\GroupName.

The sensor's default behavior checks the Well Known Name of users and returns the Well Known Name of any groups the user is a member of. Prefacing the User input with 'name:' will cause the sensor to search the non-translated name.

User names may be specified as username or domain\username.
Multiple users may be specified if separated by a comma. Ex: user,Local\user,corp\user,.\user
Input 'all' into the Users field to return group membership of all inventoried users.

This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.

Columns:

Name Description Type Hidden
User The name of the user Text
Group The name of the group the user is a member of Text

Parameters:

Name Help Type Default Value
Users The name of the user to report group membership for. User names may be specified as username or domain\username. Multiple users may be specified if separated by a comma. Ex: user,.\user,corp\user Input 'all' to return group membership of all inventoried users. Text

Supported Platforms:

Platform Query Type
Windows VBScript

AD Query - User Has Group Membership

Searches user group inventory for membership.
Returns True if the user is a member of the group.
Returns False if no match was found.

The sensor's default behavior checks the Well Known Name of users and groups. Prefacing each input with 'name:' will cause the sensor to search the non-translated name.

Input 'any' in the User field to test any inventoried user for membership.
The user may be a local account or an Active Directory account.
The user may be specified in username or domain\username syntax.
Multiple users may be specified when separated by a comma. Ex: user,Local\localuser,corp\user,.\user

The group may be a local group or an Active Directory group.
The group may be specified in groupname or domain\groupname syntax.
Multiple groups may be specified if separated by a comma. Ex: group,Local\group,corp\group,.\group

This sensor is dependent on the AD Query content pack and will only return data after the Collect Active Directory Info package has completed an inventory.
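The user and group inputs of this sensor, of 'AD Query - Computer Has Group Membership', and of 'AD Query - Local Group Membership' all share one syntax: comma-delimited items, an optional domain prefix with '.' or 'Local' meaning the local machine, 'all' for every inventoried group, and a 'name:' prefix that switches matching from the Well Known Name to the current (non-translated) name. The following Python is an added example of that parsing and matching logic, not the content pack's VBScript. It assumes the 'name:' prefix applies per item and that comparisons are case-insensitive; the inventory records describe a constructed German-locale workstation, which is exactly the case where matching on the raw name ("Administratoren") instead of the Well Known Name ("Administrators") gives a wrong answer.

```python
"""Hypothetical re-implementation of the group input syntax shared by the
'AD Query - ... Has Group Membership' and 'AD Query - Local Group
Membership' sensors.  Not the content pack's VBScript; the inventory is
constructed to show a German-locale machine."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

LOCAL_ALIASES = {".", "local"}   # both spellings the sensors accept for the local machine


@dataclass(frozen=True)
class GroupSpec:
    name: str
    domain: Optional[str]   # None = any location, "." = the local machine
    by_raw_name: bool       # True when the item carried the 'name:' prefix


@dataclass
class LocalGroup:
    domain: str             # "." for the local SAM
    name: str               # current name, possibly localized or renamed
    well_known: str         # locale-independent name the sensors normalise to
    members: List[Tuple[str, str, str]] = field(default_factory=list)  # (location, name, type)


def parse_group_specs(text: str) -> Optional[List[GroupSpec]]:
    """Return None for the special input 'all', else one GroupSpec per item."""
    if text.strip().lower() == "all":
        return None
    specs = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        by_raw = item.lower().startswith("name:")   # per-item prefix: an assumption
        if by_raw:
            item = item[len("name:"):].strip()
        domain, sep, name = item.rpartition("\\")
        if not sep:
            domain = None
        elif domain.lower() in LOCAL_ALIASES:
            domain = "."
        specs.append(GroupSpec(name=name, domain=domain, by_raw_name=by_raw))
    return specs


def spec_matches(spec: GroupSpec, group: LocalGroup) -> bool:
    """Compare the raw or Well Known Name depending on the prefix (Windows
    names are case-insensitive), then the location if one was given."""
    candidate = group.name if spec.by_raw_name else group.well_known
    if candidate.lower() != spec.name.lower():
        return False
    return spec.domain is None or spec.domain.lower() == group.domain.lower()


def local_group_membership(inventory, text):
    """Rows shaped like the 'AD Query - Local Group Membership' result:
    (Group, Member, Location, Type) for each group matching the input."""
    specs = parse_group_specs(text)
    rows = []
    for group in inventory:
        if specs is None or any(spec_matches(s, group) for s in specs):
            rows.extend((group.well_known, m, loc, kind) for loc, m, kind in group.members)
    return rows


def has_group_membership(inventory, member, text):
    """True/False like the 'Has Group Membership' sensors: does `member`
    (name or location\\name) appear in any group matching `text`?"""
    mdomain, sep, mname = member.rpartition("\\")
    if sep and mdomain.lower() in LOCAL_ALIASES:
        mdomain = "."
    for _, name, location, _ in local_group_membership(inventory, text):
        if name.lower() == mname.lower() and (not sep or location.lower() == mdomain.lower()):
            return True
    return False


# Constructed inventory: German-locale workstation joined to the CORP domain.
INVENTORY = [
    LocalGroup(".", "Administratoren", "Administrators",
               [(".", "Administrator", "user"),
                ("CORP", "Domain Admins", "group"),
                ("CORP", "ws-admins", "group")]),
    LocalGroup(".", "Benutzer", "Users",
               [("CORP", "Domain Users", "group")]),
    LocalGroup(".", "Remotedesktopbenutzer", "Remote Desktop Users", []),
]

if __name__ == "__main__":
    for query in ("Administrators", "name:Administrators", "name:Administratoren", "all"):
        print(query, "->", local_group_membership(INVENTORY, query))
    print(has_group_membership(INVENTORY, "corp\\Domain Admins", "Administrators"))
```

The practical lesson is in the second query: 'name:Administrators' returns nothing on this machine, while the default Well Known Name match finds the group regardless of locale or a rename, which is why the sensors default to the Well Known Name and the 'AD Query - Local Objects Potentially Renamed' sensor exists to surface the cases where the two differ.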

Parameters:

Name Help Type Default Value
Users The name of the user to test for group membership. The user may be a local account or an Active Directory account. The user may be specified in username or domain\username syntax. Multiple users may be specified when separated by a comma. Ex: user,.\localuser,corp\user. Input 'any' to test any inventoried user for membership. Text
Groups The name of the group to test for membership. The group may be a local group or an Active Directory group. The group may be specified in groupname or domain\groupname syntax. Multiple groups may be specified if separated by a comma. Ex: group,.\group,corp\group Text

Supported Platforms:

Platform Query Type
Windows VBScript