
Release Notes Active Directory Query (Version 2.3)

From Tanium Knowledge Base

Thank you for choosing Tanium. This document describes the changes between releases of Active Directory Query.

Active Directory Query 2.3

Release Date: October 9th, 2018

For more information on the contents of this solution, please see here.

New Features

  • A minimum of three hours must elapse between each execution of the Collect Active Directory Info package. If the package has already run, it will not allow itself to run again if this amount of time has not yet elapsed. This time period is controlled via the Minimum time between runs package parameter.
  • All local users are now collected into inventory.
  • All built-in groups will be collected into inventory when the Collect Active Directory Info package is run on Domain Controllers.
  • Specific users may be excluded from general inventory using the following Collect Active Directory Info package parameters:
    • User names to exclude (from inventory)
    • User SIDs to exclude (from inventory)
  • Specific users may be excluded from Primary User detection using the following Collect Active Directory Info package parameters:
    • User names to exclude (from Primary User detection)
    • User SIDs to exclude (from Primary User detection)
  • Added the following parameters to the Collect Active Directory Info package:
    • General
      • Number of user profiles
        • The number of user profiles to inventory (number > 0)
    • Inventory
      • Computer properties to include
        • Comma delimited list of computer properties to include in inventory.
      • User properties to include
        • Comma delimited list of user properties to include in inventory.
      • User SIDs to exclude
        • Comma delimited list of user SIDs which will be excluded from inventory. Valid RegEx may be specified.
      • User names to exclude
        • Comma delimited list of user names which will be excluded from inventory. Valid RegEx may be specified.
    • Primary User
      • User SIDs to exclude
        • Comma delimited list of user SIDs which will be excluded from primary user detection. Valid RegEx may be specified.
      • User names to exclude
        • Comma delimited list of user names which will be excluded from primary user detection. Valid RegEx may be specified.
  • The list of users to exclude from inventory may now be updated from the following files if they exist within the Collect Active Directory Info package or the Tools\ADQuery folder:
    • UserSIDsNoInventory.txt
    • UserNamesNoInventory.txt
  • The list of users to exclude from Primary User detection may now be updated from the following files if they exist within the Collect Active Directory Info package or the Tools\ADQuery folder:
    • UserSIDsNoPrimary.txt
    • UserNamesNoPrimary.txt
  • The Collect Active Directory Info package script has been updated to support named command line arguments (ComputerInv, UserInv, GroupInv). Backward compatibility is maintained for custom packages which use unnamed arguments. It is recommended these custom packages be updated to use the new named arguments, as support will be dropped in a future release for the unnamed arguments.
  • Added version string to the Collect Active Directory Info package script.
  • Updated the Collect Active Directory Info package script to use an LDAP query to retrieve computer and user attributes from AD.
  • The AD Query - Logged In User Details and AD Query - Primary User Details sensors have been updated to accommodate an override option which allows customers to specify the attribute to use as the source for each sensor column. These overrides are read from a file named SensorAttributeOverrides.xml if it exists in the <Tanium Client>\Tools\ADQuery folder. The format of this file is illustrated in the example below.
<Overrides>
  <PrimaryUserDetails>
    <name>displayName</name>
    <department>department</department>
    <country>co</country>
    <city>l</city>
    <email>mail</email>
    <telephoneNumber>telephoneNumber</telephoneNumber>
  </PrimaryUserDetails>
  <LoggedInUserDetails>
    <name>displayName</name>
    <department>department</department>
    <country>co</country>
    <city>l</city>
    <email>mail</email>
    <telephoneNumber>telephoneNumber</telephoneNumber>
  </LoggedInUserDetails>
</Overrides>
  • Added the ability to specify 'all' in the User parameter of the AD Query - User Attributes sensor to allow returning the value of the specified attribute from all users. This enables targeting deployments to a system which has any user who has an attribute with a specific value.
  • Added the following sensors:
    • AD Query - Computer Site Name
    • AD Query - Domain Controller
    • AD Query - Domain Controller Site Name
    • AD Query - Mismatched Site Names
    • AD Query - Last Run Status
    • AD Query - Local Objects Potentially Renamed
    • AD Query - Local Users
    • AD Query - Local User Account Control Flags

Updates

  • The Collect Active Directory Info package script now stores groups into inventory using their ‘name’ attribute. This change accommodates names with special characters.
  • The Collect Active Directory Info package script now stores users into inventory using their ‘sAMAccountName’ attribute.
  • When running the Collect Active Directory Info package script, if the number of users found on a system (all local accounts and users who have logged in using domain accounts) is greater than the count of users requested to collect into inventory, the list of users will be sorted by profile use date, and then truncated to the count of users to inventory. This will limit the inventory to only include the most recently used user profiles.
  • Updated user and group entries in the inventory to use "Local" instead of "." when indicating the object is local. This helps standardize naming conventions.
  • Local attributes which do not have a value set will be added to the inventory with a value of ‘Not Set’.
  • Attributes which have an unsupported value type will be added to the inventory with a value of ‘Value type not supported’.
  • Attributes which are an array and fail conversion will be added to the inventory with a value of ‘Value failed conversion’.
  • Minor updates to sensor descriptions and help texts.
  • Some sensors did not include the user's domain in their output. Those sensors now include the user's domain with their name in the format of domain\username.
  • Some sensors used a period (.) when indicating the local domain of a user or group. Those sensors now use Local to indicate the object’s domain in the format of Local\username or Local\groupname.
  • Removed the domain join check from the following sensors:
    • AD Query - User Attributes
    • AD Query - User Group Memberships
    • AD Query - User Has Group Membership
  • The process used to determine Primary User has been updated to perform the following steps when determining which user should be considered a Primary User:
    • The Windows Security Event Log is queried for logon events that occurred within the last 30 days. The returned data list is sorted to place users with the most logon events at the top in a descending order. The first user in the sorted data list who is included in user inventory and not excluded from Primary User detection is set as the Primary User.
    • If no Primary User was set via Event Log search, a check is performed to determine if a user is currently logged in. If a user is logged in, is included in user inventory, and not excluded from Primary User detection, it is set as the Primary User.
    • If no Primary User was set via currently logged in user detection, the inventory list of users is sorted to place users with the most recently changed profile at the top in a descending order. The first user profile that was most recently updated and which is not excluded from Primary User detection is set as the Primary User.
  • Added default output to some sensors to avoid [No Results].
  • Removed the Enable Name Translation parameter from the Collect Active Directory Info package. This parameter controlled whether the names of all user and group objects were translated to an English name associated with the object’s Well Known SID. This is no longer required, as the inventory now includes the object's current name and well known name.
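
The Primary User selection order described in the Updates list above, combined with the comma-delimited RegEx exclusion parameters, as an added Python example (not Tanium's package script). The function names, record fields, case-insensitive whole-string matching and all sample accounts and SIDs are assumptions made for illustration.

```python
import re
from collections import Counter

def parse_exclusions(param):
    """Compile a comma-delimited parameter value into regex patterns."""
    # Assumption: case-insensitive; a pattern containing a comma would be split.
    return [re.compile(p.strip(), re.IGNORECASE) for p in param.split(",") if p.strip()]

def is_excluded(user, name_pats, sid_pats):
    # Assumption: a pattern must match the whole name or SID (fullmatch).
    return (any(p.fullmatch(user["name"]) for p in name_pats)
            or any(p.fullmatch(user["sid"]) for p in sid_pats))

def primary_user(inventory, logons, logged_in, names_no_primary="", sids_no_primary=""):
    """Return (user name, deciding step) or (None, None) if nobody qualifies."""
    name_pats = parse_exclusions(names_no_primary)
    sid_pats = parse_exclusions(sids_no_primary)
    eligible = {u["name"].lower(): u for u in inventory
                if not is_excluded(u, name_pats, sid_pats)}
    # Step 1: users ranked by logon-event count (caller supplies the last 30 days).
    for name, _count in Counter(n.lower() for n in logons).most_common():
        if name in eligible:
            return eligible[name]["name"], "event-log"
    # Step 2: the currently logged-in user, if any.
    if logged_in and logged_in.lower() in eligible:
        return eligible[logged_in.lower()]["name"], "logged-in"
    # Step 3: the most recently changed profile among the remaining users.
    ranked = sorted(eligible.values(), key=lambda u: u["profile_changed"], reverse=True)
    return (ranked[0]["name"], "profile") if ranked else (None, None)

# Constructed sample data (not real accounts or SIDs).
INVENTORY = [
    {"name": "alice", "sid": "S-1-5-21-1111-2222-3333-1104", "profile_changed": "2018-10-01"},
    {"name": "svc_backup", "sid": "S-1-5-21-1111-2222-3333-1105", "profile_changed": "2018-10-08"},
    {"name": "Administrator", "sid": "S-1-5-21-1111-2222-3333-500", "profile_changed": "2018-09-01"},
]
LOGONS = ["svc_backup"] * 5 + ["alice"] * 2 + ["bob"]  # bob is not in inventory

if __name__ == "__main__":
    # The service account has the most logons but is excluded, so alice wins.
    print(primary_user(INVENTORY, LOGONS, "alice", "svc_.*", r"S-1-5-21-.*-500"))
    # No logon events and an excluded console user: fall through to profiles.
    print(primary_user(INVENTORY, [], "Administrator", "", r"S-1-5-21-.*-500"))
```

Without an exclusion for service accounts, the account with the most logon events is attributed as Primary User, which is why the exclusion lists matter for endpoints where scheduled or service logons dominate the Security Event Log.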

Bug Fixes

  • Corrected an issue within the Collect Active Directory Info package script where a query filter was incorrectly limiting the list of local groups returned from WMI.
  • Corrected an issue within the Collect Active Directory Info package script where some objects were saved to the local group inventory using the incorrect location (Local or Domain).
  • On systems running a language other than United States English, calling Now() was found to output the date and time in the system's locale format instead of the expected United States English format. The output of date stamps has been switched to use a format defined by Date() & " " & Time() instead of Now().
  • Some sensors were searching the collected inventory without accounting for case variances of attribute names. These sensors now perform a case-insensitive search.
  • The parameters of some saved questions were not adjusted when some sensor parameters changed in a previous content release. Those saved questions now use the correct parameters.
  • The Collect Active Directory Info package script no longer attempts to force attribute values to ASCII format or test if the value is ASCII. Customers who add additional attributes to the list of attributes included in the inventory should verify those attribute values are string, number, or an array of strings and numbers. Attributes having a value type other than those previously listed will be discarded.
  • The Collect Active Directory Info package script has improved handling of supported and unsupported attribute value types.

Known Issues and Workarounds

As with all content updates, it is recommended this update to AD Query be thoroughly tested in a lab environment to validate the content performs in an expected manner. Please engage your TAM if you find any issues while testing. After the content has been tested in your lab, it is recommended that it be slowly deployed in your production environment, validating its success after each deployment.

The Deploy Collect Active Directory Info scheduled action has been removed. Please delete existing scheduled actions for Collect Active Directory Info and manually create a new scheduled action with appropriate parameters that targets the Windows endpoints you need to inventory.

Product Documentation and Resources