View Other Properties

Contents

View Other Properties

How to List Users Across All Mac, Windows, and Linux Devices

Using Kolide, you can easily view and query Users across your fleet.

Introduction

Most modern operating systems (including macOS, Windows and common Linux distributions) include the concept of users. A user (account) allows an end-user to authenticate (typically login via password) to a system and access the resources to which they have adequate permission to view/modify.

Each user on a device is represented by a unique identifier (typically a UID), which allows the operating system to correlate that user with the various resources and their individual access permissions.

Each user account typically has a home directory where they can store data, which is inaccessible to other users on the device (without authentication).

Users can be part of one or many user groups which grant them additional privileges or permissions. For example on a macOS device a user may be part of the 'admin' group which allows them to perform certain actions (such as creating or deleting other user accounts, and changing system-wide settings).

What User Data Can Kolide Collect?

Kolide's endpoint agent bundles in osquery to efficiently collect Users from Mac, Windows, and Linux devices in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.

Kolide meticulously documents every piece of data returned so you can understand the results.

Users Schema

Column Type Description
id Primary Key

Unique identifier for the object

device_id Foreign Key

Device associated with the entry

device_name Text

Display name of the device associated with the entry

description Text

Optional user description

directory Text

User's home directory

failed_logins_count Bigint

The number of failed login attempts using an incorrect password. Count resets after a correct password is entered

Data only available for:

Note on data collection: On macOS this data is collected only for user accounts that are listed in the Users & Groups preference pane in the System Preferences app. On Windows this information is obtained from WMI.

gid Text

Group ID

gid_signed Bigint

User ID as int64 signed

Data only available for:
last_logged_in_at Timestamp

The time the user last logged on to the system

Data only available for:
logins_count Bigint

The number of times the account was logged in

Note on data collection: On macOS and Linux, this information is obtained via the last command's binary log and looking for entries that corresponding with login events. Since this log can be deleted, the value may occasionally reset to zero. On Windows this information is obtained from WMI.

password_expires_at Timestamp

The time the password is scheduled to expire

Data only available for:
password_last_set_at Timestamp

The time the password was last changed

Data only available for:
shell Text

User's configured default shell

type Text

Whether the account is roaming (domain), local, or a system profile

Data only available for:
uid Text

User ID

uid_signed Bigint

User ID as int64 signed

Data only available for:
user_created_at Timestamp

When the account was first created

Data only available for:

Note on data collection: On macOS this data is collected only for user accounts that are listed in the Users & Groups preference pane in the System Preferences app.

username Text

The unique username used to log in

uuid Text

User's UUID (macOS) or SID (Windows)

Data only available for:
windows_user_type Enum::Text

Type of account to which the user has privileges

Data only available for:

Can be one of the following:

  • Normal Account
  • Duplicate Account
  • Workstation Trust Account
  • Server Trust Account
  • Interdomain Trust Account
  • Unknown
collected_at Timestamp

Time the row of data was first collected in the database

updated_at Timestamp

Time the row of data was last changed in the database

What Can You Do With This Information?

Kolide enables you to write your own queries against the data the agent collects. This allows you to build your own reports and API endpoints. For example, you can:

Find devices whose password has not been reset for more than 90 days
Kolide SQL
SELECT 
  device_name, 
  username, 
  password_last_set_at,
  ROUND(EXTRACT(epoch FROM CURRENT_TIMESTAMP(0)::TIMESTAMP WITHOUT TIME ZONE - password_last_set_at)/86400) AS password_age_days
FROM device_users 
WHERE password_last_set_at IS NOT NULL
-- Specify threshold for password age
AND password_last_set_at < (NOW() - interval '90 days')
-- Omit system accounts on macOS
AND uuid NOT LIKE 'FFFFEEEE%'
Example Results
username device_name password_age_days password_last_set_at
jenkins Jenkins-MacBook-Pro 131 2022-01-15T22:11:28.000Z
corbin corbin-mbp-2 873 2020-01-04T20:21:26.000Z
ashley Ashleys-MacBook-Pro-3 160 2021-12-17T19:41:55.000Z
max-headroom Maxs-MacBook-Air 481 2021-01-30T16:56:22.000Z
enoch enoch-imac 623 2020-09-10T20:00:15.000Z
Enumerate interactive macOS user accounts
Kolide SQL
WITH
_human_users AS (
  SELECT 
    device_name, uid, username, directory, shell, uuid, d.type AS device_type
  FROM device_users du
  JOIN devices d ON du.device_id = d.id
  WHERE SUBSTR(uuid,1,7) != 'FFFFEEE' 
  AND shell != '/usr/bin/false'
  AND directory LIKE '/Users/%'
  AND d.type = 'Mac'
  GROUP BY device_name, username, uid, directory, shell, uuid, d.type
),
merge_user_data AS (
  SELECT
  device_name, uid, username, shell
  FROM _human_users)
SELECT * FROM merge_user_data;
Example Results
uid shell username device_name
501 /bin/zsh jarvis Tonys-MacBook-Pro
501 /bin/zsh dave daves-imac
501 /bin/bash alicia Alicias-MacBook-Air
501 /bin/zsh fyne balthazar
501 /bin/zsh caitlin Caitlins-MacBook-Pro
501 /bin/zsh zoomroom Conference-Room-Zoom
501 /bin/zsh chris Chris-M1

Why Should I Collect Users?

Understanding the user accounts on a device, and the level of permission which they have, is a common device compliance requirement for Security and IT teams. It is generally recommended that you do not have any more accounts with admin level privileges than absolutely necessary.

Many applications are installed on a per-user basis and it can be important to collect user information in order to correlate specific software or preferences with an individual user account.

End-User Privacy Consideration

Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.

User information may contain usernames or full names of private (non-work) accounts which are not intended to be shared with an employer. For example, if you are using a BYOD device and you keep a separate user account for contracting work for another company, you may wish not to share this information with your organization.

When you use Kolide to list User data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center which can be accessed by employees through Slack or Google Workspace account.

Share this story:

Related Device Properties:

New
Windows Update Settings
updates, operating-system, security
New
Windows Pending Updates
updates, operating-system, security
New
Mac System Extensions
operating-system, kernel, extensions, stability
View full list of Kolide's Device Properties
Try Kolide Free
Try Kolide Free