ThePirateWhoSmellsOfSunflowers
commented
2 months ago Hi!
The property member exists only for groups under CN=Builtin,CN=domain,CN=local, other groups like Domain Computers and Domain Users are usually found under CN=Users,CN=domain,CN=local and do not have this property.
No, for example, "Domain Admins" is under Users and has this attribute
$ python pywerview.py get-netgroup -u cersei.lannister -w sevenkingdoms.local -p il0vejaime -t kingslanding.sevenkingdoms.local --groupname "Domain Admins" --full-data
objectclass: top, group
cn: Domain Admins
description: Designated administrators of the domain
member: CN=robert.baratheon,OU=Crownlands,DC=sevenkingdoms,DC=local,
CN=cersei.lannister,OU=Crownlands,DC=sevenkingdoms,DC=local,
CN=Administrator,CN=Users,DC=sevenkingdoms,DC=local
distinguishedname: CN=Domain Admins,CN=Users,DC=sevenkingdoms,DC=local
[...]But, as you mentioned, members of (at least) Domain Users (RID 513), Domain Guests (RID 514), Domain Computers (RID 515) and Domain Controllers (RID 516) should be searched with their primarygroupid, you can do it with get-netuser.
This is a "known issue", already discussed here https://github.com/the-useless-one/pywerview/issues/23#issuecomment-1820991457
Closing now, please re open if needed.
:sunflower:
The property
memberexists only for groups underCN=Builtin,CN=domain,CN=local, other groups likeDomain ComputersandDomain Usersare usually found underCN=Users,CN=domain,CN=localand do not have this property. Members of these groups have a property calledprimaryGroupIDwhich matches the end of the group sid.Example: Group name: Domain Computers Group SID: S-1-5-21-3849739739-0375018374-839205837-515 Computer primaryGroupID: 515
Src: https://github.com/dirkjanm/BloodHound.py/blob/master/bloodhound/enumeration/memberships.py#L62