User

Field Type Possible Operators Description

Field	Type	Possible Operators	Description
Guid	TEXT	`LIKE`, `EQUAL`, `NOT_EQUAL`	A unique identifier that is a combination of GUID of selected `Scan` and Active Directory `ObjectGUID` of the object.
FSName	TEXT	`LIKE`, `EQUAL`, `NOT_EQUAL`	A special unique identifier that is a combination of the `SamAccountName of the object` and the `Fully Qualified Domain Name of the Domain`.
ObjectSid	TEXT	`LIKE`, `EQUAL`, `NOT_EQUAL`	Active Directory security identifier of object. (Ldap Display Name: objectSid)
Name	TEXT	`LIKE`, `EQUAL`, `NOT_EQUAL`	Name of the specified object. (Ldap Display Name: name)
IsEnabled	BOOLEAN	`N/A`	Indicates whether the user is enabled.
DistinguishedName	TEXT	`LIKE`, `EQUAL`, `NOT_EQUAL`	Active Directory distinguished name of the object. (Ldap Display Name: distinguishedName)
session_count	NUMBER	`EQUAL`, `BETWEEN`, `SMALLER`, `LARGER`, `SMALLER_EQUAL`, `LARGER_EQUAL`	Indicates that how many sessions the object has on computers.
IsPrivileged	BOOLEAN	`N/A`	Indicates that the object is Privileged.
IsAdmin	BOOLEAN	`N/A`	Indicates that the object is Admin.
WhenChanged	DATE	`SMALLER`, `LARGER`, `BETWEEN`, `EQUAL`	The date when this object was last changed. (Ldap Display Name: whenChanged)
IsProtected	BOOLEAN	`N/A`	Indicates that the object is a direct or nested member of the Protected Users group.
GivenName	TEXT	`LIKE`, `EQUAL`, `NOT_EQUAL`	Contains the given name (first name) of the user. (Ldap Display Name: givenName)
WhenCreated	DATE	`SMALLER`, `LARGER`, `BETWEEN`, `EQUAL`	The date when this object was created. (Ldap Display Name: whenCreated)
MsDSSupportedEncryptionTypes	NUMBER	`EQUAL`, `BETWEEN`, `SMALLER`, `LARGER`, `SMALLER_EQUAL`, `LARGER_EQUAL`	The encryption algorithms supported by user, computer or trust accounts. The KDC uses this information while generating a service ticket for this account. Services and Computers can automatically update this attribute on their respective accounts in Active Directory, and therefore need write access to this attribute. (LDAP Display Name: msDS-SupportedEncryptionTypes)
IsPasswordExpired	BOOLEAN	`N/A`	Indicates whether the object's password is expired and should be changed.
risk	NUMBER	`EQUAL`, `BETWEEN`, `SMALLER`, `LARGER`, `SMALLER_EQUAL`, `LARGER_EQUAL`	The risk score of the object that calculated based on vulnerability counts and severities.
UserAccountControl	NUMBER	`EQUAL`, `BETWEEN`, `SMALLER`, `LARGER`, `SMALLER_EQUAL`, `LARGER_EQUAL`	Flags that control different attributes and behavior of the objects. (Ldap Display Name: userAccountControl) (Field Reference)
AllowedtoDelegateSpn	TEXT	`LIKE`, `EQUAL`, `NOT_EQUAL`	Contains Service Principal Name definitions in the context of Constrained Delegation. (LDAP Display Name: msDS-AllowedToDelegateTo)
SAMAccountName	TEXT	`LIKE`, `EQUAL`, `NOT_EQUAL`	The logon name used to support clients and servers running earlier versions of the operating system, such as Windows NT 4.0, Windows 95, Windows 98, and LAN Manager. (Ldap Display Name: sAMAccountName)
DontReqPasswd	BOOLEAN	`N/A`	Indicates whether the object's password can be blank.
DontReqPreauth	BOOLEAN	`N/A`	Indicates whether the Kerberos Pre-Authentication mechanism was disabled for the object.
Cn	TEXT	`LIKE`, `EQUAL`, `NOT_EQUAL`	The name that represents an object. Used to perform searches. (Ldap Display Name: cn)
HasReversibleEncryption	BOOLEAN	`N/A`	Indicates whether the object is using reversible encryption instead of hash to keep credentials.
SidHistory	TEXT	`LIKE`, `EQUAL`, `NOT_EQUAL`	Contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and that new SID becomes the objectSID. The previous SID is added to the sIDHistory property. (Ldap Display Name: sIDHistory)
IsServiceUser	BOOLEAN	`N/A`	Indicates whether the object is managing services through Service Principal Name.
IsTrustAccount	BOOLEAN	`N/A`	Indicates whether the object is used to manage the related trust.
PwdLastSet	DATE	`SMALLER`, `LARGER`, `BETWEEN`, `EQUAL`	The date and time that the password for this account was last changed. If this value is set to 0 and the User-Account-Control attribute does not contain the UF_DONT_EXPIRE_PASSWD flag, then the user must set the password at the next logon. (Ldap Display Name: pwdLastSet)
Description	TEXT	`LIKE`, `EQUAL`, `NOT_EQUAL`	Description text to display for an object. (Ldap Display Name: description)
IsUsingDESAlgorithmForHashing	BOOLEAN	`N/A`	Indicates whether the object is using an insecure DES algorithm in Kerberos protocol.
AdminCount	NUMBER	`EQUAL`, `BETWEEN`, `SMALLER`, `LARGER`, `SMALLER_EQUAL`, `LARGER_EQUAL`	Indicates that a given object has had its ACLs changed to a more secure value by the system because it was a member of one of the administrative groups (directly or transitively). (Ldap Display Name: adminCount)
HasNonExpiringPassword	BOOLEAN	`N/A`	Indicates whether the object's password is set to never expire.
UserPrincipalName	TEXT	`LIKE`, `EQUAL`, `NOT_EQUAL`	Internet-style unique login name for a user based on the Internet standard RFC 822. A UPN consists of a UPN prefix (the user account name) and a UPN suffix (a DNS domain name). (Ldap Display Name: userPrincipalName)
HasLocalService	BOOLEAN	`N/A`	Indicates whether the object has managing local services (without SPN).
LastLogon	DATE	`SMALLER`, `LARGER`, `BETWEEN`, `EQUAL`	The last time the user logged on. This attribute is not replicated to other Domain Controllers. (Ldap Display Name: lastLogon)
HasUnconstrainedDelegation	BOOLEAN	`N/A`	Indicates whether the Unconstrained Delegation is activated on the object.
IsAccountLocked	BOOLEAN	`N/A`	Indicates whether the account password was locked due to multiple incorrect password attempts.
LogonCount	NUMBER	`EQUAL`, `BETWEEN`, `SMALLER`, `LARGER`, `SMALLER_EQUAL`, `LARGER_EQUAL`	The number of times the account has successfully logged on. This attribute is not replicated to other Domain Controllers. (Ldap Display Name: logonCount)
BadPwdCount	NUMBER	`EQUAL`, `BETWEEN`, `SMALLER`, `LARGER`, `SMALLER_EQUAL`, `LARGER_EQUAL`	The number of times the object tried to log on to the account using an incorrect password. (Ldap Display Name: badPwdCount)
HasConstrainedDelegation	BOOLEAN	`N/A`	Indicates whether the Constrained Delegation is activated on the object.
PasswordExpirationDate	DATE	`SMALLER`, `LARGER`, `BETWEEN`, `EQUAL`	The expiration date of the object's password.
HasResourceBasedConstrainedDelegation	BOOLEAN	`N/A`	Indicates whether the Resource Based Constrained Delegation is activated on the object.
IsStealth	BOOLEAN	`N/A`	Indicates that the object can compromise admin objects with at least one attack path.
group_delegated_localadmin_count	NUMBER	`EQUAL`, `BETWEEN`, `SMALLER`, `LARGER`, `SMALLER_EQUAL`, `LARGER_EQUAL`	Indicates that the object has group delegated local admin privilege on how many computers.
PrimaryGroupID	NUMBER	`EQUAL`, `BETWEEN`, `SMALLER`, `LARGER`, `SMALLER_EQUAL`, `LARGER_EQUAL`	Contains the relative identifier (RID) for the primary group of the object. (Ldap Display Name: primaryGroupID)
DisplayName	TEXT	`LIKE`, `EQUAL`, `NOT_EQUAL`	The display name for an object. This is usually the combination of the users first name, middle initial, and last name. (LDAP Display Name: displayName)
SAMAccountType	NUMBER	`EQUAL`, `BETWEEN`, `SMALLER`, `LARGER`, `SMALLER_EQUAL`, `LARGER_EQUAL`	Specifies the account type of the security principal objects in Active Directory. (LDAP Display Name: sAMAccountType) (Field Reference)
LastLogonTimestamp	DATE	`SMALLER`, `LARGER`, `BETWEEN`, `EQUAL`	The time that the user last logged into the domain. This attribute is replicated to other Domain Controllers but not updated until after 14 (msDS-LogonTimeSyncInterval) days. (Ldap Display Name: lastLogonTimestamp)
Sn	TEXT	`LIKE`, `EQUAL`, `NOT_EQUAL`	This attribute contains the family or last name for a user. (LDAP Display Name: Sn)
IsSensitive	BOOLEAN	`N/A`	Indicates whether the object's NOT_DELEGATED bit of UserAccountControl is set. This attribute is used to disable Kerberos delegations for objects.
first_degree_localadmin_count	NUMBER	`EQUAL`, `BETWEEN`, `SMALLER`, `LARGER`, `SMALLER_EQUAL`, `LARGER_EQUAL`	Indicates that the account has explicit local admin privilege on how many computers.
HasProtocolTransition	BOOLEAN	`N/A`	Indicates whether the Constrained Delegation with Protocol transition is activated on the object.
IsLocalAdmin	BOOLEAN	`N/A`	Indicates that the object is a member (direct or nested) of a local administrators group in at least one computer.

Guid

TEXT

LIKE, EQUAL, NOT_EQUAL

A unique identifier that is a combination of GUID of selected Scan and Active Directory ObjectGUID of the object.

FSName

TEXT

LIKE, EQUAL, NOT_EQUAL

A special unique identifier that is a combination of the SamAccountName of the object and the Fully Qualified Domain Name of the Domain.

ObjectSid

TEXT

LIKE, EQUAL, NOT_EQUAL

Active Directory security identifier of object. (Ldap Display Name: objectSid)

Name

TEXT

LIKE, EQUAL, NOT_EQUAL

Name of the specified object. (Ldap Display Name: name)

IsEnabled

BOOLEAN

N/A

Indicates whether the user is enabled.

DistinguishedName

TEXT

LIKE, EQUAL, NOT_EQUAL

Active Directory distinguished name of the object. (Ldap Display Name: distinguishedName)

session_count

NUMBER

EQUAL, BETWEEN, SMALLER, LARGER, SMALLER_EQUAL, LARGER_EQUAL

Indicates that how many sessions the object has on computers.

IsPrivileged

BOOLEAN

N/A

Indicates that the object is Privileged.

IsAdmin

BOOLEAN

N/A

Indicates that the object is Admin.

WhenChanged

DATE

SMALLER, LARGER, BETWEEN, EQUAL

The date when this object was last changed. (Ldap Display Name: whenChanged)

IsProtected

BOOLEAN

N/A

Indicates that the object is a direct or nested member of the Protected Users group.

GivenName

TEXT

LIKE, EQUAL, NOT_EQUAL

Contains the given name (first name) of the user. (Ldap Display Name: givenName)

WhenCreated

DATE

SMALLER, LARGER, BETWEEN, EQUAL

The date when this object was created. (Ldap Display Name: whenCreated)

MsDSSupportedEncryptionTypes

NUMBER

EQUAL, BETWEEN, SMALLER, LARGER, SMALLER_EQUAL, LARGER_EQUAL

The encryption algorithms supported by user, computer or trust accounts. The KDC uses this information while generating a service ticket for this account. Services and Computers can automatically update this attribute on their respective accounts in Active Directory, and therefore need write access to this attribute. (LDAP Display Name: msDS-SupportedEncryptionTypes)

IsPasswordExpired

BOOLEAN

N/A

Indicates whether the object's password is expired and should be changed.

risk

NUMBER

EQUAL, BETWEEN, SMALLER, LARGER, SMALLER_EQUAL, LARGER_EQUAL

The risk score of the object that calculated based on vulnerability counts and severities.

UserAccountControl

NUMBER

EQUAL, BETWEEN, SMALLER, LARGER, SMALLER_EQUAL, LARGER_EQUAL

Flags that control different attributes and behavior of the objects. (Ldap Display Name: userAccountControl) (Field Reference)

AllowedtoDelegateSpn

TEXT

LIKE, EQUAL, NOT_EQUAL

Contains Service Principal Name definitions in the context of Constrained Delegation. (LDAP Display Name: msDS-AllowedToDelegateTo)

SAMAccountName

TEXT

LIKE, EQUAL, NOT_EQUAL

The logon name used to support clients and servers running earlier versions of the operating system, such as Windows NT 4.0, Windows 95, Windows 98, and LAN Manager. (Ldap Display Name: sAMAccountName)

DontReqPasswd

BOOLEAN

N/A

Indicates whether the object's password can be blank.

DontReqPreauth

BOOLEAN

N/A

Indicates whether the Kerberos Pre-Authentication mechanism was disabled for the object.

TEXT

LIKE, EQUAL, NOT_EQUAL

The name that represents an object. Used to perform searches. (Ldap Display Name: cn)

HasReversibleEncryption

BOOLEAN

N/A

Indicates whether the object is using reversible encryption instead of hash to keep credentials.

SidHistory

TEXT

LIKE, EQUAL, NOT_EQUAL

Contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and that new SID becomes the objectSID. The previous SID is added to the sIDHistory property. (Ldap Display Name: sIDHistory)

IsServiceUser

BOOLEAN

N/A

Indicates whether the object is managing services through Service Principal Name.

IsTrustAccount

BOOLEAN

N/A

Indicates whether the object is used to manage the related trust.

PwdLastSet

DATE

SMALLER, LARGER, BETWEEN, EQUAL

The date and time that the password for this account was last changed. If this value is set to 0 and the User-Account-Control attribute does not contain the UF_DONT_EXPIRE_PASSWD flag, then the user must set the password at the next logon. (Ldap Display Name: pwdLastSet)

Description

TEXT

LIKE, EQUAL, NOT_EQUAL

Description text to display for an object. (Ldap Display Name: description)

IsUsingDESAlgorithmForHashing

BOOLEAN

N/A

Indicates whether the object is using an insecure DES algorithm in Kerberos protocol.

AdminCount

NUMBER

EQUAL, BETWEEN, SMALLER, LARGER, SMALLER_EQUAL, LARGER_EQUAL

Indicates that a given object has had its ACLs changed to a more secure value by the system because it was a member of one of the administrative groups (directly or transitively). (Ldap Display Name: adminCount)

HasNonExpiringPassword

BOOLEAN

N/A

Indicates whether the object's password is set to never expire.

UserPrincipalName

TEXT

LIKE, EQUAL, NOT_EQUAL

Internet-style unique login name for a user based on the Internet standard RFC 822. A UPN consists of a UPN prefix (the user account name) and a UPN suffix (a DNS domain name). (Ldap Display Name: userPrincipalName)

HasLocalService

BOOLEAN

N/A

Indicates whether the object has managing local services (without SPN).

LastLogon

DATE

SMALLER, LARGER, BETWEEN, EQUAL

The last time the user logged on. This attribute is not replicated to other Domain Controllers. (Ldap Display Name: lastLogon)

HasUnconstrainedDelegation

BOOLEAN

N/A

Indicates whether the Unconstrained Delegation is activated on the object.

IsAccountLocked

BOOLEAN

N/A

Indicates whether the account password was locked due to multiple incorrect password attempts.

LogonCount

NUMBER

EQUAL, BETWEEN, SMALLER, LARGER, SMALLER_EQUAL, LARGER_EQUAL

The number of times the account has successfully logged on. This attribute is not replicated to other Domain Controllers. (Ldap Display Name: logonCount)

BadPwdCount

NUMBER

EQUAL, BETWEEN, SMALLER, LARGER, SMALLER_EQUAL, LARGER_EQUAL

The number of times the object tried to log on to the account using an incorrect password. (Ldap Display Name: badPwdCount)

HasConstrainedDelegation

BOOLEAN

N/A

Indicates whether the Constrained Delegation is activated on the object.

PasswordExpirationDate

DATE

SMALLER, LARGER, BETWEEN, EQUAL

The expiration date of the object's password.

HasResourceBasedConstrainedDelegation

BOOLEAN

N/A

Indicates whether the Resource Based Constrained Delegation is activated on the object.

IsStealth

BOOLEAN

N/A

Indicates that the object can compromise admin objects with at least one attack path.

group_delegated_localadmin_count

NUMBER

EQUAL, BETWEEN, SMALLER, LARGER, SMALLER_EQUAL, LARGER_EQUAL

Indicates that the object has group delegated local admin privilege on how many computers.

PrimaryGroupID

NUMBER

EQUAL, BETWEEN, SMALLER, LARGER, SMALLER_EQUAL, LARGER_EQUAL

Contains the relative identifier (RID) for the primary group of the object. (Ldap Display Name: primaryGroupID)

DisplayName

TEXT

LIKE, EQUAL, NOT_EQUAL

The display name for an object. This is usually the combination of the users first name, middle initial, and last name. (LDAP Display Name: displayName)

SAMAccountType

NUMBER

EQUAL, BETWEEN, SMALLER, LARGER, SMALLER_EQUAL, LARGER_EQUAL

Specifies the account type of the security principal objects in Active Directory. (LDAP Display Name: sAMAccountType) (Field Reference)

LastLogonTimestamp

DATE

SMALLER, LARGER, BETWEEN, EQUAL

The time that the user last logged into the domain. This attribute is replicated to other Domain Controllers but not updated until after 14 (msDS-LogonTimeSyncInterval) days. (Ldap Display Name: lastLogonTimestamp)

TEXT

LIKE, EQUAL, NOT_EQUAL

This attribute contains the family or last name for a user. (LDAP Display Name: Sn)

IsSensitive

BOOLEAN

N/A

Indicates whether the object's NOT_DELEGATED bit of UserAccountControl is set. This attribute is used to disable Kerberos delegations for objects.

first_degree_localadmin_count

NUMBER

EQUAL, BETWEEN, SMALLER, LARGER, SMALLER_EQUAL, LARGER_EQUAL

Indicates that the account has explicit local admin privilege on how many computers.

HasProtocolTransition

BOOLEAN

N/A

Indicates whether the Constrained Delegation with Protocol transition is activated on the object.

IsLocalAdmin

BOOLEAN

N/A

Indicates that the object is a member (direct or nested) of a local administrators group in at least one computer.

PreviousComputer NextGroup

Last updated 1 year ago