Queried Domain Admins

I was looking at a computer and on the logs, it shows a name of a person who is not a Domain Admin but has queried Domain Admins Queried next to his name.

What does this mean?

2 Replies
Hi

It means a process running as the user ran a query against the Domain Admins group to enumerate the members of this group. Some apps do this. Is this something you would expect apps on your network to do? If so, it's likely normal. If not, it's worth looking into.

Nicholas,

Thank you for the reply. This is not normal on our network. What type of steps could you recommend to help look into this?