Hi!
What you are seeing in IT Hygiene -> Identity is Syscollector inventory data, not authentication events and not a strict local-SAM-only view. Version 4.14 introduced users/groups inventory, and the agent collects it periodically by default through Syscollector, then stores it in the wazuh-states-inventory-users-* and wazuh-states-inventory-groups-* indices. The default scan interval is 1 hour.
- The users tab = user accounts the agent found on that endpoint.
- The groups tab = groups the agent found on that endpoint.
- The fields behind that view include things like user.groups, user.last_login, user.type, and for groups, group.users, a list of users that belong to the group.
That explains your first observation: on Windows, the inventory includes local user accounts, including domain accounts that have logged on locally. So seeing users from the DC/domain that are not locally created is expected behavior for this inventory model. It is not showing only locally created accounts.
Your second observation also fits a current limitation. There is an open issue stating that local-group inventory on Windows fails to show AD principals nested in local groups, and the documented schema only exposes group.users rather than a generic "all members" field that includes nested groups/principals. That means adding a group to Administrators may not appear the way you expect in Identity.
So, you are seeing a periodic endpoint-side inventory snapshot of users and groups that Syscollector can enumerate on that host, with some Windows-specific enrichment, not a pure list of locally created users/groups and not a full effective-membership graph for local groups like Administrators.
I’ll also leave here the documentation where the available fields I mentioned are detailed.
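As an added example (not part of the post above and not Wazuh's own code), here is how a defender could diff two consecutive group-inventory snapshots to spot membership changes in sensitive local groups such as Administrators. It assumes documents shaped like the wazuh-states-inventory-groups-* records the post mentions, with the name under group.name and members under group.users; the sample snapshots are constructed.

```python
"""Diff two Syscollector group-inventory snapshots for membership changes.

Assumed document shape (not confirmed by the post): agent.id, group.name,
group.users. The two snapshots below are constructed sample data for one
Windows agent, one default scan interval (1 hour) apart.
"""
from typing import Dict, Iterable, List, Set, Tuple

SNAPSHOT_T0: List[dict] = [
    {"agent": {"id": "001"}, "group": {"name": "Administrators",
                                        "users": ["Administrator", "CORP\\it-admin"]}},
    {"agent": {"id": "001"}, "group": {"name": "Remote Desktop Users",
                                        "users": ["CORP\\helpdesk"]}},
]
SNAPSHOT_T1: List[dict] = [
    {"agent": {"id": "001"}, "group": {"name": "Administrators",
                                        "users": ["Administrator", "CORP\\it-admin",
                                                  "CORP\\svc-backup"]}},
    {"agent": {"id": "001"}, "group": {"name": "Remote Desktop Users", "users": []}},
]


def membership(docs: Iterable[dict]) -> Dict[Tuple[str, str], Set[str]]:
    """Map (agent id, group name) -> set of members listed in group.users."""
    out: Dict[Tuple[str, str], Set[str]] = {}
    for d in docs:
        key = (d["agent"]["id"], d["group"]["name"])
        out.setdefault(key, set()).update(d["group"].get("users") or [])
    return out


def diff_membership(prev: Iterable[dict], curr: Iterable[dict],
                    watch: Tuple[str, ...] = ("Administrators",)):
    """Return {(agent, group): (added, removed)} for watched groups only.

    A group absent from one snapshot counts as having no members, so a
    group that vanished reports all of its former members as removed.
    Only direct principals in group.users are compared; AD groups nested
    in a local group are not expanded by the inventory (see the post).
    """
    before, after = membership(prev), membership(curr)
    changes = {}
    for key in before.keys() | after.keys():
        if key[1] not in watch:
            continue
        added = after.get(key, set()) - before.get(key, set())
        removed = before.get(key, set()) - after.get(key, set())
        if added or removed:
            changes[key] = (sorted(added), sorted(removed))
    return changes


if __name__ == "__main__":
    for (agent, grp), (add, rem) in diff_membership(SNAPSHOT_T0, SNAPSHOT_T1).items():
        print(f"agent {agent} group {grp!r}: added={add} removed={rem}")
```

Because group.users lists only direct principals, a grant made by nesting an AD group inside Administrators would not show up in this diff, which is exactly the limitation the post describes.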