User

This article applies to BHCE and BHE

Node properties

The node supports the properties listed in the table below.

Properties which are blank/null will not be shown in the Entity Panel.

| Entity Panel name | Description |
| --- | --- |
| Tier Zero / High Value | BloodHound Enterprise: Whether the object is part of Tier Zero of Microsoft's Active Directory Tier Model, or the Control Plane of Microsoft's Enterprise Access Model. BloodHound CE: Whether the object is currently marked as High Value. By default, any object that belongs to Tier Zero is marked as High Value. |
| Display Name | The display name for the object. |
| Object ID | The object's security identifier (SID), a unique identifier in the directory. |
| ACL Inheritance Denied | Identifies whether an object is allowing ACL inheritance to itself. |
| Admin Count | Whether the object currently belongs, or possibly ever has belonged, to a certain set of highly privileged groups. For Active Directory nodes this is related to the AdminSDHolder object and the SDProp process. Read more about that here. |
| Admin Rights Count | The number of computers on which the object has been added to the local administrators group. |
| Allows Unconstrained Delegation | Whether the object is allowed to perform unconstrained Kerberos delegation. See more info about that here. |
| Created | The time when the object was created in the directory. |
| Description | The contents of the description field for the object. |
| Do Not Require Pre-Authentication | Whether the object is not required to perform Kerberos pre-authentication. Pre-authentication is also known as Kerberos ticket-granting-ticket (TGT). |
| Email | The contents of the email field for the object. |
| Enabled | Whether the computer object is enabled. |
| Last Logon | The last time the domain controller you got this data from handled a logon request for the object. Attribute 'lastlogon'. |
| Last Logon (Replicated) | The last time any domain controller handled a logon for this object. By default, the value is only updated if the latest logon is 14 days or more later than the previous value. Attribute 'lastlogontimestamp'. |
| Logonscript | The path for the user's logon script. |
| Profilepath | The path to the user's profile. |
| Sidhistory | Whether the principal has a SID History used for domain migration. |
| Owned | BloodHound Enterprise: Not applicable. BloodHound CE: Whether the object is marked as Owned, used to mark that the object has been compromised. |
| Password Last Set | The human-readable date for when the user's password last changed. This is stored internally in Unix epoch format. |
| Passwordnotreqd | Whether the UAC flag is set on the object to not require the object to have a password. Note that this does not necessarily mean the object does not have a password, just that the object is allowed to not have one. |
| Pwdneverexpires | Whether the UAC flag is set to not require the object to update its password. |
| Sensitive | Whether the UAC flag is set to disallow Kerberos delegation for this object. If this is "True", then the object cannot be abused as part of a Kerberos delegation attack. |
| Serviceprincipalnames | The list of SPNs on the object. Very useful for determining any non-default services that may be running on the computer, such as MSSQL. |
| SIDHistory | Previous SID(s) for the object. Used if the object was moved from another domain. |
| Title | The contents of the title field for the object. |
| Trustedtoauth | Whether the object is allowed to perform constrained Kerberos delegation. See more info about that here. |
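
The following added example (not BloodHound's own code) shows how the UAC-derived properties in the table map to `userAccountControl` bits, and how a defender could review a user's properties for risky settings. The lowercase property keys, the thresholds, and the sample account are assumptions made for illustration.

```python
from datetime import datetime, timezone

# userAccountControl bits (Microsoft-documented values) behind the UAC-derived properties.
# The lowercase key names are assumptions for this example, not taken from the page.
UAC_BITS = {
    "enabled": 0x0002,                   # ACCOUNTDISABLE (inverted below)
    "passwordnotreqd": 0x0020,           # PASSWD_NOTREQD
    "pwdneverexpires": 0x10000,          # DONT_EXPIRE_PASSWORD
    "unconstraineddelegation": 0x80000,  # TRUSTED_FOR_DELEGATION
    "sensitive": 0x100000,               # NOT_DELEGATED
    "dontreqpreauth": 0x400000,          # DONT_REQ_PREAUTH
    "trustedtoauth": 0x1000000,          # TRUSTED_TO_AUTH_FOR_DELEGATION
}
DAY = 86400  # seconds

def uac_to_properties(uac):
    """Decode a userAccountControl integer into the boolean node properties."""
    props = {name: bool(uac & bit) for name, bit in UAC_BITS.items()}
    props["enabled"] = not props["enabled"]  # the bit means "disabled"
    return props

def audit_user(props, now, max_pwd_age_days=365, stale_days=90):
    """Return hygiene findings for one user; timestamps are Unix epoch seconds."""
    if not props.get("enabled", True):
        return []  # disabled accounts are skipped by this check
    findings = [key for key in ("dontreqpreauth", "passwordnotreqd",
                                "unconstraineddelegation", "trustedtoauth")
                if props.get(key)]
    # Privileged account that is not protected from Kerberos delegation.
    if props.get("admincount") and not props.get("sensitive"):
        findings.append("privileged_but_delegable")
    pwd_age = now - props.get("pwdlastset", now)
    if props.get("pwdneverexpires") and pwd_age > max_pwd_age_days * DAY:
        findings.append("old_nonexpiring_password")
    # lastlogontimestamp can lag the real logon by up to 14 days, so widen the window.
    if now - props.get("lastlogontimestamp", now) > (stale_days + 14) * DAY:
        findings.append("stale_account")
    return findings

# Constructed sample: NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH
NOW = int(datetime(2024, 6, 1, tzinfo=timezone.utc).timestamp())
svc = {**uac_to_properties(0x410200), "admincount": True,
       "pwdlastset": NOW - 800 * DAY, "lastlogontimestamp": NOW - 3 * DAY}

if __name__ == "__main__":
    print(audit_user(svc, NOW))
```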
