Hi,
I’ve observed a discrepancy between the number of users shown in AD_Miner’s General Overview and the actual number of users in the BloodHound dataset.
BloodHound total users: 132
AD_Miner "Users" (General Overview): 17
After reviewing the execution logs, I noticed the following:
[74/160] Requesting : Number of domain accounts enabled
[-] Done in 0.00 s - 17 objects
This exactly matches the "Users" value shown in the General Overview.
Issue
This suggests that the "Users" metric in the overview is actually:
Number of enabled domain accounts
rather than:
Total number of user objects in the domain
Other metrics in the same overview (e.g., Domain Controllers, Groups, Computers) appear to represent full counts.
Additionally, this count seems incomplete, as there are more enabled users in the BloodHound dataset than the 17 reported here.
Questions
Is the "Users" value in the General Overview intentionally based on the "enabled domain accounts" query?
If so, what exact filtering criteria are applied?
Why does this number not match the actual count of enabled users in BloodHound?
Suggestion
To avoid confusion, it might help to:
Rename the metric to something like "Enabled Users (filtered)"
Or clarify in the documentation/UI what this number represents
Or provide both:
Total users
Enabled users
Additional context
The logs clearly show that the value comes from:
Requesting : Number of domain accounts enabled
which strongly suggests this is not a full user count but a filtered subset.
Thanks for your work — AD_Miner is very useful, and clarifying this would make interpretation much easier.
Hi,
I’ve observed a discrepancy between the number of users shown in AD_Miner’s General Overview and the actual number of users in the BloodHound dataset.
BloodHound total users: 132
AD_Miner "Users" (General Overview): 17
After reviewing the execution logs, I noticed the following:
[74/160] Requesting : Number of domain accounts enabled
[-] Done in 0.00 s - 17 objects
This exactly matches the "Users" value shown in the General Overview.
Issue
This suggests that the "Users" metric in the overview is actually:
Number of enabled domain accounts
rather than:
Total number of user objects in the domain
Other metrics in the same overview (e.g., Domain Controllers, Groups, Computers) appear to represent full counts.
Additionally, this count seems incomplete, as there are more enabled users in the BloodHound dataset than the 17 reported here.
Questions
Is the "Users" value in the General Overview intentionally based on the "enabled domain accounts" query?
If so, what exact filtering criteria are applied?
Why does this number not match the actual count of enabled users in BloodHound?
Suggestion
To avoid confusion, it might help to:
Rename the metric to something like "Enabled Users (filtered)"
Or clarify in the documentation/UI what this number represents
Or provide both:
Total users
Enabled users
Additional context
The logs clearly show that the value comes from:
Requesting : Number of domain accounts enabled
which strongly suggests this is not a full user count but a filtered subset.
Thanks for your work — AD_Miner is very useful, and clarifying this would make interpretation much easier.