The FNMS beacon calls ActiveDirectoryImport.exe which uses a Windows system API for querying AD. It first obtains a list of all the organizational units (OU). The specific search for each OU to obtain users is then:
with the query results returned being "cn", "distinguishedName", "sAMAccountName", "mail", "objectGUID", "objectSid", "userAccountControl".
It then checks that each record has at least a cn, distinguishedName and userAccountControl. In addition it also checks that the name is not a conflict by ensuring that the distinguishedName does not include a "CNF:".
Finally, there is a check to make sure that the user is not a duplicate or a trust account and that they are a normal account.
The following checks could be made for users that may be missing from a .actdir file:
1. Is the OU for the user being reported. If not, then all the users in that OU will not be reported. Are the missing users non-normal accounts, trust accounts or duplicate accounts.
2. If the OU is missing, we could investigate that further.