At least the number of people who could do this is very limited and hopefully trusted. If you ask each of them if they did it and someone doesn't admit to it, there is obviously an issue. It could have happened in a demotion too and possibly an admin didn't notice it. Was the previous role holder demoted?

joe
________________________________
From: [EMAIL PROTECTED] on behalf of Bernard, Aric
Sent: Mon 9/26/2005 7:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain-wide operations masters change

Are you asking if there is a way to do this without using the event logs? The only option I can think of is gathering all of the persons with permissions and beating them about the head until somebody confesses. Come to think of it, that could generate some false positives. :-)

If you have access to the logs and need to narrow down the time in which the change occurred, you can look at the whenChanged attribute (in GMT) for the following objects:

CN=RID Manager$,CN=System,DC=YourDomain,DC=YourDomainSuffix
CN=Infrastructure,DC=YourDomain,DC=YourDomainSuffix

The PDC role is defined in an attribute fSMORoleOwner on the domain head object for the domain in question. Determining when this attribute was changed would have to be done with repadmin or another utility (as opposed to ADSIEdit, which can give you the information on the other two).

I believe that event ID 1458 is what you need to look for in the Application log on either (or both) the system that originally held the role and the one that requested the transfer. The user that requested the transfer should be identified.

If you do not have access to the logs, I suggest that you discuss changing your log retention policies by either keeping more information "live" on the DC or by archiving old information on a regular basis. Another option would be to implement some sort of log collection system.

HTH
Aric

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, September 26, 2005 2:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain-wide operations masters change

Know of an easy way to find out who?

I'm assuming auditing, but our security logs are unwieldy and if it happened over a couple of days ago, well, you know how that goes.

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Monday, September 26, 2005 3:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain-wide operations masters change

No automatic change mechanism for OM roles. Someone did it. :-)

Regards,
Aric

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, September 26, 2005 1:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain-wide operations masters change

I just noticed our domain-wide operations masters levels all changed. We've had the same pdc/rid/infrastructure master for years, and suddenly it's on a different domain controller. Is there any way this could have changed automatically? Or did a domain admin have to physically make this change?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
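The three checks Aric describes (whenChanged on the RID Manager$ and Infrastructure objects, the replication metadata of fSMORoleOwner on the domain head, and event ID 1458 on the DCs involved) can be run from one script with the ActiveDirectory PowerShell module. This is an added example for this thread, not code from any of the posters; it assumes the module is installed, that the account running it can read the domain naming context and the event logs on the DCs, and that the domain and DC names are discovered at run time rather than hard-coded. The log name for event 1458 is taken from the reply above; adjust it to wherever your DCs record NTDS events.

```powershell
# Added example: locate when (and from where) the domain-wide FSMO roles moved.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$dc       = (Get-ADDomainController).HostName   # any reachable DC for the queries

# 1. RID and Infrastructure role holders live on well-known objects whose
#    whenChanged (reported in UTC) moves when the role is transferred or seized.
$roleObjects = @(
    "CN=RID Manager$,CN=System,$domainDN",
    "CN=Infrastructure,$domainDN"
)
$whenChanged = foreach ($dn in $roleObjects) {
    Get-ADObject -Identity $dn -Server $dc -Properties whenChanged, fSMORoleOwner |
        Select-Object DistinguishedName, whenChanged, fSMORoleOwner
}

# 2. The PDC role is recorded as fSMORoleOwner on the domain head itself.
#    whenChanged there is noisy (the domain head is touched often), so read
#    the per-attribute replication metadata instead; it records the
#    originating DC and time of the last write to fSMORoleOwner.
$pdcMeta = Get-ADReplicationAttributeMetadata -Object $domainDN -Server $dc |
    Where-Object { $_.AttributeName -eq 'fSMORoleOwner' } |
    Select-Object AttributeName, LastOriginatingChangeTime,
                  LastOriginatingChangeDirectoryServerIdentity, Version

# Same metadata for the other two role objects, so all three are comparable.
$otherMeta = foreach ($dn in $roleObjects) {
    Get-ADReplicationAttributeMetadata -Object $dn -Server $dc |
        Where-Object { $_.AttributeName -eq 'fSMORoleOwner' } |
        Select-Object @{n='Object';e={$dn}}, LastOriginatingChangeTime,
                      LastOriginatingChangeDirectoryServerIdentity, Version
}

# 3. Event 1458 on each DC: narrow the search window to the earliest
#    originating change found above, minus a small margin for clock skew.
$earliest = ($pdcMeta.LastOriginatingChangeTime, $otherMeta.LastOriginatingChangeTime |
    Sort-Object | Select-Object -First 1).AddHours(-1)

$events = foreach ($host in (Get-ADDomainController -Filter *).HostName) {
    # Log name as stated in the reply above; some environments log NTDS
    # events elsewhere, so change 'Application' if nothing comes back.
    Get-WinEvent -ComputerName $host -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Application'
        Id        = 1458
        StartTime = $earliest
    } | Select-Object MachineName, TimeCreated, Id, Message
}

"== whenChanged on role objects (UTC) =="; $whenChanged | Format-Table -AutoSize
"== fSMORoleOwner metadata, domain head (PDC) =="; $pdcMeta | Format-List
"== fSMORoleOwner metadata, RID/Infrastructure =="; $otherMeta | Format-Table -AutoSize
"== Event 1458 since $earliest =="; $events | Format-List
```

The replication metadata is the more useful of the three sources: it survives much longer than event logs with a short retention window, and the originating DC it names is where the transfer request was processed, which is the machine whose logs (if still present) identify the user. Treat a Version of 1 with a recent LastOriginatingChangeTime on a role object as worth a second look, since it can indicate the object was recreated rather than simply updated.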