Hi Michael

If you have Account Management auditing enabled you should see 624 events that show the account used to create new accounts. Here's an example.

***
Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 624
Date: 1/12/2006
Time: 2:48:41 p.m.
User: DEV\su-141820
Computer: ADC01
Description:
User Account Created:
    New Account Name: jamesb
    New Domain: DEV
    New Account ID: DEV\jamesb
    Caller User Name: su-141820
    Caller Domain: DEV
    Caller Logon ID: (0x0,0x72DE0)
    Privileges -
Attributes:
    Sam Account Name: jamesb
    Display Name: James Blench
    User Principal Name: [EMAIL PROTECTED]
    Home Directory: -
    Home Drive: -
    Script Path: -
    Profile Path: -
    User Workstations: -
    Password Last Set: <never>
    Account Expires: <never>
    Primary Group ID: 513
    AllowedToDelegateTo: -
    Old UAC Value: 0x0
    New UAC Value: 0x15
    User Account Control:
        Account Disabled
        'Password Not Required' - Enabled
        'Normal Account' - Enabled
    User Parameters: -
    Sid History: -
    Logon Hours: <value not set>

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
***

The name of the account used to create the new user is shown in the Caller User Name field (in this case su-141820, which is a member of Domain Admins).

Tony

---------- Original Message ----------------------------------
From: "Thommes, Michael M." <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date: Thu, 30 Nov 2006 18:33:22 -0600

I wonder if someone could explain to me (or point me at some reference) about what mechanism is used to populate the information in a Windows event log entry. The reason why I ask is that I see in the Security log when a new user account is created by an account which is a member of the Domain Admins group, the _OBJECT_OWNER=XYZ\Domain Admins, not XYZ\adminacct1. If it is created by an account that is a member of the Account Operators group, then _OBJECT_OWNER=XYZ\operacct1, not XYZ\Account Operators. This makes auditing somewhat less worthwhile. Is this design on purpose or a deficiency?

Any help is appreciated. Thanks!

Mike Thommes
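
Added example (not part of the original thread and not code from either poster): a small parser that pulls the Caller User Name and Caller Domain out of an event 624 description and groups created accounts by the account that created them. The function names and the XYZ\jdoe event are constructed for illustration; the first sample is the description quoted in the reply above.

```python
import re
from collections import defaultdict

# Field labels as they appear in the event 624 description quoted above.
FIELDS = ["New Account Name", "New Domain", "New Account ID",
          "Caller User Name", "Caller Domain", "Caller Logon ID"]
# Split on "<label>:"; the bare word "Privileges" ends the caller block.
_SPLIT = re.compile(r"\b(%s):|\bPrivileges\b" % "|".join(map(re.escape, FIELDS)))

def parse_624(description):
    """Return {label: value} for the new-account and caller fields.
    Splitting on known labels instead of line breaks means the same code
    handles the Event Viewer layout and text flattened onto one line."""
    parts = _SPLIT.split(description)
    # parts = [preamble, label, value, label, value, ..., None, remainder]
    return {label: value.strip()
            for label, value in zip(parts[1::2], parts[2::2])
            if label is not None}

def creator_and_account(description):
    """Return (DOMAIN\\caller, DOMAIN\\new account) for one 624 event."""
    f = parse_624(description)
    caller = "%s\\%s" % (f["Caller Domain"], f["Caller User Name"])
    return caller, f["New Account ID"]

def accounts_by_creator(descriptions):
    """Group created accounts under the account that created them."""
    grouped = defaultdict(list)
    for text in descriptions:
        caller, created = creator_and_account(text)
        grouped[caller].append(created)
    return dict(grouped)

# The description from the message above, as flattened in the archive.
SAMPLE_FLAT = (r"User Account Created: New Account Name: jamesb New Domain: DEV "
               r"New Account ID: DEV\jamesb Caller User Name: su-141820 "
               r"Caller Domain: DEV Caller Logon ID: (0x0,0x72DE0) Privileges - "
               r"Attributes: Sam Account Name: jamesb Display Name: James Blench")
# Constructed sample in line-per-field layout (names are made up).
SAMPLE_LINES = r"""User Account Created:
    New Account Name: jdoe
    New Domain: XYZ
    New Account ID: XYZ\jdoe
    Caller User Name: operacct1
    Caller Domain: XYZ
    Caller Logon ID: (0x0,0x1A2B3)
    Privileges -"""
```

Calling accounts_by_creator() on a list of exported 624 descriptions gives a per-caller list of the accounts each one created.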