Nope, it's not a typo. Note the difference between *owner* and *creator*.
When a user who is a member of the Domain Admins group creates an object, by
default the DA group is the *owner* of the object. However, what is logged in
the audit (security event) log does list the specific account that was used to
*create* the object.
 
As far as changing the behavior for #2, there is a group policy setting
"System Objects: Default owner for objects created by members of the
Administrators group"  in the Computer Configuration\Windows Settings\Local
Policies\Security Options section of group policy. That setting can be set
to "Administrators group" or to "Object creator". That may be what you're
thinking of. That setting, however, refers to system objects (thus the
"system objects" predicate. :-) ) You may also be thinking of the ability in
the property sheets for any object to set the owner of DA-owned objects to
either a specific DA account or to the group. 
 
I don't remember you misreading one of my posts; you must have a much better
memory than I do. Then again, I usually can't remember what I ate for
breakfast. :-)
 
Laura
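As an added example (not from any message in this thread), the PowerShell below shows the owner/creator distinction Laura describes on a live domain: it reads the *owner* from the object's security descriptor, reads the *creator* from the Security log event for the account's creation, and checks how the "System objects: Default owner" setting is persisted on the DC. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the PDC emulator's Security log; the account name 'testuser1' is a placeholder.

```powershell
# Added example, not from any message in this thread. Assumes RSAT's
# ActiveDirectory module on a domain-joined host with read access to the
# Security log of the PDC emulator; 'testuser1' is a placeholder account.
Import-Module ActiveDirectory

$sam  = 'testuser1'                                  # placeholder: account to inspect
$user = Get-ADUser -Identity $sam -Properties nTSecurityDescriptor, whenCreated
$dc   = (Get-ADDomain).PDCEmulator                   # DC whose Security log we read

# 1. *Owner*: taken from the object's security descriptor. For an object created
#    by a Domain Admin this is DOMAIN\Domain Admins by default, as the thread says.
$owner = $user.nTSecurityDescriptor.GetOwner([System.Security.Principal.NTAccount])
"Owner   : {0}" -f $owner.Value

# 2. *Creator*: taken from the audit trail. Event 4720 ("A user account was
#    created"; 624 on Windows Server 2003) carries the acting account in
#    SubjectUserName and the new account in TargetUserName.
$filter = @{ LogName = 'Security'; Id = 4720; StartTime = $user.whenCreated.AddMinutes(-10) }
Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['TargetUserName'] -eq $sam) {
            "Creator : {0}\{1}  ({2})" -f $d['SubjectDomainName'], $d['SubjectUserName'], $_.TimeCreated
        }
    }

# 3. The Security Options setting Laura names is persisted as the LSA value
#    NoDefaultAdminOwner: 0 (or absent) = Administrators group, 1 = Object creator.
$lsa = Invoke-Command -ComputerName $dc -ScriptBlock {
    Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name NoDefaultAdminOwner -ErrorAction SilentlyContinue
}
$mode = if ($lsa.NoDefaultAdminOwner -eq 1) { 'Object creator' } else { 'Administrators group' }
"Default owner for admin-created objects: {0}" -f $mode
```

Run it as an account that can read the DC's Security log. The point of step 2 is the one Laura makes: even when the owner reads as Domain Admins, the Subject fields of the creation event still name the individual account, so auditing should key on the event, not on the object's owner.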


   _____  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Thursday, November 30, 2006 10:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log entry?


Hi Laura,
 
    I know I misread one of your posts once before, so I'm sorry in advance
if I'm doing it again (!), but aren't you making a conflicting statement in
nos. 2 & 3 below?  Or is #3 supposed to say "that is NOT a member of Domain
Admins..." ?
 
    Also, is there a mechanism of some sort which changes the behavior in #2
such that the actual account used would become the object's owner (rather
than DAs group)?  I remember reading something like this once, but I could
be thinking of something else way off base :-(
 
    In any case, I completely agree that delegating the creation right is
the [way!] better option here!
 
Thanks as always,
DaveC


   _____  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, November 30, 2006 9:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log entry?


1. This is one of the eight gazillion reasons to discourage the use of
accounts that are Domain Admins for routine purposes that can be achieved
without that level of rights.
2. By default, when a member of the Domain Admins group creates an object in
the directory, the Domain Admins group becomes the owner of the object. That
is by design. 
3. When I create an object with an account that is a member of Domain
Admins, the creator of the object shows as that account, not as Domain
Admins. Why aren't you just looking at that value in the event logs, rather
than looking at the ownership of the object? That's why auditing allows
tracking of who creates/modifies/deletes directory objects.
 
Laura


   _____  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, November 30, 2006 7:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dynamic variables within an event log entry?



I wonder if someone could explain to me (or point me at some reference)
about what mechanism is used to populate the information in a Windows event
log entry.  The reason why I ask is that I see in the Security log when a
new user account is created by an account which is a member of the Domain
Admins group, the _OBJECT_OWNER=XYZ\Domain Admins , not XYZ\adminacct1 .  If
it is created by an account that is a member of the Account Operators group,
then _OBJECT_OWNER=XYZ\operacct1, not XYZ\Account Operators .

 

This makes auditing somewhat less worthwhile.  Is this design on purpose or
a deficiency?  Any help is appreciated.  Thanks!

 

Mike Thommes















 
