Hi Laura,

    (Brian's answer came in after I sent my email out.)  The problem
with using adfind (in my experience) is that the creator (Caller User
Name) is not part of the AD object's attributes, only the owner, which
will be "Domain Admins" for accounts created by members of Domain Admins
(as you pointed out).  I would like my daily report to contain the
actual name (samaccountname) that created the account.  Maybe the only
way I can create the report I am looking for (account name, DN, when
created, and creator name) is to collect eventid 624 records and filter
them on creation date.  However, I am still looking for suggestions.
Thanks.

 

Mike Thommes
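
The report described in the message above, built from event 624 records and filtered to the previous 24 hours, as an added example that is not part of the original thread. The export layout (Time/EventID header lines, blank-line separators), the sample records and the function name created_accounts are assumptions; the sample records carry no DN, so that column is left out.

```python
import re
from datetime import datetime, timedelta

# Constructed sample export. Field labels follow the Windows 2000/2003
# event 624 description; the "Time:"/"EventID:" header lines and the
# blank-line record separator are an assumed layout for this example.
SAMPLE_EXPORT = """\
Time: 2006-11-30 09:15:02
EventID: 624
User Account Created:
    New Account Name: jdoe
    New Domain: XYZ
    New Account ID: XYZ\\jdoe
    Caller User Name: adminacct1
    Caller Domain: XYZ
    Caller Logon ID: (0x0,0x1A2B3C)

Time: 2006-11-30 14:40:11
EventID: 642
User Account Changed:
    Target Account Name: jdoe
    Caller User Name: operacct1
    Caller Domain: XYZ

Time: 2006-11-28 08:00:00
EventID: 624
User Account Created:
    New Account Name: oldtemp
    New Domain: XYZ
    Caller User Name: operacct1
    Caller Domain: XYZ
"""

FIELD = re.compile(r"^[ \t]*([^:\n]+?):[ \t]*(.*)$", re.M)

def created_accounts(text, now, window=timedelta(hours=24)):
    """Return one row per event 624 logged within `window` before `now`."""
    rows = []
    for block in re.split(r"\n\s*\n", text.strip()):
        f = {k.strip(): v.strip() for k, v in FIELD.findall(block)}
        if f.get("EventID") != "624" or "Caller User Name" not in f:
            continue  # other event IDs, or a record missing the creator
        when = datetime.strptime(f["Time"], "%Y-%m-%d %H:%M:%S")
        if now - window <= when <= now:
            rows.append({
                "account": "\\".join((f["New Domain"], f["New Account Name"])),
                "creator": "\\".join((f["Caller Domain"], f["Caller User Name"])),
                "created": when,
            })
    return rows
```

The creator column comes from the "Caller User Name" field of the event, so it shows the individual account even when the object's owner is the Domain Admins group.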

 

________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Thursday, November 30, 2006 11:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log entry?

 

Okay, the below totally cracked me up. :-) Brian gave you the ADFind
answer, but I guess I would also ask in what format you need to retrieve
this information and whether or not you're plugging it into something.
I'm not sure that last sentence even made sense, sorry. I'm sleep
deprived. 

 

Laura

         

        
________________________________


        From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
        Sent: Thursday, November 30, 2006 10:40 PM
        To: ActiveDir@mail.activedir.org
        Subject: RE: [ActiveDir] dynamic variables within an event log
entry?

        Tony and Laura,

           Thanks for the replies!  Actually, I am already trapping
eventid 624 and I see the "Caller User Name:" entry with the right
value.  Where I got confused was when I built a daily job using adfind
(with the -owner switch) to produce a list of users created during the
previous 24 hours.  Laura's #2 answer explains why I see what I do for
accounts created by members of the "Domain Admins".  Her #1 answer is
going to make me rethink how we do some of the account creations.  Her
#3 answer begs the question of how would I construct a query to produce
new accounts created over a 24 hour period?  Adfind was the first (and
maybe only) tool that popped into my head to do this.  Other
suggestions?  Thanks!

         

        Mike Thommes

        
________________________________


        From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
        Sent: Thursday, November 30, 2006 8:22 PM
        To: ActiveDir@mail.activedir.org
        Subject: RE: [ActiveDir] dynamic variables within an event log
entry?

         

        1. This is one of the eight gazillion reasons to discourage the
use of accounts that are Domain Admins for routine purposes that can be
achieved without that level of rights.

        2. By default, when a member of the Domain Admins group creates
an object in the directory, the Domain Admins group becomes the owner of
the object. That is by design. 

        3. When I create an object with an account that is a member of
Domain Admins, the creator of the object shows as that account, not as
Domain Admins. Why aren't you just looking at that value in the event
logs, rather than looking at the ownership of the object? That's why
auditing allows tracking of who creates/modifies/deletes directory
objects.

         

        Laura

         

                
________________________________


                From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
                Sent: Thursday, November 30, 2006 7:33 PM
                To: ActiveDir@mail.activedir.org
                Subject: [ActiveDir] dynamic variables within an event
log entry?

                I wonder if someone could explain to me (or point me at
some reference) about what mechanism is used to populate the information
in a Windows event log entry.  The reason why I ask is that I see in the
Security log when a new user account is created by an account which is a
member of the Domain Admins group, the _OBJECT_OWNER=XYZ\Domain Admins ,
not XYZ\adminacct1 .  If it is created by an account that is a member of
the Account Operators group, then _OBJECT_OWNER=XYZ\operacct1, not
XYZ\Account Operators .

                 

                This makes auditing somewhat less worthwhile.  Is this
design on purpose or a deficiency?  Any help is appreciated.  Thanks!

                 

                Mike Thommes

                 

                --
                No virus found in this incoming message.
                Checked by AVG Free Edition.
                Version: 7.5.430 / Virus Database: 268.15.2/559 -
Release Date: 11/30/2006 5:07 AM

         
