Title: Message
This is an example of why it would be nice if the object GUID of the security principal that performed the write was included in the metadata for the modified object.  I mentioned this to one of the AD developers during the MEC AD Community session, and he said he would take it back to the AD team.
 
On a related note, if the object GUID of the writer was included in the metadata, then all that would be needed to have a complete change log history of objects stored in the metadata would be the before and after values of modified attributes.  Granted, this could greatly increase the size of the DIT, especially over time, but I think it would be cool to have as an option ;-)  And yes some of this can be done with the dirsync control and change notifications, but it would be nice if it was stored directly in AD.
 
Robbie Allen
-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 11, 2002 3:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP Display Name for Security Properties

Rick,
 
Unfortunately, if we are talking about the same dialog box with the ACL and the ACEs (in advanced view), these are Security Principals with permissions that they have on this object.
 
It's likely that one of these objects DID join it to the domain, but if it was the Domain Administrators group, and there are 5 members, which member performed the join of the computer?
 
Maybe someone else can provide better or more complete information, but I don't believe that there is any information that will tell you which Security Principal actually joined a computer to the domain.  This is even compounded further by the fact that BY DEFAULT any user can join up to 10 machines to the domain, IIRC.
 
Now, the problem gets even more difficult to track.  Auditing is the only way to confirm who did what - but that, again, assumes that auditing was on, configured, and the logs are available.
 

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jones, Rick J.(Desktop Engineering)
Sent: Monday, November 11, 2002 1:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP Display Name for Security Properties

Anyone know the LDAP Display Name for the security properties on a Computer Account?

When I open Active Directory Computers and Users and right click on a computer account, click on security (with advanced options turned on) I get a list of accounts.

One of those is the account name that was used to join the computer to the domain (I believe). What I need to do is be able to query that information so we can find out who joined these computers to the domain.

Rick J. Jones
