Cool, thanks Steve. I wasn't even aware that was hiding out there in the policies. This functionality should have been available a while ago; the field for specifying it has been in the token for a long, long time (Owner field of _TOKEN_OWNER struct). I had played with adjusting that before, but it would only impact the local system since a new token would be generated when accessing remote resources on the remote resource. It appears this only applies to K3 and XP, which would seem accurate. I also assume it means changing the policy for any machine you want this functionality on, say for instance the DC policy for only on DCs and other policies, say the domain policy, if you want it on all machines?

Note that Technet seems to have a documentation issue here, I looked it up at "http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/094905e1-bfc8-4c9b-990a-6a7353d1950b.mspx" and it says the permission is for determining which users and groups have the authority to run volume maintenance tasks.

Do you happen to have a setting laying about that lets you specify anything created should have a c/o of administrators? Primarily I see the benefit here in AD versus the file system. Quite a few customers I know of are manually scanning for and setting administrators because they don't want people to have c/o rights over objects.

Thanks,

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Patrick
Sent: Sunday, July 24, 2005 2:12 AM
To: [email protected]
Subject: Re: [ActiveDir] How to find creator of computer account?

You may want to test setting this policy on the DC's

Computer Configuration \ Windows Settings \ Local Policies \ Security Option
-> System Objects: Default owner for objects created by members of the Administrators group

OPTIONS:
Object Creator
Administrators group

You'll want "object creator" set.

steve

----- Original Message -----
From: "Thommes, Michael M." <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Friday, July 22, 2005 12:13 PM
Subject: RE: [ActiveDir] How to find creator of computer account?

Thanks Jorge (and joe)! Unfortunately, that is what I am seeing - "domain admins" is the owner. I was hoping for a more specific userid which I guess we could get if we provision the ability to join computers to the domain differently than we do now.

-mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Friday, July 22, 2005 11:34 AM
To: [email protected]; [email protected]
Subject: RE: [ActiveDir] How to find creator of computer account?

If you have delegated the creation of computer accounts, look at the owner of the computer account. When an object is created, the user who creates it automagically becomes the owner of it. If I'm correct this, however, does not apply for members of the administrators, domain admins and enterprise admins groups. Then the owner will be the administrators group.

Cheers,
#JORGE#

________________________________

From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
Sent: Fri 7/22/2005 6:31 PM
To: [email protected]
Subject: [ActiveDir] How to find creator of computer account?

Is there any way to find the creator of a computer account other than looking at the security log events written to the DCs when the computer join takes place? With ADSIEdit I can see the creation date of the account, but no information on the creator name or SID. Maybe it is buried in there and I just can't see it? TIA!

Mike Thommes

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
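
Added example, not part of the original thread or any poster's code: the owner lookup discussed above, done on the raw bytes of a self-relative security descriptor (the binary form of an object's nTSecurityDescriptor), reporting whether the owner names one principal or only an admin group. The DNs, the domain SID, the sample descriptors and all helper names are constructed for illustration.

```python
import struct

# Well-known RIDs of the groups that, per the thread, replace the creator as owner.
GROUP_OWNER_RIDS = {512: "Domain Admins", 519: "Enterprise Admins"}
BUILTIN_ADMINS = "S-1-5-32-544"

def parse_sid(buf, off):
    """Decode the binary SID at buf[off] into its S-1-... string form."""
    rev, count = struct.unpack_from("<BB", buf, off)
    if rev != 1 or count > 15 or off + 8 + 4 * count > len(buf):
        raise ValueError("malformed or truncated SID")
    authority = int.from_bytes(buf[off + 2:off + 8], "big")  # 6 bytes, big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)  # little-endian DWORDs
    return "-".join(["S", str(rev), str(authority), *map(str, subs)])

def owner_sid(sd):
    """Return the owner SID of a self-relative security descriptor, or None."""
    if len(sd) < 20:
        raise ValueError("security descriptor too short")
    rev, _sbz1, control, off_owner = struct.unpack_from("<BBHI", sd, 0)
    if rev != 1 or not control & 0x8000:  # 0x8000 = SE_SELF_RELATIVE
        raise ValueError("not a self-relative security descriptor")
    return parse_sid(sd, off_owner) if off_owner else None

def classify_owner(sid):
    """Say whether the owner identifies one principal or only an admin group."""
    if sid is None:
        return "no owner"
    if sid == BUILTIN_ADMINS:
        return "group: BUILTIN\\Administrators"
    rid = int(sid.rsplit("-", 1)[1])
    if sid.startswith("S-1-5-21-") and rid in GROUP_OWNER_RIDS:
        return "group: " + GROUP_OWNER_RIDS[rid]
    return "principal"

def build_sd(sid):
    """Constructed test data: a minimal self-relative SD holding only an owner."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    raw = struct.pack("<BB", 1, len(subs)) + int(parts[2]).to_bytes(6, "big")
    raw += struct.pack("<%dI" % len(subs), *subs)
    return struct.pack("<BBHIIII", 1, 0, 0x8000, 20, 0, 0, 0) + raw

# Constructed samples: one owned by a delegated account, one by Domain Admins.
SAMPLES = {
    "CN=PC01": build_sd("S-1-5-21-1111111111-2222222222-3333333333-1105"),
    "CN=PC02": build_sd("S-1-5-21-1111111111-2222222222-3333333333-512"),
}

def audit(samples):
    return {dn: classify_owner(owner_sid(sd)) for dn, sd in samples.items()}
```
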
