Hi Joe

> assume it means
> changing the policy for any machine you want this functionality on, say for
> instance the DC policy for only on DCs and other policies say the domain
> policy if you want it on all machines?

Yes.

> Do you happen to have a setting laying about that lets you specify anything
> created should have a c/o of administrators?

Afraid not - I don't think such a beast exists...

steve

----- Original Message -----
From: "joe" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Sunday, July 24, 2005 8:47 AM
Subject: RE: [ActiveDir] How to find creator of computer account?

> Cool thanks Steve, I wasn't even aware that was hiding out there in the
> policies. This functionality should have been available a while ago, the
> field for specifying it has been in the token for a long long time (Owner
> field of _TOKEN_OWNER struct). I had played with adjusting that before but
> it would only impact the local system since a new token would be generated
> when accessing remote resources on the remote resource. It appears this only
> applies to K3 and XP which would seem accurate, I also assume it means
> changing the policy for any machine you want this functionality on, say for
> instance the DC policy for only on DCs and other policies say the domain
> policy if you want it on all machines?
>
> Note that Technet seems to have a documentation issue here, I looked it up
> at
> "http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/094905e1-bfc8-4c9b-990a-6a7353d1950b.mspx"
> and it says the permission
> is for determining which users and groups have the authority to run volume
> maintenance tasks.
>
> Do you happen to have a setting laying about that lets you specify anything
> created should have a c/o of administrators? Primarily I see the benefit
> here in AD versus the file system. Quite a few customers I know of are
> manually scanning for and setting administrators because they don't want
> people to have c/o rights over objects.
>
> Thanks, joe
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Steve Patrick
> Sent: Sunday, July 24, 2005 2:12 AM
> To: [email protected]
> Subject: Re: [ActiveDir] How to find creator of computer account?
>
> You may want to test setting this policy on the DC's
>
> Computer Configuration \ Windows Settings \ Local Policies \ Security Option ->
>
> System Objects: Default owner for objects created by members of the
> Administrators group
> OPTIONS:
> Object Creator
> Administrators group
>
> You'll want "object creator" set.
>
> steve
>
> ----- Original Message -----
> From: "Thommes, Michael M." <[EMAIL PROTECTED]>
> To: <[email protected]>
> Sent: Friday, July 22, 2005 12:13 PM
> Subject: RE: [ActiveDir] How to find creator of computer account?
>
> Thanks Jorge (and joe)! Unfortunately, that is what I am seeing -
> "domain admins" is the owner. I was hoping for a more specific userid
> which I guess we could get if we provision the ability to join computers
> to the domain differently than we do now.
>
> -mike
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
> Sent: Friday, July 22, 2005 11:34 AM
> To: [email protected]; [email protected]
> Subject: RE: [ActiveDir] How to find creator of computer account?
>
> if you have delegated the creation of computer accounts look at the
> owner of the computer account. when an object is created the user who
> creates it automagically becomes the owner of it. If I'm correct this,
> however, does not apply for members of the administrators, domain admins
> and enterprise admins groups. Then the owner will be the administrators
> group
>
> Cheers,
> #JORGE#
>
> ________________________________
>
> From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
> Sent: Fri 7/22/2005 6:31 PM
> To: [email protected]
> Subject: [ActiveDir] How to find creator of computer account?
>
> Is there any way to find the creator of a computer account other than
> looking at the security log events written to the DCs when the computer
> join takes place? With ADSIEdit I can see the creation date of the
> account, but no information on the creator name or SID. Maybe it is
> buried in there and I just can't see it? TIA!
>
> Mike Thommes
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
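
The owner check discussed in this thread, as an added Python example that is not part of any message above: it decodes the owner SID from a self-relative security descriptor (the binary form of a computer object's nTSecurityDescriptor) and reports when the owner is only an administrative group, which is the case Mike ran into. It also accepts the mS-DS-CreatorSID attribute, which the thread does not mention and which is assumed here to be populated only when a non-administrator created the account through the "add workstations to domain" right; the sample SIDs are constructed.

```python
import struct

# SIDs that name an administrative group rather than one person.
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"
ADMIN_GROUP_RIDS = {512, 519}        # Domain Admins, Enterprise Admins

def sid_to_str(buf, offset=0):
    """Decode a binary SID as stored in AD into S-1-... form."""
    revision, count = struct.unpack_from("<BB", buf, offset)
    authority = int.from_bytes(buf[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, offset + 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def owner_sid(sd):
    """Owner SID of a self-relative descriptor (nTSecurityDescriptor)."""
    _rev, _sbz1, control, off_owner = struct.unpack_from("<BBHI", sd, 0)
    if not control & 0x8000:         # SE_SELF_RELATIVE must be set
        raise ValueError("not a self-relative security descriptor")
    return sid_to_str(sd, off_owner) if off_owner else None

def is_admin_group(sid):
    if sid == BUILTIN_ADMINISTRATORS:
        return True
    rid = int(sid.rsplit("-", 1)[1])
    return sid.startswith("S-1-5-21-") and rid in ADMIN_GROUP_RIDS

def likely_creator(sd, creator_sid=None):
    """Return (source, sid); source says how far the answer can be trusted."""
    if creator_sid:                  # mS-DS-CreatorSID (assumption, see lead-in)
        return ("creator-sid", sid_to_str(creator_sid))
    owner = owner_sid(sd)
    if owner is None:
        return ("unknown", None)
    if is_admin_group(owner):        # group owner: fall back to DC security log
        return ("admin-group", owner)
    return ("owner", owner)

# --- constructed sample data (not from any real directory) ---
def make_sid(authority, *subs):
    head = struct.pack("<BB", 1, len(subs)) + authority.to_bytes(6, "big")
    return head + struct.pack("<%dI" % len(subs), *subs)

def make_sd(owner):                  # 20-byte header, owner only, no ACLs
    return struct.pack("<BBHIIII", 1, 0, 0x8000, 20, 0, 0, 0) + owner

DOMAIN = (21, 1111111111, 2222222222, 3333333333)
SD_ADMIN = make_sd(make_sid(5, *DOMAIN, 512))
SD_USER = make_sd(make_sid(5, *DOMAIN, 1604))
```

An "admin-group" result means the descriptor cannot name the individual, so the DC security log events mentioned in the original question remain the only record.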
