I wonder if someone could explain to me (or point me at some reference) about what mechanism is used to populate the information in a Windows event log entry. The reason why I ask is that I see in the Security log when a new user account is created by an account which is a member of the Domain Admins group, the _OBJECT_OWNER=XYZ\Domain Admins , not XYZ\adminacct1 . If it is created by an account that is a member of the Account Operators group, then _OBJECT_OWNER=XYZ\operacct1, not XYZ\Account Operators .
This makes auditing somewhat less worthwhile. Is this design on purpose or a deficiency? Any help is appreciated. Thanks! Mike Thommes