I wonder if someone could explain to me (or point me at some reference)
about what mechanism is used to populate the information in a Windows
event log entry.  The reason why I ask is that I see in the Security log
when a new user account is created by an account which is a member of
the Domain Admins group, the _OBJECT_OWNER=XYZ\Domain Admins , not
XYZ\adminacct1 .  If it is created by an account that is a member of the
Account Operators group, then _OBJECT_OWNER=XYZ\operacct1, not
XYZ\Account Operators .


This makes auditing somewhat less worthwhile.  Is this design on purpose
or a deficiency?  Any help is appreciated.  Thanks!


Mike Thommes

Reply via email to