Hi Michael
If you have Account Management auditing enabled you should see 624 events that
show the account used to create new accounts. Here's an example.
***
Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 624
Date: 1/12/2006
Time: 2:48:41 p.m.
User: DEV\su-141820
Computer: ADC01
Description:
User Account Created:
New Account Name: jamesb
New Domain: DEV
New Account ID: DEV\jamesb
Caller User Name: su-141820
Caller Domain: DEV
Caller Logon ID: (0x0,0x72DE0)
Privileges -
Attributes:
Sam Account Name: jamesb
Display Name: James Blench
User Principal Name: [EMAIL PROTECTED]
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
AllowedToDelegateTo: -
Old UAC Value: 0x0
New UAC Value: 0x15
User Account Control:
Account Disabled
'Password Not Required' - Enabled
'Normal Account' - Enabled
User Parameters: -
Sid History: -
Logon Hours: <value not set>
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
***
The name of the account used to create the new user is shown in the Caller User
Name field (in this case su-141820, which is a member of Domain Admins).
Tony
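As an added illustration (not part of Tony's or Michael's messages), the following Python script parses the text of Windows 2000/2003 security event 624 in the format shown above and pulls out the fields an auditor actually needs: who created the account (Caller Domain plus Caller User Name), the Caller Logon ID that ties the action to the caller's logon session, the new account, and the decoded UAC flags. The sample events are constructed here: the first is the 624 quoted above (with the page's redacted UPN omitted), the second is an invented 624 whose caller name "operacct1" is borrowed from Michael's message, and the third is a 642 that the parser must skip. The flag bit mapping (0x1, 0x4, 0x10) is the SAM USER_* encoding that these events display, which is why 0x15 decodes to the three flags the event lists; it is not the LDAP userAccountControl encoding. On Vista/Server 2008 and later the equivalent event is 4720 and the caller appears under "Subject", so the field names there would need adjusting.

```python
import re

# Constructed sample input (not taken from a live system): the 624 event
# quoted in the thread, an invented second 624, and a 642 to be ignored.
SAMPLE_EVENTS = [
r"""Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 624
Date: 1/12/2006
Time: 2:48:41 p.m.
User: DEV\su-141820
Computer: ADC01
Description:
User Account Created:
New Account Name: jamesb
New Domain: DEV
New Account ID: DEV\jamesb
Caller User Name: su-141820
Caller Domain: DEV
Caller Logon ID: (0x0,0x72DE0)
Privileges -
Attributes:
Sam Account Name: jamesb
Display Name: James Blench
Old UAC Value: 0x0
New UAC Value: 0x15
""",
r"""Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 624
Computer: ADC01
Description:
User Account Created:
New Account Name: svc-backup
New Domain: DEV
New Account ID: DEV\svc-backup
Caller User Name: operacct1
Caller Domain: DEV
Caller Logon ID: (0x0,0x9A3F1)
Old UAC Value: 0x0
New UAC Value: 0x15
""",
r"""Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 642
Description:
User Account Changed:
Target Account Name: jamesb
Caller User Name: su-141820
Caller Domain: DEV
""",
]

# Fields we extract from the description; a 624 without the caller
# fields is treated as malformed rather than silently reported.
REQUIRED = ("New Account ID", "Caller User Name", "Caller Domain",
            "Caller Logon ID", "New UAC Value")
FIELD_RE = re.compile(
    r"^\s*(New Account Name|New Domain|New Account ID|Caller User Name|"
    r"Caller Domain|Caller Logon ID|Old UAC Value|New UAC Value):\s*(.*?)\s*$",
    re.M)

# SAM USER_* flag bits as displayed in the 624/642 "UAC Value" fields
# (assumption stated in the lead-in: these are the only bits decoded here;
# anything else is reported as an unknown residue rather than guessed).
SAM_UAC_FLAGS = {
    0x1: "Account Disabled",
    0x4: "Password Not Required",
    0x10: "Normal Account",
}


def parse_624(text):
    """Return a dict of the interesting fields for a 624 event, or None
    if the text is some other event ID."""
    m = re.search(r"^\s*Event ID:\s*(\d+)\s*$", text, re.M)
    if not m or m.group(1) != "624":
        return None
    fields = dict(FIELD_RE.findall(text))
    missing = [f for f in REQUIRED if f not in fields]
    if missing:
        raise ValueError("624 event missing fields: %s" % ", ".join(missing))
    return fields


def decode_uac(value):
    """Decode a hex UAC value into (flag names, undecoded residual bits)."""
    bits = int(value, 16)
    names = [name for bit, name in sorted(SAM_UAC_FLAGS.items()) if bits & bit]
    unknown = bits & ~sum(SAM_UAC_FLAGS)
    return names, unknown


def account_creations(events):
    """Summarise every 624 in the input: caller, logon session, new account,
    decoded flags. Non-624 events are skipped."""
    rows = []
    for text in events:
        f = parse_624(text)
        if f is None:
            continue
        flags, unknown = decode_uac(f["New UAC Value"])
        rows.append({
            "caller": "%s\\%s" % (f["Caller Domain"], f["Caller User Name"]),
            "caller_logon_id": f["Caller Logon ID"],
            "new_account": f["New Account ID"],
            "flags": flags,
            "unknown_bits": unknown,
        })
    return rows


if __name__ == "__main__":
    for row in account_creations(SAMPLE_EVENTS):
        print("%(caller)s (logon %(caller_logon_id)s) created %(new_account)s: "
              "%(flags)s" % row)
```

The Caller Logon ID is the join key to the caller's 528/540 logon event on the same machine, which is how you get from "su-141820 created jamesb" to the workstation and logon type that session came from.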
---------- Original Message ----------------------------------
From: "Thommes, Michael M." <[EMAIL PROTECTED]>
Reply-To: [email protected]
Date: Thu, 30 Nov 2006 18:33:22 -0600
I wonder if someone could explain to me (or point me at some reference)
about what mechanism is used to populate the information in a Windows
event log entry. The reason why I ask is that I see in the Security log
when a new user account is created by an account which is a member of
the Domain Admins group, the _OBJECT_OWNER=XYZ\Domain Admins , not
XYZ\adminacct1 . If it is created by an account that is a member of the
Account Operators group, then _OBJECT_OWNER=XYZ\operacct1, not
XYZ\Account Operators .
This makes auditing somewhat less worthwhile. Is this design on purpose
or a deficiency? Any help is appreciated. Thanks!
Mike Thommes
________________________________________________________________
Sent via the WebMail system at mail.activedir.org
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/[email protected]/