1. This is one of the eight gazillion reasons to discourage the use of accounts that are Domain Admins for routine purposes that can be achieved without that level of rights. 2. By default, when a member of the Domain Admins group creates an object in the directory, the Domain Admins group becomes the owner of the object. That is by design. 3. When I create an object with an account that is a member of Domain Admins, the creator of the object shows as that account, not as Domain Admins. Why aren't you just looking at that value in the event logs, rather than looking at the ownership of the object? That's why auditing allows tracking of who creates/modifies/deletes directory objects. Laura
_____ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M. Sent: Thursday, November 30, 2006 7:33 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] dynamic variables within an event log entry? I wonder if someone could explain to me (or point me at some reference) about what mechanism is used to populate the information in a Windows event log entry. The reason why I ask is that I see in the Security log when a new user account is created by an account which is a member of the Domain Admins group, the _OBJECT_OWNER=XYZ\Domain Admins , not XYZ\adminacct1 . If it is created by an account that is a member of the Account Operators group, then _OBJECT_OWNER=XYZ\operacct1, not XYZ\Account Operators . This makes auditing somewhat less worthwhile. Is this design on purpose or a deficiency? Any help is appreciated. Thanks! Mike Thommes -- No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.5.430 / Virus Database: 268.15.2/559 - Release Date: 11/30/2006 5:07 AM -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.5.430 / Virus Database: 268.15.2/559 - Release Date: 11/30/2006 5:07 AM
