Hi Laura,
 
    I know I misread one of your posts once before, so I'm sorry in
advance if I'm doing it again (!), but aren't you making a conflicting
statement in nos. 2 & 3 below?  Or is #3 supposed to say "that is NOT a
member of Domain Admins..." ?
 
    Also, is there a mechanism of some sort which changes the behavior
in #2 such that the actual account used would become the object's owner
(rather than DAs group)?  I remember reading something like this once,
but I could be thinking of something else way off base :-(
 
    In any case, I completely agree that delegating the creation right
is the [way!] better option here!
 
Thanks as always,
DaveC


________________________________

        From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
        Sent: Thursday, November 30, 2006 9:22 PM
        To: [email protected]
        Subject: RE: [ActiveDir] dynamic variables within an event log
entry?
        
        
        1. This is one of the eight gazillion reasons to discourage the
use of accounts that are Domain Admins for routine purposes that can be
achieved without that level of rights.
        2. By default, when a member of the Domain Admins group creates
an object in the directory, the Domain Admins group becomes the owner of
the object. That is by design. 
        3. When I create an object with an account that is a member of
Domain Admins, the creator of the object shows as that account, not as
Domain Admins. Why aren't you just looking at that value in the event
logs, rather than looking at the ownership of the object? That's why
auditing allows tracking of who creates/modifies/deletes directory
objects.
         
        Laura


________________________________

                From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
                Sent: Thursday, November 30, 2006 7:33 PM
                To: [email protected]
                Subject: [ActiveDir] dynamic variables within an event
log entry?
                
                

                I wonder if someone could explain to me (or point me at
some reference) what mechanism is used to populate the information
in a Windows event log entry.  The reason why I ask is that I see in the
Security log when a new user account is created by an account which is a
member of the Domain Admins group, the _OBJECT_OWNER=XYZ\Domain Admins,
not XYZ\adminacct1.  If it is created by an account that is a member of
the Account Operators group, then _OBJECT_OWNER=XYZ\operacct1, not
XYZ\Account Operators.

                 

                This makes auditing somewhat less worthwhile.  Is this
design on purpose or a deficiency?  Any help is appreciated.  Thanks!

                 

                Mike Thommes







This email was sent to you by Reuters, the global news and information company. 
To find out more about Reuters visit www.about.reuters.com

Any views expressed in this message are those of the individual sender, except 
where the sender specifically states them to be the views of Reuters Ltd.
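Added example (editor's addition, not part of the thread above): Laura's point in #3 is that the audit event records the creating account even when the object's owner ends up as Domain Admins. The script below pulls the "user account created" events from the Security log, reads the Subject (creator) fields by name, and, for each created account that still exists, looks up the current owner of the directory object so the two values can be compared side by side. It assumes the ActiveDirectory PowerShell module (RSAT or a DC), rights to read the Security log, and that "Audit user account management" is enabled. Event ID 4720 is the Vista/Server 2008 and later ID for this event; Server 2003, current when the thread was written, logged it as 624, so adjust the ID for older DCs. The XYZ domain is the thread's own placeholder.

```powershell
# Editor's example, not code from the thread. Assumes the ActiveDirectory module
# (RSAT or a domain controller), read access to the Security log, and that
# "Audit user account management" is enabled so event 4720 ("A user account was
# created") is written. 4720 is the Vista/2008+ ID; Server 2003 used 624.
Import-Module ActiveDirectory

function Get-UserCreationAudit {
    param([int]$MaxEvents = 50)

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } -MaxEvents $MaxEvents |
        ForEach-Object {
            # Read the EventData fields by their Name attribute rather than by
            # position, so the column order of the event template does not matter.
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

            # Current owner of the created object, if it still exists. Get-Acl on the
            # AD: drive returns the security descriptor of the directory object itself.
            $owner = $null
            $obj = Get-ADUser -Identity $d.TargetSid -ErrorAction SilentlyContinue
            if ($obj) { $owner = (Get-Acl -Path ("AD:\" + $obj.DistinguishedName)).Owner }

            [pscustomobject]@{
                Time    = $_.TimeCreated
                Creator = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName   # who actually ran the create
                Account = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName     # the account that was created
                Owner   = $owner   # XYZ\Domain Admins when Creator is a DA member; the user itself otherwise
            }
        }
}

Get-UserCreationAudit | Format-Table -AutoSize
```

Run it on a DC (or with RSAT against one) after a test account has been created by a Domain Admins member and by an Account Operators member: the Creator column names the individual account in both rows, while the Owner column shows XYZ\Domain Admins for the first and the operator account for the second, which is exactly the difference Mike observed and the reason Laura points at the audit trail rather than object ownership.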
