Tony and Laura,

   Thanks for the replies!  Actually, I am already trapping eventid 624
and I see the "Caller User Name:" entry with the right value.  Where I
got confused was when I built a daily job using adfind (with the -owner
switch) to produce a list of users created during the previous 24 hours.
Laura's #2 answer explains why I see what I do for accounts created by
members of the "Domain Admins".  Her #1 answer is going to make me
rethink how we do some of the account creations.  Her #3 answer begs the
question of how would I construct a query to produce new accounts
created over a 24 hour period?  Adfind was the first (and maybe only)
tool that popped into my head to do this.  Other suggestions?  Thanks!

Mike Thommes

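As an added example (not code from either poster), the two pieces the thread points at, in Python: an LDAP filter on the whenCreated attribute for accounts created in the previous 24 hours (the adfind query Mike asks about), and pulling the "Caller User Name:" / "Caller Domain:" fields out of an event 624 body instead of relying on object ownership. The event text below is a constructed sample laid out like a Windows 2003 "User Account Created" event; the account names in it are invented.

```python
import re
from datetime import datetime, timedelta, timezone

# AD stores whenCreated as Generalized Time, e.g. 20061130000000.0Z, so the
# LDAP ">=" comparison must use that exact textual format.
GENERALIZED_TIME = "%Y%m%d%H%M%S.0Z"

def when_created_filter(since):
    """LDAP filter for user objects created at or after `since`.

    `since` is a timezone-aware datetime or an ISO 8601 string with offset."""
    if isinstance(since, str):
        since = datetime.fromisoformat(since)
    stamp = since.astimezone(timezone.utc).strftime(GENERALIZED_TIME)
    return "(&(objectCategory=person)(objectClass=user)(whenCreated>=%s))" % stamp

def last_24h_filter(now=None):
    """Filter for the daily job: everything created in the previous 24 hours."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    return when_created_filter(now - timedelta(hours=24))

# Constructed sample of a Security event 624 body (values invented).
SAMPLE_624 = """User Account Created:
\tNew Account Name:\tjdoe
\tNew Domain:\tXYZ
\tNew Account ID:\tXYZ\\jdoe
\tCaller User Name:\tadminacct1
\tCaller Domain:\tXYZ
\tCaller Logon ID:\t(0x0,0x3E7)
\tPrivileges\t\t-"""

def caller_from_624(message):
    """Return DOMAIN\\user of the account that performed the creation.

    The Caller fields name the actual account, even when the object's owner
    ends up as Domain Admins; returns None if the fields are missing."""
    user = re.search(r"Caller User Name:\s*(\S+)", message)
    dom = re.search(r"Caller Domain:\s*(\S+)", message)
    if not (user and dom):
        return None
    return "%s\\%s" % (dom.group(1), user.group(1))

if __name__ == "__main__":
    print(last_24h_filter())
    print(caller_from_624(SAMPLE_624))
```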
________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, November 30, 2006 8:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log entry?

1. This is one of the eight gazillion reasons to discourage the use of
accounts that are Domain Admins for routine purposes that can be
achieved without that level of rights.

2. By default, when a member of the Domain Admins group creates an
object in the directory, the Domain Admins group becomes the owner of
the object. That is by design. 

3. When I create an object with an account that is a member of Domain
Admins, the creator of the object shows as that account, not as Domain
Admins. Why aren't you just looking at that value in the event logs,
rather than looking at the ownership of the object? That's why auditing
allows tracking of who creates/modifies/deletes directory objects.

Laura

________________________________


        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
        Sent: Thursday, November 30, 2006 7:33 PM
        To: ActiveDir@mail.activedir.org
        Subject: [ActiveDir] dynamic variables within an event log entry?

        I wonder if someone could explain to me (or point me at some
reference) about what mechanism is used to populate the information in a
Windows event log entry.  The reason why I ask is that I see in the
Security log when a new user account is created by an account which is a
member of the Domain Admins group, the _OBJECT_OWNER=XYZ\Domain Admins,
not XYZ\adminacct1.  If it is created by an account that is a member of
the Account Operators group, then _OBJECT_OWNER=XYZ\operacct1, not
XYZ\Account Operators.

        This makes auditing somewhat less worthwhile.  Is this design on
purpose or a deficiency?  Any help is appreciated.  Thanks!

        Mike Thommes