Yep, you're right...I didn't distinguish the difference the first time
around.  Good info as always.
 
Thanks!


________________________________

        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
        Sent: Friday, December 01, 2006 12:02 AM
        To: ActiveDir@mail.activedir.org
        Subject: RE: [ActiveDir] dynamic variables within an event log entry?

        Nope, it's not a typo- note the difference between *owner* and
*creator*. When a user who is a member of the Domain Admins group creates
an object, by default the DA group is the *owner* of the object. However,
what is logged in the audit (security event) log does list the specific
account that was used to *create* the object.
         
        As far as changing the behavior for #2, there is a group policy
setting "System Objects: Default owner for objects created by members of
the Administrators group"  in the Computer Configuration\Windows
Settings\Local Policies\Security Options section of group policy. That
setting can be set to "Administrators group" or to "Object creator".
That may be what you're thinking of. That setting, however, refers to
system objects (thus the "system objects" predicate. :-) ) You may also
be thinking of the ability in the property sheets for any object to set
the owner of DA-owned objects to either a specific DA account or to the
group. 
         
        I don't remember you misreading one of my posts; you must have a
much better memory than I do. Then again, I usually can't remember what
I ate for breakfast. :-)
         
        Laura
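One way to see the owner/creator distinction described above, as an added PowerShell example that is not from this thread: it reads the owner from the object's security descriptor and the creator from the Security log. It assumes the ActiveDirectory module (Get-ADUser and the AD: drive) and a Windows Server 2008 or later domain controller, where user creation is logged as Security event 4720 with Subject* and TargetSid fields; the 2006-era event format the thread discusses differs, and the event is only present on the DC that processed the creation.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module
# (Get-ADUser, AD: drive) on a 2008+ domain controller where user creation is
# logged as Security event 4720; run it on the DC that created the account.
param(
    [Parameter(Mandatory)][string]$SamAccountName   # e.g. a freshly created user
)

Import-Module ActiveDirectory

# 1. Owner from the object's security descriptor. For an account created by a
#    Domain Admin this is normally "DOMAIN\Domain Admins", not the person.
$user  = Get-ADUser -Identity $SamAccountName -Properties whenCreated
$owner = (Get-Acl -Path "AD:\$($user.DistinguishedName)").Owner

# 2. Creator from the audit trail: the Subject of the 4720 event whose
#    TargetSid is this account. A window around whenCreated keeps the query cheap.
$filter = @{
    LogName   = 'Security'
    Id        = 4720
    StartTime = $user.whenCreated.AddMinutes(-5)
    EndTime   = $user.whenCreated.AddMinutes(5)
}
$creator = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # EventData is a list of <Data Name="...">value</Data>; index it by Name
        $byName = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $byName[$d.Name] = $d.'#text'
        }
        if ($byName['TargetSid'] -eq $user.SID.Value) {
            '{0}\{1}' -f $byName['SubjectDomainName'], $byName['SubjectUserName']
        }
    } | Select-Object -First 1

if (-not $creator) { $creator = '(no matching 4720 event on this DC)' }

# Owner tells you which group holds the object; Creator tells you who acted.
[pscustomobject]@{
    Account      = $user.SamAccountName
    Owner        = $owner
    Creator      = $creator
    OwnerIsGroup = ($owner -like '*\Domain Admins')
}
```

If Owner is the Domain Admins group while Creator is an individual account, the object's ownership is behaving as the thread describes and the audit event, not the owner, is the value to review.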


________________________________

                From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
                Sent: Thursday, November 30, 2006 10:34 PM
                To: ActiveDir@mail.activedir.org
                Subject: RE: [ActiveDir] dynamic variables within an event log entry?

                Hi Laura,
                 
                    I know I misread one of your posts once before, so
I'm sorry in advance if I'm doing it again (!), but aren't you making a
conflicting statement in nos. 2 & 3 below?  Or is #3 supposed to say
"that is NOT a member of Domain Admins..." ?
                 
                    Also, is there a mechanism of some sort which
changes the behavior in #2 such that the actual account used would
become the object's owner (rather than DAs group)?  I remember reading
something like this once, but I could be thinking of something else way
off base :-(
                 
                    In any case, I completely agree that delegating the
creation right is the [way!] better option here!
                 
                Thanks as always,
                DaveC


________________________________

                        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
                        Sent: Thursday, November 30, 2006 9:22 PM
                        To: ActiveDir@mail.activedir.org
                        Subject: RE: [ActiveDir] dynamic variables within an event log entry?

                        1. This is one of the eight gazillion reasons to
discourage the use of accounts that are Domain Admins for routine
purposes that can be achieved without that level of rights.
                        2. By default, when a member of the Domain
Admins group creates an object in the directory, the Domain Admins group
becomes the owner of the object. That is by design. 
                        3. When I create an object with an account that
is a member of Domain Admins, the creator of the object shows as that
account, not as Domain Admins. Why aren't you just looking at that value
in the event logs, rather than looking at the ownership of the object?
That's why auditing allows tracking of who creates/modifies/deletes
directory objects.
                         
                        Laura


________________________________

                                From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
                                Sent: Thursday, November 30, 2006 7:33 PM
                                To: ActiveDir@mail.activedir.org
                                Subject: [ActiveDir] dynamic variables within an event log entry?

                                I wonder if someone could explain to me
(or point me at some reference) about what mechanism is used to populate
the information in a Windows event log entry.  The reason why I ask is
that I see in the Security log when a new user account is created by an
account which is a member of the Domain Admins group, the
_OBJECT_OWNER=XYZ\Domain Admins, not XYZ\adminacct1.  If it is created
by an account that is a member of the Account Operators group, then
_OBJECT_OWNER=XYZ\operacct1, not XYZ\Account Operators.

                                 

                                This makes auditing somewhat less
worthwhile.  Is this design on purpose or a deficiency?  Any help is
appreciated.  Thanks!

                                 

                                Mike Thommes


                                --
                                No virus found in this incoming message.
                                Checked by AVG Free Edition.
                                Version: 7.5.430 / Virus Database:
268.15.2/559 - Release Date: 11/30/2006 5:07 AM
                                



                
                
                This email was sent to you by Reuters, the global news
and information company. 
                To find out more about Reuters visit
www.about.reuters.com
                
                Any views expressed in this message are those of the
individual sender, except where the sender specifically states them to
be the views of Reuters Ltd.
                
                





