I'm glad you said that and not me!  So much great content here - one of
the last things I'd want to do is pick on grammar, as it would seem rude
and unappreciative.  Especially since never confident 100% in my own am
I.   : - )


________________________________

        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
        Sent: Friday, December 01, 2006 1:00 PM
        To: ActiveDir@mail.activedir.org
        Subject: RE: [ActiveDir] dynamic variables within an event log entry?
        
        
        Too bad I didn't actually put a verb in that second sentence.
:-)
         
        That SHOULD have read, "When a user who is a member of the
Domain Admins group CREATES AN OBJECT, by default, the DA group is the
*owner* of the object."
         
        No wonder you have a hard time following my posts. ;-)
         
        Laura


________________________________

                From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
                Sent: Friday, December 01, 2006 11:30 AM
                To: ActiveDir@mail.activedir.org
                Subject: RE: [ActiveDir] dynamic variables within an event log entry?
                
                
                Yep, you're right...I didn't distinguish the difference
the first time around.  Good info as always.
                 
                Thanks!


________________________________

                        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
                        Sent: Friday, December 01, 2006 12:02 AM
                        To: ActiveDir@mail.activedir.org
                        Subject: RE: [ActiveDir] dynamic variables within an event log entry?
                        
                        
                        Nope, it's not a typo- note the difference
between *owner* and *creator*. When a user who is a member of the Domain
Admins group, by default, the DA group is the *owner* of the object.
However, what is logged in the audit (security event) log does list the
specific account that was used to *create* the object. 
                         
                        As far as changing the behavior for #2, there is
a group policy setting "System Objects: Default owner for objects
created by members of the Administrators group"  in the Computer
Configuration\Windows Settings\Local Policies\Security Options section
of group policy. That setting can be set to "Administrators group" or to
"Object creator". That may be what you're thinking of. That setting,
however, refers to system objects (thus the "system objects" predicate.
:-) ) You may also be thinking of the ability in the property sheets for
any object to set the owner of DA-owned objects to either a specific DA
account or to the group. 
                         
                        I don't remember you misreading one of my posts;
you must have a much better memory than I do. Then again, I usually
can't remember what I ate for breakfast. :-)
                         
                        Laura


________________________________

                                From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
                                Sent: Thursday, November 30, 2006 10:34 PM
                                To: ActiveDir@mail.activedir.org
                                Subject: RE: [ActiveDir] dynamic variables within an event log entry?
                                
                                
                                Hi Laura,
                                 
                                    I know I misread one of your posts
once before, so I'm sorry in advance if I'm doing it again (!), but
aren't you making a conflicting statement in nos. 2 & 3 below?  Or is #3
supposed to say "that is NOT a member of Domain Admins..." ?
                                 
                                    Also, is there a mechanism of some
sort which changes the behavior in #2 such that the actual account used
would become the object's owner (rather than DAs group)?  I remember
reading something like this once, but I could be thinking of something
else way off base :-(
                                 
                                    In any case, I completely agree that
delegating the creation right is the [way!] better option here!
                                 
                                Thanks as always,
                                DaveC


________________________________

                                From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
                                Sent: Thursday, November 30, 2006 9:22 PM
                                To: ActiveDir@mail.activedir.org
                                Subject: RE: [ActiveDir] dynamic variables within an event log entry?
                                
                                
                                1. This is one of the eight gazillion
reasons to discourage the use of accounts that are Domain Admins for
routine purposes that can be achieved without that level of rights.
                                2. By default, when a member of the
Domain Admins group creates an object in the directory, the Domain
Admins group becomes the owner of the object. That is by design. 
                                3. When I create an object with an
account that is a member of Domain Admins, the creator of the object
shows as that account, not as Domain Admins. Why aren't you just looking
at that value in the event logs, rather than looking at the ownership of
the object? That's why auditing allows tracking of who
creates/modifies/deletes directory objects.
                                 
                                Laura


________________________________

                                From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
                                Sent: Thursday, November 30, 2006 7:33 PM
                                To: ActiveDir@mail.activedir.org
                                Subject: [ActiveDir] dynamic variables within an event log entry?
                                
                                

                                I wonder if someone could explain to me
(or point me at some reference) about what mechanism is used to populate
the information in a Windows event log entry.  The reason why I ask is
that I see in the Security log when a new user account is created by an
account which is a member of the Domain Admins group, the
_OBJECT_OWNER=XYZ\Domain Admins , not XYZ\adminacct1 .  If it is created
by an account that is a member of the Account Operators group, then
_OBJECT_OWNER=XYZ\operacct1, not XYZ\Account Operators .

                                 

                                This makes auditing somewhat less
worthwhile.  Is this design on purpose or a deficiency?  Any help is
appreciated.  Thanks!

                                 

                                Mike Thommes


                                --
                                No virus found in this incoming message.
                                Checked by AVG Free Edition.
                                Version: 7.5.430 / Virus Database:
268.15.2/559 - Release Date: 11/30/2006 5:07 AM
                                



                                
                                
                                This email was sent to you by Reuters,
the global news and information company. 
                                To find out more about Reuters visit
www.about.reuters.com
                                
                                Any views expressed in this message are
those of the individual sender, except where the sender specifically
states them to be the views of Reuters Ltd.
                                
                                

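The owner-versus-creator distinction discussed in this thread can be checked side by side. The following PowerShell is an added example, not part of any message above; it assumes the ActiveDirectory module, account-management auditing enabled on the domain controller, and event ID 4720 ("A user account was created" on Windows Server 2008 and later, which postdates this thread). The seven-day window is an arbitrary choice.

```powershell
# Added example: for each recently created user, show the account the Security
# log recorded as the creator next to the owner stored on the object itself.
Import-Module ActiveDirectory

$dc    = (Get-ADDomainController).HostName   # only this DC's Security log is read
$since = (Get-Date).AddDays(-7)              # assumed look-back window

# 4720 is written on the DC where the account was created.
$events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4720
    StartTime = $since
}

$report = foreach ($e in $events) {
    # Named fields live in the event XML: Subject* is the creator,
    # Target* is the newly created account.
    $data = @{}
    ([xml]$e.ToXml()).Event.EventData.Data |
        ForEach-Object { $data[$_.Name] = $_.'#text' }

    $creator = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']

    # The owner comes from the object's security descriptor, not from the log.
    try {
        $user  = Get-ADUser -Identity $data['TargetSid'] -Server $dc `
                     -Properties nTSecurityDescriptor -ErrorAction Stop
        $owner = $user.nTSecurityDescriptor.GetOwner(
                     [System.Security.Principal.NTAccount]).Value
    } catch {
        $owner = '<object not found or owner unresolved>'
    }

    [pscustomobject]@{
        Created        = $e.TimeCreated
        Account        = $data['TargetUserName']
        Creator        = $creator          # who performed the create
        Owner          = $owner            # may be a group such as Domain Admins
        OwnerIsCreator = ($owner -eq $creator)
    }
}

$report | Sort-Object Created | Format-Table -AutoSize
```

Rows where `OwnerIsCreator` is false and `Owner` is the Domain Admins group are the default behavior described in the thread; the `Creator` column still names the individual account.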