I did Laura's test (the thread was wearing me down ;-)).

Even with the policy set to "Object Creator" it still shows Domain Admins as 
the owner if I create an object with an account that is member of Domain 
Admins.  In my case the Domain Admins group is a member of the built-in 
Administrators group.  This means that I saw the option in the security tab to 
change the ownership from Domain Admins to either Administrators or the account 
I was logged in with.

The conclusion is that you can't use this policy to change the behaviour for AD 
accounts.  Might be different for local accounts on member servers and 
workstations - but I haven't tested this.

Tony
---------- Original Message ----------------------------------
From: "Laura A. Robinson" <[EMAIL PROTECTED]>
Reply-To: [email protected]
Date:  Tue, 05 Dec 2006 13:44:47 -0500

Have you tested this?


   _____

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 12:53 PM
To: [email protected]
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?



If you are a member of ADMINISTRATORS directly or indirectly through a CUSTOM
group it will by default list ADMINISTRATORS. Changing the policy lists the
object creator.

If you are a member of DOMAIN ADMINS also, it will list DOMAIN ADMINS…. Is
this what you mean?



If the latter is the case check with REPADMIN /SHOWOBJMETA on which DC the
object was created (also note the date and time). On the DC that is listed
as the originating DC for the account creation check the security log. If it
concerns SECURITY PRINCIPAL objects you might be lucky if you have
configured Account Management for SUCCESS (also the default if I’m not
mistaken). If it concerns OTHER objects you are lucky if you have configured
directory service access for SUCCESS (also the default if I’m not mistaken)
AND you have configured one or more SACLs on objects or OUs with objects
that should be audited.



jorge




   _____


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Tuesday, December 5, 2006 18:20
To: [email protected]
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?



I'd say that you should test it. Create and link a policy where you've set
"system objects: default owner for objects created by members of the
administrators group" to "Object creator". Then create a user in AD and
check the ownership.



Laura




   _____


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 2:25 AM
To: [email protected]
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


can you explain?



Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services



LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

*      Tel     : +31-(0)40-29.57.777

* Mobile     : +31-(0)6-26.26.62.80

*     E-mail  : <see sender address>




   _____


From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 01:45
To: [email protected]
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?

Which will have no effect on the ownership of the directory objects.



Laura




   _____


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Monday, December 04, 2006 4:17 PM
To: [email protected]
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?

look at the owner....



if it lists ADMINISTRATORS, you might wanna change the security option in
the default DCs GPO which is called: "system objects: default owner for
objects created by members of the administrators group"



Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services



LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

*   Tel     : +31-(0)40-29.57.777

*   Mobile : +31-(0)6-26.26.62.80

*   E-mail : <see sender address>




   _____


From: [EMAIL PROTECTED] on behalf of Mitch Reid
Sent: Mon 2006-12-04 21:14
To: [email protected]
Subject: [ActiveDir] Is it possible to determine who created an AD object?


We had a few user accounts that were deleted and then recreated and nobody
will take responsibility.

I used ADSIedit to verify the creation date/time.



While auditing is enabled, the Security log rolled and we missed the event
(yes I know it's an issue).



Is there a way to see who created the user object?





Thanks, Mitch.




List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/[email protected]/

Reply via email to
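Jorge's two-step procedure (find the originating DC and time with REPADMIN /SHOWOBJMETA, then read that DC's Security log) and Tony's finding that the owner field does not identify the creator, put together as an added PowerShell example. This is not code from the thread. It assumes the RSAT ActiveDirectory module, domain controllers on Windows Server 2008 R2 or later (event ID 4720, "A user account was created"; on the Windows Server 2003 DCs of the original thread the equivalent ID is 624 and the metadata has to be read with repadmin by hand), success auditing for account management on the DCs, and an account that can read the DCs' Security logs remotely. The function name and the user name in the usage line are placeholders.

```powershell
# Added example; not from the thread. Finds where and when a user object was
# created from replication metadata (what REPADMIN /SHOWOBJMETA shows), then
# searches that DC's Security log for the creation event that names the creator.
# Assumptions: RSAT ActiveDirectory module; DCs on Windows Server 2008 R2+ (event
# ID 4720; on Windows Server 2003 it is 624); "Audit User Account Management"
# success auditing on the DCs; caller can read the DCs' Security logs remotely.
function Find-ADUserCreator {
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [int]$WindowMinutes = 15   # tolerance around the creation timestamp
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    $user  = Get-ADUser -Identity $SamAccountName -Properties whenCreated
    $anyDc = (Get-ADDomainController -Discover).HostName | Select-Object -First 1

    # The owner is only a hint: as the thread found, an object created by a member
    # of Domain Admins shows Domain Admins (or Administrators) as owner, not the creator.
    $owner = (Get-Acl -Path "AD:\$($user.DistinguishedName)").Owner

    # Step 1: objectClass is written exactly once, at creation, so its originating
    # DSA and originating time are the object's creation DC and creation time.
    $meta = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName `
                -Server $anyDc -Properties objectClass
    $createdTime = $meta.LastOriginatingChangeTime

    # The originating DSA is reported as its NTDS Settings DN; resolve the parent
    # server object to a host name. If it no longer resolves, the DC (and its log) is gone.
    $dsaDn    = $meta.LastOriginatingChangeDirectoryServerIdentity
    $serverDn = $dsaDn -replace '^CN=NTDS Settings,', ''
    $originDc = (Get-ADObject -Identity $serverDn -Server $anyDc -Properties dNSHostName).dNSHostName
    if (-not $originDc) {
        throw "Originating DC for $SamAccountName no longer exists (DSA $dsaDn); its Security log is gone with it."
    }

    # Step 2: search that DC's Security log around the creation time.
    $filter = @{
        LogName   = 'Security'
        Id        = 4720
        StartTime = $createdTime.AddMinutes(-$WindowMinutes)
        EndTime   = $createdTime.AddMinutes($WindowMinutes)
    }
    $events = Get-WinEvent -ComputerName $originDc -FilterHashtable $filter -ErrorAction SilentlyContinue

    $hits = foreach ($e in $events) {
        # EventData fields live in the event XML; pull them into a name -> value table.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserName'] -eq $SamAccountName) {
            [pscustomobject]@{
                TargetUser = $SamAccountName
                Owner      = $owner
                CreatedOn  = $originDc
                CreatedAt  = $e.TimeCreated
                CreatedBy  = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                SubjectSid = $data['SubjectUserSid']
            }
        }
    }

    if (-not $hits) {
        # The failure mode from the original question: auditing was on, but the log
        # had rolled. Report the oldest surviving record so that this is obvious.
        $oldest = Get-WinEvent -ComputerName $originDc -LogName Security -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
        Write-Warning ("No 4720 event for {0} on {1} near {2:u}; owner is '{3}'. Oldest Security record on {1} is from {4:u}; if that is later than the creation time, the log has rolled." -f $SamAccountName, $originDc, $createdTime, $owner, $oldest.TimeCreated)
    }
    $hits
}

# Usage (the account name is a placeholder):
# Find-ADUserCreator -SamAccountName 'jsmith' | Format-List
```

The script deliberately reads the metadata from any DC but the event log only from the originating DC, because the creation is audited where the write happened and is not replicated with the object. For a deleted-and-recreated account, as in Mitch's case, the recreated object has a new objectGUID and its own metadata, so this finds the recreator; the deletion of the old object would have to be found separately via the tombstone's metadata and event 4726 on its originating DC.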