DING DING DING!!! WE HAVE A WINNER! "System Object" != "Directory Object".
If you're really feeling like having fun, test this out with file system objects and with messing around with Domain Admins versus Administrators membership. Okay, maybe not everybody finds that fun. Never mind. :-)

Laura

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
> Sent: Tuesday, December 05, 2006 3:12 PM
> To: [email protected]
> Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?
>
> I did Laura's test (the thread was wearing me down ;-)).
>
> Even with the policy set to "Object Creator" it still shows Domain Admins as the owner if I create an object with an account that is a member of Domain Admins. In my case the Domain Admins group is a member of the built-in Administrators group. This means that I saw the option in the security tab to change the ownership from Domain Admins to either Administrators or the account I was logged in with.
>
> The conclusion is that you can't use this policy to change the behaviour for AD accounts. Might be different for local accounts on member servers and workstations - but I haven't tested this.
>
> Tony
>
> ---------- Original Message ----------------------------------
> From: "Laura A. Robinson" <[EMAIL PROTECTED]>
> Reply-To: [email protected]
> Date: Tue, 05 Dec 2006 13:44:47 -0500
>
> Have you tested this?
>
> _____
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
> Sent: Tuesday, December 05, 2006 12:53 PM
> To: [email protected]
> Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?
>
> If you are a member of ADMINISTRATORS directly or indirectly through a CUSTOM group it will by default list ADMINISTRATORS. Changing the policy lists the object creator.
>
> If you are a member of DOMAIN ADMINS also, it will list DOMAIN ADMINS…. Is this what you mean?
>
> If the latter is the case check with REPADMIN /SHOWOBJMETA on which DC the object was created (also note the date and time). On the DC that is listed as the originating DC for the account creation check the security log. If it concerns SECURITY PRINCIPAL objects you might be lucky if you have configured Account Management for SUCCESS (also the default if I'm not mistaken). If it concerns OTHER objects you are lucky if you have configured directory service access for SUCCESS (also the default if I'm not mistaken) AND you have configured one or more SACLs on objects or OUs with objects that should be audited.
>
> jorge
>
> _____
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
> Sent: Tuesday, 5 December 2006 18:20
> To: [email protected]
> Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?
>
> I'd say that you should test it. Create and link a policy where you've set "system objects: default owner for objects created by members of the administrators group" to "Object creator". Then create a user in AD and check the ownership.
>
> Laura
>
> _____
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
> Sent: Tuesday, December 05, 2006 2:25 AM
> To: [email protected]
> Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?
>
> can you explain?
>
> Kind regards,
> Ing. Jorge de Almeida Pinto
> Senior Infrastructure Consultant
> MVP Windows Server - Directory Services
>
> LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
> * Tel : +31-(0)40-29.57.777
> * Mobile : +31-(0)6-26.26.62.80
> * E-mail : <see sender address>
>
> _____
>
> From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
> Sent: Tue 2006-12-05 01:45
> To: [email protected]
> Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?
>
> Which will have no effect on the ownership of the directory objects.
>
> Laura
>
> _____
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
> Sent: Monday, December 04, 2006 4:17 PM
> To: [email protected]
> Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?
>
> look at the owner....
>
> if it lists ADMINISTRATORS, you might wanna change the security option in the default DCs GPO which is called: "system objects: default owner for objects created by members of the administrators group"
>
> Kind regards,
> Ing. Jorge de Almeida Pinto
>
> _____
>
> From: [EMAIL PROTECTED] on behalf of Mitch Reid
> Sent: Mon 2006-12-04 21:14
> To: [email protected]
> Subject: [ActiveDir] Is it possible to determine who created an AD object?
>
> We had a few user accounts that were deleted and then recreated and nobody will take responsibility.
>
> I used ADSIedit to verify the creation date/time.
>
> While auditing is enabled, the Security log rolled and we missed the event (yes I know it's an issue).
>
> Is there a way to see who created the user object?
>
> Thanks, Mitch.

--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.430 / Virus Database: 268.15.9/571 - Release Date: 12/5/2006 11:50 AM

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/[email protected]/
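The lookup suggested in the quoted thread (REPADMIN /SHOWOBJMETA to find the originating DC and time, then that DC's security log), as an added example that is not part of the original messages: it parses the metadata table and returns the DC and time window to search. The sample output, the DC names and the five-minute slack are constructed assumptions, and the parser assumes the usual six-column table layout.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `repadmin /showobjmeta` output (hypothetical DCs, not from the thread).
SAMPLE = r"""
Loc.USN  Originating DSA                  Org.USN  Org.Time/Date        Ver Attribute
=======  ===============                  =======  =============        === =========
  81234  Default-First-Site-Name\DC02       40112  2006-12-04 14:02:11    1 objectClass
  81234  Default-First-Site-Name\DC02       40112  2006-12-04 14:02:11    1 whenCreated
  81240  Default-First-Site-Name\DC01       77310  2006-12-04 14:05:37    3 unicodePwd
  81234  Default-First-Site-Name\DC02       40112  2006-12-04 14:02:11    1 sAMAccountName
"""

# Loc.USN, Originating DSA, Org.USN, Org.Time/Date, Ver, Attribute
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+"
                 r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s*$")

def parse_objmeta(text):
    """Return one dict per attribute row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({
                "dsa": m.group(2),
                "time": datetime.strptime(m.group(4), "%Y-%m-%d %H:%M:%S"),
                "version": int(m.group(5)),
                "attribute": m.group(6),
            })
    return rows

def creation_lead(text, slack_minutes=5):
    """Find where and when the object was created, plus a log-search window."""
    rows = parse_objmeta(text)
    # whenCreated is written once, at creation; fall back to objectClass.
    for name in ("whenCreated", "objectClass"):
        hit = next((r for r in rows
                    if r["attribute"] == name and r["version"] == 1), None)
        if hit:
            slack = timedelta(minutes=slack_minutes)
            return {
                "originating_dc": hit["dsa"].split("\\")[-1],
                "created": hit["time"],
                "search_from": hit["time"] - slack,
                "search_to": hit["time"] + slack,
            }
    return None  # metadata missing or not in the expected layout
```

On the DC it names, the returned window bounds the Security-log search for account-creation events (event ID 624 on Windows Server 2003, 4720 on later versions).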
