BTW, speaking strictly about directory objects, if you use an account that
is NOT a member of Domain Admins but IS a member of Administrators (DLG),
the ownership of the object works exactly the same way as it does if the
account is a member of Domain Admins and not a direct member of
Administrators.

File system objects are still a bit different. :-)

Laura 

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
> Sent: Tuesday, December 05, 2006 3:12 PM
> To: [email protected]
> Subject: RE: [ActiveDir] Is it possible to determine who 
> created an AD object?
> 
> 
> I did Laura's test (the thread was wearing me down ;-)).
> 
> Even with the policy set to "Object Creator" it still shows 
> Domain Admins as the owner if I create an object with an 
> account that is a member of Domain Admins.  In my case the 
> Domain Admins group is a member of the built-in 
> Administrators group.  This means that I saw the option in 
> the security tab to change the ownership from Domain Admins 
> to either Administrators or the account I was logged in with.
> 
> The conclusion is that you can't use this policy to change 
> the behaviour for AD accounts.  Might be different for local 
> accounts on member servers and workstations - but I haven't 
> tested this.
> 
> Tony
> ---------- Original Message ----------------------------------
> From: "Laura A. Robinson" <[EMAIL PROTECTED]>
> Reply-To: [email protected]
> Date:  Tue, 05 Dec 2006 13:44:47 -0500
> 
> Have you tested this?
> 
> 
>    _____  
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Almeida Pinto, Jorge de
> Sent: Tuesday, December 05, 2006 12:53 PM
> To: [email protected]
> Subject: RE: [ActiveDir] Is it possible to determine who 
> created an AD object?
> 
> 
> 
> If you are a member of ADMINISTRATORS directly or indirectly 
> through a CUSTOM group it will by default list 
> ADMINISTRATORS. Changing the policy lists the object creator.
> 
> If you are a member of DOMAIN ADMINS also, it will list DOMAIN 
> ADMINS…. Is this what you mean?
> 
>  
> 
> If the latter is the case check with REPADMIN /SHOWOBJMETA on 
> which DC the object was created (also note the date and 
> time). On the DC that is listed as the originating DC for the 
> account creation check the security log. If it concerns 
> SECURITY PRINCIPAL objects you might be lucky if you have 
> configured Account Management for SUCCESS (also the default 
> if I’m not mistaken). If it concerns OTHER objects you are 
> lucky if you have configured directory service access for 
> SUCCESS (also the default if I’m not mistaken) AND you have 
> configured one or more SACLs on objects or OUs with objects 
> that should be audited.
> 
>  
> 
> jorge
> 
>  
> 
> 
>    _____  
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Laura A. Robinson
> Sent: Tuesday, 5 December 2006 18:20
> To: [email protected]
> Subject: RE: [ActiveDir] Is it possible to determine who 
> created an AD object?
> 
>  
> 
> I'd say that you should test it. Create and link a policy 
> where you've set "system objects: default owner for objects 
> created by members of the administrators group" to "Object 
> creator". Then create a user in AD and check the ownership.
> 
>  
> 
> Laura
> 
>  
> 
> 
>    _____  
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Almeida Pinto, Jorge de
> Sent: Tuesday, December 05, 2006 2:25 AM
> To: [email protected]
> Subject: RE: [ActiveDir] Is it possible to determine who 
> created an AD object?
> 
> can you explain?
> 
>  
> 
> Kind regards,
> 
> Ing. Jorge de Almeida Pinto
> 
> Senior Infrastructure Consultant
> 
> MVP Windows Server - Directory Services
> 
>  
> 
> LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
> 
> *      Tel     : +31-(0)40-29.57.777
> 
> * Mobile     : +31-(0)6-26.26.62.80
> 
> *     E-mail  : <see sender address>
> 
>  
> 
> 
>    _____  
> 
> 
> From: [EMAIL PROTECTED] on behalf of Laura 
> A. Robinson
> Sent: Tue 2006-12-05 01:45
> To: [email protected]
> Subject: RE: [ActiveDir] Is it possible to determine who 
> created an AD object?
> 
> Which will have no effect on the ownership of the directory objects.
> 
>  
> 
> Laura
> 
>  
> 
> 
>    _____  
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Almeida Pinto, Jorge de
> Sent: Monday, December 04, 2006 4:17 PM
> To: [email protected]
> Subject: RE: [ActiveDir] Is it possible to determine who 
> created an AD object?
> 
> look at the owner....
> 
>  
> 
> if it lists ADMINISTRATORS, you might wanna change the 
> security option in the default DCs GPO which is called: 
> "system objects: default owner for objects created by members 
> of the administrators group"
> 
>  
> 
> Kind regards,
> 
> Ing. Jorge de Almeida Pinto
> 
> Senior Infrastructure Consultant
> 
> MVP Windows Server - Directory Services
> 
>  
> 
> LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
> 
> *   Tel     : +31-(0)40-29.57.777
> 
> *   Mobile : +31-(0)6-26.26.62.80
> 
> *   E-mail : <see sender address>
> 
>  
> 
> 
>    _____  
> 
> 
> From: [EMAIL PROTECTED] on behalf of Mitch Reid
> Sent: Mon 2006-12-04 21:14
> To: [email protected]
> Subject: [ActiveDir] Is it possible to determine who created 
> an AD object?
> 
> We had a few user accounts that were deleted and then 
> recreated and nobody will take responsibility.
> 
> I used ADSIedit to verify the creation date/time.
> 
>  
> 
> While auditing is enabled, the Security log rolled and we 
> missed the event (yes I know it's an issue).
> 
>  
> 
> Is there a way to see who created the user object?
> 
>  
> 
>  
> 
> Thanks, Mitch.
> 
> --
> No virus found in this incoming message.
> Checked by AVG Free Edition.
> Version: 7.5.430 / Virus Database: 268.15.6/567 - Release 
> Date: 12/4/2006
> 7:18 AM

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/[email protected]/
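
Added example, not part of the original thread: a PowerShell sketch of the procedure described in the quoted message (find the originating DC and creation time from replication metadata, then search that DC's Security log). It assumes the ActiveDirectory RSAT module and Windows Server 2008 or later event IDs; the DN and the time window are constructed sample values.

```powershell
# Added example (not from the thread). $ObjectDN is a constructed sample value.
param(
    [string]$ObjectDN = 'CN=Sample User,OU=Staff,DC=example,DC=com',
    [int]$WindowMinutes = 5
)
Import-Module ActiveDirectory

# objectClass is written when the object is created, so its originating write
# gives the DC and time of creation (the data REPADMIN /SHOWOBJMETA displays).
$anyDc = (Get-ADDomainController).HostName
$meta  = Get-ADReplicationAttributeMetadata -Object $ObjectDN -Server $anyDc `
             -Properties objectClass
if ($meta.Version -ne 1) {
    Write-Warning "objectClass version is $($meta.Version); timestamp may not be the creation time."
}

# The originating server is reported as the DN of its NTDS Settings object.
# It is empty when that DC has since been demoted and cleaned up.
$ntds = $meta.LastOriginatingChangeDirectoryServerIdentity
if (-not $ntds) { throw 'Originating DC is no longer present in the configuration partition.' }
$server  = Get-ADObject -Identity ($ntds -replace '^CN=NTDS Settings,', '') `
               -Properties dNSHostName
$created = $meta.LastOriginatingChangeTime

# 4720/4741: user/computer account created (Account Management auditing).
# 5137: directory object created (Directory Service auditing plus a SACL).
$filter = @{
    LogName   = 'Security'
    Id        = 4720, 4741, 5137
    StartTime = $created.AddMinutes(-$WindowMinutes)
    EndTime   = $created.AddMinutes($WindowMinutes)
}
$events = Get-WinEvent -ComputerName $server.dNSHostName -FilterHashtable $filter `
              -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No creation events on $($server.dNSHostName) near $created (log rolled or auditing off)."
    return
}
$events | ForEach-Object {
    $d = @{}
    ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        EventId = $_.Id
        Actor   = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
        Target  = if ($d.ObjectDN) { $d.ObjectDN } else { $d.TargetUserName }
    }
}
```

If the Security log on the originating DC has already rolled past the creation time, as in the original question, the script returns only the warning; the metadata still gives the DC and timestamp to match against any forwarded or archived logs.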
