Ah. And the PDC versus non-PDC? Red Herring? Cross-contamination?  Crossed
the streams and the Stay Puft marshmallow man wasn't in sight. ;o) 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Tuesday, December 05, 2006 8:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Resending because I kept sending via the wrong account.

Okay, folks, I think I may have an answer to the behavior I've been seeing
with an account that is NOT a Domain Admin but IS an Administrator not
showing as the individual owner of the object when the policy is set to
"object creator".

The only thing I can think of is this- I've been doing this all via TS
connections. I'm not sure how I managed to do it, but I'm guessing that I
never actually logged off the TestLaura account after I removed it from
Domain Admins and made it a member of Administrators instead. I could have
sworn that I'd logged the darn thing off a whole buncha times, but that's
the only possibility that could explain why I was seeing the behavior I was
seeing. I feel like an idiot now. :-) (No agreement from the peanut gallery,
please; everybody has a bad day. I just tend to have mine very publicly.)

In any case, PLEASE DO NOT USE DOMAIN ADMIN ACCOUNTS FOR ROUTINE TASKS THAT
CAN BE PERFORMED USING NON-DA ACCOUNTS. (sorry, not yelling, just too lazy
to do pseudo-italics) None of this ownership stuff and policy changing has
any effect on accounts that are members of Domain Admins, only on accounts
that are members of the domain's Administrators group without being DAs. You
will still not be able to use ownership as a reliable indicator of object
creator REGARDLESS. Since object owners can *give* ownership to anybody they
desire (this has been possible since the NT days, just not exposed in the
GUI until post Win2K), there's nothing to guarantee that that hasn't been
done. If you want to know which user account was used to create objects in
the directory, use the event logs and auditing. Do not use object ownership.

Thank you very much, and we now return you to your regularly-scheduled
programming. I'm gonna go eat. 

:-D

Laura

P.S. There were a bunch of rambling posts I sent before this one, but I
think this one actually sums stuff up well enough, and I'm sure you're tired
of seeing posts from me at this point! :-)

To summarize: If you're not as dain bramaged as I am and you set the "System
Objects: Default owner..." policy to "object creator", accounts that are
members of Administrators but are NOT members of Domain Admins will show as
the initial owner of the objects they create. Accounts that are members of
Domain Admins will be unaffected by the policy.


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
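
Added example, not part of the original thread or written by its participants: a PowerShell sketch of the "use the event logs and auditing, not ownership" advice above, listing who created each directory object according to the Security log next to the owner currently stamped on the object. It assumes a domain controller running Windows Server 2008 or later with the ActiveDirectory module, the "Audit Directory Service Changes" subcategory enabled, and a SACL that audits child-object creation; event ID 5137 and its field names come from that auditing feature, not from the thread.

```powershell
# Added example: audited creator vs. current owner for AD objects.
# Assumptions: run on the DC where the objects were created (creation events
# are written to that DC's Security log), elevated, with directory service
# change auditing enabled. Event 5137 = "A directory service object was created".
Import-Module ActiveDirectory

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5137 } `
                       -ErrorAction SilentlyContinue

$report = foreach ($evt in $events) {
    # Flatten the event's named <Data> fields into a hashtable.
    $data = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    $dn      = $data['ObjectDN']
    $creator = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']

    # Owner as it stands now; the object may have been moved or deleted since.
    try   { $owner = (Get-Acl -Path ("AD:\" + $dn) -ErrorAction Stop).Owner }
    catch { $owner = '<object not found>' }

    [pscustomobject]@{
        Created      = $evt.TimeCreated
        ObjectDN     = $dn
        ObjectClass  = $data['ObjectClass']
        AuditCreator = $creator
        CurrentOwner = $owner
        OwnerMatches = ($owner -eq $creator)   # group owner or reassigned owner => False
    }
}

$report | Sort-Object Created | Format-Table -AutoSize
```

Rows where OwnerMatches is False are expected for Domain Admins-created objects (the owner is a group) and for any object whose ownership was later handed to someone else; the AuditCreator column is the one to trust.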
