RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-16 Thread joe
So what was the overall outcome here?
 
Did the PDC -vs not-PDC end up making a difference?
 
Administrators -vs- Domain Admins?
 
etc etc etc
 
 
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, December 05, 2006 8:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


Well, I've done some more testing and the results are interesting. 
 
In both instances I have the policy in place and set to Object Creator.
 

1. If the account used for AD object creation is a member of Domain
   Admins the owner is shown as Domain Admins.
2. If the account used for AD object creation is a member of
   Administrators the owner is shown as the account used to create the object.

 
Tony
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Wednesday, 6 December 2006 12:00 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


sorry to say, but I have different results...mailed them offline to Laura
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address

  _  

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 23:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


Just to make sure everybody understands what I am saying, I'm going to
summarize this one last time.
 
If I create an object in AD while I am logged on with an account that is a
member of Domain Admins, Domain Admins becomes the owner of the object. NOT
the Administrators group. NOT the object creator. DOMAIN ADMINS.
 
If I create an object in AD while I am logged in with an account that is NOT
a member of Domain Admins and IS a member of the built-in Administrators
group in Active Directory, DOMAIN ADMINS STILL becomes the owner of the
object. NOT Administrators, and NOT the object creator.
 
Period. End of story. The group policy setting System objects: Default
owner for objects created by members of the Administrators group DOES NOT
AFFECT DIRECTORY OBJECTS.
 
Test. It. Yourself. :-)
 
Laura


  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


just like I wrote it and tony confirmed it
 
do you have other experiences?
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address

  _  

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 21:17
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


Test what I wrote in my other response.


  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


which part?
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address

  _  

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 19:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


Have you tested this?


  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?



If you are member of ADMINISTRATORS directly or indirectly through a CUSTOM
group it will by default list ADMINISTRATORS. Changing the policy lists the
object creator.

If you are member of DOMAIN ADMINS also, it will list DOMAIN ADMINS…. Is
this what you mean?

 

If the latter is the case check with REPADMIN /SHOWOBJMETA on which DC the
object was created (also note the date and time). On the DC that is listed
as the originating DC for the account creation check the security log. If it
concerns SECURITY 

Re: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-06 Thread Mitch Reid

Thanks to all the work from Laura, Jorge and Tony.

Mitch


On 12/5/06, Tony Murray [EMAIL PROTECTED] wrote:


Well, I've done some more testing and the results are interesting.

In both instances I have the policy in place and set to Object Creator.


1. If the account used for AD object creation is a member of Domain
   Admins the owner is shown as Domain Admins.
2. If the account used for AD object creation is a member of
   Administrators the owner is shown as the account used to create the
   object.


Tony



_

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Wednesday, 6 December 2006 12:00 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


sorry to say, but I have different results...mailed them offline to Laura

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address

_

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 23:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


Just to make sure everybody understands what I am saying, I'm going to
summarize this one last time.

If I create an object in AD while I am logged on with an account that is a
member of Domain Admins, Domain Admins becomes the owner of the object. NOT
the Administrators group. NOT the object creator. DOMAIN ADMINS.

If I create an object in AD while I am logged in with an account that is NOT
a member of Domain Admins and IS a member of the built-in Administrators
group in Active Directory, DOMAIN ADMINS STILL becomes the owner of the
object. NOT Administrators, and NOT the object creator.

Period. End of story. The group policy setting System objects: Default
owner for objects created by members of the Administrators group DOES NOT
AFFECT DIRECTORY OBJECTS.

Test. It. Yourself. :-)

Laura


_

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


just like I wrote it and tony confirmed it

do you have other experiences?


Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address

_

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 21:17
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


Test what I wrote in my other response.


_

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


which part?


Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address

_

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 19:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


Have you tested this?


_

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?



If you are member of ADMINISTRATORS directly or indirectly through a CUSTOM
group it will by default list ADMINISTRATORS. Changing the policy lists the
object creator.

If you are member of DOMAIN ADMINS also, it will list DOMAIN ADMINS…. Is
this what you mean?

If the latter is the case check with REPADMIN /SHOWOBJMETA on which DC the
object was created (also note the date and time). On the DC that is listed
as the originating DC for the account creation check the security log. If it
concerns SECURITY PRINCIPAL objects you might be lucky if you have
configured Account Management for SUCCESS (also the default if I'm not
mistaken). If it concerns OTHER objects you are lucky if you have configured
directory service access for SUCCESS (also the default if I'm not mistaken)
AND you have configured one or more SACLs on objects or OUs with objects
that should be audited



jorge




_


From: [EMAIL PROTECTED]
[mailto:[EMAIL 

Re: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-05 Thread John Singler

in-line:

Mitch Reid wrote:
We had a few user accounts that were deleted and then recreated and 
nobody will take responsibility.

I used ADSIedit to verify the creation date/time.
 
While auditing is enabled, the Security log rolled and we missed the 
event (yes I know it's an issue).


Assuming you backup the server, specifically the event logs, you can 
restore the security event log from around the time of the creation.



Is there a way to see who created the user object?


Once you find the events (624) you will find who (Caller User Name) 
created it.


hth,

john
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
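
The procedure discussed in this thread (use REPADMIN /SHOWOBJMETA to find the originating DC and creation time, then look for event 624 and its Caller User Name in that DC's security log) can be sketched as follows. This is an added example, not code from any poster; the sample data is constructed, the column layout of the metadata listing and the flattened "Field: value" event records are assumptions, and both sources are assumed to report times in the same time zone.

```python
import re
from datetime import datetime, timedelta

TS = "%Y-%m-%d %H:%M:%S"

# Constructed sample: replication metadata of a recreated user (layout assumed).
SHOWOBJMETA = """\
Loc.USN   Originating DSA        Org.USN  Org.Time/Date        Ver Attribute
=======   ===============        =======  =============        === =========
  48211   HQ-Site\\DC02            48211  2006-12-01 14:32:10    1 objectClass
  48211   HQ-Site\\DC02            48211  2006-12-01 14:32:10    1 sAMAccountName
  51907   HQ-Site\\DC01            77120  2006-12-03 09:05:44    2 unicodePwd
"""

# Constructed sample: security events flattened to "Field: value" records.
# The first 624 is the original account, the second is the recreated one.
SECURITY_EVENTS = """\
Time: 2006-11-20 08:01:13
Computer: DC02
Event ID: 624
New Account Name: jdoe
Caller User Name: hr-provision
Caller Domain: CORP

Time: 2006-12-01 14:32:10
Computer: DC02
Event ID: 624
New Account Name: jdoe
Caller User Name: adm-kim
Caller Domain: CORP

Time: 2006-12-01 14:40:02
Computer: DC02
Event ID: 538
"""

ROW = re.compile(r"^\s*(\d+)\s+(.+?)\s+(\d+)\s+"
                 r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(\S+)\s*$")


def parse_showobjmeta(text):
    """Return one dict per attribute row; header and ruler lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"dsa": m.group(2),
                         "time": datetime.strptime(m.group(4), TS),
                         "version": int(m.group(5)),
                         "attribute": m.group(6)})
    return rows


def creation_origin(rows):
    """The earliest originating write marks the DC and time of creation."""
    first = min(rows, key=lambda r: r["time"])
    return first["dsa"].rsplit("\\", 1)[-1], first["time"]


def parse_events(text):
    """Split blank-line separated records into dicts with a parsed 'time'."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        rec["time"] = datetime.strptime(rec["Time"], TS)
        events.append(rec)
    return events


def find_creator(events, account, dc, created, window=timedelta(minutes=5)):
    """Return (status, caller) for the 624 event closest to the creation time."""
    on_dc = [e for e in events if e["Computer"].lower() == dc.lower()]
    if not on_dc:
        return ("no-log", None)            # no log from the originating DC
    hits = [e for e in on_dc
            if e["Event ID"] == "624"
            and e.get("New Account Name", "").lower() == account.lower()
            and abs(e["time"] - created) <= window]
    if hits:
        best = min(hits, key=lambda e: abs(e["time"] - created))
        return ("found", best["Caller Domain"] + "\\" + best["Caller User Name"])
    if min(e["time"] for e in on_dc) > created:
        return ("log-rolled", None)        # oldest record is newer than creation
    return ("not-audited", None)           # log covers the time, no 624 logged


if __name__ == "__main__":
    dc, created = creation_origin(parse_showobjmeta(SHOWOBJMETA))
    print(dc, created, find_creator(parse_events(SECURITY_EVENTS),
                                    "jdoe", dc, created))
```

A "log-rolled" result corresponds to the situation in the original question and points to restoring the security log from backup; "not-audited" means the log covers the creation time but holds no matching account-management event.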


RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-05 Thread Laura A. Robinson
I'd say that you should test it. Create and link a policy where you've set
system objects: default owner for objects created by members of the
administrators group to Object creator. Then create a user in AD and
check the ownership.
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 2:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


can you explain?
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address

   _  

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 01:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


Which will have no effect on the ownership of the directory objects.
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Monday, December 04, 2006 4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


look at the owner
 
if it lists ADMINISTRATORS, you might wanna change the security option in
the default DCs GPO which is called: system objects: default owner for
objects created by members of the administrators group
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address

   _  

From: [EMAIL PROTECTED] on behalf of Mitch Reid
Sent: Mon 2006-12-04 21:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is it possible to determine who created an AD object?


We had a few user accounts that were deleted and then recreated and nobody
will take responsibility.
I used ADSIedit to verify the creation date/time.
 
While auditing is enabled, the Security log rolled and we missed the event
(yes I know it's an issue).
 
Is there a way to see who created the user object?
 
 
Thanks, Mitch.


RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-05 Thread Almeida Pinto, Jorge de
If you are member of ADMINISTRATORS directly or indirectly through a
CUSTOM group it will by default list ADMINISTRATORS. Changing the policy
lists the object creator.

If you are member of DOMAIN ADMINS also, it will list DOMAIN ADMINS
Is this what you mean?

 

If the latter is the case check with REPADMIN /SHOWOBJMETA on which DC
the object was created (also note the date and time). On the DC that is
listed as the originating DC for the account creation check the security
log. If it concerns SECURITY PRINCIPAL objects you might be lucky if
you have configured Account Management for SUCCESS (also the default if
I'm not mistaken). If it concerns OTHER objects you are lucky if you
have configured directory service access for SUCCESS (also the default
if I'm not mistaken) AND you have configured one or more SACLs on
objects or OUs with objects that should be audited

 

jorge

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: dinsdag 5 december 2006 18:20
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?

 

I'd say that you should test it. Create and link a policy where you've
set system objects: default owner for objects created by members of the
administrators group to Object creator. Then create a user in AD and
check the ownership.

 

Laura

 





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 2:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created
an AD object?


can you explain?

 

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services

 

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

*  Tel : +31-(0)40-29.57.777

* Mobile : +31-(0)6-26.26.62.80

* E-mail  : see sender address

 





From: [EMAIL PROTECTED] on behalf of Laura A.
Robinson
Sent: Tue 2006-12-05 01:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created
an AD object?

Which will have no effect on the ownership of the directory
objects.

 

Laura

 





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Monday, December 04, 2006 4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who
created an AD object?

look at the owner

 

if it lists ADMINISTRATORS, you might wanna change the
security option in the default DCs GPO which is called: system objects:
default owner for objects created by members of the administrators
group

 

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services

 

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

*   Tel : +31-(0)40-29.57.777

*   Mobile : +31-(0)6-26.26.62.80

*   E-mail : see sender address

 





From: [EMAIL PROTECTED] on behalf of
Mitch Reid
Sent: Mon 2006-12-04 21:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is it possible to determine who
created an AD object?


We had a few user accounts that were deleted and then
recreated and nobody will take responsibility.

I used ADSIedit to verify the creation date/time.

 

While auditing is enabled, the Security log rolled and
we missed the event (yes I know it's an issue).

 

Is there a way to see who created the user object?

 

 

Thanks, Mitch.


RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-05 Thread Laura A. Robinson
Have you tested this?


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?



If you are member of ADMINISTRATORS directly or indirectly through a CUSTOM
group it will by default list ADMINISTRATORS. Changing the policy lists the
object creator.

If you are member of DOMAIN ADMINS also, it will list DOMAIN ADMINS…. Is
this what you mean?

If the latter is the case check with REPADMIN /SHOWOBJMETA on which DC the
object was created (also note the date and time). On the DC that is listed
as the originating DC for the account creation check the security log. If it
concerns SECURITY PRINCIPAL objects you might be lucky if you have
configured Account Management for SUCCESS (also the default if I'm not
mistaken). If it concerns OTHER objects you are lucky if you have configured
directory service access for SUCCESS (also the default if I'm not mistaken)
AND you have configured one or more SACLs on objects or OUs with objects
that should be audited

 

jorge

 


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: dinsdag 5 december 2006 18:20
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?

 

I'd say that you should test it. Create and link a policy where you've set
system objects: default owner for objects created by members of the
administrators group to Object creator. Then create a user in AD and
check the ownership.

 

Laura

 


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 2:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


can you explain?

 

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services

 

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

*  Tel : +31-(0)40-29.57.777

* Mobile : +31-(0)6-26.26.62.80

* E-mail  : see sender address

 


   _  


From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 01:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?

Which will have no effect on the ownership of the directory objects.

 

Laura

 


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Monday, December 04, 2006 4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?

look at the owner

 

if it lists ADMINISTRATORS, you might wanna change the security option in
the default DCs GPO which is called: system objects: default owner for
objects created by members of the administrators group

 

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services

 

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

*   Tel : +31-(0)40-29.57.777

*   Mobile : +31-(0)6-26.26.62.80

*   E-mail : see sender address

 


   _  


From: [EMAIL PROTECTED] on behalf of Mitch Reid
Sent: Mon 2006-12-04 21:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is it possible to determine who created an AD object?


We had a few user accounts that were deleted and then recreated and nobody
will take responsibility.

I used ADSIedit to verify the creation date/time.

 

While auditing is enabled, the Security log rolled and we missed the event
(yes I know it's an issue).

 

Is there a way to see who created the user object?

 

 

Thanks, Mitch.


RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-05 Thread Almeida Pinto, Jorge de
which part?
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 19:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?


Have you tested this?




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida 
Pinto, Jorge de
Sent: Tuesday, December 05, 2006 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD 
object?



If you are member of ADMINISTRATORS directly or indirectly through a 
CUSTOM group it will by default list ADMINISTRATORS. Changing the policy lists 
the object creator.

If you are member of DOMAIN ADMINS also, it will list DOMAIN
ADMINS…. Is this what you mean?

If the latter is the case check with REPADMIN /SHOWOBJMETA on which DC
the object was created (also note the date and time). On the DC that is listed
as the originating DC for the account creation check the security log. If it
concerns SECURITY PRINCIPAL objects you might be lucky if you have configured
Account Management for SUCCESS (also the default if I'm not mistaken).
If it concerns OTHER objects you are lucky if you have configured directory
service access for SUCCESS (also the default if I'm not mistaken) AND
you have configured one or more SACLs on objects or OUs with objects that
should be audited

 

jorge

 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. 
Robinson
Sent: dinsdag 5 december 2006 18:20
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD 
object?

 

I'd say that you should test it. Create and link a policy where you've 
set system objects: default owner for objects created by members of the 
administrators group to Object creator. Then create a user in AD and check 
the ownership.

 

Laura

 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
Almeida Pinto, Jorge de
Sent: Tuesday, December 05, 2006 2:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who 
created an AD object?


can you explain?

 

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services

 

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

*  Tel : +31-(0)40-29.57.777

* Mobile : +31-(0)6-26.26.62.80

* E-mail  : see sender address

 





From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 01:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who 
created an AD object?

Which will have no effect on the ownership of the directory 
objects.

 

Laura

 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
Behalf Of Almeida Pinto, Jorge de
Sent: Monday, December 04, 2006 4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine 
who created an AD object?

look at the owner

 

if it lists ADMINISTRATORS, you might wanna change the 
security option in the default DCs GPO which is called: system objects: 
default owner for objects created by members of the administrators group

 

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services

 

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

*   Tel : +31-(0)40-29.57.777

*   

RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-05 Thread Tony Murray

I did Laura's test (the thread was wearing me down ;-)).

Even with the policy set to Object Creator it still shows Domain Admins as 
the owner if I create an object with an account that is member of Domain 
Admins.  In my case the Domain Admins group is a member of the built-in 
Administrators group.  This means that I saw the option in the security tab to 
change the ownership from Domain Admins to either Administrators or the account 
I was logged in with.

The conclusion is that you can't use this policy to change the behaviour for AD 
accounts.  Might be different for local accounts on member servers and 
workstations - but I haven't tested this.

Tony
-- Original Message --
From: Laura A. Robinson [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date:  Tue, 05 Dec 2006 13:44:47 -0500

Have you tested this?


   _

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?



If you are member of ADMINISTRATORS directly or indirectly through a CUSTOM
group it will by default list ADMINISTRATORS. Changing the policy lists the
object creator.

If you are member of DOMAIN ADMINS also, it will list DOMAIN ADMINS…. Is
this what you mean?

If the latter is the case check with REPADMIN /SHOWOBJMETA on which DC the
object was created (also note the date and time). On the DC that is listed
as the originating DC for the account creation check the security log. If it
concerns SECURITY PRINCIPAL objects you might be lucky if you have
configured Account Management for SUCCESS (also the default if I'm not
mistaken). If it concerns OTHER objects you are lucky if you have configured
directory service access for SUCCESS (also the default if I'm not mistaken)
AND you have configured one or more SACLs on objects or OUs with objects
that should be audited



jorge




   _


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: dinsdag 5 december 2006 18:20
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?



I'd say that you should test it. Create and link a policy where you've set
system objects: default owner for objects created by members of the
administrators group to Object creator. Then create a user in AD and
check the ownership.



Laura




   _


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 2:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


can you explain?



Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services



LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

*  Tel : +31-(0)40-29.57.777

* Mobile : +31-(0)6-26.26.62.80

* E-mail  : see sender address




   _


From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 01:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?

Which will have no effect on the ownership of the directory objects.



Laura




   _


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Monday, December 04, 2006 4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?

look at the owner



if it lists ADMINISTRATORS, you might wanna change the security option in
the default DCs GPO which is called: system objects: default owner for
objects created by members of the administrators group



Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services



LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

*   Tel : +31-(0)40-29.57.777

*   Mobile : +31-(0)6-26.26.62.80

*   E-mail : see sender address




   _


From: [EMAIL PROTECTED] on behalf of Mitch Reid
Sent: Mon 2006-12-04 21:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is it possible to determine who created an AD object?


We had a few user accounts that were deleted and then recreated and nobody
will take responsibility.

I used ADSIedit to verify the creation date/time.



While auditing is enabled, the Security log rolled and we missed the event
(yes I know it's an issue).



Is there a way to see who created the user object?





Thanks, Mitch.

This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an
intended 

RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-05 Thread Laura A. Robinson
Test what I wrote in my other response.


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


which part?
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address

   _  

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 19:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


Have you tested this?


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?



If you are member of ADMINISTRATORS directly or indirectly through a CUSTOM
group it will by default list ADMINISTRATORS. Changing the policy lists the
object creator.

If you are member of DOMAIN ADMINS also, it will list DOMAIN ADMINS…. Is
this what you mean?

 

If the latter is the case check with REPADMIN /SHOWOBJMETA on which DC the
object was created (also note the date and time). On the DC that is listed
as the originating DC for the account creation check the security log. If it
concerns SECURITY PRINCIPAL objects you might be lucky if you have
configured Account Management for SUCCESS (also the default if I'm not
mistaken). If it concerns OTHER objects you are lucky if you have configured
directory service access for SUCCESS (also the default if I'm not
mistaken) AND you have configured one or more SACLs on objects or OUs with
objects that should be audited

 

jorge

 


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Tuesday, 5 December 2006 18:20
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?

 

I'd say that you should test it. Create and link a policy where you've set
system objects: default owner for objects created by members of the
administrators group to Object creator. Then create a user in AD and
check the ownership.

 

Laura

 


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 2:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


can you explain?

 

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services

 

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

*  Tel : +31-(0)40-29.57.777

* Mobile : +31-(0)6-26.26.62.80

* E-mail  : see sender address

 


   _  


From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 01:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?

Which will have no effect on the ownership of the directory objects.

 

Laura

 


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Monday, December 04, 2006 4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?

look at the owner

 

if it lists ADMINISTRATORS, you might wanna change the security option in
the default DCs GPO which is called: system objects: default owner for
objects created by members of the administrators group

 

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services

 

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

*   Tel : +31-(0)40-29.57.777

*   Mobile : +31-(0)6-26.26.62.80

*   E-mail : see sender address

 


   _  


From: [EMAIL PROTECTED] on behalf of Mitch Reid
Sent: Mon 2006-12-04 21:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is it possible to determine who created an AD object?


We had a few user accounts that were deleted and then recreated and nobody
will take responsibility.

I used ADSIedit to verify the creation date/time.

 

While auditing is enabled, the Security log rolled and we missed the event
(yes I know it's an issue).

 

Is there a way to see who created the user object?

 

 

Thanks, Mitch.

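The REPADMIN /SHOWOBJMETA step quoted in the message above, as an added example that is not from any poster in this thread: it parses the metadata listing to find the originating DC and creation time, then gives the Security log window and the audit category to check on that DC. The sample output, the DC names, the choice of create-time attributes and the five-minute slack are assumptions; times are used as printed, with no time zone conversion.

```python
import re
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample in the column layout of
# `repadmin /showobjmeta <DC> "<object DN>"`; names, USNs and times are made up.
SAMPLE = r"""
Loc.USN                           Originating DSA  Org.USN  Org.Time/Date        Ver Attribute
=======                           =============== ========= =============        === =========
  48211            Default-First-Site-Name\DC02     91377 2006-12-01 16:42:07    1 objectClass
  48211            Default-First-Site-Name\DC02     91377 2006-12-01 16:42:07    1 cn
  48211            Default-First-Site-Name\DC02     91377 2006-12-01 16:42:07    1 instanceType
  48211            Default-First-Site-Name\DC02     91377 2006-12-01 16:42:07    1 whenCreated
  48305            Default-First-Site-Name\DC01     77102 2006-12-03 09:15:44    3 unicodePwd
  48305            Default-First-Site-Name\DC01     77102 2006-12-03 09:15:44    2 pwdLastSet
  48211            Default-First-Site-Name\DC02     91377 2006-12-01 16:42:07    1 sAMAccountName
"""

# One metadata row: local USN, originating DSA, originating USN, time, version, attribute.
ROW = re.compile(
    r"^\s*(?P<loc_usn>\d+)\s+(?P<dsa>\S.*?)\s+(?P<org_usn>\d+)\s+"
    r"(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<ver>\d+)\s+(?P<attr>\S+)\s*$"
)

# Assumption: these attributes are stamped once, when the object is created,
# so their version-1 metadata still names the DC that originated the create.
CREATE_ATTRS = {"objectClass", "instanceType", "whenCreated"}

# Object classes treated as security principals when choosing the audit category.
SECURITY_PRINCIPALS = {"user", "computer", "group", "inetorgperson"}


class Origin(NamedTuple):
    dsa: str          # originating DC as printed (Site\DC)
    when: datetime    # originating time as printed


def parse_rows(text):
    """Return one dict per metadata row; header and ruler lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({
                "dsa": m["dsa"],
                "when": datetime.strptime(m["when"], "%Y-%m-%d %H:%M:%S"),
                "ver": int(m["ver"]),
                "attr": m["attr"],
            })
    return rows


def creation_origin(text):
    """Find the DC and time that originated the object's creation."""
    created = [r for r in parse_rows(text)
               if r["attr"] in CREATE_ATTRS and r["ver"] == 1]
    if not created:
        raise ValueError("no version-1 create-time attribute found")
    origins = {(r["dsa"], r["when"]) for r in created}
    if len(origins) != 1:
        # Create-time attributes should agree; if not, review the rows by hand.
        raise ValueError(f"create-time attributes disagree: {sorted(origins)}")
    return Origin(*origins.pop())


def log_window(origin, slack_minutes=5):
    """Time range to search in the originating DC's Security log."""
    slack = timedelta(minutes=slack_minutes)
    return origin.when - slack, origin.when + slack


def audit_category(object_class):
    """Which audit setting must have been on for the creation to be logged."""
    if object_class.lower() in SECURITY_PRINCIPALS:
        return "Account Management (Success)"
    return "Directory Service Access (Success) plus a SACL on the object or its OU"


if __name__ == "__main__":
    origin = creation_origin(SAMPLE)
    start, end = log_window(origin)
    print(f"Originating DC : {origin.dsa}")
    print(f"Search window  : {start} to {end}")
    print(f"Audit category : {audit_category('user')}")
```

If the Security log on the originating DC no longer covers that window, as in the original question, this narrows the search but cannot recover the event.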

RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-05 Thread Laura A. Robinson
DING DING DING!!! WE HAVE A WINNER!

System Object != Directory Object.

If you're really feeling like having fun, test this out with file system
objects and with messing around with Domain Admins versus Administrators
membership. Okay, maybe not everybody finds that fun. Never mind. :-)

Laura 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
 Sent: Tuesday, December 05, 2006 3:12 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is it possible to determine who 
 created an AD object?
 
 
 I did Laura's test (the thread was wearing me down ;-)).
 
 Even with the policy set to Object Creator it still shows 
 Domain Admins as the owner if I create an object with an 
 account that is member of Domain Admins.  In my case the 
 Domain Admins group is a member of the built-in 
 Administrators group.  This means that I saw the option in 
 the security tab to change the ownership from Domain Admins 
 to either Administrators or the account I was logged in with.
 
 The conclusion is that you can't use this policy to change 
 the behaviour for AD accounts.  Might be different for local 
 accounts on member servers and workstations - but I haven't 
 tested this.
 
 Tony
 -- Original Message --
 From: Laura A. Robinson [EMAIL PROTECTED]
 Reply-To: ActiveDir@mail.activedir.org
 Date:  Tue, 05 Dec 2006 13:44:47 -0500
 
 Have you tested this?
 
 
_  
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Almeida Pinto, Jorge de
 Sent: Tuesday, December 05, 2006 12:53 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is it possible to determine who 
 created an AD object?
 
 
 
 If you are member of ADMINISTRATORS directly or indirectly 
 through a CUSTOM group it will by default list 
 ADMINISTRATORS. Changing the policy lists the object creator.
 
 If you are member of DOMAIN ADMINS also, it will list DOMAIN 
 ADMINS…. Is this what you mean?
 
  
 
 If the latter is the case check with REPADMIN /SHOWOBJMETA on 
 which DC the object was created (also note the date and 
 time). On the DC that is listed as the originating DC for the 
 account creation check the security log. If it concerns 
 SECURITY PRINCIPAL objects you might be lucky if you have
 configured Account Management for SUCCESS (also the default
 if I'm not mistaken). If it concerns OTHER objects you are
 lucky if you have configured directory service access for
 SUCCESS (also the default if I'm not mistaken) AND you have
 configured one or more SACLs on objects or OUs with objects
 that should be audited
 
  
 
 jorge
 
  
 
 
_  
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Laura A. Robinson
 Sent: Tuesday, 5 December 2006 18:20
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is it possible to determine who 
 created an AD object?
 
  
 
 I'd say that you should test it. Create and link a policy 
 where you've set system objects: default owner for objects 
 created by members of the administrators group to Object 
 creator. Then create a user in AD and check the ownership.
 
  
 
 Laura
 
  
 
 
_  
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Almeida Pinto, Jorge de
 Sent: Tuesday, December 05, 2006 2:25 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is it possible to determine who 
 created an AD object?
 
 
 can you explain?
 
  
 
 Met vriendelijke groeten / Kind regards,
 
 Ing. Jorge de Almeida Pinto
 
 Senior Infrastructure Consultant
 
 MVP Windows Server - Directory Services
 
  
 
 LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
 
 *  Tel : +31-(0)40-29.57.777
 
 * Mobile : +31-(0)6-26.26.62.80
 
 * E-mail  : see sender address
 
  
 
 
_  
 
 
 From: [EMAIL PROTECTED] on behalf of Laura 
 A. Robinson
 Sent: Tue 2006-12-05 01:45
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is it possible to determine who 
 created an AD object?
 
 Which will have no effect on the ownership of the directory objects.
 
  
 
 Laura
 
  
 
 
_  
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Almeida Pinto, Jorge de
 Sent: Monday, December 04, 2006 4:17 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is it possible to determine who 
 created an AD object?
 
 look at the owner
 
  
 
 if it lists ADMINISTRATORS, you might wanna change the 
 security option in the default DCs GPO which is called: 
 system objects: default owner for objects created by members 
 of the administrators group
 
  
 
 Met vriendelijke groeten / Kind regards,
 
 Ing. Jorge de Almeida Pinto
 
 Senior Infrastructure Consultant
 
 MVP Windows Server - Directory Services
 
  
 
 LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
 
 *   Tel : +31-(0)40-29.57.777
 
 *   Mobile : +31-(0)6-26.26.62.80
 
 *   E-mail : see sender address
 
  
 
 
_  
 
 
 From: 

RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-05 Thread Almeida Pinto, Jorge de
just like I wrote it and tony confirmed it
 
do you have other experiences?
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 21:17
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?


Test what I wrote in my other response.




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida 
Pinto, Jorge de
Sent: Tuesday, December 05, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD 
object?


which part?
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 19:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD 
object?


Have you tested this?




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
Almeida Pinto, Jorge de
Sent: Tuesday, December 05, 2006 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who 
created an AD object?



If you are member of ADMINISTRATORS directly or indirectly 
through a CUSTOM group it will by default list ADMINISTRATORS. Changing the 
policy lists the object creator.

If you are member of DOMAIN ADMINS also, it will list DOMAIN 
ADMINS…. Is this what you mean?

 

If the latter is the case check with REPADMIN /SHOWOBJMETA on 
which DC the object was created (also note the date and time). On the DC that 
is listed as the originating DC for the account creation check the security 
log. If it concerns SECURITY PRINCIPAL objects you might be lucky if you have
configured Account Management for SUCCESS (also the default if I'm not
mistaken). If it concerns OTHER objects you are lucky if you have configured
directory service access for SUCCESS (also the default if I'm not
mistaken) AND you have configured one or more SACLs on objects or OUs with
objects that should be audited

 

jorge

 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
Laura A. Robinson
Sent: Tuesday, 5 December 2006 18:20
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who 
created an AD object?

 

I'd say that you should test it. Create and link a policy where 
you've set system objects: default owner for objects created by members of the 
administrators group to Object creator. Then create a user in AD and check 
the ownership.

 

Laura

 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, December 05, 2006 2:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine 
who created an AD object?


can you explain?

 

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services

 

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

*  Tel : +31-(0)40-29.57.777

* Mobile : +31-(0)6-26.26.62.80

* E-mail  : see sender address

 





From: [EMAIL PROTECTED] on behalf of Laura A. Robinson

RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-05 Thread Laura A. Robinson
BTW, speaking strictly about directory objects, if you use an account that
is NOT a member of Domain Admins but IS a member of Administrators (DLG),
the ownership of the object works exactly the same way as it does if the
account is a member of Domain Admins and not a direct member of
Administrators.

File system objects are still a bit different. :-)

Laura 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
 Sent: Tuesday, December 05, 2006 3:12 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is it possible to determine who 
 created an AD object?
 
 
 I did Laura's test (the thread was wearing me down ;-)).
 
 Even with the policy set to Object Creator it still shows 
 Domain Admins as the owner if I create an object with an 
 account that is member of Domain Admins.  In my case the 
 Domain Admins group is a member of the built-in 
 Administrators group.  This means that I saw the option in 
 the security tab to change the ownership from Domain Admins 
 to either Administrators or the account I was logged in with.
 
 The conclusion is that you can't use this policy to change 
 the behaviour for AD accounts.  Might be different for local 
 accounts on member servers and workstations - but I haven't 
 tested this.
 
 Tony
 -- Original Message --
 From: Laura A. Robinson [EMAIL PROTECTED]
 Reply-To: ActiveDir@mail.activedir.org
 Date:  Tue, 05 Dec 2006 13:44:47 -0500
 
 Have you tested this?
 
 
_  
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Almeida Pinto, Jorge de
 Sent: Tuesday, December 05, 2006 12:53 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is it possible to determine who 
 created an AD object?
 
 
 
 If you are member of ADMINISTRATORS directly or indirectly 
 through a CUSTOM group it will by default list 
 ADMINISTRATORS. Changing the policy lists the object creator.
 
 If you are member of DOMAIN ADMINS also, it will list DOMAIN 
 ADMINS…. Is this what you mean?
 
  
 
 If the latter is the case check with REPADMIN /SHOWOBJMETA on 
 which DC the object was created (also note the date and 
 time). On the DC that is listed as the originating DC for the 
 account creation check the security log. If it concerns 
 SECURITY PRINCIPAL objects you might be lucky if you have
 configured Account Management for SUCCESS (also the default
 if I'm not mistaken). If it concerns OTHER objects you are
 lucky if you have configured directory service access for
 SUCCESS (also the default if I'm not mistaken) AND you have
 configured one or more SACLs on objects or OUs with objects
 that should be audited
 
  
 
 jorge
 
  
 
 
_  
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Laura A. Robinson
 Sent: Tuesday, 5 December 2006 18:20
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is it possible to determine who 
 created an AD object?
 
  
 
 I'd say that you should test it. Create and link a policy 
 where you've set system objects: default owner for objects 
 created by members of the administrators group to Object 
 creator. Then create a user in AD and check the ownership.
 
  
 
 Laura
 
  
 
 
_  
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Almeida Pinto, Jorge de
 Sent: Tuesday, December 05, 2006 2:25 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is it possible to determine who 
 created an AD object?
 
 
 can you explain?
 
  
 
 Met vriendelijke groeten / Kind regards,
 
 Ing. Jorge de Almeida Pinto
 
 Senior Infrastructure Consultant
 
 MVP Windows Server - Directory Services
 
  
 
 LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
 
 *  Tel : +31-(0)40-29.57.777
 
 * Mobile : +31-(0)6-26.26.62.80
 
 * E-mail  : see sender address
 
  
 
 
_  
 
 
 From: [EMAIL PROTECTED] on behalf of Laura 
 A. Robinson
 Sent: Tue 2006-12-05 01:45
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is it possible to determine who 
 created an AD object?
 
 Which will have no effect on the ownership of the directory objects.
 
  
 
 Laura
 
  
 
 
_  
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Almeida Pinto, Jorge de
 Sent: Monday, December 04, 2006 4:17 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is it possible to determine who 
 created an AD object?
 
 look at the owner
 
  
 
 if it lists ADMINISTRATORS, you might wanna change the 
 security option in the default DCs GPO which is called: 
 system objects: default owner for objects created by members 
 of the administrators group
 
  
 
 Met vriendelijke groeten / Kind regards,
 
 Ing. Jorge de Almeida Pinto
 
 Senior Infrastructure Consultant
 
 MVP Windows Server - Directory Services
 
  
 
 LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
 
 *   Tel : +31-(0)40-29.57.777
 
 *   Mobile : +31-(0)6-26.26.62.80
 
 

RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-05 Thread Laura A. Robinson
No, Jorge, Tony did not confirm what you wrote, he confirmed what I wrote in
my very first reply to you in this thread. I quote: Even with the policy
set to Object Creator it still shows Domain Admins as the owner if I
create an object with an account that is member of Domain Admins. 

 The policy you reference HAS NO EFFECT on directory objects. No matter what
that policy is set to, the owner of any directory object created by a member
of Domain Admins and/or Administrators IS OWNED BY DOMAIN ADMINISTRATORS-
NOT the Object creator.

Again, I would encourage you to test this yourself. One of the things I
always do is to test things before I make assertions about them, and
sometimes I don't really have a clear understanding until I test something
myself and see how it actually works. I think that if you test this out,
you'll find that you may currently misunderstand the policy and what it
affects.
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


just like I wrote it and tony confirmed it
 
do you have other experiences?
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address

   _  

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 21:17
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


Test what I wrote in my other response.


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


which part?
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address

   _  

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 19:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


Have you tested this?


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?



If you are member of ADMINISTRATORS directly or indirectly through a CUSTOM
group it will by default list ADMINISTRATORS. Changing the policy lists the
object creator.

If you are member of DOMAIN ADMINS also, it will list DOMAIN ADMINS…. Is
this what you mean?

 

If the latter is the case check with REPADMIN /SHOWOBJMETA on which DC the
object was created (also note the date and time). On the DC that is listed
as the originating DC for the account creation check the security log. If it
concerns SECURITY PRINCIPAL objects you might be lucky if you have
configured Account Management for SUCCESS (also the default if I'm not
mistaken). If it concerns OTHER objects you are lucky if you have configured
directory service access for SUCCESS (also the default if I'm not
mistaken) AND you have configured one or more SACLs on objects or OUs with
objects that should be audited

 

jorge

 


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Tuesday, 5 December 2006 18:20
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?

 

I'd say that you should test it. Create and link a policy where you've set
system objects: default owner for objects created by members of the
administrators group to Object creator. Then create a user in AD and
check the ownership.

 

Laura

 


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 2:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


can you explain?

 

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services

 

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

*  Tel : +31-(0)40-29.57.777

* Mobile : +31-(0)6-26.26.62.80

* E-mail  : see sender address

 


   _  


From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 01:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it 

RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-05 Thread Laura A. Robinson
Just to make sure everybody understands what I am saying, I'm going to
summarize this one last time.
 
If I create an object in AD while I am logged on with an account that is a
member of Domain Admins, Domain Admins becomes the owner of the object. NOT
the Administrators group. NOT the object creator. DOMAIN ADMINS.
 
If I create an object in AD while I am logged in with an account that is NOT
a member of Domain Admins and IS a member of the built-in Administrators
group in Active Directory, DOMAIN ADMINS STILL becomes the owner of the
object. NOT Administrators, and NOT the object creator.
 
Period. End of story. The group policy setting System objects: Default
owner for objects created by members of the Administrators group DOES NOT
AFFECT DIRECTORY OBJECTS.
 
Test. It. Yourself. :-)
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


just like I wrote it and tony confirmed it
 
do you have other experiences?
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address

   _  

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 21:17
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


Test what I wrote in my other response.


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


which part?
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address

   _  

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 19:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


Have you tested this?


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?



If you are member of ADMINISTRATORS directly or indirectly through a CUSTOM
group it will by default list ADMINISTRATORS. Changing the policy lists the
object creator.

If you are member of DOMAIN ADMINS also, it will list DOMAIN ADMINS…. Is
this what you mean?

 

If the latter is the case check with REPADMIN /SHOWOBJMETA on which DC the
object was created (also note the date and time). On the DC that is listed
as the originating DC for the account creation check the security log. If it
concerns SECURITY PRINCIPAL objects you might be lucky if you have
configured Account Management for SUCCESS (also the default if I'm not
mistaken). If it concerns OTHER objects you are lucky if you have configured
directory service access for SUCCESS (also the default if I'm not
mistaken) AND you have configured one or more SACLs on objects or OUs with
objects that should be audited

 

jorge

 


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Tuesday, 5 December 2006 18:20
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?

 

I'd say that you should test it. Create and link a policy where you've set
system objects: default owner for objects created by members of the
administrators group to Object creator. Then create a user in AD and
check the ownership.

 

Laura

 


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 2:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


can you explain?

 

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services

 

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

*  Tel : +31-(0)40-29.57.777

* Mobile : +31-(0)6-26.26.62.80

* E-mail  : see sender address

 


   _  


From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 01:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?

Which will have no effect on the ownership of the directory 

RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-05 Thread Almeida Pinto, Jorge de
oh, and yes I did test it and got the results I mentioned earlier...when not a 
member of DA but a member of Adms it lists the object creator after changing 
the policy
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 22:48
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?



BTW, speaking strictly about directory objects, if you use an account that
is NOT a member of Domain Admins but IS a member of Administrators (DLG),
the ownership of the object works exactly the same way as it does if the
account is a member of Domain Admins and not a direct member of
Administrators.

File system objects are still a bit different. :-)

Laura

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
 Sent: Tuesday, December 05, 2006 3:12 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is it possible to determine who
 created an AD object?


 I did Laura's test (the thread was wearing me down ;-)).

 Even with the policy set to Object Creator it still shows
 Domain Admins as the owner if I create an object with an
 account that is member of Domain Admins.  In my case the
 Domain Admins group is a member of the built-in
 Administrators group.  This means that I saw the option in
 the security tab to change the ownership from Domain Admins
 to either Administrators or the account I was logged in with.

 The conclusion is that you can't use this policy to change
 the behaviour for AD accounts.  Might be different for local
 accounts on member servers and workstations - but I haven't
 tested this.

 Tony
 -- Original Message --
 From: Laura A. Robinson [EMAIL PROTECTED]
 Reply-To: ActiveDir@mail.activedir.org
 Date:  Tue, 05 Dec 2006 13:44:47 -0500

 Have you tested this?


_ 

 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Almeida Pinto, Jorge de
 Sent: Tuesday, December 05, 2006 12:53 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is it possible to determine who
 created an AD object?



 If you are member of ADMINISTRATORS directly or indirectly
 through a CUSTOM group it will by default list
 ADMINISTRATORS. Changing the policy lists the object creator.

 If you are member of DOMAIN ADMINS also, it will list DOMAIN
 ADMINS…. Is this what you mean?

 

 If the latter is the case check with REPADMIN /SHOWOBJMETA on
 which DC the object was created (also note the date and
 time). On the DC that is listed as the originating DC for the
 account creation check the security log. If it concerns
 SECURITY PRINCIPAL objects you might be lucky if you have
 configured Account Management for SUCCESS (also the default
 if I'm not mistaken). If it concerns OTHER objects you are
 lucky if you have configured directory service access for
 SUCCESS (also the default if I'm not mistaken) AND you have
 configured one or more SACLs on objects or OUs with objects
 that should be audited

 

 jorge

 


_ 


 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Laura A. Robinson
 Sent: dinsdag 5 december 2006 18:20
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is it possible to determine who
 created an AD object?

 

 I'd say that you should test it. Create and link a policy
 where you've set system objects: default owner for objects
 created by members of the administrators group to Object
 creator. Then create a user in AD and check the ownership.

 

 Laura

 


_ 


 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Almeida Pinto, Jorge de
 Sent: Tuesday, December 05, 2006 2:25 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is it possible to determine who
 created an AD object?


 can you explain?

 

 Met vriendelijke groeten / Kind regards,

 Ing. Jorge de Almeida Pinto

 Senior Infrastructure Consultant

 MVP Windows Server - Directory Services

 

 LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

 *  Tel : +31-(0)40-29.57.777

 * Mobile : +31-(0)6-26.26.62.80

 * E-mail  : see sender address

 


_ 


 From: [EMAIL PROTECTED] on behalf of Laura
 A. Robinson
 Sent: Tue 2006-12-05 01:45
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is it possible to determine who
 created an AD object?

 Which will have no effect on the ownership of the directory objects.

 

 Laura

 


_ 


 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Almeida Pinto, Jorge de
 Sent: Monday, December 04, 2006 4:17 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: 

RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-05 Thread Almeida Pinto, Jorge de
sorry to say, but I have different results...mailed them offline to Laura
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 23:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?


Just to make sure everybody understands what I am saying, I'm going to 
summarize this one last time.
 
If I create an object in AD while I am logged on with an account that is a 
member of Domain Admins, Domain Admins becomes the owner of the object. NOT the 
Administrators group. NOT the object creator. DOMAIN ADMINS.
 
If I create an object in AD while I am logged in with an account that is NOT a 
member of Domain Admins and IS a member of the built-in Administrators group in 
Active Directory, DOMAIN ADMINS STILL becomes the owner of the object. NOT 
Administrators, and NOT the object creator.
 
Period. End of story. The group policy setting System objects: Default owner 
for objects created by members of the Administrators group DOES NOT AFFECT 
DIRECTORY OBJECTS.
 
Test. It. Yourself. :-)
 
Laura




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida 
Pinto, Jorge de
Sent: Tuesday, December 05, 2006 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD 
object?


just like I wrote it and tony confirmed it
 
do you have other experiences?
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 21:17
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD 
object?


Test what I wrote in my other response.




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
Almeida Pinto, Jorge de
Sent: Tuesday, December 05, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who 
created an AD object?


which part?
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 19:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who 
created an AD object?


Have you tested this?




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, December 05, 2006 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine 
who created an AD object?



If you are member of ADMINISTRATORS directly or 
indirectly through a CUSTOM group it will by default list ADMINISTRATORS. 
Changing the policy lists the object creator.

If you are member of DOMAIN ADMINS also, it will list 
DOMAIN ADMINS…. Is this what you mean?

 

If the latter is the case check with REPADMIN 
/SHOWOBJMETA on which DC the object was created (also note the date and time). 
On the DC that is listed as the originating DC for the account creation check 
the security log. If it concerns SECURITY PRINCIPAL objects you might be lucky 
if you have configured Account Management for SUCCESS (also the default if 
I'm not 

RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-05 Thread Laura A. Robinson
Yaargh. Now I started messing around further, because when I first tested
this when this thread began so as to verify my rather rusty recollection, my
recollection was that it worked as Jorge outlined (only for accounts that
are members of the Administrators group in the domain and not for Domain
Admins). At that time, I found the behavior I've listed, which I attributed
to my misremembering the functionality of that setting. I tried it over and
over again in various permutations because I could have sworn that it didn't
work that way before. Over and over I got the results I mentioned below,
which is why I kept pushing for somebody to test it. 
 
Now, however, Jorge got me thinking again, and I started testing this yet
again (I swear, this is about the twentieth time I've done this in two or
three days). Ready for the fluke in my results? If I create the test object
on the PDC emulator, the owner shows as the creator. If I create it on other
DCs, the owner shows as Domain Admins- even though the account isn't even a
member of that group. I'm going to test this further to see if I can figure
out what's going on here and get a final answer on this. Stay tuned.. ;-)
 
Thanks,
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Tuesday, December 05, 2006 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


Just to make sure everybody understands what I am saying, I'm going to
summarize this one last time.
 
If I create an object in AD while I am logged on with an account that is a
member of Domain Admins, Domain Admins becomes the owner of the object. NOT
the Administrators group. NOT the object creator. DOMAIN ADMINS.
 
If I create an object in AD while I am logged in with an account that is NOT
a member of Domain Admins and IS a member of the built-in Administrators
group in Active Directory, DOMAIN ADMINS STILL becomes the owner of the
object. NOT Administrators, and NOT the object creator.
 
Period. End of story. The group policy setting System objects: Default
owner for objects created by members of the Administrators group DOES NOT
AFFECT DIRECTORY OBJECTS.
 
Test. It. Yourself. :-)
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


just like I wrote it and tony confirmed it
 
do you have other experiences?
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address

   _  

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 21:17
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


Test what I wrote in my other response.


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


which part?
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address

   _  

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 19:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


Have you tested this?


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?



If you are member of ADMINISTRATORS directly or indirectly through a CUSTOM
group it will by default list ADMINISTRATORS. Changing the policy lists the
object creator.

If you are member of DOMAIN ADMINS also, it will list DOMAIN ADMINS…. Is
this what you mean?

 

If the latter is the case check with REPADMIN /SHOWOBJMETA on which DC the
object was created (also note the date and time). On the DC that is listed
as the originating DC for the account creation check the security log. If it
concerns SECURITY PRINCIPAL objects you might be lucky if you have
configured Account Management for SUCCESS (also the default if I’m not
mistaken). If it concerns OTHER objects you are lucky if you have configured
directory service access for SUCCESS (also the default if I’m not
mistaken) AND you have 

RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-05 Thread Laura A. Robinson
See my most recent post. Are you performing your testing on the PDC
emulator? I'm really a bit baffled as to what's going on at this point and
am curious if you've been testing on multiple DCs so I can see if you get
the same results I do.
 
Thanks,
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 5:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


oh, and yes I did test it and got the results I mentioned earlier...when not
a member of DA but a member of Adms it lists the object creator after
changing the policy
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address

   _  

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 22:48
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?



BTW, speaking strictly about directory objects, if you use an account that
is NOT a member of Domain Admins but IS a member of Administrators (DLG),
the ownership of the object works exactly the same way as it does if the
account is a member of Domain Admins and not a direct member of
Administrators.

File system objects are still a bit different. :-)

Laura

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
 Sent: Tuesday, December 05, 2006 3:12 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is it possible to determine who
 created an AD object?


 I did Laura's test (the thread was wearing me down ;-)).

 Even with the policy set to Object Creator it still shows
 Domain Admins as the owner if I create an object with an
 account that is member of Domain Admins.  In my case the
 Domain Admins group is a member of the built-in
 Administrators group.  This means that I saw the option in
 the security tab to change the ownership from Domain Admins
 to either Administrators or the account I was logged in with.

 The conclusion is that you can't use this policy to change
 the behaviour for AD accounts.  Might be different for local
 accounts on member servers and workstations - but I haven't
 tested this.

 Tony
 -- Original Message --
 From: Laura A. Robinson [EMAIL PROTECTED]
 Reply-To: ActiveDir@mail.activedir.org
 Date:  Tue, 05 Dec 2006 13:44:47 -0500

 Have you tested this?


_ 

 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Almeida Pinto, Jorge de
 Sent: Tuesday, December 05, 2006 12:53 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is it possible to determine who
 created an AD object?



 If you are member of ADMINISTRATORS directly or indirectly
 through a CUSTOM group it will by default list
 ADMINISTRATORS. Changing the policy lists the object creator.

 If you are member of DOMAIN ADMINS also, it will list DOMAIN
 ADMINS…. Is this what you mean?

 

 If the latter is the case check with REPADMIN /SHOWOBJMETA on
 which DC the object was created (also note the date and
 time). On the DC that is listed as the originating DC for the
 account creation check the security log. If it concerns
 SECURITY PRINCIPAL objects you might be lucky if you have
 configured Account Management for SUCCESS (also the default
 if I'm not mistaken). If it concerns OTHER objects you are
 lucky if you have configured directory service access for
 SUCCESS (also the default if I'm not mistaken) AND you have
 configured one or more SACLs on objects or OUs with objects
 that should be audited

 

 jorge

 


_ 


 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Laura A. Robinson
 Sent: dinsdag 5 december 2006 18:20
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is it possible to determine who
 created an AD object?

 

 I'd say that you should test it. Create and link a policy
 where you've set system objects: default owner for objects
 created by members of the administrators group to Object
 creator. Then create a user in AD and check the ownership.

 

 Laura

 


_ 


 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Almeida Pinto, Jorge de
 Sent: Tuesday, December 05, 2006 2:25 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is it possible to determine who
 created an AD object?


 can you explain?

 

 Met vriendelijke groeten / Kind regards,

 Ing. Jorge de Almeida Pinto

 Senior Infrastructure Consultant

 MVP Windows Server - Directory Services


RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-05 Thread Tony Murray
Well, I've done some more testing and the results are interesting. 
 
In both instances I have the policy in place and set to Object Creator.
 

1.  

If the account used for AD object creation is a member of Domain
Admins the owner is shown as Domain Admins.
2.  

If the account used for AD object creation is a member of
Administrators the owner is shown as the account used to create the object.

 
Tony
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Wednesday, 6 December 2006 12:00 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


sorry to say, but I have different results...mailed them offline to Laura
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address

  _  

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 23:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


Just to make sure everybody understands what I am saying, I'm going to
summarize this one last time.
 
If I create an object in AD while I am logged on with an account that is a
member of Domain Admins, Domain Admins becomes the owner of the object. NOT
the Administrators group. NOT the object creator. DOMAIN ADMINS.
 
If I create an object in AD while I am logged in with an account that is NOT
a member of Domain Admins and IS a member of the built-in Administrators
group in Active Directory, DOMAIN ADMINS STILL becomes the owner of the
object. NOT Administrators, and NOT the object creator.
 
Period. End of story. The group policy setting System objects: Default
owner for objects created by members of the Administrators group DOES NOT
AFFECT DIRECTORY OBJECTS.
 
Test. It. Yourself. :-)
 
Laura


  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


just like I wrote it and tony confirmed it
 
do you have other experiences?
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address

  _  

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 21:17
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


Test what I wrote in my other response.


  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


which part?
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address

  _  

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 19:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


Have you tested this?


  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?



If you are member of ADMINISTRATORS directly or indirectly through a CUSTOM
group it will by default list ADMINISTRATORS. Changing the policy lists the
object creator.

If you are member of DOMAIN ADMINS also, it will list DOMAIN ADMINS…. Is
this what you mean?

 

If the latter is the case check with REPADMIN /SHOWOBJMETA on which DC the
object was created (also note the date and time). On the DC that is listed
as the originating DC for the account creation check the security log. If it
concerns SECURITY PRINCIPAL objects you might be lucky if you have
configured Account Management for SUCCESS (also the default if I’m not
mistaken). If it concerns OTHER objects you are lucky if you have configured
directory service access for SUCCESS (also the default if I’m not
mistaken) AND you have configured one or more SACLs on objects or OUs with
objects that should be audited

 

jorge

 


  _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
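
The check described in the thread (read the owner, find the originating DC and creation time from replication metadata, then search that DC's Security log), as an added PowerShell example that is not part of any list member's message. It uses Get-ADReplicationAttributeMetadata in place of REPADMIN /SHOWOBJMETA and assumes the ActiveDirectory RSAT module (Windows Server 2012 or later tools) and the Windows Server 2008+ event IDs 4720, 4741, 4727, 4731, 4754 (account management) and 5137 (directory service changes), none of which are named in the thread; the DN and DC name in the usage comment are placeholders.

```powershell
# Added example. Requires the ActiveDirectory module and rights to read the
# Security log on the originating DC. Event IDs are the Windows Server 2008+
# ones and are an assumption; the thread does not name any.
Import-Module ActiveDirectory

function Get-ADObjectCreationTrace {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [Parameter(Mandatory)] [string] $Server,   # any reachable DC
        [int] $WindowMinutes = 5                   # search window around creation
    )

    # Step 1: owner stored in the security descriptor. As the thread shows,
    # this is often a group (Domain Admins) rather than the creating account.
    $obj = Get-ADObject -Identity $DistinguishedName -Server $Server `
        -Properties nTSecurityDescriptor, sAMAccountName
    $ownerSid = $obj.nTSecurityDescriptor.GetOwner([System.Security.Principal.SecurityIdentifier])
    try   { $owner = $ownerSid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $owner = $ownerSid.Value }             # unresolvable SID: report it raw

    # Step 2: whenCreated is written once, so its replication metadata gives
    # the originating DC and the originating time of the creation.
    $meta = Get-ADReplicationAttributeMetadata -Object $DistinguishedName `
        -Server $Server -Properties whenCreated
    $created = $meta.LastOriginatingChangeTime
    $ntdsDn  = $meta.LastOriginatingChangeDirectoryServerIdentity

    # The identity is the DN of the DC's NTDS Settings object; its parent is
    # the server object carrying dNSHostName. A demoted DC will not resolve.
    $dcName = $null
    if ($ntdsDn -like 'CN=NTDS Settings,*') {
        $serverDn = $ntdsDn -replace '^CN=NTDS Settings,', ''
        $dcName = (Get-ADObject -Identity $serverDn -Server $Server `
            -Properties dNSHostName).dNSHostName
    }

    # Step 3: look for creation events on the originating DC only. These are
    # logged where the change was made and do not replicate to other DCs.
    $hits = @()
    if ($dcName) {
        $filter = @{
            LogName   = 'Security'
            Id        = 4720, 4741, 4727, 4731, 4754, 5137
            StartTime = $created.AddMinutes(-$WindowMinutes)
            EndTime   = $created.AddMinutes($WindowMinutes)
        }
        $events = Get-WinEvent -ComputerName $dcName -FilterHashtable $filter `
            -ErrorAction SilentlyContinue          # no match (or rolled log) yields nothing
        foreach ($e in $events) {
            $data = @{}
            foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            # 5137 identifies the object by ObjectDN; the account management
            # events identify it by TargetUserName (the sAMAccountName).
            $isTarget = ($data['ObjectDN'] -eq $DistinguishedName) -or
                ($obj.sAMAccountName -and $data['TargetUserName'] -eq $obj.sAMAccountName)
            if ($isTarget) {
                $hits += [pscustomobject]@{
                    TimeCreated = $e.TimeCreated
                    EventId     = $e.Id
                    CreatedBy   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                }
            }
        }
    }

    [pscustomobject]@{
        DistinguishedName = $DistinguishedName
        Owner             = $owner
        WhenCreated       = $created
        OriginatingDC     = $dcName
        CreationEvents    = $hits
    }
}

# Usage (placeholder names):
# Get-ADObjectCreationTrace -DistinguishedName 'CN=Example User,OU=Staff,DC=example,DC=com' -Server 'dc01.example.com'
```

An empty CreationEvents list with a resolved OriginatingDC is the situation in the original question: the log has rolled or the relevant audit category or SACL was not in place.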

RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-04 Thread Almeida Pinto, Jorge de
look at the owner
 
if it lists ADMINISTRATORS, you might wanna change the security option in the 
default DCs GPO which is called: system objects: default owner for objects 
created by members of the administrators group
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Mitch Reid
Sent: Mon 2006-12-04 21:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is it possible to determine who created an AD object?


We had a few user accounts that were deleted and then recreated and nobody will 
take responsibility.
I used ADSIedit to verify the creation date/time.
 
While auditing is enabled, the Security log rolled and we missed the event (yes 
I know it's an issue).
 
Is there a way to see who created the user object?
 
 
Thanks, Mitch.



Re: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-04 Thread Tony Murray
You might be able to find out who created it by looking at the Owner in the 
Security tab.  However if the account used to create the object is a member of 
Domain Admins it will show this as owner instead of the specific user's name.

There was a discussion thread on this a couple of days ago.

http://www.activedir.org/ma/default.aspx?msg=16424

Tony
-- Original Message --
From: Mitch Reid [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date:  Mon, 4 Dec 2006 15:14:50 -0500

We had a few user accounts that were deleted and then recreated and nobody
will take responsibility.
I used ADSIedit to verify the creation date/time.

While auditing is enabled, the Security log rolled and we missed the event
(yes I know it's an issue).

Is there a way to see who created the user object?


Thanks, Mitch.


 







 
   
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-04 Thread Laura A. Robinson
Which will have no effect on the ownership of the directory objects.
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Monday, December 04, 2006 4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?


look at the owner
 
if it lists ADMINISTRATORS, you might wanna change the security option in
the default DCs GPO which is called: system objects: default owner for
objects created by members of the administrators group
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address

   _  

From: [EMAIL PROTECTED] on behalf of Mitch Reid
Sent: Mon 2006-12-04 21:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is it possible to determine who created an AD object?


We had a few user accounts that were deleted and then recreated and nobody
will take responsibility.
I used ADSIedit to verify the creation date/time.
 
While auditing is enabled, the Security log rolled and we missed the event
(yes I know it's an issue).
 
Is there a way to see who created the user object?
 
 
Thanks, Mitch.


RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-04 Thread Almeida Pinto, Jorge de
can you explain?
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 01:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?


Which will have no effect on the ownership of the directory objects.
 
Laura




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida 
Pinto, Jorge de
Sent: Monday, December 04, 2006 4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD 
object?


look at the owner
 
if it lists ADMINISTRATORS, you might wanna change the security option 
in the default DCs GPO which is called: system objects: default owner for 
objects created by members of the administrators group
 

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Mitch Reid
Sent: Mon 2006-12-04 21:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is it possible to determine who created an AD 
object?


We had a few user accounts that were deleted and then recreated and 
nobody will take responsibility.
I used ADSIedit to verify the creation date/time.
 
While auditing is enabled, the Security log rolled and we missed the 
event (yes I know it's an issue).
 
Is there a way to see who created the user object?
 
 
Thanks, Mitch.
