RE: [ActiveDir] dynamic variables within an event log entry?

2006-12-01 Thread Thommes, Michael M.
Hi Laura,

(Brian's answer came in after I sent my email out.)  The problem
with using adfind (in my experience) is that the creator (Caller User
Name) is not part of the AD object's attributes, only the owner, which
will be Domain Admins for accounts created by members of Domain Admins
(as you pointed out).  I would like my daily report to contain the
actual name (samaccountname) that created the account.  Maybe the only
way I can create the report I am looking for (account name, DN, when
created, and creator name) is to collect eventid 624 records and filter
them on creation date.  However, I am still looking for suggestions.
Thanks.

 

Mike Thommes

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Thursday, November 30, 2006 11:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log entry?

 

Okay, the below totally cracked me up. :-) Brian gave you the ADFind
answer, but I guess I would also ask in what format you need to retrieve
this information and whether or not you're plugging it into something.
I'm not sure that last sentence even made sense, sorry. I'm sleep
deprived. 

 

Laura

 





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Thursday, November 30, 2006 10:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log
entry?

Tony and Laura,

   Thanks for the replies!  Actually, I am already trapping
eventid 624 and I see the "Caller User Name:" entry with the right
value.  Where I got confused was when I built a daily job using adfind
(with the -owner switch) to produce a list of users created during the
previous 24 hours.  Laura's #2 answer explains why I see what I do for
accounts created by members of the "Domain Admins".  Her #1 answer is
going to make me rethink how we do some of the account creations.  Her
#3 answer begs the question of how would I construct a query to produce
new accounts created over a 24 hour period?  Adfind was the first (and
maybe only) tool that popped into my head to do this.  Other
suggestions?  Thanks!

 

Mike Thommes





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Thursday, November 30, 2006 8:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log
entry?

 

1. This is one of the eight gazillion reasons to discourage the
use of accounts that are Domain Admins for routine purposes that can be
achieved without that level of rights.

2. By default, when a member of the Domain Admins group creates
an object in the directory, the Domain Admins group becomes the owner of
the object. That is by design. 

3. When I create an object with an account that is a member of
Domain Admins, the creator of the object shows as that account, not as
Domain Admins. Why aren't you just looking at that value in the event
logs, rather than looking at the ownership of the object? That's why
auditing allows tracking of who creates/modifies/deletes directory
objects.

 

Laura

 





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Thursday, November 30, 2006 7:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dynamic variables within an event
log entry?

I wonder if someone could explain to me (or point me at
some reference) about what mechanism is used to populate the information
in a Windows event log entry.  The reason why I ask is that I see in the
Security log when a new user account is created by an account which is a
member of the Domain Admins group, the _OBJECT_OWNER=XYZ\Domain Admins ,
not XYZ\adminacct1 .  If it is created by an account that is a member of
the Account Operators group, then _OBJECT_OWNER=XYZ\operacct1, not
XYZ\Account Operators .

 

This makes auditing somewhat less worthwhile.  Is this
design on purpose or a deficiency?  Any help is appreciated.  Thanks!

 

Mike Thommes

 


RE: [ActiveDir] dynamic variables within an event log entry?

2006-12-01 Thread David Cliffe
Yep, you're right...I didn't distinguish the difference the first time
around.  Good info as always.
 
Thanks!




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Friday, December 01, 2006 12:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log
entry?


Nope, it's not a typo- note the difference between *owner* and
*creator*. When a user who is a member of the Domain Admins group, by
default, the DA group is the *owner* of the object. However, what is
logged in the audit (security event) log does list the specific account
that was used to *create* the object. 
 
As far as changing the behavior for #2, there is a group policy
setting "System Objects: Default owner for objects created by members of
the Administrators group" in the Computer Configuration\Windows
Settings\Local Policies\Security Options section of group policy. That
setting can be set to "Administrators group" or to "Object creator".
That may be what you're thinking of. That setting, however, refers to
system objects (thus the system objects predicate. :-) ) You may also
be thinking of the ability in the property sheets for any object to set
the owner of DA-owned objects to either a specific DA account or to the
group. 
 
I don't remember you misreading one of my posts; you must have a
much better memory than I do. Then again, I usually can't remember what
I ate for breakfast. :-)
 
Laura




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Thursday, November 30, 2006 10:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an
event log entry?


Hi Laura,
 
I know I misread one of your posts once before, so
I'm sorry in advance if I'm doing it again (!), but aren't you making a
conflicting statement in nos. 2 & 3 below?  Or is #3 supposed to say
that is NOT a member of Domain Admins... ?
 
Also, is there a mechanism of some sort which
changes the behavior in #2 such that the actual account used would
become the object's owner (rather than DAs group)?  I remember reading
something like this once, but I could be thinking of something else way
off base :-(
 
In any case, I completely agree that delegating the
creation right is the [way!] better option here!
 
Thanks as always,
DaveC




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Thursday, November 30, 2006 9:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables
within an event log entry?


1. This is one of the eight gazillion reasons to
discourage the use of accounts that are Domain Admins for routine
purposes that can be achieved without that level of rights.
2. By default, when a member of the Domain
Admins group creates an object in the directory, the Domain Admins group
becomes the owner of the object. That is by design. 
3. When I create an object with an account that
is a member of Domain Admins, the creator of the object shows as that
account, not as Domain Admins. Why aren't you just looking at that value
in the event logs, rather than looking at the ownership of the object?
That's why auditing allows tracking of who creates/modifies/deletes
directory objects.
 
Laura




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Thursday, November 30, 2006 7:33
PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dynamic variables
within an event log entry?



I wonder if someone could explain to me
(or point me at some reference) about what mechanism is used to populate
the information in a Windows event log entry.  The reason why I ask is
that I see in the Security log when a new user account is created by an
account which is a member of the Domain Admins group, the
_OBJECT_OWNER=XYZ\Domain Admins , not XYZ\adminacct1 .  If it is created
by an account that is a member of the Account Operators group, then
_OBJECT_OWNER=XYZ\operacct1, not XYZ\Account Operators

RE: [ActiveDir] dynamic variables within an event log entry?

2006-12-01 Thread Laura A. Robinson
Actually, I'm thinking that extracting the information from the event log is
the best approach to take, so you're thinking along the same lines as I am.
The information is there, it's organized, it's filterable, it's exportable,
and that's why it's there. :-)
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, December 01, 2006 7:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log entry?



Hi Laura,

(Brian’s answer came in after I sent my email out.)  The problem with
using adfind (in my experience) is that the creator (Caller User Name) is
not part of the AD object’s attributes, only the owner, which will be
“Domain Admins” for accounts created by members of Domain Admins (as you
pointed out).  I would like my daily report to contain the actual name
(samaccountname) that created the account.  Maybe the only way I can create
the report I am looking for (account name, DN, when created, and creator
name) is to collect eventid 624 records and filter them on creation date.
However, I am still looking for suggestions.  Thanks.

 

Mike Thommes

 


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, November 30, 2006 11:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log entry?

 

Okay, the below totally cracked me up. :-) Brian gave you the ADFind answer,
but I guess I would also ask in what format you need to retrieve this
information and whether or not you're plugging it into something. I'm not
sure that last sentence even made sense, sorry. I'm sleep deprived. 

 

Laura

 


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, November 30, 2006 10:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log entry?

Tony and Laura,

   Thanks for the replies!  Actually, I am already trapping eventid 624 and
I see the “Caller User Name:” entry with the right value.  Where I got
confused was when I built a daily job using adfind (with the –owner switch)
to produce a list of users created during the previous 24 hours.  Laura’s #2
answer explains why I see what I do for accounts created by members of the
“Domain Admins”.  Her #1 answer is going to make me rethink how we do some
of the account creations.  Her #3 answer begs the question of how would I
construct a query to produce new accounts created over a 24 hour period?
Adfind was the first (and maybe only) tool that popped into my head to do
this.  Other suggestions?  Thanks!

 

Mike Thommes


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, November 30, 2006 8:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log entry?

 

1. This is one of the eight gazillion reasons to discourage the use of
accounts that are Domain Admins for routine purposes that can be achieved
without that level of rights.

2. By default, when a member of the Domain Admins group creates an object in
the directory, the Domain Admins group becomes the owner of the object. That
is by design. 

3. When I create an object with an account that is a member of Domain
Admins, the creator of the object shows as that account, not as Domain
Admins. Why aren't you just looking at that value in the event logs, rather
than looking at the ownership of the object? That's why auditing allows
tracking of who creates/modifies/deletes directory objects.

 

Laura

 


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, November 30, 2006 7:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dynamic variables within an event log entry?

I wonder if someone could explain to me (or point me at some reference)
about what mechanism is used to populate the information in a Windows event
log entry.  The reason why I ask is that I see in the Security log when a
new user account is created by an account which is a member of the Domain
Admins group, the _OBJECT_OWNER=XYZ\Domain Admins , not XYZ\adminacct1 .  If
it is created by an account that is a member of the Account Operators group,
then _OBJECT_OWNER=XYZ\operacct1, not XYZ\Account Operators .

 

This makes auditing somewhat less worthwhile.  Is this design on purpose or
a deficiency?  Any help is appreciated.  Thanks!

 

Mike Thommes

 


RE: [ActiveDir] dynamic variables within an event log entry?

2006-12-01 Thread Laura A. Robinson
Too bad I didn't actually put a verb in that second sentence. :-)
 
That SHOULD have read, "When a user who is a member of the Domain Admins
group CREATES AN OBJECT, by default, the DA group is the *owner* of the
object."
 
No wonder you have a hard time following my posts. ;-)
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Friday, December 01, 2006 11:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log entry?


Yep, you're right...I didn't distinguish the difference the first time
around.  Good info as always.
 
Thanks!


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Friday, December 01, 2006 12:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log entry?


Nope, it's not a typo- note the difference between *owner* and *creator*.
When a user who is a member of the Domain Admins group, by default, the DA
group is the *owner* of the object. However, what is logged in the audit
(security event) log does list the specific account that was used to
*create* the object. 
 
As far as changing the behavior for #2, there is a group policy setting
"System Objects: Default owner for objects created by members of the
Administrators group" in the Computer Configuration\Windows Settings\Local
Policies\Security Options section of group policy. That setting can be set
to "Administrators group" or to "Object creator". That may be what you're
thinking of. That setting, however, refers to system objects (thus the
system objects predicate. :-) ) You may also be thinking of the ability in
the property sheets for any object to set the owner of DA-owned objects to
either a specific DA account or to the group. 
 
I don't remember you misreading one of my posts; you must have a much better
memory than I do. Then again, I usually can't remember what I ate for
breakfast. :-)
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Thursday, November 30, 2006 10:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log entry?


Hi Laura,
 
I know I misread one of your posts once before, so I'm sorry in advance
if I'm doing it again (!), but aren't you making a conflicting statement in
nos. 2 & 3 below?  Or is #3 supposed to say that is NOT a member of Domain
Admins... ?
 
Also, is there a mechanism of some sort which changes the behavior in #2
such that the actual account used would become the object's owner (rather
than DAs group)?  I remember reading something like this once, but I could
be thinking of something else way off base :-(
 
In any case, I completely agree that delegating the creation right is
the [way!] better option here!
 
Thanks as always,
DaveC


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, November 30, 2006 9:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log entry?


1. This is one of the eight gazillion reasons to discourage the use of
accounts that are Domain Admins for routine purposes that can be achieved
without that level of rights.
2. By default, when a member of the Domain Admins group creates an object in
the directory, the Domain Admins group becomes the owner of the object. That
is by design. 
3. When I create an object with an account that is a member of Domain
Admins, the creator of the object shows as that account, not as Domain
Admins. Why aren't you just looking at that value in the event logs, rather
than looking at the ownership of the object? That's why auditing allows
tracking of who creates/modifies/deletes directory objects.
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, November 30, 2006 7:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dynamic variables within an event log entry?



I wonder if someone could explain to me (or point me at some reference)
about what mechanism is used to populate the information in a Windows event
log entry.  The reason why I ask is that I see in the Security log when a
new user account is created by an account which is a member of the Domain
Admins group, the _OBJECT_OWNER=XYZ\Domain Admins , not XYZ\adminacct1 .  If
it is created by an account that is a member of the Account Operators group,
then _OBJECT_OWNER=XYZ\operacct1, not XYZ\Account Operators .

 

This makes auditing somewhat less worthwhile.  Is this design on purpose or
a deficiency?  Any help is appreciated.  Thanks!

 

Mike Thommes



RE: [ActiveDir] dynamic variables within an event log entry?

2006-12-01 Thread David Cliffe
I'm glad you said that and not me!  So much great content here - one of
the last things I'd want to do is pick on grammar, as it would seem rude
and unappreciative.  Especially since never confident 100% in my own am
I.   : - )




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Friday, December 01, 2006 1:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log
entry?


Too bad I didn't actually put a verb in that second sentence.
:-)
 
That SHOULD have read, "When a user who is a member of the
Domain Admins group CREATES AN OBJECT, by default, the DA group is the
*owner* of the object."
 
No wonder you have a hard time following my posts. ;-)
 
Laura




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Friday, December 01, 2006 11:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an
event log entry?


Yep, you're right...I didn't distinguish the difference
the first time around.  Good info as always.
 
Thanks!




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Friday, December 01, 2006 12:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables
within an event log entry?


Nope, it's not a typo- note the difference
between *owner* and *creator*. When a user who is a member of the Domain
Admins group, by default, the DA group is the *owner* of the object.
However, what is logged in the audit (security event) log does list the
specific account that was used to *create* the object. 
 
As far as changing the behavior for #2, there is
a group policy setting "System Objects: Default owner for objects
created by members of the Administrators group" in the Computer
Configuration\Windows Settings\Local Policies\Security Options section
of group policy. That setting can be set to "Administrators group" or to
"Object creator". That may be what you're thinking of. That setting,
however, refers to system objects (thus the system objects predicate.
:-) ) You may also be thinking of the ability in the property sheets for
any object to set the owner of DA-owned objects to either a specific DA
account or to the group. 
 
I don't remember you misreading one of my posts;
you must have a much better memory than I do. Then again, I usually
can't remember what I ate for breakfast. :-)
 
Laura




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Thursday, November 30, 2006 10:34
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic
variables within an event log entry?


Hi Laura,
 
I know I misread one of your posts
once before, so I'm sorry in advance if I'm doing it again (!), but
aren't you making a conflicting statement in nos. 2 & 3 below?  Or is #3
supposed to say that is NOT a member of Domain Admins... ?
 
Also, is there a mechanism of some
sort which changes the behavior in #2 such that the actual account used
would become the object's owner (rather than DAs group)?  I remember
reading something like this once, but I could be thinking of something
else way off base :-(
 
In any case, I completely agree that
delegating the creation right is the [way!] better option here!
 
Thanks as always,
DaveC




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Thursday, November 30, 2006 9:22
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic
variables within an event log entry

Re: [ActiveDir] dynamic variables within an event log entry?

2006-11-30 Thread Tony Murray
Hi Michael

If you have Account Management auditing enabled you should see 624 events that 
show the account used to create new accounts.  Here's an example.

***
Event Type: Success Audit
Event Source:   Security
Event Category: Account Management 
Event ID:   624
Date:   1/12/2006
Time:   2:48:41 p.m.
User:   DEV\su-141820
Computer:   ADC01
Description:
User Account Created:
New Account Name:   jamesb
New Domain: DEV
New Account ID: DEV\jamesb
Caller User Name:   su-141820
Caller Domain:  DEV
Caller Logon ID:(0x0,0x72DE0)
Privileges  -
 Attributes:
Sam Account Name:   jamesb
Display Name:   James Blench
User Principal Name:[EMAIL PROTECTED]
Home Directory: -
Home Drive: -
Script Path:-
Profile Path:   -
User Workstations:  -
Password Last Set:  never 
Account Expires:never 
Primary Group ID:   513
AllowedToDelegateTo:-
Old UAC Value:  0x0
New UAC Value:  0x15
User Account Control:   
Account Disabled 
'Password Not Required' - Enabled 
'Normal Account' - Enabled 
User Parameters:-
Sid History:-
Logon Hours:value not set 


For more information, see Help and Support Center at 
http://go.microsoft.com/fwlink/events.asp.
***

The name of the account used to create the new user is shown in the Caller User 
Name field (in this case su-141820, which is a member of Domain Admins).

Tony

-- Original Message --
From: Thommes, Michael M. [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date:  Thu, 30 Nov 2006 18:33:22 -0600

I wonder if someone could explain to me (or point me at some reference)
about what mechanism is used to populate the information in a Windows
event log entry.  The reason why I ask is that I see in the Security log
when a new user account is created by an account which is a member of
the Domain Admins group, the _OBJECT_OWNER=XYZ\Domain Admins , not
XYZ\adminacct1 .  If it is created by an account that is a member of the
Account Operators group, then _OBJECT_OWNER=XYZ\operacct1, not
XYZ\Account Operators .

 

This makes auditing somewhat less worthwhile.  Is this design on purpose
or a deficiency?  Any help is appreciated.  Thanks!

 

Mike Thommes



   
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] dynamic variables within an event log entry?

2006-11-30 Thread Laura A. Robinson
1. This is one of the eight gazillion reasons to discourage the use of
accounts that are Domain Admins for routine purposes that can be achieved
without that level of rights.
2. By default, when a member of the Domain Admins group creates an object in
the directory, the Domain Admins group becomes the owner of the object. That
is by design. 
3. When I create an object with an account that is a member of Domain
Admins, the creator of the object shows as that account, not as Domain
Admins. Why aren't you just looking at that value in the event logs, rather
than looking at the ownership of the object? That's why auditing allows
tracking of who creates/modifies/deletes directory objects.
 
Laura


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, November 30, 2006 7:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dynamic variables within an event log entry?



I wonder if someone could explain to me (or point me at some reference)
about what mechanism is used to populate the information in a Windows event
log entry.  The reason why I ask is that I see in the Security log when a
new user account is created by an account which is a member of the Domain
Admins group, the _OBJECT_OWNER=XYZ\Domain Admins , not XYZ\adminacct1 .  If
it is created by an account that is a member of the Account Operators group,
then _OBJECT_OWNER=XYZ\operacct1, not XYZ\Account Operators .

 

This makes auditing somewhat less worthwhile.  Is this design on purpose or
a deficiency?  Any help is appreciated.  Thanks!

 

Mike Thommes



RE: [ActiveDir] dynamic variables within an event log entry?

2006-11-30 Thread David Cliffe
Hi Laura,
 
I know I misread one of your posts once before, so I'm sorry in
advance if I'm doing it again (!), but aren't you making a conflicting
statement in nos. 2 & 3 below?  Or is #3 supposed to say that is NOT a
member of Domain Admins... ?
 
Also, is there a mechanism of some sort which changes the behavior
in #2 such that the actual account used would become the object's owner
(rather than DAs group)?  I remember reading something like this once,
but I could be thinking of something else way off base :-(
 
In any case, I completely agree that delegating the creation right
is the [way!] better option here!
 
Thanks as always,
DaveC




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Thursday, November 30, 2006 9:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log
entry?


1. This is one of the eight gazillion reasons to discourage the
use of accounts that are Domain Admins for routine purposes that can be
achieved without that level of rights.
2. By default, when a member of the Domain Admins group creates
an object in the directory, the Domain Admins group becomes the owner of
the object. That is by design. 
3. When I create an object with an account that is a member of
Domain Admins, the creator of the object shows as that account, not as
Domain Admins. Why aren't you just looking at that value in the event
logs, rather than looking at the ownership of the object? That's why
auditing allows tracking of who creates/modifies/deletes directory
objects.
 
Laura




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Thursday, November 30, 2006 7:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dynamic variables within an event
log entry?



I wonder if someone could explain to me (or point me at
some reference) about what mechanism is used to populate the information
in a Windows event log entry.  The reason why I ask is that I see in the
Security log when a new user account is created by an account which is a
member of the Domain Admins group, the _OBJECT_OWNER=XYZ\Domain Admins ,
not XYZ\adminacct1 .  If it is created by an account that is a member of
the Account Operators group, then _OBJECT_OWNER=XYZ\operacct1, not
XYZ\Account Operators .

 

This makes auditing somewhat less worthwhile.  Is this
design on purpose or a deficiency?  Any help is appreciated.  Thanks!

 

Mike Thommes





RE: [ActiveDir] dynamic variables within an event log entry?

2006-11-30 Thread Thommes, Michael M.
Tony and Laura,

   Thanks for the replies!  Actually, I am already trapping eventid 624
and I see the "Caller User Name:" entry with the right value.  Where I
got confused was when I built a daily job using adfind (with the -owner
switch) to produce a list of users created during the previous 24 hours.
Laura's #2 answer explains why I see what I do for accounts created by
members of the "Domain Admins".  Her #1 answer is going to make me
rethink how we do some of the account creations.  Her #3 answer begs the
question of how would I construct a query to produce new accounts
created over a 24 hour period?  Adfind was the first (and maybe only)
tool that popped into my head to do this.  Other suggestions?  Thanks!

 

Mike Thommes



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Thursday, November 30, 2006 8:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log entry?

 

1. This is one of the eight gazillion reasons to discourage the use of
accounts that are Domain Admins for routine purposes that can be
achieved without that level of rights.

2. By default, when a member of the Domain Admins group creates an
object in the directory, the Domain Admins group becomes the owner of
the object. That is by design. 

3. When I create an object with an account that is a member of Domain
Admins, the creator of the object shows as that account, not as Domain
Admins. Why aren't you just looking at that value in the event logs,
rather than looking at the ownership of the object? That's why auditing
allows tracking of who creates/modifies/deletes directory objects.

 

Laura

 





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Thursday, November 30, 2006 7:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dynamic variables within an event log
entry?

I wonder if someone could explain to me (or point me at some
reference) about what mechanism is used to populate the information in a
Windows event log entry.  The reason why I ask is that I see in the
Security log when a new user account is created by an account which is a
member of the Domain Admins group, the _OBJECT_OWNER=XYZ\Domain Admins ,
not XYZ\adminacct1 .  If it is created by an account that is a member of
the Account Operators group, then _OBJECT_OWNER=XYZ\operacct1, not
XYZ\Account Operators .

 

This makes auditing somewhat less worthwhile.  Is this design on
purpose or a deficiency?  Any help is appreciated.  Thanks!

 

Mike Thommes

 

--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.5.430 / Virus Database: 268.15.2/559 - Release Date:
11/30/2006 5:07 AM


--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.430 / Virus Database: 268.15.2/559 - Release Date:
11/30/2006 5:07 AM




RE: [ActiveDir] dynamic variables within an event log entry?

2006-11-30 Thread Brian Desmond
Michael-

 

I don't have an AD install or ADFind in front of me, but
whencreated=Now-24hr gives you everything in the past 24 hours.

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132
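Brian's "whencreated=Now-24hr" is shorthand: whenCreated is a GeneralizedTime attribute, so the real filter is a >= comparison against a UTC cutoff, not an equality. The Python below is an added example, not code from Brian or anyone else on the thread, and it does not run adfind. It builds that filter, then pulls "Caller User Name" out of the text of Security event 624 and joins it to the directory results by account name, since the object itself only records the owner (Domain Admins when a DA member created it). The 624 field layout, the two directory results, and the names new_user_filter, parse_event_624, build_report and daily_report are all constructed for this example.

```python
# Added example, not code from the thread. Two pieces: (1) the LDAP filter
# behind "whencreated=Now-24hr"; (2) creator attribution from Security event
# 624 text, because the directory object only carries the owner.
# Event layout and directory results below are constructed samples.
import re
from datetime import datetime, timedelta, timezone


def generalized_time(dt):
    """whenCreated uses LDAP GeneralizedTime, always UTC: YYYYMMDDHHMMSS.0Z."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S.0Z")


def new_user_filter(now, hours=24):
    """Filter for user objects created within the last `hours`.
    whenCreated is a timestamp, so the test is >= a cutoff, not an equality."""
    cutoff = generalized_time(now - timedelta(hours=hours))
    return "(&(objectCategory=person)(objectClass=user)(whenCreated>=%s))" % cutoff


# Fields of a "User Account Created" (624) event that matter for attribution.
# Layout approximates the Windows 2003 description text (constructed here).
EVENT_624_FIELDS = ("New Account Name", "New Domain", "Caller User Name", "Caller Domain")


def parse_event_624(text):
    """Return the attribution fields of a 624 event, or None if text is not one."""
    if not text.lstrip().startswith("User Account Created"):
        return None
    fields = {}
    for name in EVENT_624_FIELDS:
        m = re.search(r"%s:\s*(\S+)" % re.escape(name), text)
        if m:
            fields[name] = m.group(1)
    return fields


def build_report(ad_results, event_texts):
    """Join directory results with 624 events on the new account's sAMAccountName.
    The creator comes from the event; the owner attribute is not a creator record."""
    creators = {}
    for text in event_texts:
        ev = parse_event_624(text)
        if ev and "New Account Name" in ev:
            caller = "%s\\%s" % (ev.get("Caller Domain", "?"), ev.get("Caller User Name", "?"))
            creators[ev["New Account Name"].lower()] = caller
    report = []
    for obj in ad_results:
        sam = obj["sAMAccountName"]
        report.append({
            "account": sam,
            "dn": obj["distinguishedName"],
            "whenCreated": obj["whenCreated"],
            "owner": obj["owner"],            # what an owner lookup shows
            "creator": creators.get(sam.lower(), "(no 624 event found)"),
        })
    return report


# Constructed sample: the two cases from the thread. jdoe was created by a
# Domain Admins member (owner = the group), asmith by an Account Operator
# (owner = the account). The 624 events name the actual caller in both cases.
SAMPLE_NOW = datetime(2006, 12, 1, 8, 0, tzinfo=timezone.utc)

SAMPLE_AD_RESULTS = [
    {"sAMAccountName": "jdoe", "distinguishedName": "CN=jdoe,OU=Staff,DC=xyz,DC=local",
     "whenCreated": "20061130213000.0Z", "owner": "XYZ\\Domain Admins"},
    {"sAMAccountName": "asmith", "distinguishedName": "CN=asmith,OU=Staff,DC=xyz,DC=local",
     "whenCreated": "20061201031500.0Z", "owner": "XYZ\\operacct1"},
]

SAMPLE_EVENTS = [
    "User Account Created:\n\tNew Account Name:\tjdoe\n\tNew Domain:\tXYZ\n"
    "\tNew Account ID:\tXYZ\\jdoe\n\tCaller User Name:\tadminacct1\n"
    "\tCaller Domain:\tXYZ\n\tCaller Logon ID:\t(0x0,0x3E7)\n",
    "User Account Created:\n\tNew Account Name:\tasmith\n\tNew Domain:\tXYZ\n"
    "\tNew Account ID:\tXYZ\\asmith\n\tCaller User Name:\toperacct1\n"
    "\tCaller Domain:\tXYZ\n\tCaller Logon ID:\t(0x0,0x4A1B2)\n",
]


def daily_report():
    """The daily report rows for the constructed sample."""
    return build_report(SAMPLE_AD_RESULTS, SAMPLE_EVENTS)


if __name__ == "__main__":
    print(new_user_filter(SAMPLE_NOW))
    for row in daily_report():
        print("%(account)-8s %(whenCreated)s owner=%(owner)s creator=%(creator)s" % row)
```

One collection caveat: event 624 is written to the Security log of the domain controller that processed the creation, so the event text fed to build_report has to be gathered from every DC, while whenCreated is a replicated attribute and the LDAP side of the report can be read from any one of them.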

 




RE: [ActiveDir] dynamic variables within an event log entry?

2006-11-30 Thread Laura A. Robinson
Nope, it's not a typo- note the difference between *owner* and *creator*.
When a user who is a member of the Domain Admins group creates an object, by
default, the DA group is the *owner* of the object. However, what is logged in
the audit (security event) log does list the specific account that was used to
*create* the object. 
 
As far as changing the behavior for #2, there is a group policy setting,
"System Objects: Default owner for objects created by members of the
Administrators group", in the Computer Configuration\Windows Settings\Local
Policies\Security Options section of group policy. That setting can be set
to "Administrators group" or to "Object creator". That may be what you're
thinking of. That setting, however, refers to system objects (thus the
"system objects" predicate. :-) ) You may also be thinking of the ability in
the property sheets for any object to set the owner of DA-owned objects to
either a specific DA account or to the group. 
 
I don't remember you misreading one of my posts; you must have a much better
memory than I do. Then again, I usually can't remember what I ate for
breakfast. :-)
 
Laura



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Thursday, November 30, 2006 10:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log entry?


Hi Laura,
 
I know I misread one of your posts once before, so I'm sorry in advance
if I'm doing it again (!), but aren't you making a conflicting statement in
nos. 2 & 3 below?  Or is #3 supposed to say that is NOT a member of Domain
Admins... ?
 
Also, is there a mechanism of some sort which changes the behavior in #2
such that the actual account used would become the object's owner (rather
than DAs group)?  I remember reading something like this once, but I could
be thinking of something else way off base :-(
 
In any case, I completely agree that delegating the creation right is
the [way!] better option here!
 
Thanks as always,
DaveC


 


RE: [ActiveDir] dynamic variables within an event log entry?

2006-11-30 Thread Laura A. Robinson
Okay, the below totally cracked me up. :-) Brian gave you the ADFind answer,
but I guess I would also ask in what format you need to retrieve this
information and whether or not you're plugging it into something. I'm not
sure that last sentence even made sense, sorry. I'm sleep deprived. 
 
Laura

