Creating users via Exchange 2010 Mgmt...
Posted 8/5/2010 4:24:24 AM
Forum Newbie


Group: Forum Members
Last Login: 8/5/2010 4:18:05 AM
Posts: 6, Visits: 0
If I create any user using Exchange 2010 Mgmt console, the 4720 event appears like this,

A user account was created.

Subject:
Security ID: DDAP\WIN-SPHMGBD83J0$
Account Name: WIN-SPHMGBD83J0$
Account Domain: DDAP
Logon ID: 0xbab029c

The "Subject Account Name" is the computer where my Exchange 2010 is running. Can you please explain this behavior?
Post #424
Posted 9/3/2010 11:21:18 AM
Expert


Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
That's because the Exchange service is running as LocalSystem or Network Service, which, when it connects to other servers like Active Directory, authenticates as that computer's domain account.

Also, Exchange is evidently not impersonating you prior to creating the account in AD; instead, it is just performing the user creation as itself.

Post #456
Posted 9/9/2010 3:41:39 AM
Forum Newbie


Group: Forum Members
Last Login: 8/5/2010 4:18:05 AM
Posts: 6, Visits: 0
Thanks for the explanation, Randy.

So if users are created using Exchange Management Console 2010, is there a different way of identifying the "Subject Account Name"?
Post #468
Posted 9/9/2010 11:00:51 AM
Expert


Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
Apparently not - at least not from the Windows security log, because of the indirection involved. However, you might be able to find it with the new Exchange 2010 audit capability: http://www.howexchangeworks.com/2010/02/administrator-audit-logging-in-exchange.html
Post #470
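
Added example (not part of the original posts, and not Exchange's own tooling): one way to follow the suggestion in the reply above is to take each 4720 event whose Subject is a machine account and look up the Exchange administrator audit log around the same time to see which administrator ran the creating cmdlet. It assumes the Exchange Management Shell on Exchange 2010 SP1 or later with admin audit logging enabled and read access to a domain controller's Security log; `DC01`, the one-day lookback and the five-minute window are placeholders chosen for illustration.

```powershell
# Added example, not from the thread. 'DC01' is a placeholder DC name.
$dc     = 'DC01'
$since  = (Get-Date).AddDays(-1)
$window = New-TimeSpan -Minutes 5   # arbitrary matching window (assumption)

# 4720 = "A user account was created", logged on the DC that handled the write.
$events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4720; StartTime = $since
}

foreach ($evt in $events) {
    # Turn the named EventData fields into a hashtable.
    $data = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    # Keep only events whose Subject is a machine account (name ends in '$'),
    # i.e. the creation was performed by a service, as in the thread.
    if ($data['SubjectUserName'] -notlike '*$') { continue }

    # Look for recipient-creation cmdlets Exchange logged around that time.
    $audit = Search-AdminAuditLog -Cmdlets New-Mailbox, New-MailUser `
        -StartDate ($evt.TimeCreated - $window) `
        -EndDate   ($evt.TimeCreated + $window)

    foreach ($entry in $audit) {
        New-Object PSObject -Property @{
            EventTime      = $evt.TimeCreated
            CreatedAccount = $data['TargetUserName']
            SubjectInLog   = $data['SubjectUserName']
            Caller         = $entry.Caller        # administrator who ran the cmdlet
            Cmdlet         = $entry.CmdletName
            ObjectModified = $entry.ObjectModified
            RunDate        = $entry.RunDate
        }
    }
}
```

The match is by time only, so compare `CreatedAccount` with `ObjectModified` before attributing a creation to a `Caller`.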
Posted 9/14/2010 4:06:23 AM
Forum Newbie


Group: Forum Members
Last Login: 8/5/2010 4:18:05 AM
Posts: 6, Visits: 0
Thank you very much for the link and the details.

~Bala
Post #471
Posted 3/30/2014 11:09:54 PM
Junior Member


Group: Forum Members
Last Login: 10/17/2013 10:38:49 AM
Posts: 16, Visits: 3
I've got a quick question. Will 4720 be logged when users are created through any applications like MS Forefront Identity Manager? Because it looks like Windows logs 4720 only when users get created through ADUC or Exchange console....
Post #1333
All times are GMT -5:00.