How to tell who made this change?

Question

How do I tell who made the change in the following event log entry?

enter image description here

What/who is Caller User Name?

XXXXTE-MAIL (without the $) is the computer name of the domain controller. This entry is from the event log of this domain controller.

score 3 · Accepted Answer · answered Apr 17 '15 at 10:25

The domain controller performed the action. This is part of the SDProp process, which resets the security descriptors of accounts that are members of protected groups.

http://blogs.technet.com/b/askds/archive/2009/05/07/five-common-questions-about-adminsdholder-and-sdprop.aspx

https://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

http://windowsitpro.com/security/demystifying-adminsdholder-object

How to tell who made this change?

1 Answers1