![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 46%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EST%3C/text%3E%3C/svg%3E)
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
13,022 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(313.6, 55.00000000000001%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHL%3C/text%3E%3C/svg%3E)
Hello,
You can check for the following event IDs:
Event ID 3260: Indicates a computer has joined a domain.
Event ID 3261: Indicates a computer has left a domain to join a workgroup.
Additionally, for domain controllers (DC), you can look for:
Event ID 4741: Shows details about new computer accounts created, including who created it.
Event ID 4740: Indicates the source of account lockouts in Active Directory.
Best Regards,
Hania Lian
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.