Event ID for Machine went out of domain

suresh sundaram 1 Reputation point
2021-05-27T22:43:21.94+00:00

We have more than 4000 desktop PCs in our environment. Some machines are going out of the domain automatically. I would like to know the Event ID that is logged when a machine goes out of the domain automatically. It will be helpful for tracing the machines through Splunk (Event Log).

Windows Server

4 answers

  1. Anonymous
    2021-05-27T23:14:57.423+00:00

    Possibly Netlogon source events in the System event log with IDs 5719, 5722 or 5723
    https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/secure-channel-problems-detected

    You could do nltest /sc_query:domainname to check

    --please don't forget to Accept as answer if the reply is helpful--
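
One way to pull the Netlogon events named in the answer above from a machine's System log and then check the secure channel with `nltest`, as an added example that is not part of the original thread or any poster's code. The seven-day window, the 20-row limit and the variable names are assumptions.

```powershell
# Added example, not from the thread. Run locally on a DC or on an affected client.
# 5722/5723 are written by the domain controller that refused the session setup;
# 5719 is written by the machine that could not set up a session with a DC.
$Days = 7   # look-back window (assumption; adjust to your log retention)

$filter = @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5719, 5722, 5723      # IDs suggested in the answer above
    StartTime    = (Get-Date).AddDays(-$Days)
}

try {
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop)
} catch {
    # Get-WinEvent raises an error instead of returning nothing when no event matches.
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() }
    else { throw }
}

# Count per event ID so a burst of failures stands out.
$events | Group-Object -Property Id | Sort-Object -Property Count -Descending |
    Select-Object @{n = 'EventId'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# Most recent entries; the first line of the message normally names the
# computer or domain involved in the failed session setup.
$events | Sort-Object -Property TimeCreated -Descending |
    Select-Object -First 20 -Property TimeCreated, Id,
        @{n = 'LoggedOn'; e = { $_.MachineName } },
        @{n = 'Summary';  e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -Wrap

# On a domain member (DomainRole 1 = member workstation, 3 = member server),
# confirm the current secure channel state with the command from the answer.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.DomainRole -in 1, 3) {
    nltest "/sc_query:$($cs.Domain)"
}
```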


  2. Fan Fan 15,366 Reputation points Microsoft External Staff
    2021-05-28T00:00:05.02+00:00

    Hi,

    It is suggested to enable the audit policies on DCs.
    The policy: Audit computer account management is under Computer Configuration\Windows Settings\Security Settings\Advanced audit policy\Account management\Audit Computer account management
    This policy setting allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted.

    Best Regards,


  3. Anonymous
    2021-06-04T12:31:05.837+00:00

    Just checking if there's any progress or updates?

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  4. Shaikh, Iqbal 1 Reputation point
    2023-03-08T10:40:13.22+00:00

    We had similar scenarios; mostly it happens when staff reset passwords remotely using MFA via laptops and then they log on at the office with their old passwords.

    The only way out is to have a local admin account to reset their machine passwords.

    It is a challenge if you have encrypted drives.

