This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 5%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Have more than 4000 Desktop PCs in our environment. There are some machines going out of domain by automatically. Would like to get to know the Event ID when machine going out by automatically. It will be helpful to trace the machines through Splunk( Event Log)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi,
Just want to confirm the current situations.
If there's anything you'd like to know, don't hesitate to ask.
Best Regards,
If there are any updates, welcome to share here!
Best Regards,
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 20%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESI%3C/text%3E%3C/svg%3E)
we had similar scenarios, mostly it happens when staff reset passwords remotely using MFA via laptops and then they logon to the office with their old passwords
the only way out is to have local admin account to reset their machine passwords
it is a challenge if you have encrypted drives
Just checking if there's any progress or updates?
--please don't forget to upvote and Accept as answer if the reply is helpful--
Hi,
It is suggested to enable the audit policies on DCs.
The policy: Audit computer account management is under Computer Configuration\Windows Settings\Security Settings\Advanced audit policy\ Account management\Audit Computer account management
This policy setting allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted.
Best Regards,
Possibly netlogon source events in the System event log of IDs 5719, 5722 or 5723
https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/secure-channel-problems-detected
You could do nltest /sc_query:domainname to check
--please don't forget to Accept as answer if the reply is helpful--
