For some reason I get an awful lot of ChangeDomainMember events stating: Computer account "DOMAIN\PCNAME$" changed "-".
The insertion IP is from one or the other of our DCs.
Any ideas what causes this? Is it something I can just eliminate out in the filter?
I have been having this same issue and believe I have found the reason.
According to the LEM user guide, "A ChangeDomainMember alert occurs when an account or account container within a domain is modified. Usually, these changes are made by a user account with administrative privileges, but occasionally a ChangeDomainMember alert will also happen when local system maintenance activity takes place."
So if you aren't changing any of the PC attributes it appears that it's just local system maintenance that is taking place.
SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 150,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.