cancel
Showing results for 
Search instead for 
Did you mean: 
Create Post

ChangeDomainMember; what is going on?

For some reason I get an awful lot of ChangeDomainMember events stating: Computer account "DOMAIN\PCNAME$" changed "-".

The insertion IP is from one or the other of our DCs.

Any ideas what causes this? Is it something I can just eliminate out in the filter?

5 Replies
Level 8

I have been having this same issue and believe I have found the reason.

According to the LEM user guide, "A ChangeDomainMember alert occurs when an account or account container within a domain is modified. Usually, these changes are made by a user account with administrative privileges, but occasionally a ChangeDomainMember alert will also happen when local system maintenance activity takes place."

So if you aren't changing any of the PC attributes it appears that it's just local system maintenance that is taking place.

0 Kudos
Product Manager
Product Manager

What's the EventID/ProviderSID?

0 Kudos

Hi Nicole

The ProviderSID is Microsoft-Security-Auditing 4742

Thanks

Jack

0 Kudos

I know this is a really old post, but I'm not seeing a resolution or recommendation about what to do about these events. Is there any??

Tags (2)
0 Kudos

Hello,

please contact our Support team. They should help you with this one. 

 

Thank you

0 Kudos