Define ?disconnected?? The PCs grew legs - more like stolen... Machine shutdown, Machine restart, last refresh of the secure channel, etc.? No, they were stolen By default, the related DC security event logs contain machine as well as user logon/logoff events. The Machines that disappeared are not listed on the event log I wanted to grab the event logs and give it to the investigating officer. I am busy analayzing canonical name of object in AD- checking the last Update Sequence Numbers (USNs). I also, went thru Symantec CC to check when lastly did the missing box successful pulled definition files. From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Gene Sibbs Sent: Friday, February 09, 2007 2:47 AM To: Active Directory; ISA Community Subject: [isalist] OT: AD Sync to help investigations Hi all How can I reveal through Active Directory when lastly the member of domain computer was disconnected from the domain. I need this information to help with investigations, surely they should be some log file I can drill down to. Thank you, ____________________________________________________________________________________ Do you Yahoo!? Everyone is raving about the all-new Yahoo! Mail beta. http://new.mail.yahoo.com