I am seeing a fair number of entries marked as "ANONYMOUS LOGON" under "Computer Account Modified" on the "Caller User Name" field. These appear to come from a number of machines that I recognise and some that I don't - they seem to be linked to built in accounts, for example COMPUTER1$.
Why is anonymous access most likely to be getting reported so frequently when linked to built in accounts?