How to enable auditing for logon failure?
- Log on to your domain controller with administrative privileges and launch the Group Policy Management console.
- Right-click the appropriate Group Policy Object linked to the Domain Controllers container and select Edit.
- Expand the Computer Configuration → Windows Settings → Security Settings → Local Policies → Audit Policy node.
- Configure audit policies as follows:
  - Audit account management: Success
  - Audit account logon events: Failure
  - Audit logon events: Failure
It will take a few minutes for the changes to take effect, and other domain controllers will receive the change at the next regular replication interval.
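
To confirm that the policy has reached a given domain controller and that failures are being recorded, the following check can be run there. It is an added example, not part of the original procedure. It assumes an elevated PowerShell session and an English-language OS (auditpol category names are localized), and it reads event ID 4625, the Security log event Windows records for a failed logon.

```powershell
# Added example: verify the audit policy configured above and list recent logon failures.
# Assumptions: elevated session on a domain controller, English category names.

# Pull the updated GPO now instead of waiting for the background refresh.
gpupdate /target:computer /force | Out-Null

# Settings from the steps above, keyed by the matching auditpol category.
$expected = [ordered]@{
    'Account Management' = 'Success'   # Audit account management
    'Account Logon'      = 'Failure'   # Audit account logon events
    'Logon/Logoff'       = 'Failure'   # Audit logon events
}

$report = foreach ($category in $expected.Keys) {
    # /r emits CSV; drop blank lines before parsing.
    $rows = auditpol /get /category:"$category" /r | Where-Object { $_ } | ConvertFrom-Csv
    foreach ($row in $rows) {
        $setting = $row.'Inclusion Setting'
        [pscustomobject]@{
            Category    = $category
            Subcategory = $row.Subcategory
            Effective   = $setting
            Expected    = $expected[$category]
            # "Success and Failure" also satisfies a Success-only or Failure-only requirement.
            Ok          = $setting -match $expected[$category]
        }
    }
}
$report | Format-Table -AutoSize

# Summarize failed logons from the last hour by account, source address and status code.
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the event's named EventData fields into a lookup table.
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Account = $data.TargetUserName
            Source  = $data.IpAddress
            Status  = $data.Status
        }
    } |
    Group-Object Account, Source, Status |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Rows with `Ok` set to `False` mean the setting has not yet applied on that domain controller or is being overridden by another policy.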