EventViewer missing logs about Login Failed

Federico Coppola 1,181 Reputation points
2021-07-12T09:02:43.71+00:00

Hi all,
user complain that a day ago, he turned on his computer (this computer is member of a company Active Directory domain),
he typed his user password and the account was locked.
In Domain Controller EventViewer there were not Login Failed, but only Locked Out event.

Is it normal?

Thanks

Windows Server 2016
Windows Server 2016
A Microsoft server operating system that supports enterprise-level management updated to data storage.
2,508 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,838 questions
{count} votes

3 answers

Sort by: Most helpful
  1. Fan Fan 15,336 Reputation points Microsoft Vendor
    2021-07-13T02:36:51.28+00:00

    Hi,
    Yes, it is the expected behavior.
    Lockout event will be logged on the Domain Controller.
    Login failed event will logged on the workstation where the user logon to if the Audit Logon Events – Failure was enabled on the clients.

    113928-71134.jpg
    Then we can audit Process Tracking for this client, then analyze the event log to find out which process or apps send the BAD password.

    Best Regards,

    0 comments No comments

  2. Federico Coppola 1,181 Reputation points
    2021-07-14T20:33:39.327+00:00

    Dear @Fan Fan
    Thanks for your suggestion.
    I will verify it!

    I think that I can configure a domain GPO that set Domain Controller to log Failed Login.

    Best regards


  3. Federico Coppola 1,181 Reputation points
    2021-07-20T15:57:26.887+00:00

    Dear @Fan Fan
    Thanks!

    I will follow your suggestion
    I will keep you updated

    Regards


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.