Hello Experts, I think I can use a hand getting our Windows AD audit logging in order. For some reason I am not seeing any event ID 529/wrong password/failed logon events in our logs. I checked all three of our domain controllers. I also tested a bad password attempt with my domain user account and cannot find it in the DC's Windows security logs anywhere. In Active Directory Users and Computers, it does show the time of 10:10 in the badPasswordTime attribute for my account. I do see an event 4740 for my account getting locked out in the DC event logs. As far as group policy, we have account management success/fail enabled, logon events success/fail enabled and account logon events success/fail enabled. Under advanced audit policy, we have most of those relevant audit policies enabled as well for both success/failure.
Any idea what I may be missing here?
You may need to configure the auditing.
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events
--please don't forget to upvote
and Accept as answer
if the reply is helpful--
Hi Patrick, thanks for the link. We have these policies enabled and I can see, for example, event ID 4625 and some users failing to log in, so I think that is part of my problem. I was not searching for the correct event ID, so thank you for that info. However, I still cannot find my bad password event at 10:10 am Eastern. I also just tried another bad password logging into Windows 10 on a different computer and cannot find that attempt at 10:52 am either. It's like I'm not seeing everything.
Event ID 4625 is generated on the computer where access was attempted. If it is a domain account, then you should see an authentication failure event such as 4771 or 4776 on your domain controller.
--please don't forget to upvote
and Accept as answer
if the reply is helpful--
If you have multiple domain controllers, this might explain why you are not seeing the event entry. Check the event log on the PDC, as all password failures are confirmed on the PDC. Have a look at this article, which explains how to troubleshoot account lockout and will search the event log automatically to find the failed logon events.
https://nettools.net/troubleshoot-account-lockouts/
Gary.
Thanks for the suggestions, I have been querying the logs in our PDC and I think I am getting closer. I can now see events 4776 and 4740 but the trouble is that they all say the caller computer name is empty/null. There is no record. For event 4776s it says "source workstation" and then there is nothing.
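The search described in the replies above (4771/4776 on the domain controllers, 4740 for the lockout, PDC checked first), written out as an added PowerShell example that is not part of the thread or from any of its posters. It assumes the RSAT ActiveDirectory module and remote read access to each DC's Security log; the account name `jdoe` and the four-hour window are placeholders.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module and
# rights to read the Security log on each domain controller remotely.
Import-Module ActiveDirectory

$Account = 'jdoe'                      # hypothetical sAMAccountName to trace
$Since   = (Get-Date).AddHours(-4)     # start of the search window

# 4771 = Kerberos pre-authentication failed, 4776 = NTLM credential validation,
# 4740 = account locked out, 4625 = failed logon on the computer that was accessed.
$Ids = 4771, 4776, 4740, 4625

# Query every DC, with the PDC emulator first, since the thread points at it.
$Pdc = (Get-ADDomain).PDCEmulator
$DCs = @($Pdc) + @((Get-ADDomainController -Filter *).HostName | Where-Object { $_ -ne $Pdc })

$Results = foreach ($DC in $DCs) {
    $Filter = @{ LogName = 'Security'; Id = $Ids; StartTime = $Since }
    try {
        $Events = Get-WinEvent -ComputerName $DC -FilterHashtable $Filter -ErrorAction Stop
    } catch {
        Write-Warning "${DC}: $($_.Exception.Message)"   # also raised when nothing matches
        continue
    }
    foreach ($Evt in $Events) {
        # Flatten the named <Data> fields of the event into a hashtable.
        $Data = @{}
        foreach ($d in ([xml]$Evt.ToXml()).Event.EventData.Data) { $Data[$d.Name] = $d.'#text' }
        # Prefix match also catches the name@domain form (and longer names sharing the prefix).
        if ($Data['TargetUserName'] -notlike "$Account*") { continue }

        # The originating machine is stored under a different field per event ID.
        $Source = switch ($Evt.Id) {
            4771 { $Data['IpAddress'] }
            4776 { $Data['Workstation'] }        # shown as "Source Workstation"
            4740 { $Data['TargetDomainName'] }   # shown as "Caller Computer Name"
            4625 { "$($Data['WorkstationName']) $($Data['IpAddress'])" }
        }
        [pscustomobject]@{
            Time    = $Evt.TimeCreated
            DC      = $DC
            EventId = $Evt.Id
            Account = $Data['TargetUserName']
            Source  = if ([string]::IsNullOrWhiteSpace($Source)) { '(empty)' } else { $Source }
            Status  = $Data['Status']
        }
    }
}
$Results | Sort-Object Time | Format-Table -AutoSize
```

Rows marked `(empty)` are events where the source field was logged blank, which is the case described in the last post; sorting by time across all DCs shows which controller recorded each attempt.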