If a user locks him or herself out of his domain account does the Event ID 539 appear on the Domain controller or the computer which was used to attempt to login.
I have a situation in which a user locked himself out but there were no Event ID 539 generated in the security log on the DC. However they appeared on the computer on which the user attempted to login.
Therefore I was under the impression that the Event ID 539 and any associated ID would appear in the security log.
can someone please explain how the process of generating the Event id 539 should work and in which security log (DC or workstation?)