Event Log on Domain Controller-- How to identify successful and failed user logins on domain pcs

We have a Windows domain with two domain controllers (server 2008 R2).  I'd like to search the event log of the DCs for failed user logins (bad password or bad user name, for example)

I thought that event 4625 would be the correct event number.  The Audit logon events policy is set to failure for the domain controllers.

I just attempted a logon to a member PC using a bad password-- nothing showed up in either domain controller event list.

I also attempted to remote desktop to the domain controller itself with a bad password.  Again, I can't find the error in the security log.

Where would these failed attempts appear in the event list of the domain controller?

Thanks in advance.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Liam SomervilleSenior Security ConsultantCommented:
You're auditing in the wrong place!

Audit ACCOUNT logon Events: http://technet.microsoft.com/en-us/library/cc787176(v=ws.10).aspx
dakota5Author Commented:
According to that link, the events will post in the domain controller's security log.  That's where I'm looking.
What is the correct location?
dakota5Author Commented:
Apparently the Audit Failure (keyword) Event ID=4776 appears on only ONE domain controller, the one that processed the authentication.  This is generally the domain controller with the FSMO PDC Emulator Role.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Liam SomervilleSenior Security ConsultantCommented:
You are correct; it would only appear on the DC that authenticated it. Sorry for the late response - I just saw your replies.
dakota5Author Commented:
This is the answer.  I discovered this through trial and error, then confirmed with information on the internet.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.