We have a Windows domain with two domain controllers (server 2008 R2). I'd like to search the event log of the DCs for failed user logins (bad password or bad user name, for example)
I thought that event 4625 would be the correct event number. The Audit logon events policy is set to failure for the domain controllers.
I just attempted a logon to a member PC using a bad password-- nothing showed up in either domain controller event list.
I also attempted to remote desktop to the domain controller itself with a bad password. Again, I can't find the error in the security log.
Where would these failed attempts appear in the event list of the domain controller?
Thanks in advance.