Here is what I would like to do...
I would like any unsuccessful password attempts logged in my domain servers' event viewer. So... for example... if someone was trying to guess a user's domain logon password from a terminal, a server or from webmail, those unsuccessful attempts would be listed in the event viewer.
Here is what my network looks like
Windows 2008 R2 servers, 2 domain controllers, Windows 7 PCs.
Here is what I have configured so far...
I have configured an "account lockout" group policy under the domain policy to lock users out after 3 attempts (for 10 minutes). I have configured auditing in the "default domain controller policy" under the domain controller organisational unit. I have configured the following policy settings... (the default domain controller policy has Link Enabled set to DISABLED and Enforced set to DISABLED, although from what I have read this isn't impacting the outcomes)
Audit account logon events: Failure
Audit directory service access: No auditing
Audit logon events: Failure
Audit policy change: No auditing
Audit privilege use: No auditing
Audit process tracking: No auditing
Audit system events: No auditing
I believe this should achieve my goal from what I have read.
So far... if an account is locked out (3 incorrect attempts), IT DOES appear in the domain controllers' event viewer. But when I attempt to guess a user's password from a terminal, the failure IS NOT logged in the event viewer, only the account lockout after 3 attempts! But when I try to guess a user's password from the server... that failure IS logged in the event viewer.
Can anyone shed light on this? What am I doing wrong?
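Added example, not from the original post, for checking what the domain controllers actually record once auditing is in place: it confirms the relevant audit subcategories on each DC and then lists the failure-side events (4625, 4771, 4776) and lockouts (4740) from each DC's Security log for the last 24 hours. It assumes the RSAT ActiveDirectory module, WinRM on the DCs, and rights to read their Security logs remotely.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module, WinRM on the DCs, and rights to read each DC's Security log remotely.
Import-Module ActiveDirectory

# Failure-related IDs on a 2008 R2 DC. 4771 (Kerberos pre-auth failed) and 4776
# (NTLM credential validation) are "Account Logon" events written on the DC that
# validated the credential; 4625 is a "Logon" event written on the machine where
# the logon was attempted; 4740 is the lockout itself (an Audit Success event).
$ids   = 4625, 4771, 4776, 4740
$since = (Get-Date).AddHours(-24)

function Get-DcLogonFailures {
    param([string]$Dc)

    # Show the effective audit setting for the subcategories behind these IDs.
    Invoke-Command -ComputerName $Dc -ScriptBlock {
        auditpol /get /subcategory:"Credential Validation","Kerberos Authentication Service","Logon"
    }

    $events = Get-WinEvent -ComputerName $Dc -FilterHashtable @{
        LogName = 'Security'; Id = $ids; StartTime = $since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Keep failures plus lockouts; 4776 is also logged for successful validations.
        if ($e.Id -ne 4740 -and $e.KeywordsDisplayNames -notcontains 'Audit Failure') { continue }

        # Pull the named fields out of the event XML; field names differ per ID.
        $d = @{}
        foreach ($f in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$f.Name] = $f.'#text' }

        # Where the attempt came from: 4740 stores the caller computer in
        # TargetDomainName; the others use IpAddress / WorkstationName / Workstation.
        $source = if ($e.Id -eq 4740) { $d['TargetDomainName'] } else {
            $d['IpAddress'], $d['WorkstationName'], $d['Workstation'] |
                Where-Object { $_ -and $_ -ne '-' } | Select-Object -First 1
        }

        [pscustomobject]@{
            DC      = $Dc
            Time    = $e.TimeCreated
            Id      = $e.Id
            Account = $d['TargetUserName']
            Source  = $source
            Status  = $d['Status']   # e.g. 0x18 (4771) or 0xC000006A (4776) = bad password
        }
    }
}

(Get-ADDomainController -Filter *).HostName |
    ForEach-Object { Get-DcLogonFailures -Dc $_ } |
    Sort-Object Time | Format-Table -AutoSize
```

If the workstation attempts show up only as 4771/4776 and never as 4625, that is expected: the 4625 for a console logon is written on the workstation, while the DC records the credential validation it performed.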