I am tasked to setup an alert for unsuccessful admin login attempts at our company to satisfy cyber security controls. We have 2 offices and 4 home offices - the main office logs into our Windows 2012 server and then everyone logs into our Windows 2012 RDS server for all network resources.
How can I set some sort of alert for unsuccessful admin login attempts? I understand that event ID 4625 is the main unsuccessful login attempt identifier, and I'm ok with using that even though it is not strictly for admin logins, but where would I create this (I assume a group policy)? On the Domain Controller (AD Server), RDS server, workstation (for all local domain logins in the main office), or all 3. I was hoping only one server (AD server?) could do this.