Windows – Audit failed login attempts to domain on Active Directory controller

active-directory authentication windows

I want to get information about all failed login attempts on the Active Directory server.
I already changed these policies on the AD controller: [image]

And disabled Audit: Force Audit policy subcategory settings (Windows Vista or Later) on client and controller machines.

After these actions I can see only successful login attempts to the domain in Event Viewer (on the Security page) from client machines on the domain controller (failed attempts I can see only in the Security log of the client machine).
What am I doing wrong? How can I see these attempts in security log of Active Directory controller as well?

Best Answer

I would use the subcategories - they're more advanced, flexible, configurable, and appropriate.

Here are the settings that you would be looking to enable (in addition to "enabling" the forcing of the subcategory use). Though, you really only need the credential validation entry.

[image]
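The following is an added example, not part of the original answer: one way to turn on the Credential Validation subcategory from an elevated PowerShell session on the domain controller and then list the failed validations it records. It assumes an English-locale system (the subcategory name is localized) and that failures appear as event ID 4776, which is what this subcategory logs; the status-code table is a short selection, not a full list.

```powershell
# Added example; run elevated on the domain controller.
# Enable success and failure auditing for the Credential Validation subcategory.
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable

# Confirm the effective setting (expect "Success and Failure").
auditpol /get /subcategory:"Credential Validation"

# 1 means "Force audit policy subcategory settings" is enabled, so the
# subcategory settings are not overwritten by the legacy category policy.
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue |
    Select-Object SCENoApplyLegacyAuditPolicy

# A few NTSTATUS values that show up in the Status field of event 4776.
$reasons = @{
    '0xc0000064' = 'User name does not exist'
    '0xc000006a' = 'Wrong password'
    '0xc0000072' = 'Account disabled'
    '0xc0000234' = 'Account locked out'
}

# Keyword bit that marks an "Audit Failure" record in the Security log
# (0x10000000000000 in hex).
$auditFailure = 4503599627370496

Get-WinEvent -FilterHashtable @{
        LogName  = 'Security'
        Id       = 4776
        Keywords = $auditFailure
    } -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the named EventData fields instead of relying on their position.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $status = "$($data['Status'])".ToLower()
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = $data['TargetUserName']
            Workstation = $data['Workstation']
            Status      = $status
            Reason      = if ($reasons.ContainsKey($status)) { $reasons[$status] } else { 'Other' }
        }
    } | Format-Table -AutoSize
```

If the domain controller's audit policy comes from a GPO, set the same subcategory there as well, otherwise the next policy refresh will replace the local `auditpol` change.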