Tracking down Failed Login Attempts in Active Directory

I had a recent experience with a client where a user account was getting locked out but the but the logs on the domain controller weren’t very helpful. Basically besides telling us the account was locked out they did nothing, no location, nothing.

After quite a bit of research on google I found this blog post http://jackstromberg.com/tag/microsoft_authentication_package_v1_0/ . While Jack didn’t have the same issue his solution was exactly what I needed which was to turn on verbose logging of Netlogon,

From a command prompt run the following command nltest /dbflag:0x2080ffff

Review the log file generated at %windir%\debug\netlogon.log

When you are finished run the following command to disable verbose logging nltest /dbflag:0x0

More info can be found at this Microsoft Support Article http://support.microsoft.com/kb/109626/en-us

The verbose logging led me to the exact reason of the the lockouts. Which turned out to be a computer the user had forgot they had logged into.