I can't seem to make this work on Windows Server 2008 SP2. When our environment was still on Windows 2003 account (user) lockout events showed up in security event log on the 2003 DCs that authenticated the account. The same audit policy is being applied to the new Windows 2008 DC but the account lockout events wont show up at all. I know the event ID changed and I have read about audit subcategories and used auditpol /set commands and options to play with auditing but still won't work. Has anybody experienced this?
Cheers
Cheers