Let’s face it, Microsoft Active Directory account lockouts happen. Whether the lockout is a result of a bungled password change, runaway user device, or is malicious, IT departments should keep an eye on where failed login requests are coming from. When accounts continually lock out despite all credentials being changed, it is useful to view NetLogon logs to see where failed request details.
To enable NetLogon Logging, use the following command on a domain controller:
When finished, disable NetLogon Logging with this command:
The netlogon.log file is located in the %SystemRoot%Debug directory of a Microsoft Windows Domain Controller. 0x2080ffff is the most verbose setting and shows detailed timestamps, the domain controller clients authenticate against, client site, information related to the DC Locator process, and account password expiration information. Be careful when enabling NetLogon logging. the netlogon.log file can quickly grow in the system drive.
For additional information, see MS KB 109626 (Enabling Debug Logging for the Netlogon Service)