I have the following GP/Advanced Audit:
Logon/Logoff
  Logon: Success and Failure
  Account Lockout: Success and Failure
  Special Logon: Success and Failure
  Other Logon/Logoff Events: Success and Failure
Detailed Tracking
  Process Creation: Success
Account Management
  User Account Management: Success
  Computer Account Management: Success
  Security Group Management: Success
  Application Group Management: Success
  Other Account Management Events: Success
DS Access
  Directory Service Changes: Success
  Directory Service Access: Success and Failure
Account Logon
  Other Account Logon Events: Success and Failure
  Credential Validation: Success and Failure
Recently, some users are complaining about accounts being locked several times a day.
But despite the proper configurations, searching the Event Viewer logs, I can find the 4740 event, showing exactly when the account has been locked, but I can't find any evidence of ANY of the 5 times required to lock an account at ANY DC available. No 4625 events were found.
If I create a test user and force the user to fail several times, all proper events 4625 & 4740 show up in the logs with no problem, so auditing is OK.
At Office 365, there are no login failures, only successful login events, so the lockout is not coming from O365 back to my on-premises AD/DC.
What else can I do?
In the AzureADSync, nothing useful (and the log capabilities are terrible), and my PDC emulator shows the lockout with the ALTools/Account Lockout Tool as the lockout propagates through the replication process, nothing wrong.
The local user's machine has some events, but again, only successful events, including the .EXE name responsible for the login, but no failure events are shown.
What else can I do? What am I missing here?
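One thing worth checking before concluding that the failures are missing: a domain controller does not normally record a failed password for a domain account as 4625. Event 4625 is written on the machine where the logon was attempted; the DC that rejects the credentials logs 4771 (Kerberos pre-authentication failed, Status 0x18 for a bad password) or 4776 (NTLM credential validation failed, Status 0xC000006A), and 4740 names the "Caller Computer Name" that submitted the bad credentials. The script below is an added example, not from the original post: it sweeps every DC for 4740 lockouts of one account, extracts the caller computer from each, and then collects 4625, 4771 and 4776 for that account from all DCs so the source can be correlated by time. It assumes the RSAT ActiveDirectory module is installed, that the caller can read the Security log on each DC remotely, and that the user name `jdoe` and the 24-hour lookback are placeholders.

```powershell
# Added example (not from the original post): find 4740 lockouts for one account on
# every DC, then the failed credential validations (4625 / 4771 / 4776) that preceded them.
# Assumptions: RSAT ActiveDirectory module present, remote read access to each DC's
# Security log, and a placeholder account name and lookback window.
Import-Module ActiveDirectory

$User     = 'jdoe'                       # placeholder; replace with the locked-out account
$Lookback = (Get-Date).AddHours(-24)     # placeholder window
$DCs      = (Get-ADDomainController -Filter *).HostName

# Step 1: 4740 on every DC. The PDC emulator usually has all of them, but querying each DC
# avoids depending on replication timing. Properties[0] of 4740 is TargetUserName.
$Lockouts = foreach ($dc in $DCs) {
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Security'; Id = 4740; StartTime = $Lookback
        } -ErrorAction Stop |
        Where-Object { $_.Properties[0].Value -eq $User } |
        ForEach-Object {
            # The machine that submitted the bad credentials is in the message text.
            $caller = if ($_.Message -match 'Caller Computer Name:\s+(\S+)') { $Matches[1] } else { '?' }
            [pscustomobject]@{ DC = $dc; Time = $_.TimeCreated; Caller = $caller }
        }
    } catch { Write-Warning "$dc : $($_.Exception.Message)" }   # includes 'no events found'
}
$Lockouts | Sort-Object Time | Format-Table -AutoSize

# Step 2: on a DC a rejected password shows up as 4771 (Kerberos, Status 0x18) or
# 4776 (NTLM, Status 0xC000006A); 4625 is only written where the logon was attempted.
# Collect all three for the account so they can be lined up against the 4740 times.
$Failures = foreach ($dc in $DCs) {
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Security'; Id = 4625, 4771, 4776; StartTime = $Lookback
        } -ErrorAction Stop |
        ForEach-Object {
            # Read the EventData fields by name from the event XML.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d['TargetUserName'] -ne $User) { return }   # skip other accounts
            [pscustomobject]@{
                DC     = $dc
                Time   = $_.TimeCreated
                Id     = $_.Id
                # 4771 carries the client IP, 4776 the workstation name, 4625 both.
                Source = ($d['IpAddress'], $d['Workstation'], $d['WorkstationName'] | Where-Object { $_ }) -join ' / '
                Status = ($d['Status'], $d['SubStatus'] | Where-Object { $_ }) -join ' / '
            }
        }
    } catch { Write-Warning "$dc : $($_.Exception.Message)" }
}
$Failures | Sort-Object Time | Format-Table -AutoSize
```

Run it from a domain-joined admin workstation. A 4740 whose Caller Computer Name is a workstation, with matching 4771 events from that workstation's IP in the minutes before, points at a cached credential on that machine (a mapped drive, scheduled task, or service running as the user); a caller of the DC itself or an empty caller usually means the request arrived over a path such as a web or mail front end, and the next place to look is that front end's own logs. If a DC returns only the "no events found" warning for step 2 while step 1 shows lockouts, the Credential Validation and Kerberos Authentication Service subcategories on that DC are worth re-checking with `auditpol /get /category:*`.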