I am having a real problem getting EventID 4670 to show up in the Security log when an account is locked out. My DCs are 2012 (not R2), domain and forest level are at 2012. I received these events without issue when the DCs were 2008 R2. The upgrade of the DCs consisted of demoting the DC, removing from domain, clean install 2012, and promote.
I have modified the Default Domain Controller Policy GPO to have "Computer/Windows Settings/Security Settings/Local Policies/Audit Policy" Audit account logon events, Audit account management, Audit directory service access, and Audit logon events are all set to "Success, Failure". Still no 4670 events.
I also set "Computer/Windows Settings/Advanced Audit Policy Configuration/Logon/Logoff" Audit Account Lockout to "Success and Failure". Still no 4670 events.
I also performed using ADUC, Domain, Properties, Security, Advanced, Auditing, and adding "Everyone", type "All", applies to "This object and all descendant objects", and gave essentially all except for full control. Still no 4670 events.
Am I missing something, or have I gone about this all wrong?
-Richard
