[Edit Feb 14/2012] Full list of audit events in windows 2008 can be downloaded here, also KB947226
Please read the differences between "Account Logon/logoff" event and "Logon/Logoff" event first.
- First, using lockoutstatus to find out initial authenticating DC (more than often PDC is not the initial authenticating DC. It has same event IDs mentioned below merely because other DCs check with PDC for latest password.) and time of logon attempt
- Then go to authenticating DC, check security log. Pin-point the log entry using time identified by lockoutstatus
- We are looking for: event ID 675 (4771 in w2k8?), the client IP is the offending machine that sent bad pwds
- Failure code in event ID 675(This is corresponding kerberos error code, full list here) - 0x18: original wrong password
- 0x12: this will be logged after the fact that account has already been locked
- 2 being interactive
- 3 network
- 5 service
- 10 Remote interactive