I am trying to verify that failed access (via Remote Desktop) from a Windows 7 WYSE thin client (on the domain) to other machines on the domain are being logged. The domain controller is Server 2012 and I am using the advanced auditing settings offered in GPMC at the domain level.
When I open up the Remote Desktop Connection from the Thin Client to either a workstation on the domain or even the domain controller (as admin) and try to purposely enter a bad password for the domain user I can not seem to find any Failed Security event in the log on the DC or the workstation. I would expect this to be at least be shown on the DC.
However, when I do the same process as above and enter a username that I know to be incorrect and not a domain user with a random password, that failed event DOES get logged in the Security log on the DC as both a failed 4325 and 4776.
Any reason as to why only non-domain or non-accounts failed Remote Desktop login events are being generated on the DC security logs?
Also it appears that failed authentications for domain accounts at the actual physical thin client get logged just fine, just not when using Remote Desktop.
My Advanced Audit Settings for Authentication are as follows:
ACCOUNT LOGON: Audit Credential Validation - Success & Failure
LOGON/LOGOFF: Audit Logon - Success & Failure
Audit Other Logon/Logoff Events - Success & Failure
Thanks