If you have multiple BDCs and/or trust relationships, the logon event may be in any %LogonServer%. Instead of checking all the Security event logs, use the DUMPEL.EXE from the
with a batch file to filter for logon failures:
@echo off
Dumpel.exe -s pdcname -l security -m security -e 529 539 >Drive:\Directory\failure.log.txt
Dumpel.exe -s bdc1name -l security -m security -e 529 539 >>Drive:\Directory\failure.log
Dumpel.exe -s bdc2name -l security -m security -e 529 539 >>Drive:\Directory\failure.log
Dumpel.exe -s bdc3name -l security -m security -e 529 539 >>Drive:\Directory\failure.log
This will append all Event 529s and Event 539s to the <Drive:>\Directory\failure.log file which you can then examine for problems.
Event ID 529
Logon Failure
Reason: Unknown user name or bad password
Event ID 539
Logon Failure
Reason: Account locked out
Common causes for invalid logon events are:
Someone is entering the wrong password.
An unauthorized individual is trying to gain access
There is a persistent network connection with an invalid password.
There is a service using a user account with an invalid password.
A Trust relationship has been broken.