Event Logs IDs - Account Lockouts
When an end user's account is locked out, I utilize EventCombMT to search the Security Logs for the event. I only need the event from the logs, so I can report the origin of the lockout (Workstation Name).
Lately I have noticed many users' accounts locking out, but nothing is reported in the Security Logs. The tool we use to administer the domain shows the account locked out; I can also use the LockOutStatus.exe tool to see that it is locked out across the Domain Controllers. However, when I run a check on the DC Security Logs, nothing is reported.
The check is run well before the logs would have been overwritten. And it only happens once in a while; most of the time the lockout is reported in the logs.
Why is the user's account lockout not being reported into the DC security logs? Am I searching with the wrong Event IDs?
I use the parameters below to find the lockout with EventCombMT:
Security Logs
Event Types: Error, Success Audit and Failure Audit
Event IDs: 539 and 644
Text: (account username)
October 12th, 2007 5:20pm
The eventlog viewer (eventvwr.msc) is not a networking application and therefore will not work with a Domain Controller.
October 23rd, 2007 5:14am
The event IDs in Windows 2008 have been completely changed.
You can visit this link to get the new event IDs:
http://www.ultimatewindowssecurity.com/wiki/WindowsServer2008VistaSecurityLog.ashx
May 17th, 2008 4:58pm


