Hi,
Thanks for your post.
Have you tried to run gpupdate /force before doing the test?
Did you do this on the "Default Domain Controller" policy so that it applies to the DCs? You need to edit the Default Domain Controller policy; otherwise you need to create a new GPO and link it to the Domain Controllers OU.
As for event 4768: when a user logs on at a workstation with their domain account, the workstation contacts the domain controller via Kerberos and requests a ticket-granting ticket. If the user fails authentication, the domain controller logs event ID 4771 or an audit failure instance of 4768.
If the user's credential authentication checks out, the domain controller creates a TGT, sends that ticket back to the workstation, and logs event ID 4768.
If authentication succeeds and the domain controller sends back a TGT, the workstation creates a logon session and logs event ID 4624 to the local security log.
Please check the following articles:
Audit Kerberos Authentication Service
https://technet.microsoft.com/en-us/library/Dd772702%28v=WS.10%29.aspx?f=255&MSPPError=-2147217396
Following a Users Logon Tracks throughout the Windows Domain
http://www.eventtracker.com/newsletters/following-a-users-logon-tracks-throughout-the-windows-domain/
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
Best Regards,
Mary Dong
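
The event sequence described in the reply above (4768 or 4771 on the domain controller, then 4624 on the workstation) can be checked by correlating the two logs. This is an added example, not part of the original reply or of any Microsoft tool; the record fields, host names, sample events and the 30-second window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs): DC and workstation Security
# events already merged and reduced to a few fields. Field names are assumptions.
EVENTS = [
    {"time": "2024-01-10T08:00:01", "host": "DC01", "id": 4768, "result": "success", "user": "alice"},
    {"time": "2024-01-10T08:00:02", "host": "WKS07", "id": 4624, "result": "success", "user": "Alice"},
    {"time": "2024-01-10T08:05:10", "host": "DC01", "id": 4771, "result": "failure", "user": "bob"},
    {"time": "2024-01-10T08:06:00", "host": "DC01", "id": 4768, "result": "failure", "user": "carol"},
    {"time": "2024-01-10T08:07:00", "host": "DC01", "id": 4768, "result": "success", "user": "dave"},
    {"time": "2024-01-10T08:10:00", "host": "WKS09", "id": 4624, "result": "success", "user": "erin"},
]

WINDOW = timedelta(seconds=30)  # assumed maximum gap between 4768 and 4624


def is_tgt_failure(e):
    # A failed TGT request appears as 4771 or as an audit-failure 4768.
    return e["id"] == 4771 or (e["id"] == 4768 and e["result"] == "failure")


def trace_logons(events, window=WINDOW):
    """Return (user, outcome, workstation) tuples, DC events first in time order."""
    evs = sorted((dict(e, ts=datetime.fromisoformat(e["time"]),
                       user=e["user"].lower()) for e in events),
                 key=lambda e: e["ts"])
    used, out = set(), []
    for e in evs:
        if is_tgt_failure(e):
            out.append((e["user"], "tgt_failed", None))
        elif e["id"] == 4768:
            # Successful TGT: look for the workstation's 4624 shortly after it.
            hit = next((i for i, w in enumerate(evs)
                        if i not in used and w["id"] == 4624
                        and w["user"] == e["user"]
                        and timedelta(0) <= w["ts"] - e["ts"] <= window), None)
            if hit is None:
                out.append((e["user"], "tgt_without_4624", None))
            else:
                used.add(hit)
                out.append((e["user"], "logon_complete", evs[hit]["host"]))
    # A 4624 with no matching 4768 in the collected DC events: worth checking
    # whether the audit policy has actually applied on the DCs.
    out += [(w["user"], "4624_without_4768", w["host"])
            for i, w in enumerate(evs) if w["id"] == 4624 and i not in used]
    return out


if __name__ == "__main__":
    for row in trace_logons(EVENTS):
        print(row)
```
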