Occasionally, you may encounter AD account lockouts and the reason for the lockout is not always apparent. Enabling NETLOGON logging on your domain controllers may help in this regard. The NETLOGON log file will provide a detailed logging of all NETLOGON events and helps you to trace the originating device on which the logon attempts (and subsequent lockout) occurs.

To enable NETLOGON logging, run the following command (from an elevated command prompt):

nltest /dbflag:0x2080ffff

The parameter is a integer value of flags, and 0x2080ffff is the highest level, showing detailed timestamps, the domain controller clients authenticate against, client site, account password expiration, and much more. More information about enabling NETLOGON logging can be found in MS KB 109626.

The logging is written to a single file: %SYSTEMROOT%\debug\Netlogon.log

Be careful with NETLOGON logging as it can consume a lot of disk space. It can quickly fill up the system drive. If you no longer need the logging, be sure to turn it back off.

To turn off NETLOGON logging, set the debug flags back to zero:

nltest /dbflag:0x0

You can limit the maximum log file size through the registry: the DWORD value MaximumLogFileSize (location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters) specifies the maximum log file size in bytes. Do note that the actual disk space needed is two times that value: when the Netlogon.log reached the maximum size, it is rotated to Netlogon.bak.