To find failed logon requests for a user, you can use one of the following two XML queries. The first shows all successes and failures for that user; the second shows only the failures for that user.
1. Open the Event Viewer and click on the “Security” log in the left-hand pane.
2. Once you can see the list of all the events, click on the “Filter Current Log...” button in the right-hand pane.
3. Click on the “XML” tab, enter one of the following XML sections, and click “OK”. Anything matching the XML query will then be shown.
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[EventData[Data[@Name="TargetUserName"]="Bert.Smith"]]</Select>
  </Query>
</QueryList>

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4625)]]
      and
      *[EventData[Data[@Name="TargetUserName"]="Bert.Smith"]]
    </Select>
  </Query>
</QueryList>
Here 4625 is the event ID of a failure audit, and “Bert.Smith” is the username of the person trying to log on and failing.
If you find a user is persistently locking out their account, you can use this to find out whether someone else is trying to log on from somewhere else, because each event in the log includes the originating IP address of the logon attempt. For example, if the user was using the IP address 192.168.1.10 but you are seeing logon attempts from the IP address 192.168.1.20, then you might assume someone is trying to hack into the account.
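
The same check can be scripted so the originating addresses are summarised rather than read event by event. This is an added example, not part of the original post: it runs the failures-only query through Get-WinEvent and counts failed logons per source address. The values of $User and $KnownIp are assumptions for illustration, and the IpAddress, WorkstationName and LogonType names are the EventData fields of event 4625.

```powershell
# Assumed values for illustration: the account being investigated and
# the address of the machine that user normally logs on from.
$User    = 'Bert.Smith'
$KnownIp = '192.168.1.10'

# Same failures-only filter as the Event Viewer XML tab.
$Query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4625)]]
      and
      *[EventData[Data[@Name="TargetUserName"]="$User"]]
    </Select>
  </Query>
</QueryList>
"@

# Reading the Security log needs an elevated session. Get-WinEvent raises
# an error when nothing matches, so that case is silenced here.
$events = Get-WinEvent -FilterXml $Query -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Turn the named EventData values of this event into a lookup table.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        SourceIp    = $data['IpAddress']
        Workstation = $data['WorkstationName']
        LogonType   = $data['LogonType']
    }
}

# Failures per source address, most active first; Unexpected is True for
# any address other than the user's usual one.
$rows | Group-Object SourceIp | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'SourceIp';   e = { $_.Name } },
        @{ n = 'Unexpected'; e = { $_.Name -ne $KnownIp } },
        @{ n = 'LastSeen';   e = { $_.Group.Time | Sort-Object | Select-Object -Last 1 } }
```

A source address can be logged as "-" or left empty for some failures, for example logons attempted at the machine's own console, so those rows also show as Unexpected and need a look at the Workstation and LogonType values in $rows.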