We have a 2012 R2 functional domain with audit/failure logging set up. These logs are read by our SIEM. We recently noticed no failures for some accounts. Upon further testing, there are no Audit Failures logged in the DC event viewer for any Domain Admin accounts, but thousands for other accounts. This leads me to think this is an exception or filtering on a GPO somewhere, and I haven’t been able to track anything down yet. Our audit settings are done via GPO on the default domain and default domain controller policies.
It did seem to just be logon failures not logging. We tested locking an account with bad passwords and that worked and logged successfully.
Has anyone come across this before? How would you make an unaudited group if you wanted to?