I've setup lockout examiner.
logon event auditing is enabled on my 3 DCs.
logon event auditing is enabled on the client PC i'm working with.
In settings>managed objects it's set to All DCs, I have an enabled status and an ok connection in the monitored DCs list, all green.
When I intentionally lock an account from the client and run a report I see a list of invalid logons for the relevant PC but there's no triangular click down arrow giving more details.
If i run rsop.msc on the client loggin is def enabled.
if I check the security log on the DC the logs show event 675 0x18 which is correct for a bad password.
I don't know why these details aren't appearing on the examiner report. It wa working yesterday but suddenly seems to have stopped.