My ALE (v4.1.417.0 running on Server 2012 R2) does not send email alerts for lockouts that happen on Windows machines. In the 'ALEService' log file, it generates "Failed to resolve sid by dc SERVERNAME".
Four internal DCs are monitored (3 are 2012 R2, 1 is 2008 R2), and they all show Connection as 'OK'. Also, ALE detects the lockouts, and processes unlocks. It just doesn't email the notifications for Windows-based lockouts.
It does send notifications when a user locks out on a non-domain device via RADIUS.
The timing of this coincided with my Netwrix service account being put into a 'Deny Local Logon' policy, while still retaining domain admin permissions.
I have since reverted that change, but still no notifications.
SMTP is fine; ALE is running on the SMTP server itself, and uses the same SMTP settings as Auditor, installed on the same machine.
Thanks for any assistance in getting my helpful notifications back.