WARNING: ADAudit Plus only audits KERBEROS authentication events. It IGNORES NTLM events!!!

I just recently ran into an issue attempting to diagnose an account lockout for some of my users and I found ADAudit Plus registered no bad passwords for them. When manually scouring the AD security logs with EventCombMT.exe from the MS Account Lockout tools, I did find many events for these failures.

The failures were NTLM authentication failures which are tracked in Windows via Event ID 4776.

After a support call to ManageEngine, I was informed NTLM based events have been removed from auditing because they are too chatty. ManageEngine deems them "noise" events.

Not all systems rely on Kerberos authentication. NTLM is still widely used. This decision is simply irresponsible for a tool designed to audit AD security.

Perhaps tracking authentication failures is not meant to be a selling feature of this tool, but it's one of the major reasons we purchased it.  Unfortunately we will be looking for a replacement if these features are not added back into the tool.

I wanted to create this post for others who wonder why they can't accurately track account lockouts in their environment or to save them the headache from purchasing a tool that is not sufficiently tracking all avenues of authentication.

I mean no disrespect to ManageEngine, as I've grown to like several of their products over the past few years, but this is simply unacceptable.
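The following PowerShell script is an added example, not part of the original post and not a ManageEngine or Microsoft tool. It does the manual check the post describes (finding NTLM failures that show up only as Event ID 4776) and lists them next to the Kerberos pre-authentication failures (Event ID 4771) that an audit product focused on Kerberos would still report, so the two views can be compared for one account. It assumes it is run by an account allowed to read the Security log on every domain controller and that the RSAT ActiveDirectory module is installed for Get-ADDomainController; the status-code descriptions are Microsoft-documented values, and the $SamAccountName, $Hours and $DomainControllers parameters are this example's own names.

```powershell
# Added example (not from the original post): list NTLM (4776) and Kerberos
# pre-auth (4771) failures for one account across all domain controllers.
# Assumes rights to read each DC's Security log and the RSAT AD module.
param(
    [Parameter(Mandatory)] [string]$SamAccountName,
    [int]$Hours = 24,
    # Defaults to every DC in the domain; pass 'localhost' when run on a single DC.
    [string[]]$DomainControllers = (Get-ADDomainController -Filter *).HostName
)

# Event 4776 "Status" field: NTSTATUS values (Microsoft-documented meanings).
$NtlmStatus = @{
    '0xc000006a' = 'Bad password'
    '0xc0000234' = 'Account locked out'
    '0xc0000064' = 'User name does not exist'
    '0xc0000072' = 'Account disabled'
}
# Event 4771 "Status" field: Kerberos error codes.
$KerbStatus = @{
    '0x18' = 'Pre-authentication failed (bad password)'
    '0x12' = 'Client credentials revoked (locked or disabled)'
}

function Describe([hashtable]$Map, [string]$Code) {
    # Fall back to the raw code when it is not in the table above.
    if ($Map.ContainsKey($Code)) { $Map[$Code] } else { $Code }
}

$since = (Get-Date).AddHours(-$Hours)

$results = foreach ($dc in $DomainControllers) {
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'Security'; Id = 4776, 4771; StartTime = $since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # Both event types carry the account in TargetUserName (case-insensitive match).
        if ($d.TargetUserName -ne $SamAccountName) { continue }

        if ($e.Id -eq 4776) {
            # 4776: NTLM credential validation; Status 0x0 is success, skip it.
            $code = $d.Status.ToLower()
            if ($code -eq '0x0') { continue }
            [pscustomobject]@{
                Time = $e.TimeCreated; DC = $dc; Protocol = 'NTLM'
                Source = $d.Workstation
                Reason = Describe $NtlmStatus $code
            }
        } else {
            # 4771: Kerberos pre-authentication failure; Source is the client IP.
            [pscustomobject]@{
                Time = $e.TimeCreated; DC = $dc; Protocol = 'Kerberos'
                Source = $d.IpAddress
                Reason = Describe $KerbStatus $d.Status.ToLower()
            }
        }
    }
}

# Chronological detail, then a count per protocol/source/reason so the
# workstation generating the bad NTLM passwords stands out.
$results | Sort-Object Time | Format-Table Time, DC, Protocol, Source, Reason -AutoSize
$results | Group-Object Protocol, Source, Reason |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it as `.\Find-AuthFailures.ps1 -SamAccountName jdoe -Hours 48` (file name is this example's own). If the NTLM rows show a workstation the Kerberos rows never mention, that machine is the source of the lockout the Kerberos-only audit view would have missed; note that 4776 is logged on whichever DC validated the credentials, so querying every DC rather than only the PDC emulator is what makes the listing complete.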
