First of all, check your auditing settings:

In the Group Policy Management Editor, choose

Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy

Set the following audit policies:

• Audit account management: “Success”
• Audit directory service access: “Success”
• Audit logon events: “Success” and “Failure”

Alternatively, you can set Advanced audit policies: In the Group Policy Management Editor, expand

Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies

Set the following audit policies:

Account Logon

• Audit Kerberos Authentication Service: “Success, Failure”
• Audit Kerberos Service Ticket Operations: “Success, Failure”
• Audit Other Account Logon Events : “Success, Failure”

Account Management

• Audit Computer Account Management: “Success”
• Audit Distribution Group Management: “Success”
• Audit Security Group Management: “Success”
• Audit User Account Management: “Success”

DS Access

• Audit Directory Service Access: “Success”

Logon/Logoff

• Audit Logoff: “Success”
• Audit Logon: “Success”
• Audit Other Logon/Logoff Events: “Success”
• Audit Special Logon: “Success”