Ok so after enabling the lockout policies for TMG (see below) I’ve had a few issues where I’m not 100% sure if a users account is locked out in TMG or their phone is just being daft or if their AD account is locked out…
So my first thought was to monitor the traffic coming through the TMG to see if a user account is receiving blocked connections, well nothing was coming through at all (I should note when I’m not having this issue, theres loads of lovely green connections coming through this filter)!!
So after some head scratching I realised TMG logs its lockouts to the event view under Application:
There’s also evidence of failed password attempts in the security section of the event viewer: