Identifying hack attempts on Remote Desktop

One of the ways a computer can become infected with ransomware is an attacker breaking into an RDP-enabled workstation by brute force/password guessing. However, it can be difficult to identify which workstation is the target when all you see is various user accounts being locked out due to excessive wrong passwords.

On the AD machine, open a command prompt and enter:

Nltest /DBFlag:2080FFFF

Now, all logon attempts will be logged in %windir%\debug\netlogon.log as [LOGON] entries.
Successful logons show return code 0; hacking attempts show non-zero return codes.

To turn off logging, open a command prompt and enter:

Nltest /DBFlag:0x0
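To triage a copy of netlogon.log collected this way, the following added example (not part of the original page) tallies [LOGON] lines with non-zero return codes by the names that follow "from" and "via". The line layout, the sample lines and the function names are assumptions made for illustration; the layout of real entries varies between Windows versions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines; the "[LOGON] ... logon of ACCOUNT from NAME
# (via NAME) Returns 0x..." layout is an assumption about the log format.
SAMPLE_LOG = r"""
06/24 10:15:30 [LOGON] [2104] CONTOSO: SamLogon: Network logon of CONTOSO\alice from WS-014 (via FS01) Entered
06/24 10:15:30 [LOGON] [2104] CONTOSO: SamLogon: Network logon of CONTOSO\alice from WS-014 (via FS01) Returns 0x0
06/24 10:16:01 [LOGON] [2104] CONTOSO: SamLogon: Network logon of CONTOSO\bob from HOST-A (via WS-RDP07) Returns 0xC000006A
06/24 10:16:02 [LOGON] [2104] CONTOSO: SamLogon: Network logon of CONTOSO\bob from HOST-A (via WS-RDP07) Returns 0xC000006A
06/24 10:16:03 [LOGON] [2104] CONTOSO: SamLogon: Network logon of CONTOSO\admin1 from HOST-A (via WS-RDP07) Returns 0xC0000064
06/24 10:16:04 [LOGON] [2104] CONTOSO: SamLogon: Network logon of CONTOSO\bob from  (via WS-RDP07) Returns 0xC0000234
"""

# The "from" name may be empty and the "(via ...)" part may be missing.
LINE_RE = re.compile(
    r"\[LOGON\].*?logon of (?P<account>\S+) from (?P<source>\S*)"
    r"(?: \(via (?P<via>[^)]+)\))? Returns (?P<code>0x[0-9A-Fa-f]+)"
)

# A few NTSTATUS values that commonly appear during password guessing.
STATUS = {
    0xC0000064: "no such user",
    0xC000006A: "wrong password",
    0xC0000234: "account locked out",
}

def failed_logons(text):
    """Yield (account, source, via, code) for each non-zero [LOGON] result."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m and int(m["code"], 16) != 0:
            yield (m["account"], m["source"] or "(blank)",
                   m["via"] or "-", int(m["code"], 16))

def rank_sources(text):
    """Return [((source, via), failures, accounts, reasons)], worst first."""
    counts, accounts, reasons = Counter(), defaultdict(set), defaultdict(set)
    for account, source, via, code in failed_logons(text):
        key = (source, via)
        counts[key] += 1
        accounts[key].add(account)
        reasons[key].add(STATUS.get(code, hex(code)))
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(k, n, sorted(accounts[k]), sorted(reasons[k])) for k, n in ordered]

if __name__ == "__main__":
    for (source, via), n, accts, why in rank_sources(SAMPLE_LOG):
        print(f"from={source} via={via} failures={n} accounts={accts} reasons={why}")
```

A name pair with many failures spread across several accounts, ending in lockouts, is the one to investigate first.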