Steps to Enable Audit logging for NTLM Windows 2008 Domain Controller:

1. Login to he Domain Controller box.
2. Open a Command line prompt and type in:
   
   gpmc.msc
   
   
   
    
3. Now you should see the Group Policy Management screen open up.  See Screen shot.  Expand the Forest>Domains until you get to the "Default Domain Policy".
   
   
   
    
4. Highlight the "Default Domain Policy" and right click on the mouse button. Then click on "Edit".  See Screen Shot.
   
   
    
   
    
5. Now you should have the Group Policy Management Editor screen open for the Default Domain Policy.  Now drill down to the Security Options (See screen shot) and then on the right scroll to what is highlighted in red with red arrows. 
   
   
   
    
6. Now change the Policy Setting for the three that are highlighted in red in the above screen shot to look like this.
   
   Network security: Restrict NTLM: Audit Incoming Traffic = Enable auditing for all accounts
   Network security: Restrict NTLM: Audit NTLM authentication in this domain = Enable all
   Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers = Audit All
   
    

Steps to collect the NTLM audit logs:

1. Open the Event Viewer.
2. Expand the Application and Services Logs>Microsoft>Windows>NTLM>Operational
3. Now off to the right you will see logging. 
   
   Note: If this is first time setting up the NTLM Audit Logging use F5 to refresh the screen.
    
4. Click on Action and scroll down to "Save All Events As..."
5. Have customer send a copy of that log.