hello,
I Have a machine Windows server 2012 r2, I configure as Active directory, and I create a user (user_1, user_2) and I add a list of computers (Client_1, Client_2,...) under the domain
what I want is if a user_1 is fail to log in, the client_1, then it sends the event code 4625 to the AD machine
This does not appear to be a Splunk question and we're unlikely to be able to help you in any great detail on this problem.
A hint though -
Your answer will be found most likely in some Microsoft docs or forums involving Active Directory. From what I know, if you are trying to log into a domain account on a domain joined PC, it's very difficult to make the failed logins not show up. So something's either seriously wrong, or you are just "doing the wrong thing" like not using a domain joined pc and using a domain account.