If everyone is using Active Directory, all of the authentication activity should also be logged in AD. You'll need to monitor the Windows Security Logs on all Domain Controllers in your Active Directory domain. There's no guarantee which one will service the logon, so you have to audit all of them.
By default, when you install the LEM agent, it will enable connectors for the traditional Windows Application, Security, and System Logs. You also need to make sure you have an audit policy set up to audit logon activity, and the event logs are set to overwrite as needed so they don't fill and stop logging.