Okay, so in an effort to not put the answer on a platter...
I have a test domain and I have some disabled accounts. I tried to mstsc from one server to another with a disabled account, and in LEM I see this:
Now, I have to admit that I'm not super familiar with this particular event, so I went to Randy Smith and asked what it meant. I got this page:
Windows Security Log Event ID 4768 - A Kerberos authentication ticket (TGT) was requested
Now, if you look at the sample event, in the Extraneous Info field you can see a status code, "0x12", which I highlighted. According to Randy, that means that the client account is:
| 0x12 | Clients credentials have been revoked | Account disabled, expired, locked out, logon hours. |
So, good news! You don't need a special AD group, because you can run the correlation off any account that is disabled, regardless of group membership!
Therefore, I'd say you'd want to start with a correlation for UserAuthTicket events (that's the event type that I got) and look in the ExtraneousInfo field for that 0x12 string, and maybe look for a ProviderSID of Microsoft-Windows-Security 4768.
Let me know if you want more than that to help you on your way!
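As an added illustration of the correlation described above (not code from the original post or from LEM), the script below runs that logic over a few constructed UserAuthTicket records: it keeps only Microsoft-Windows-Security 4768 events whose ExtraneousInfo carries Result Code 0x12, and labels the hit with the Kerberos meaning of the code. The field names and the "Result Code:" text layout are assumptions about how the normalized event looks, and the result-code table is extended with a few other well-known RFC 4120 codes beyond the 0x12 case the post discusses.

```python
"""Flag 4768 (TGT request) events rejected with Kerberos result code 0x12.

Added illustrative example. The events below are constructed to resemble
LEM's normalized UserAuthTicket records; the exact field layout is an assumption.
"""
import re

# Well-known KDC result codes (RFC 4120); 0x12 is the one the post keys on.
RESULT_CODES = {
    "0x6": "KDC_ERR_C_PRINCIPAL_UNKNOWN (user name does not exist)",
    "0x12": "KDC_ERR_CLIENT_REVOKED (account disabled, expired, locked out, or outside logon hours)",
    "0x17": "KDC_ERR_KEY_EXPIRED (password expired)",
    "0x18": "KDC_ERR_PREAUTH_FAILED (bad password)",
}

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {"EventType": "UserAuthTicket", "ProviderSID": "Microsoft-Windows-Security 4768",
     "SourceAccount": "disabled.user", "SourceMachine": "SRV01",
     "ExtraneousInfo": "Result Code: 0x12 Ticket Options: 0x40810010"},
    {"EventType": "UserAuthTicket", "ProviderSID": "Microsoft-Windows-Security 4768",
     "SourceAccount": "alice", "SourceMachine": "WS07",
     "ExtraneousInfo": "Result Code: 0x0 Ticket Options: 0x40810010"},
    {"EventType": "UserAuthTicket", "ProviderSID": "Microsoft-Windows-Security 4768",
     "SourceAccount": "bob", "SourceMachine": "WS08",
     "ExtraneousInfo": "Result Code: 0x18 Ticket Options: 0x40810010"},
    {"EventType": "UserLogonFailure", "ProviderSID": "Microsoft-Windows-Security 4625",
     "SourceAccount": "disabled.user", "SourceMachine": "SRV01",
     "ExtraneousInfo": "Status: 0xC0000072"},
]

# Anchor on the "Result Code:" label so "0x12" is not matched inside another hex value.
RESULT_RE = re.compile(r"Result Code:\s*(0x[0-9A-Fa-f]+)")

def result_code(event):
    """Return the Kerberos result code found in ExtraneousInfo, or None."""
    m = RESULT_RE.search(event.get("ExtraneousInfo", ""))
    return m.group(1).lower() if m else None

def is_revoked_client_tgt(event, code="0x12"):
    """The correlation: a UserAuthTicket (4768) event whose result code is 0x12."""
    return (event.get("EventType") == "UserAuthTicket"
            and event.get("ProviderSID", "").endswith("4768")
            and result_code(event) == code)

def find_disabled_account_attempts(events):
    """Return (account, machine, reason) for every event the correlation matches."""
    return [(ev["SourceAccount"], ev["SourceMachine"], RESULT_CODES[result_code(ev)])
            for ev in events if is_revoked_client_tgt(ev)]

if __name__ == "__main__":
    for acct, host, why in find_disabled_account_attempts(SAMPLE_EVENTS):
        print(f"{acct} from {host}: {why}")
```

Event 4768 is written on the domain controller that handled the request, so the correlation only fires if the DCs (not just the member servers) are forwarding their Security logs.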
