How to Exclude a User from Auditpol - Discovered a possible bug with auditpol.exe
Hello all,
I am trying to exclude a user from being audited on a Server 2019 Domain Controller.
Using the following:
Auditpol /set /user:adm.svc.acc /subcategory:"Logon" /Success:disable
Reason for doing so: it's a service account that is calling my API, which logs in every time it sends an HTTP request. There is no real way around it (that I could think of), as it is logging into the domain to retrieve updated email addresses via a Windows Service.
However, it does not appear to stop the Logon from showing up in the Event Viewer on my single domain controller. The strange part is, when I run the following:
Auditpol /set /subcategory:"Logon" /Success:disable
Auditpol /set /subcategory:"Special Logon" /Success:disable
to disable ALL auditing for logons, I verify that I am no longer seeing any logons in the Event Viewer, then turn on the following:
Auditpol /set /user:adm.svc.acc /subcategory:"Special Logon" /Success:enable
Auditpol /set /user:adm.svc.acc /subcategory:"Logon" /Success:enable
and I run my Windows Service talking to the API, I see the logon and special logons for user "adm.svc.acc". I even checked the Event Viewer and could see confirmation for "Audit Policy Change" that it is "Success include removed" for that user:
Policy For Account:
Security ID: TEST\adm.svc.acc
Policy Change Details:
Category: Logon/Logoff
Subcategory: User / Device Claims
Subcategory GUID: {0cce9247-69ae-11d9-bed3-505054503030}
Changes: Success include removed
Am I going about this wrong? Or is it a potential bug in auditpol.exe?
I just really want to exclude the user from showing up in Event Viewer, just for Logons and Special Logons, as it really floods the Event Viewer. It's also bad because another piece of my app is collecting logons and logoffs for all other users, and the DB it's going to is filling up fast :/
Thanks
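Added example for this thread (not code from the original post). auditpol per-user entries come in two kinds, inclusion and exclusion: `/success:disable` without `/exclude` removes an inclusion entry, which is exactly the "Success include removed" text in the 4912 event quoted above, and a suppression needs an exclusion entry (`/exclude ... /success:enable`). The script below parses `auditpol /list /subcategory:* /v` so the GUID reported by a 4912 event can be matched to a subcategory name, reads recent 4912 events, sets the exclusion form for the two subcategories named in the post, and checks the documented caveat that exclusion entries are ignored for members of the local Administrators group. It assumes a Windows Server with auditpol.exe, an elevated PowerShell prompt and, for the group check only, the ActiveDirectory module; the sample list rows are constructed from the standard Windows subcategory GUIDs, and the account name is the one from the post.

```powershell
# Added example for this thread; not code from the original post.
# Assumptions: Windows Server with auditpol.exe, elevated PowerShell, and
# (for the admin check only) the ActiveDirectory module.

# 1. Resolve subcategory GUIDs to names from 'auditpol /list /subcategory:* /v'.
#    Event 4912 (Per User Audit Policy was changed) reports only the GUID, so
#    this shows which subcategory a /set actually touched.
function Get-AuditSubcategoryMap {
    param(
        # Defaults to live auditpol output; pass captured lines to run offline.
        [string[]]$Lines = (& auditpol /list /subcategory:* /v)
    )
    $map = @{}
    foreach ($line in $Lines) {
        # Rows look like "  Logon        {0CCE9215-69AE-11D9-BED3-505054503030}"
        if ($line -match '^\s*(?<name>\S.*?)\s+\{(?<guid>[0-9A-Fa-f-]{36})\}\s*$') {
            $map[$Matches.guid.ToLowerInvariant()] = $Matches.name.Trim()
        }
    }
    return $map
}

# Constructed sample rows (standard Windows GUIDs) so the parser can be tried on
# a box without auditpol; on the DC drop -Lines to use the real list.
$sampleList = @(
    'Category/Subcategory                      GUID'
    'Logon/Logoff                              {69979849-797A-11D9-BED3-505054503030}'
    '  Logon                                   {0CCE9215-69AE-11D9-BED3-505054503030}'
    '  Special Logon                           {0CCE921B-69AE-11D9-BED3-505054503030}'
    '  User / Device Claims                    {0CCE9247-69AE-11D9-BED3-505054503030}'
)
$subMap = Get-AuditSubcategoryMap -Lines $sampleList
$subMap['0cce9247-69ae-11d9-bed3-505054503030']   # the GUID from the post's 4912 event

# 2. Read recent 4912 events and resolve every GUID found in their EventData,
#    without depending on the exact field names of the event schema.
function Get-PerUserAuditPolicyChanges {
    param([int]$MaxEvents = 10, [hashtable]$Map = (Get-AuditSubcategoryMap))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4912 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $fields = @{}
            foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
            $guids = $fields.Values | Where-Object { $_ -match '^\{?[0-9A-Fa-f-]{36}\}?$' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Subcategory = ($guids | ForEach-Object { $Map[$_.Trim('{}').ToLowerInvariant()] }) -join ','
                Fields      = $fields
            }
        }
}

# 3. Per-user policy has inclusion and exclusion entries. '/success:disable'
#    without /exclude removes an inclusion entry ("Success include removed");
#    it suppresses nothing the system policy already audits. Suppression needs
#    an exclusion entry, which is '/exclude' plus '/success:enable'.
function Set-PerUserLogonExclusion {
    param([string]$Account, [string[]]$Subcategories = @('Logon', 'Special Logon'))
    foreach ($sub in $Subcategories) {
        & auditpol /set /user:$Account /exclude /subcategory:"$sub" /success:enable
        # Per-user /get prints separate "Inclusion Setting" and "Exclusion Setting" columns.
        & auditpol /get /user:$Account /subcategory:"$sub"
    }
}

# 4. Caveat: exclusion entries are ignored for members of the local
#    Administrators group; on a domain controller that is BUILTIN\Administrators
#    (S-1-5-32-544). Check before expecting the exclusion to have any effect.
function Test-InBuiltinAdministrators {
    param([string]$SamAccountName)   # e.g. 'adm.svc.acc'
    Import-Module ActiveDirectory -ErrorAction Stop
    $members = Get-ADGroupMember -Identity 'S-1-5-32-544' -Recursive
    return [bool]($members | Where-Object { $_.SamAccountName -eq $SamAccountName })
}

if (Test-InBuiltinAdministrators -SamAccountName 'adm.svc.acc') {
    Write-Warning 'Account is in Administrators; per-user exclusion entries are ignored for it.'
} else {
    Set-PerUserLogonExclusion -Account 'TEST\adm.svc.acc'
}
Get-PerUserAuditPolicyChanges -MaxEvents 5 | Format-List
```

Run it on the domain controller that writes the events, since per-user audit policy is evaluated by the machine generating the audit. If the Subcategory column of the 4912 output names something other than Logon or Special Logon, the `/set` did not touch the subcategory you expected, and that is the thing to chase before calling it a bug in the exclusion logic.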