How to Exclude a User from Auditpol - Discovered a possible bug with auditpol.exe
Hello all,
I am trying to exclude a user from being audited on a Server 2019 Domain Controller.
Using the following:
Auditpol /set /user:adm.svc.acc /subcategory:"Logon" /Success:disable
Reason for doing so, it's a service account that is calling my API which logins in every time it sends an http request. There is no real way around (that I could think of) as it is logging into the domain to retrieve updated email addresses via a Windows Service.
However, it does not seem appear to stop the Logon from showing up in the Event Viewer on my single domain controller. Strange part is, when I run the following:
Auditpol /set /subcategory:"Logon" /Success:disable
Auditpol /set /subcategory:"Special Logon" /Success:disable
to disable ALL auditing for logons, I verify that I am no longer seeing any logons in the Event Viewer, then turn on the following:
Auditpol /set /user:adm.svc.acc /subcategory:"Special Logon" /Success:enable
Auditpol /set /user:adm.svc.acc /subcategory:"Logon" /Success:enable
and I run my Windows Service talking to the API, I see the logon and special logons for user "adm.svc.acc". I even checked the Event Viewer and could see confirmation for "Audit Policy Change" that it is "Success include removed" for that user
Policy For Account:
Security ID: TEST\adm.svc.acc
Policy Change Details:
Category: Logon/Logoff
Subcategory: User / Device Claims
Subcategory GUID: {0cce9247-69ae-11d9-bed3-505054503030}
Changes: Success include removed
Am I going wrong about this? Or is it a potential bug in auditpol.exe ?
I just really want to exclude the user from showing up in Event Viewer just for Logons and Special Logons as it really floods the Event Viewer. Also, bad, because another piece of my app is also collecting logons and logoffs for all other users and the DB it's going to is filling up fast :/
Thanks