How to Exclude a User from Auditpol - Discovered a possible bug with auditpol.exe

muttBunch 100 Reputation points
2024-10-01T03:22:54.2133333+00:00

Hello all,

I am trying to exclude a user from being audited on a Server 2019 Domain Controller.

Using the following:

Auditpol /set /user:adm.svc.acc /subcategory:"Logon" /Success:disable

Reason for doing so: it's a service account that is calling my API, which logs in every time it sends an HTTP request. There is no real way around it (that I could think of), as it is logging into the domain to retrieve updated email addresses via a Windows Service.

However, it does not appear to stop the Logon from showing up in the Event Viewer on my single domain controller. The strange part is, when I run the following:

Auditpol /set /subcategory:"Logon" /Success:disable

Auditpol /set /subcategory:"Special Logon" /Success:disable

to disable ALL auditing for logons, I verify that I am no longer seeing any logons in the Event Viewer, then turn on the following:

Auditpol /set /user:adm.svc.acc /subcategory:"Special Logon" /Success:enable

Auditpol /set /user:adm.svc.acc /subcategory:"Logon" /Success:enable

and I run my Windows Service talking to the API, I see the logon and special logons for user "adm.svc.acc". I even checked the Event Viewer and could see confirmation under "Audit Policy Change" that it is "Success include removed" for that user:

Policy For Account:
	Security ID:		TEST\adm.svc.acc

Policy Change Details:
	Category:	Logon/Logoff
	Subcategory:	User / Device Claims
	Subcategory GUID:	{0cce9247-69ae-11d9-bed3-505054503030}
	Changes:	Success include removed

Am I going about this wrong? Or is it a potential bug in auditpol.exe?

I just really want to exclude the user from showing up in Event Viewer, just for Logons and Special Logons, as it really floods the Event Viewer. Also bad, because another piece of my app is also collecting logons and logoffs for all other users, and the DB it's going to is filling up fast :/

Thanks
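As an added example (not from the poster), a PowerShell check of what auditpol actually stored for the account and whether its 4624/4672 events are still being written. The account name and the two subcategories are taken from the post; the one-hour window is an assumption, and the script is meant for an elevated session on the domain controller.

```powershell
# Added example, not part of the original post. Assumptions: account and
# subcategories from the post; one-hour lookback; elevated prompt on the DC.
$Account       = 'TEST\adm.svc.acc'
$SamName       = 'adm.svc.acc'
$Subcategories = 'Logon', 'Special Logon'
$Since         = (Get-Date).AddHours(-1)

# 1. System policy. Per-user settings only filter what the system policy
#    already audits, so these rows must show Success for a suppression to matter.
foreach ($s in $Subcategories) { auditpol /get /subcategory:"$s" }

# 2. Per-user policy as stored. Note that the 4912 text "Success include removed"
#    describes an include entry being removed; a suppression is written with the
#    /exclude switch (auditpol /set /user:... /subcategory:... /success:enable /exclude)
#    and appears on the exclusion side of this output.
auditpol /list /user
auditpol /get /user:$Account /category:*

# 3. Event 4912 = "Per User Audit Policy was changed". Dump every data field so the
#    subcategory GUID each change touched can be compared with the intended one.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4912; StartTime=$Since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        "--- $($_.TimeCreated)"
        ([xml]$_.ToXml()).Event.EventData.Data |
            ForEach-Object { '{0,-24}{1}' -f $_.Name, $_.'#text' }
    }

# 4. Logon (4624) and special logon (4672) events that still name the account.
#    Any count here after the policy change means the exclusion is not taking effect.
$hits = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4672; StartTime=$Since} -ErrorAction SilentlyContinue |
    Where-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        @($d | Where-Object { $_.'#text' -eq $SamName }).Count -gt 0
    }
$hits | Group-Object Id | Select-Object Name, Count
```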
