Disable event ID 4627

Chau Le 101 Reputation points
2021-04-27T16:45:14.33+00:00

Our Splunk logs are getting maxed out because of event ID 4627. We have AD migrated users with SIDHistory and their group membership is large.

In any case, how can we simply disable auditing of this event ID from the DCs?

Thanks

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2021-05-06T20:57:27.997+00:00

    This appears to be more of a local AD question than an Azure AD question, but if you are referring to local event logs you can disable logon/logoff events by going to Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Logon/Logoff:

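The following is an added example, not part of the question or the answer above. Event ID 4627 ("Group membership information") is generated by the Audit Group Membership subcategory under Logon/Logoff, so that one subcategory can be turned off without touching the other logon/logoff events. The script assumes an elevated PowerShell session on Windows Server 2016 or later with English subcategory names.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumption: English-locale subcategory name as printed by
# "auditpol /list /subcategory:*".
$subcategory = 'Group Membership'   # Logon/Logoff subcategory that emits event ID 4627

function Get-SubcategorySetting {
    param([Parameter(Mandatory)][string]$Name)
    # "/r" prints CSV with the columns: Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting.
    $csv = auditpol /get /subcategory:"$Name" /r | Where-Object { $_ -match '\S' }
    if ($LASTEXITCODE -ne 0) { throw "auditpol /get failed with exit code $LASTEXITCODE" }
    ($csv | ConvertFrom-Csv).'Inclusion Setting'
}

# 1. Record the effective setting before changing anything.
$before = Get-SubcategorySetting -Name $subcategory
Write-Host "Effective setting for '$subcategory' before: $before"

# 2. Disable success and failure auditing for this subcategory only.
if ($before -ne 'No Auditing') {
    auditpol /set /subcategory:"$subcategory" /success:disable /failure:disable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed with exit code $LASTEXITCODE" }
}

# 3. Confirm the effective setting after the change.
$after = Get-SubcategorySetting -Name $subcategory
Write-Host "Effective setting for '$subcategory' after:  $after"

# 4. Count 4627 events from the last hour, to compare against a later run.
$filter = @{ LogName = 'Security'; Id = 4627; StartTime = (Get-Date).AddHours(-1) }
$recent = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
Write-Host "Event ID 4627 entries in the last hour: $($recent.Count)"
```

On a domain controller, a GPO that configures Advanced Audit Policy overwrites this local change at the next policy refresh, so for a lasting change set Audit Group Membership to "No Auditing" in the GPO applied to the DCs, at the path given in the answer. Rerun steps 3 and 4 after `gpupdate /force` to confirm the setting holds and the 4627 volume drops.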
