Disable event ID 4627

asked 2021-04-27T16:45:14.33+00:00
Chau Le 86 Reputation points

Our splunk logs are getting maxed out because of event ID 4627. We have AD migrated users with sidhistory and their group membership is large.

Any case, how can we simply disabling auditing of this event ID from the DC's?

Thanks

Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
12,570 questions
No comments
{count} votes

1 answer

Sort by: Most helpful
  1. answered 2021-05-06T20:57:27.997+00:00
    Marilee Turscak-MSFT 20,406 Reputation points Microsoft Employee

    This appears to be more of a local AD question than an Azure AD question, but if you are referring to local event logs you can disable logon/logoff events by going to Security Settings >Advanced Audit Policy Configuration > System Audit Policies >Logon/Logoff:

    No comments