Disable event ID 4627

Chau Le 86 Reputation points
2021-04-27T16:45:14.33+00:00

Our splunk logs are getting maxed out because of event ID 4627. We have AD migrated users with sidhistory and their group membership is large.

Any case, how can we simply disabling auditing of this event ID from the DC's?

Thanks

Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
13,609 questions

1 answer

Sort by: Oldest
Most helpful Newest Oldest
  1. Marilee Turscak-MSFT 22,311 Reputation points Microsoft Employee
    2021-05-06T20:57:27.997+00:00

    This appears to be more of a local AD question than an Azure AD question, but if you are referring to local event logs you can disable logon/logoff events by going to Security Settings >Advanced Audit Policy Configuration > System Audit Policies >Logon/Logoff: