Disable audit of Logon Logoff
Solution 1
I believe I stopped logging logon/logoff events by: Opening local security policy Security Settings->Advanced Audit Policy Configuration-> System Audit Policies->Logon/Logoff:
By default both Audit Logoff and Audit Logon are not configured. Right click each-Properties. Check Configure the following audit events. Do not check Success or Failure.
After I applied this these events stopped getting logged.
Solution 2
If everything is greyed out here: start > run > gpedit.msc Local Computer Policy
Windows Settings
Security Settings
Local Policies
Audit Policy
Properties of Audit Logon Events
Then you dont have permission to update group policy on the domain / server. Once you have secured the ability to edit gpol, then you will be able to disable successful audits. Once you have disabled them, run 'gpupdate /force' to force an update of gpol on the server.
Solution 3
Look for an HP printer that loads up an apache web service.
I had 50,000 Kerb errors on my DC with that funky printer client on one of my workstations.
Like others have said, find the underlying cause, don't mask what's going on.
Related videos on Youtube
Bastien974
Updated on September 17, 2022Comments
-
Bastien974 almost 2 years
I have a SBS 08 with 50 users on my domain. In Event Viewer : Windows Logs > Security, I've got nearly 300,000 events about EventID 4624 Logon, 4634 Logoff, 4776 Credential Validation, 4769 Kerberos Service Ticket Operations in only... 2 days !!!
I want to simply disable it. I tried disabling the audit in the Local Policy or Group Policy but everything is greyed: Security Settings > Local Policies > Audit Policy > Audit logon events : No Auditing
-
Rob Moir over 13 yearsI know this isn't what you asked for but you really need to find out what is causing this, as it is not normal behaviour, and fix it. What you're asking for is akin to just wrapping more bandages around a wound without stopping to ask "Hold on a moment, why am I actually bleeding like this anyway".
-
John Gardeniers over 13 yearsRobert is right. You're looking at hiding the problem instead of making it go away.
-
Bastien974 over 13 yearsI found that most of these events, have : Logon Type : 3 which mean that it's a network access like Shared folder. I have lots of them, and every users have automatic mounted shared folders. This may be an explanation why there's so much event.
-
-
SpacemanSpiff over 13 yearsAlso, lookup the difference between logon events and account logon events!
-
Bastien974 over 13 yearsI looked for a Policy where the Audit was configured, but nothing except mine : Audit account logon events -> No auditing / Audit logon events -> No auditing I try to configure a simple audit for Successful deletion of file, nothing show up in the EventViewer, something is overriding the config.
-
SpacemanSpiff over 13 yearsUse the resultant set of policy MMC snap-in (gpresult.msc) to determine where the setting is coming from.
-
Bastien974 over 13 yearsI runned a gpresult /R and checked every Applied group policy Objects. I didn't find anything asking to audit logon/logoff.
-
SpacemanSpiff over 13 yearsThe MMC snap-in should let you go down the policy from the GUI and navigate to the set attribute and it will tell you what policy is governing in, be it local, GPO, etc., EDIT: sorry, its rsop.msc
-
Bastien974 over 13 yearsyfrog.com/64rsopj I manually disabled the audit, confirmed in RSOP, but i'm still having huge amount of events.
-
Bastien974 over 13 yearsI have a network HP printer with apache, but nothing in my Audit about it.
-
Mikkail Montgomery over 9 yearsThis was on server 2012.
-
ggb667 about 3 yearsI don't want to disable all only certain ones that match certain parameters.