Disable audit of Logon Logoff


Solution 1

I believe I stopped logging logon/logoff events by opening Local Security Policy and going to Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Logon/Logoff.

By default, both Audit Logoff and Audit Logon are not configured. Right-click each -> Properties. Check "Configure the following audit events". Do not check Success or Failure.

After I applied this, these events stopped getting logged.

Solution 2

If everything is greyed out here:

start > run > gpedit.msc > Local Computer Policy > Windows Settings > Security Settings > Local Policies > Audit Policy > Properties of Audit Logon Events

then you don't have permission to update group policy on the domain / server. Once you have secured the ability to edit gpol, then you will be able to disable successful audits. Once you have disabled them, run 'gpupdate /force' to force an update of gpol on the server.

Solution 3

Look for an HP printer that loads up an apache web service.

I had 50,000 Kerb errors on my DC with that funky printer client on one of my workstations.

Like others have said, find the underlying cause, don't mask what's going on.
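To follow the advice to find the underlying cause, the event IDs named in the question can be ranked by account and source before any audit setting is changed. This is an added example, not code from the thread; the function name `Get-LogonNoiseSummary` and its parameters are hypothetical, and it assumes an elevated PowerShell session on the server.

```powershell
# Added example: rank the sources of logon-related Security events.
# Get-LogonNoiseSummary and its parameter names are hypothetical.
function Get-LogonNoiseSummary {
    param(
        [int[]]$EventId   = @(4624, 4634, 4776, 4769),  # IDs listed in the question
        [int]$Hours       = 24,                         # look-back window
        [int]$MaxEvents   = 50000,                      # cap so a flooded log stays workable
        [int]$Top         = 20                          # rows to return
    )

    $filter = @{
        LogName   = 'Security'
        Id        = $EventId
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents | ForEach-Object {
        # Flatten the <EventData> name/value pairs of this event into a hashtable.
        $fields = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            if ($d.Name) { $fields[$d.Name] = $d.'#text' }
        }

        # The source field differs per event ID: IpAddress (4624, 4769),
        # WorkstationName (4624), Workstation (4776). Use the first one that is set.
        $source = @($fields['IpAddress'], $fields['WorkstationName'], $fields['Workstation']) |
            Where-Object { $_ -and $_ -ne '-' } |
            Select-Object -First 1

        [pscustomobject]@{
            Id        = $_.Id
            LogonType = $fields['LogonType']        # 3 = network logon, as noted in the comments
            Account   = $fields['TargetUserName']
            Source    = $source
        }
    } |
        Group-Object Id, LogonType, Account, Source |
        Sort-Object Count -Descending |
        Select-Object -First $Top Count, Name
}

# Effective audit settings per subcategory, whichever policy set them.
auditpol /get /category:*

# Busiest (event ID, logon type, account, source) combinations in the last day.
Get-LogonNoiseSummary -Hours 24 | Format-Table -AutoSize
```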

Author by

Bastien974

Updated on September 17, 2022

Comments

  • Bastien974
    Bastien974 almost 2 years

    I have an SBS 08 with 50 users on my domain. In Event Viewer: Windows Logs > Security, I've got nearly 300,000 events about EventID 4624 Logon, 4634 Logoff, 4776 Credential Validation, 4769 Kerberos Service Ticket Operations in only... 2 days!!!

    I want to simply disable it. I tried disabling the audit in the Local Policy or Group Policy but everything is greyed: Security Settings > Local Policies > Audit Policy > Audit logon events : No Auditing

    • Rob Moir
      Rob Moir over 13 years
      I know this isn't what you asked for but you really need to find out what is causing this, as it is not normal behaviour, and fix it. What you're asking for is akin to just wrapping more bandages around a wound without stopping to ask "Hold on a moment, why am I actually bleeding like this anyway".
    • John Gardeniers
      John Gardeniers over 13 years
      Robert is right. You're looking at hiding the problem instead of making it go away.
    • Bastien974
      Bastien974 over 13 years
      I found that most of these events have Logon Type: 3, which means that it's a network access like a shared folder. I have lots of them, and every user has automatically mounted shared folders. This may be an explanation for why there are so many events.
  • SpacemanSpiff
    SpacemanSpiff over 13 years
    Also, look up the difference between logon events and account logon events!
  • Bastien974
    Bastien974 over 13 years
    I looked for a policy where the audit was configured, but found nothing except mine: Audit account logon events -> No auditing / Audit logon events -> No auditing. I tried to configure a simple audit for successful deletion of a file; nothing shows up in the Event Viewer, so something is overriding the config.
  • SpacemanSpiff
    SpacemanSpiff over 13 years
    Use the resultant set of policy MMC snap-in (gpresult.msc) to determine where the setting is coming from.
  • Bastien974
    Bastien974 over 13 years
    I ran a gpresult /R and checked every applied Group Policy Object. I didn't find anything asking to audit logon/logoff.
  • SpacemanSpiff
    SpacemanSpiff over 13 years
    The MMC snap-in should let you go down the policy from the GUI and navigate to the set attribute, and it will tell you what policy is governing it, be it local, GPO, etc. EDIT: sorry, it's rsop.msc
  • Bastien974
    Bastien974 over 13 years
    yfrog.com/64rsopj I manually disabled the audit, confirmed in RSOP, but I'm still having a huge amount of events.
  • Bastien974
    Bastien974 over 13 years
    I have a network HP printer with apache, but nothing in my Audit about it.
  • Mikkail Montgomery
    Mikkail Montgomery over 9 years
    This was on server 2012.
  • ggb667
    ggb667 about 3 years
    I don't want to disable all, only certain ones that match certain parameters.