DC Event logs auditing cannot be set by GPO

[andyferris]

I need to retrieve weekly reports of failed user logins from our Win2016 Domain Controllers.

The problem is that the event logs are filling up within minutes with Directory Service Access entries.

I have checked the Default Domain Controllers GPO and Auditing of Directory Service Access was not configured. I disabled it and also disabled "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" on the advice from here:

https://docs.microsoft.com/en-us/tr...s-not-applied-when-deploy-domain-based-policy

, then did a gpresult /force.

I then did a Group Policy Result and it shows that the setting is being applied, but the logs still fill up within seconds. They are set at about 128mb. I increased to 1Gb but it still fills up within minutes.

Now here is the thing: All the Directory Service entries are for accessing our Exchange server. I have looked at the logs there and there are corresponding entries.

My questions are: How to do I break the link between the two event logs? or Can I safely switch of this logging on the Exchange server?

Thanks

Andy

 

[RRankin355]

Microsoft has been trying to secure the event logs for a little while now. While it's true that GPO can force settings on local machine, that's not something Microsoft will allow their users to do. The settings can only be enforced by Group Policy. We have in the past seen GPO's that were designed to allow trusts to do this. You can get write my assignment help to manage your education. Therefore it's safe to say that it's quite impossible to set a local checkbox on a GPO that you want to enforce in your organization