How can I decrease the number of events being generated for Directory Service Access auditing?

Question: I enabled Directory Service Access auditing and configured auditing categories in accordance with the Installation and Configuration Guide, but this configuration generates a lot of events and the Security event log keeps being overwritten (even after increasing its size to 4GB). How can I decrease the number of events being generated for Directory Service Access auditing?
Answer: Although the Installation and Configuration Guide recommends enabling almost all categories when configuring object-level auditing, Netwrix Auditor does not use all of them.
To reduce event generation, you can clear the unnecessary categories in the default domain container auditing settings. The following steps outline how to modify the domain container auditing settings and prevent the generation of unnecessary events (reducing Security event log usage):
  1. Log on to any Domain Controller in the monitored domain.
  2. Open Active Directory Users and Computers.
  3. Right-click the domain node and select Properties.
  4. Navigate to the Security tab --> Advanced --> Audit tab.
  5. Select Everyone and click Edit.
  6. Clear the following check boxes (you need only the Successful check boxes selected):
    • Full Control
    • List Contents
    • Read all properties
    • Read permissions
    • All extended rights
    • Add GUID
    • Everything listed after "Add GUID" except "Reanimate tombstones"
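
To confirm the result of step 6, the following read-only PowerShell lists the audit entries for Everyone on the domain root and flags those that still cover the categories listed above. It is an added example, not part of the original article or the product; it assumes the ActiveDirectory module is installed, and the mapping from check box labels to `ActiveDirectoryRights` values is an assumption.

```powershell
# Added example: read-only check of audit (SACL) entries for Everyone on the domain root.
# Assumes the ActiveDirectory module (RSAT) and an account allowed to read the SACL.
Import-Module ActiveDirectory
$AD = [System.DirectoryServices.ActiveDirectoryRights]

$domainDn = (Get-ADDomain).DistinguishedName
$configNc = (Get-ADRootDSE).configurationNamingContext

# Resolve the "Reanimate tombstones" extended right from the directory (kept per step 6).
$reanimate = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" `
    -Filter "name -eq 'Reanimate-Tombstones'" -Properties rightsGuid
$reanimateGuid = [guid]$reanimate.rightsGuid

# Assumed mapping of the check box labels in step 6 to ActiveDirectoryRights bits.
$noisy = [ordered]@{
    'List Contents'       = $AD::ListChildren
    'Read all properties' = $AD::ReadProperty
    'Read permissions'    = $AD::ReadControl
}

$acl   = Get-Acl -Path "AD:\$domainDn" -Audit
$rules = $acl.GetAuditRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$report = foreach ($r in $rules) {
    if ($r.IdentityReference.Value -ne 'S-1-1-0') { continue }   # S-1-1-0 = Everyone
    $rights   = $r.ActiveDirectoryRights
    $findings = @()
    if ([int]$r.AuditFlags -band [int][System.Security.AccessControl.AuditFlags]::Failure) {
        $findings += 'Failure auditing enabled'
    }
    if ($rights -eq $AD::GenericAll) {
        $findings += 'Full Control'
    } else {
        foreach ($label in $noisy.Keys) {
            if ([int]$rights -band [int]$noisy[$label]) { $findings += $label }
        }
        if ([int]$rights -band [int]$AD::ExtendedRight) {
            if ($r.ObjectType -eq [guid]::Empty) { $findings += 'All extended rights' }
            elseif ($r.ObjectType -ne $reanimateGuid) { $findings += "Extended right $($r.ObjectType)" }
        }
    }
    [pscustomobject]@{
        Rights     = $rights
        AuditFlags = $r.AuditFlags
        Inherited  = $r.IsInherited
        Findings   = $findings -join '; '
    }
}
$report | Format-Table -AutoSize -Wrap
```

An empty Findings column for every Everyone entry means none of the flagged categories remain audited on the domain root.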