[Editor’s note] I have received several private responses on this post, many saying that deleting successful events may not be a good thing. Here’s one of the best examples why:
Let’s say you saw 10 unsuccessful events of someone trying to log on as Administrator, followed by a successful event of an Administrator logging on. What’s your conclusion? You would conclude that someone just hacked in on the 11th attempt.
However, if you were filtering out or deleting all of the successful events, you would miss the fact that this hacker was eventually successful.
Nonetheless, many people continually ask how to eliminate the successful events. I will leave this post up, if for no other reason than to encourage people to become familiar with using the Group Policy Editor for tweaking and customizing your SBS server.
Come on — raise your hand if you really enjoy opening up the event viewer on your SBS server and seeing 18,000 success audit entries! No hands? I didn’t think so.
Kudos to Super Gumby who pointed me toward the true path (the light at the end of the tunnel) on how to properly disable those success audits. (As an aside, I’m not recommending that you do this. But if you want to learn … keep reading).
1. Open up your Server Mgmt Console, and drill down as follows:
-Group Policy Management
-Forest (your server)
2. Right click on ‘Small Business Server Auditing Policy’ and then click Edit.
3. The Group Policy Editor displays. Drill down as follows:
4. On the right panel you will see that ‘Audit logon events’ is set to record both Success & Failure events.
5. Double click on ‘Audit logon events’ and uncheck ‘Success’. Click Apply > OK, close the GP Editor and you’re done!
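The scenario from the editor’s note, as an added example that is not part of the original post: a small detector that flags a successful logon directly following a run of failures, run once over a full audit trail and once over the failure-only trail that remains after ‘Success’ is unchecked. The event tuples, account names, threshold and time window are constructed assumptions, not values from a real SBS log.

```python
from datetime import datetime, timedelta

# Constructed sample: (timestamp, account, outcome) as a logon audit trail
# might be exported; not real log data.
BASE = datetime(2024, 1, 1, 3, 0, 0)
EVENTS = [(BASE + timedelta(seconds=5 * i), "Administrator", "Failure")
          for i in range(10)]
EVENTS.append((BASE + timedelta(seconds=50), "Administrator", "Success"))
EVENTS.append((BASE + timedelta(seconds=60), "jsmith", "Failure"))
EVENTS.append((BASE + timedelta(seconds=70), "jsmith", "Success"))


def find_guessed_logons(events, min_failures=5, window=timedelta(minutes=10)):
    """Return (account, failure_count, success_time) for each success that
    directly follows at least min_failures failures inside the window."""
    recent = {}   # account -> timestamps of the current failure streak
    alerts = []
    for ts, account, outcome in sorted(events):
        key = account.lower()   # Windows account names are case-insensitive
        # Drop failures that have aged out of the window.
        fails = [t for t in recent.get(key, []) if ts - t <= window]
        if outcome == "Failure":
            fails.append(ts)
            recent[key] = fails
        elif outcome == "Success":
            if len(fails) >= min_failures:
                alerts.append((account, len(fails), ts))
            recent[key] = []    # a success ends the failure streak
    return alerts


def failure_only_view(events):
    """The trail that remains once success auditing is turned off."""
    return [e for e in events if e[2] != "Success"]


if __name__ == "__main__":
    print("full audit trail:", find_guessed_logons(EVENTS))
    print("failures only:   ", find_guessed_logons(failure_only_view(EVENTS)))
```

With the full trail the Administrator logon is flagged after 10 failures; with the failure-only trail the same activity produces no alert, because the event that confirms the guess worked was never recorded.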