Tired of all those "Success Audit" event entries?

[Editor’s note] I have received several private responses on this post, many saying that deleting successful events may not be a good thing. Here’s one of the best examples why: 

Let’s say you saw 10 unsuccessful events of someone trying to log on as Administrator, followed by a successful event of an Administrator logging on. What’s your conclusion? You would conclude that someone just hacked in on the 11th attempt.

However, if you were filtering out or deleting all of the successful events, you would miss the fact that this hacker was eventually successful.

Nonetheless, many people continually ask how to eliminate the successful events. I will leave this post up, if for no other reason than to encourage people to become familiar with using the Group Policy Editor for tweaking and customizing your SBS server.
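The scenario in the editor's note, as an added example that is not part of the original post: a small detector run over constructed logon records, first with success audits present and then with them stripped, which is what the log looks like once 'Success' is unchecked. The record field names, the threshold of 5 failures and the 10-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample: ten failed Administrator logons, then one success.
T0 = datetime(2024, 1, 1, 3, 0, 0)
EVENTS = [{"time": T0 + timedelta(seconds=5 * i), "account": "Administrator",
           "outcome": "Failure"} for i in range(10)]
EVENTS.append({"time": T0 + timedelta(seconds=55), "account": "Administrator",
               "outcome": "Success"})
EVENTS.append({"time": T0 + timedelta(hours=6), "account": "jsmith",
               "outcome": "Success"})  # ordinary logon, no failures before it


def success_after_failures(events, threshold=5, window=timedelta(minutes=10)):
    """Return (account, success_time, failure_count) for each successful logon
    that follows at least `threshold` failures for that account within `window`.
    threshold and window are assumed values, not taken from the post."""
    alerts = []
    recent_failures = {}  # lower-cased account -> recent failure timestamps
    for ev in sorted(events, key=lambda e: e["time"]):
        key = ev["account"].lower()
        # Keep only failures that are still inside the look-back window.
        fails = [t for t in recent_failures.get(key, [])
                 if ev["time"] - t <= window]
        if ev["outcome"] == "Failure":
            fails.append(ev["time"])
            recent_failures[key] = fails
        elif ev["outcome"] == "Success":
            if len(fails) >= threshold:
                alerts.append((ev["account"], ev["time"], len(fails)))
            recent_failures[key] = []  # a success ends the failure streak
    return alerts


def without_success_audits(events):
    """The same log with every Success record missing."""
    return [ev for ev in events if ev["outcome"] != "Success"]


if __name__ == "__main__":
    print("Success auditing on: ", success_after_failures(EVENTS))
    print("Success auditing off:",
          success_after_failures(without_success_audits(EVENTS)))
```

With the success records gone the detector returns nothing: the ten failures are still in the log, but there is no record left that says whether the eleventh attempt got in.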

Come on — raise your hand if you really enjoy opening up the event viewer on your SBS server and seeing 18,000 success audit entries!  No hands? I didn’t think so.

Kudos to Super Gumby who pointed me toward the true path (the light at the end of the tunnel) on how to properly disable those success audits. (As an aside, I’m not recommending that you do this. But if you want to learn … keep reading).

1. Open up your Server Mgmt Console, and drill down as follows:
-Advanced Management
   -Group Policy Management
      -Forest (your server)
         -(Your Server)
            -Domain Controllers

2. Right click on ‘Small Business Server Auditing Policy’ and then click Edit.

3. The Group Policy Editor displays. Drill down as follows:
-Computer Configuration
   -Windows Settings
      -Security Settings
         -Local Policies
            -Audit Policy

4. On the right panel you will see that ‘Audit logon events’ is set to record both Success & Failure events.

5. Double click on ‘Audit logon events’ and uncheck ‘Success’. Click Apply > OK, close the GP Editor and you’re done!

Good luck!

One thought on “Tired of all those "Success Audit" event entries?”

  1. Susan, you are NOT countering my post. I clearly stated “I’m not recommending that you do this”. It always helps to confirm “why” it’s not recommended.
