none
How to exclude a user /group from auditing

    Question

  • Hi,

    I am enabling auditing on windows file system by enabling SACL on the file folder to everyone.It logs events for every user in the security log.

    Is there any way to exclude a user /group from auditing.


    Thursday, August 14, 2014 10:59 AM

Answers

All replies

  • Hey Azariah 

    Thanks for posting ,

    Follow the linke Below:

    http://technet.microsoft.com/en-us/library/cc755264.aspx


    I'd be glad to answer any question


    Thursday, August 14, 2014 1:15 PM
  • Hi,

    I suggest you use Auditpol tool, which sets per user audit policy.

    With the /exclude option, the user's per-user policy will cause an audit to be suppressed regardless of the system audit policy. In addition, this setting is ignored for users who are members of the local Administrators group.

    Auditpol /set /user:someone /exclude /category:* /success:enable/failure:enable

    More information for you:

    Auditpol set

    http://technet.microsoft.com/en-us/library/cc755264.aspx

    Exclude 1 user or group of users from audit logging Server 2008 R2

    http://social.technet.microsoft.com/forums/windowsserver/en-US/5c1705a7-2c72-489e-9eb6-bc89c37d1ddb/exclude-1-user-or-group-of-users-from-audit-logging-server-2008-r2

    Best Regards,

    Amy

    Friday, August 15, 2014 7:03 AM
    Moderator
  • Hi,

    Thanks for the answers.

    1.is there any way to exclude even local administrators group members.

    2.Is there any way to exclude users using dynamic access control which is introduced in windows server 2012

    Wednesday, August 20, 2014 5:10 AM
  • Hey

    1. The set the audit on local user is not different from the domain:

    Auditpol /set /user:mikedan /category:"Detailed Tracking" /include /success:enable

     


    I'd be glad to answer any question

    Wednesday, August 20, 2014 8:14 AM
  • Hi,

    1.Is there any way to exclude users ,even though he is a member of local administrators group

    2.Is there any way to exclude users using dynamic access control which is introduced in windows server 2012

    Thursday, August 21, 2014 4:02 AM
  • Hi Azariah,

    >1.Is there any way to exclude users ,even though he is a member of local administrators group

    Please replace the “someone” section with the administrator’s name: Auditpol /set /user:someone /exclude /category:* /success:enable/failure:enable.

    >2.Is there any way to exclude users using dynamic access control which is introduced in windows server 2012

    Dynamic Access Control enables you to create targeted audit policies by using expressions based on user, computer, and resource claims. For example, you could create an audit policy to track all Read and Write operations on files classified as high-business impact by employees who do not have a high-security clearance. If you have configured auditing policy on Everyone, you may still need to use the Auditpol tool.

    Best Regards,

    Amy

    Thursday, August 21, 2014 9:51 AM
    Moderator
  • Hi Amy,

    Thanks for the answers.

     >Please replace the “someone” section with the administrator’s name: Auditpol /set /user:someone/exclude /category:* /success:enable/failure:enable

    Is it possible to exclude administrator?you said earlier member of local administrators group will be excluded

    Thursday, August 21, 2014 11:49 AM
  • Hi,

    Yes, it is possible.

    Regards,

    Amy

    Monday, August 25, 2014 1:43 AM
    Moderator
  • We are auditing file server for who is deleting, reading files.

    My problem is while we start back up the server windows is start auditing user of we are using for backup.

    I'm used Auditpol /set /user:domain\user /exclude /subcategory:"File System" /success:enable /Failure:Enable but no luck.

    That user is in local administrator group.


    Thanks & Regards Amaraa

    Friday, September 05, 2014 1:10 AM
  • Hi

    Any one have answer for the above question.

    9 hours 25 minutes ago