Advanced auditing is in place in my environment (W2K8 R2). Advanced Auditing > Object Access > Audit File System is configured for Success and Failures. Advanced Auditing > Global Object Access Auditing is enabled for a group of domain users and all options are selected (Full Control).
The Security log on the servers shows many Event ID4663 (Attempt to access an object) so I know my File auditing policy is working. The problem is that is is not auditing only my selected group of domain users as I chose in the Global Object Access Auditing section. It is logging the S-1-5-18 (Local System) account excessively when my Backup Exec process backs up files (beremote.exe). This causes excessively logging to occur and eats in my retention policy of security logs.
I only want a selected group of users audited, not the Local System Account.
What am I missing?