Channel: Directory Services forum

DS Access Logging - Event 4662


I work in a large hospital environment, and I'm fine-tuning the logging to put into Splunk, and everything is working quite well EXCEPT DS access logging. Before I enabled it, I removed all entries from the domain object's audit ACL tab (because I didn't want to flood the sec logs). I ensured that the change was pushed down to each child/subtree object as well, so that no domain object has anything defined in its audit tab.

Upon enabling DS access auditing, my four Exchange servers are spamming the sec log on the DCs with READ_CONTROL accesses to all user objects tied to mailboxes.

Problem: The security logs for my three DCs go up to 11GB a night and gave me a permanent overage mark on my Splunk account, and even with NOBODY defined in the auditing tabs on a single AD object, I'm still getting these messages.

*note*

I do have "Audit Directory Service objects" applied to the whole domain... maybe I should just restrict this back to DCs?  I really only want to audit AD object changes, not READS.

