Hi, you may consider to change your policy to no longer audit the success of privilege use. See http://support.microsoft.com/kb/264769 .
576 event log exercise of rights, being nice to have to track some Administrative logons. The event is the same no matter the object is (user or computer accounts). You may keep your policy and : - filter out the event 576 when the user last caracter is $ (SeSecurityPrivilege) - filter out Computer's event related: filter the event 576 when the user is SYSTEM. (all others Se....Privilege) christophe
