I'm working on some auditing for PCI-DSS, notably "Audit Directory Service Access". This creates a huge volume of logs, mostly based on a couple of specific recurring properties being accessed in the same fashion.
I've been able to identify these attributes via TechNet. None of the ones I'm having issues with are visible in the auditing UI in AD Users and Computers.
I'm thinking I can edit the schema settings in adsiedit and disable the inheritance? It seems counterintuitive but it should work.
What you want is to modify the searchFlags attribute of the schema attribute that needs to have auditing suppressed.
AD DS Auditing Step-by-Step Guide
https://technet.microsoft.com/en-us/library/cc731607(v=ws.10).aspx
"Schema
"To avoid the possibility of an excessive number of events being generated, there is an additional control in the schema that you can use to create exceptions to what is audited.
"For example, if you want to see what values have changed as a result of all but a few attribute modifications on a user object, you can set a flag in the schema for the attributes that you do not want audited. The searchFlags property of each attribute defines behavior such as whether the attribute is indexed or replicated to the global catalog. The searchFlags property has seven currently-defined bits.
"If bit 8 (zero-based indexing, value 256) is set for an attribute, AD DS will not log change events when modifications are made to the attribute. This applies to all objects that contain that attribute."
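The flag change the quoted guide describes can be scripted with the ActiveDirectory module. The following is an added example, not code from the question, the answer, or the TechNet guide; it assumes membership in Schema Admins, that the schema master is reachable, and that `$AttributeLdapName` holds the lDAPDisplayName of the attribute you chose (the value in the script is a placeholder). It ORs the 256 bit into searchFlags without disturbing the other bits (indexing, global catalog replication, and so on), and then lists every schema attribute that currently has the bit set so the exceptions you have created can be reviewed later.

```powershell
# Added example (not from the original post): suppress value-change auditing for one
# schema attribute by setting bit 8 (zero-based, value 256 / 0x100) in its searchFlags.
# Assumes: ActiveDirectory module, Schema Admins membership, schema master reachable.
Import-Module ActiveDirectory

$AttributeLdapName = 'examplePlaceholderAttribute'   # placeholder: replace with the real lDAPDisplayName
$NeverAuditValue   = 0x100                          # bit 8 (zero-based), value 256, per the guide

$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$schemaFsmo = (Get-ADForest).SchemaMaster           # schema writes must be directed at the schema master

# Locate the attributeSchema object for the chosen attribute.
$attr = Get-ADObject -SearchBase $schemaNC -Server $schemaFsmo `
          -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttributeLdapName))" `
          -Properties searchFlags

if (-not $attr) { throw "Schema attribute '$AttributeLdapName' not found in $schemaNC." }

$current = [int]$attr.searchFlags
if ($current -band $NeverAuditValue) {
    "{0}: searchFlags 0x{1:X} already has the 256 bit set; nothing to do." -f $AttributeLdapName, $current
} else {
    # OR the bit in so the existing flags are preserved.
    $new = $current -bor $NeverAuditValue
    Set-ADObject -Identity $attr.DistinguishedName -Server $schemaFsmo -Replace @{ searchFlags = $new }
    "{0}: searchFlags changed 0x{1:X} -> 0x{2:X}." -f $AttributeLdapName, $current, $new
}

# Review step: list every attribute that is currently excluded from change auditing.
# The LDAP bitwise-AND matching rule (1.2.840.113556.1.4.803) tests the 256 bit directly.
Get-ADObject -SearchBase $schemaNC -Server $schemaFsmo `
    -LDAPFilter "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=256))" `
    -Properties lDAPDisplayName, searchFlags |
    Select-Object lDAPDisplayName, @{ n = 'searchFlags'; e = { '0x{0:X}' -f [int]$_.searchFlags } } |
    Sort-Object lDAPDisplayName
```

Because the bit applies to every object that carries the attribute, the review query at the end is worth keeping as a scheduled check: it gives the auditors a list of exactly which attributes the directory is no longer logging changes for, which is the evidence they will ask for when the PCI-DSS scope of "Audit Directory Service Access" is examined.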