Certain operational portions of an AD domain are off-limits for event monitoring. These portions are always excluded from event monitoring, regardless of the scope.
Only a subset of object classes is permitted for container include/exclude elements, as follows:
container
groupPolicyContainer [exclude only]
configuration [exclude only]
builtinDomain [exclude only]
organization
organizationalUnit
country
locality
msExchSystemObjectsContainer [exclude only]
msDS-QuotaContainer [exclude only]
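The list above can be applied as a pre-flight check on a proposed scope. The following is an added example, not code from the product this page documents. The entry layout (DN, objectClass values, mode), the function names and the sample DNs are constructed for illustration. It assumes the rule is applied to the object's most specific class, so a groupPolicyContainer (which derives from container in the AD schema) is not accepted as a plain container.

```python
# Permitted object classes from the list above, lower-cased, mapped to allowed modes.
BOTH = {"include", "exclude"}
EXCLUDE_ONLY = {"exclude"}
PERMITTED = {
    "container": BOTH,
    "grouppolicycontainer": EXCLUDE_ONLY,
    "configuration": EXCLUDE_ONLY,
    "builtindomain": EXCLUDE_ONLY,
    "organization": BOTH,
    "organizationalunit": BOTH,
    "country": BOTH,
    "locality": BOTH,
    "msexchsystemobjectscontainer": EXCLUDE_ONLY,
    "msds-quotacontainer": EXCLUDE_ONLY,
}

def check_entry(dn, object_classes, mode):
    """Return None if the entry is acceptable, otherwise a reason string."""
    mode = mode.lower()
    if mode not in BOTH:
        return f"{dn}: unknown mode {mode!r}"
    if not object_classes:
        return f"{dn}: no objectClass values supplied"
    # AD returns objectClass ordered from 'top' to the most specific class.
    # Assumption: the rule is evaluated on that last value, otherwise a
    # groupPolicyContainer would match 'container' and slip into an include.
    specific = object_classes[-1]
    allowed = PERMITTED.get(specific.lower())
    if allowed is None:
        return f"{dn}: class {specific} is not permitted for include/exclude"
    if mode not in allowed:
        return f"{dn}: class {specific} is exclude only"
    return None

def validate(entries):
    """Collect the reason for every rejected (dn, object_classes, mode) entry."""
    return [r for r in (check_entry(*e) for e in entries) if r]

# Constructed sample scope; DNs and the GPO GUID are placeholders.
SAMPLE = [
    ("OU=Servers,DC=example,DC=com", ["top", "organizationalUnit"], "include"),
    ("CN=Policies,CN=System,DC=example,DC=com", ["top", "container"], "exclude"),
    ("CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=example,DC=com", ["top", "container", "groupPolicyContainer"], "include"),
    ("CN=Builtin,DC=example,DC=com", ["top", "builtinDomain"], "EXCLUDE"),
    ("CN=svc-app,OU=Servers,DC=example,DC=com", ["top", "person", "organizationalPerson", "user"], "exclude"),
]

if __name__ == "__main__":
    print("\n".join(validate(SAMPLE)) or "scope entries OK")
```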