Can I track what user reboots the server?


Jon Skelley

I have 2 servers in the domain that are rebooting for some unknown reason.
I need to find a way to track what user is rebooting the server. It does
not reboot over the weekend so I am assuming that there is a user
maliciously rebooting the server. Can it be tracked?

Jon Skelley
 
Jon Skelley said:
I have 2 servers in the domain that are rebooting for some unknown reason.
I need to find a way to track what user is rebooting the server. It does
not reboot over the weekend so I am assuming that there is a user
maliciously rebooting the server. Can it be tracked?

Jon Skelley

Users cannot reboot the server unless you allow
them to. Fix up your policy to prevent them from
logging on and from shutting down the server.
On the other hand, if your users pull the plug on
the server then you need to install a security camera.
 
Hello,

It should be logged in Event Log which user requested the reboot. But your
users should not even have permissions to reboot the server, so as Pegasus
says, you should check the security policy.

It could also be a blue screen, and your server is configured to reboot when
that happens. If this is the case, you should see this in the Event Log.
 
If it is blue screening shouldn't I see an event talking about recovering
from a bug check or something? That is not showing in the event log. I am
just seeing the event that the previous shutdown was unexpected. This is
happening on 2 servers now that are in different locations and behind locked
doors. My concern is that some user has found a password to an account with
privileges and is doing something to crash the server.

Jon Skelley
 
Crashing a server is not easy at all - it's much easier to
pull the plug! Furthermore, if you suspect that the wrong
people log on to your machine then you should enable
"Audit logon events". This allows you to identify the last
person logging on before an unexpected shutdown.
 
Do you have good UPSes on these servers w/management cables & software to
control shutdown in the event of power failure?
 
If you are getting "previous system shutdown was unexpected" messages
in your event log then your problem is almost certainly either

1) Power related. Check all the connections. Does the machine have
dual power supplies? If not, suspect the one it does have.

2) Virus related. Viruses such as SASSER and BLASTER will cause random
reboots. Is your machine patched and virus scanned?

Brett...
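
The event-log checks discussed in this thread can be scripted. The following PowerShell is an added example, not part of any post above: it separates restarts requested by an account from unexpected shutdowns with or without a recorded bug check. It assumes PowerShell 3 or later; the function name Get-RebootCause, the 10-minute pairing window and the sample records are made up for illustration.

```powershell
# Added example: classify reboot-related System log events.
# Event IDs used: 1074 (restart/shutdown requested by a user or process),
# 6008 (previous shutdown was unexpected), 1001 (bug check recorded after reboot).
function Get-RebootCause {
    param([Parameter(Mandatory)][object[]]$Events)

    $sorted = $Events | Sort-Object TimeCreated
    foreach ($e in $sorted) {
        switch ($e.Id) {
            1074 {
                # The message names the requesting account and the process that asked.
                $user = if ($e.Message -match 'on behalf of user (\S+)') { $Matches[1] } else { 'unknown' }
                $proc = if ($e.Message -match '^The process (.+?) \(') { $Matches[1] } else { 'unknown' }
                [pscustomobject]@{ Time = $e.TimeCreated; Cause = 'Requested'; User = $user; Detail = $proc }
            }
            6008 {
                # 6008 and any bug check record are both written during the next boot,
                # so pair them by time (assumed window: 10 minutes).
                $bug = $sorted | Where-Object {
                    $_.Id -eq 1001 -and [math]::Abs(($_.TimeCreated - $e.TimeCreated).TotalMinutes) -le 10
                } | Select-Object -First 1
                $cause  = if ($bug) { 'BugCheck' } else { 'Unexpected' }
                $detail = if ($bug) { $bug.Message } else { 'No bug check logged: check power, UPS, hardware' }
                [pscustomobject]@{ Time = $e.TimeCreated; Cause = $cause; User = $null; Detail = $detail }
            }
        }
    }
}

# Constructed sample records (not from a real server).
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2024-03-04 09:12:00'; Id = 1074
        Message = 'The process C:\Windows\system32\winlogon.exe (SRV01) has initiated the restart of computer SRV01 on behalf of user EXAMPLE\jdoe for the following reason: Other (Planned)' }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-03-05 14:31:00'; Id = 6008
        Message = 'The previous system shutdown at 2:27:40 PM on 3/5/2024 was unexpected.' }
)
Get-RebootCause -Events $sample | Format-Table -AutoSize

# Against a live server (run elevated):
# Get-RebootCause -Events (Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074, 6008, 1001 })
```

A row with Cause "Unexpected" and no matching bug check is the situation described in the thread, where only the unexpected-shutdown event appears.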
 