How to determine WHO shut down the server

Milan

I need to know what user account shut down a production Windows 2000 server
today. I am sure it was in error and the person meant to log off instead,
but no one is owning up to it. The Security log is less than helpful in
that it shows several people logging into the box before the shutdown
occurred, but nothing I can attach a name to the offense itself... just basic
auditing that is deployed in the default domain GPO.

I was looking through some of the local policy options in the GPO for
options to enable moving forward, but didn't know if there was a trick to
determining "whodunnit" now.

Thanks for reading,
-M
 
Milan

Just with further testing, I enabled Privilege Auditing and was able to
get an Event 578 related to SeShutdownPrivilege for my user account. This
was the only thing I could use to connect a user to a shutdown process. This may
help moving forward, but not for the past issue.

Thanks,
-M
 
karl levinson, mvp

Milan said:
Just with further testing, I enabled Privilege Auditing and was able
to get an Event 578 related to SeShutdownPrivilege for my user account.
This was the only thing I could use to connect a user to a shutdown process.
This may help moving forward, but not for the past issue.

Well, the Windows Security Event Log is the right place to look, assuming
auditing was enabled at the right level. I assume you already looked
through there and found nothing.

The only other thing I might try, and this may finger the wrong person,
might be to look at the time stamps on the various files in the c:\documents
and settings\ folder, especially the various registry and temp files,
assuming that the logon was local.

Other than that, you're lost.
 
Milan

Thanks, Karl. Unfortunately, this is a terminal services server, so there were a
lot of active users on the server at the time of restart. Are you familiar
with the SeShutdownPrivilege? It appears to be the most concrete thing I can
find... it just sucks enabling Privilege auditing on a terminal server
because you get a TON of other data.... especially with SMS installed.
 
Steven L Umbach

Also check the "Shut down the system" user right on that server [look at the
effective setting] to make sure that only administrators and the other
users/groups that you want are able to shut the server down.

Steve


Milan said:
Thanks, Karl. Unfortunately, this is a terminal services server, so there were
a lot of active users on the server at the time of restart. Are you
familiar with the SeShutdownPrivilege? It appears to be the most concrete
thing I can find... it just sucks enabling Privilege auditing on a
terminal server because you get a TON of other data.... especially with
SMS installed.
 
karl levinson, mvp

Milan said:
Thanks, Karl. Unfortunately, this is a terminal services server, so there were
a lot of active users on the server at the time of restart. Are you
familiar with the SeShutdownPrivilege? It appears to be the most concrete
thing I can find... it just sucks enabling Privilege auditing on a
terminal server because you get a TON of other data.... especially with
SMS installed.

Well, would it help if you used something to filter out just the events
you're looking for? One way to do this is to use batch files with tools
such as dumpel from www.sysinternals.com
or from the Windows Resource Kit [some of which is available for free
download from www.microsoft.com] to automate monitoring, filtering and
reporting on the event logs.

Or, there are a number of free Windows event log to syslog agents that can
allow you to filter out just what you want to see, such as NTSYSLOG.
www.kiwisyslog.com is one free syslog server to collect such events. Or
there's a free product called SNARE. Snare is basically an agent that sends
event log data to a syslog server.
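As an added example that is not code from this thread or from any of the tools named above: a small Python filter over a constructed dumpel-style dump that keeps only the event 578 entries naming SeShutdownPrivilege and attributes the restart to the last such use logged before the next startup event (512, "Windows NT is starting up"). The tab-separated column order is an assumption about dumpel's default output; adjust COLUMNS if your dump differs.

```python
import csv
import io

# Constructed sample, not log data from the thread. Column order follows
# dumpel's default tab-separated output (assumed): date, time, type,
# category, event id, source, user, computer, strings.
COLUMNS = ["date", "time", "type", "category", "event_id",
           "source", "user", "computer", "strings"]
SAMPLE_DUMP = (
    "3/14/2005\t08:01:12\t8\t2\t528\tSecurity\tALICE\tTS01\tLogon Type: 10\n"
    "3/14/2005\t08:03:40\t8\t7\t578\tSecurity\tALICE\tTS01\t"
    "Object Server: Security  Privileges: SeBackupPrivilege\n"
    "3/14/2005\t08:05:02\t8\t2\t528\tSecurity\tBOB\tTS01\tLogon Type: 10\n"
    "3/14/2005\t08:10:55\t8\t7\t578\tSecurity\tBOB\tTS01\t"
    "Object Server: Security  Privileges: SeShutdownPrivilege\n"
    "3/14/2005\t08:14:30\t8\t1\t512\tSecurity\tSYSTEM\tTS01\t"
    "Windows NT is starting up.\n"
)

def parse_dumpel(text):
    """Turn a dumpel-style dump into a list of dicts keyed by COLUMNS."""
    records = []
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(row) < len(COLUMNS):
            continue  # skip blank or truncated lines
        rec = dict(zip(COLUMNS, row))
        rec["strings"] = "\t".join(row[len(COLUMNS) - 1:])  # keep extra fields
        rec["event_id"] = int(rec["event_id"])
        records.append(rec)
    return records

def shutdown_privilege_uses(records):
    """Event 578 entries whose privilege list names SeShutdownPrivilege."""
    return [r for r in records
            if r["event_id"] == 578 and "SeShutdownPrivilege" in r["strings"]]

def attribute_shutdown(records, startup_event_id=512):
    """Last SeShutdownPrivilege use logged before the next startup event
    (512, 'Windows NT is starting up'); None when there is no candidate."""
    candidate = None
    for r in records:
        if r["event_id"] == startup_event_id:
            return candidate
        if r["event_id"] == 578 and "SeShutdownPrivilege" in r["strings"]:
            candidate = r
    return candidate

if __name__ == "__main__":
    hit = attribute_shutdown(parse_dumpel(SAMPLE_DUMP))
    print("last shutdown privilege use before restart:", hit["user"], hit["time"])
```

The same filter drops the unrelated 578 entries (backup, TCB and similar privileges) that make privilege auditing noisy on a terminal server.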