arshaadyar03
asked on
Logging Server Shutdown
There is a user on the network that has been shutting down the server. I have been asked to find out who that user is. Users access the server via PCAnywhere and Terminal Services. How can I log the server activity so that I can report as to which user is initiating the server shutdown?
After this is determined I will define security policy to disable remote shutdown etc., but for now the admin requires that we report as to who is shutting down the server.
Thanks,
AY
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks for the feedback, JP. I will try this in the morning and advise on the outcome.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
We have w2k servers running with pcAnywhere on them and everything is logged in the event viewer. To see who is shutting down the server, look at the security log... this is taking into account, however, that you don't have pcAnywhere open to access by all users without entering in any authentication information. Usually, most people will have it set to use NT Authentication and grant access to the users/groups that need access to the machine...
Also, on another note, to verify when the server was shut down, you should see events in the event viewer for the shutdown. Usually there is an event ID of 6006 with the description of "The Eventlog service was stopped" just before the system shuts down or restarts...
(I apologize for the double post there, IE seemed to have gone berserk on me :) )
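The check described in the comment above, as an added example that is not part of the original thread: it reads a CSV export of the System and Security logs and, for each event 6006, lists the accounts that logged on shortly before it. The export layout, the sample rows, the 30-minute window and event ID 528 (successful logon on Windows 2000/2003) are assumptions of this example; only 6006 comes from the thread.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

SHUTDOWN_ID = 6006  # from the thread: logged just before shutdown/restart
LOGON_ID = 528      # assumption: successful logon on Windows 2000/2003

# Constructed sample rows; the CSV layout is an assumption of this example.
SAMPLE_EXPORT = """time,log,event_id,user
2004-03-01 08:02:11,Security,528,alice
2004-03-01 09:15:40,Security,528,bob
2004-03-01 09:21:05,System,6006,N/A
2004-03-02 13:40:00,Security,528,alice
2004-03-02 17:40:00,Security,528,carol
2004-03-02 17:55:12,Security,528,bob
2004-03-02 18:01:30,System,6006,N/A
"""

def load_events(text):
    """Parse the export into dicts sorted by time."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        row["event_id"] = int(row["event_id"])
        events.append(row)
    return sorted(events, key=lambda e: e["time"])

def shutdown_candidates(events, window=timedelta(minutes=30)):
    """Per 6006 event: users who logged on within `window` before it, newest first."""
    report = []
    for ev in (e for e in events if e["event_id"] == SHUTDOWN_ID):
        users = []
        for e in reversed(events):
            age = ev["time"] - e["time"]
            if (e["event_id"] == LOGON_ID and timedelta(0) <= age <= window
                    and e["user"] not in users):
                users.append(e["user"])
        report.append((ev["time"], users))
    return report

def tally(report):
    """Count how many shutdowns each account was logged on shortly before."""
    return Counter(u for _, users in report for u in users).most_common()

if __name__ == "__main__":
    report = shutdown_candidates(load_events(SAMPLE_EXPORT))
    for when, users in report:
        print(when, "candidates:", ", ".join(users) or "none")
    print(tally(report))
```

An account that recurs across several shutdowns is the one to look at first in the Security log.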
ASKER
Thanks to you all. I have set up the appropriate auditing parameters and have tested. Now I just need to wait for the user to attempt a shutdown.
Thanks Again,
Arsshaad
GL! Hopefully the links/instructions I sent last night did the job. -JP
My recommendation would be a split of the points...
ASKER
P.S. I also need to log their remote access via PCAnywhere and Terminal Services.