arshaadyar03

asked on

Logging Server Shutdown

There is a user on the network that has been shutting down the server. I have been asked to find out who that user is. Users access the server via PCAnywhere and Terminal Services. How can I log the server activity so that I can report as to which user is initiating the server shutdown?

After this is determined I will define security policy to disable remote shutdown etc., but for now the admin requires that we report as to who is shutting down the server.

Thanks,
AY
ASKER CERTIFIED SOLUTION
blurterboy

This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
arshaadyar03

ASKER

Yes, I have tried that, but there is no way to specify logging of server shutdown. You can audit server logon and can set permissions for what groups/users have the right to shut down.

P.S. I also need to log their remote access via PCAnywhere and Terminal Services.
SOLUTION
This solution is only available to members.
Thanks for the feedback, JP. I will try this in the morning and advise on the outcome.

SOLUTION
This solution is only available to members.
SOLUTION
oBdA

This solution is only available to members.
SOLUTION
This solution is only available to members.
We have W2K servers running with pcAnywhere on them and everything is logged in the event viewer. To see who is shutting down the server, look at the security log... This is taking into account, however, that you don't have pcAnywhere open to access by all users without entering any authentication information. Usually, most people will have it set to use NT Authentication and grant access to the users/groups that need access to the machine...
Also, on another note, to verify when the server was shut down, you should see events in the event viewer for the shutdown. Usually there is an event ID of 6006 with the description of "The Eventlog service was stopped" just before the system shuts down or restarts...
(I apologize for the double post there, IE seemed to have gone berserk on me :) )
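The correlation described in the comment above (Security log logons matched against event 6006), as an added example that is not part of the original thread. It assumes the event logs were exported to simple records; the record layout, user names, timestamps and session IDs are constructed, and the logon/logoff IDs 528 and 538 are the pre-Vista Security log numbering, which the thread itself does not state.

```python
from datetime import datetime

# 6006 comes from the thread above; 528 (successful logon) and 538 (logoff)
# are the pre-Vista Security-log IDs, assumed here for a W2K server.
LOGON, LOGOFF, EVENTLOG_STOPPED = 528, 538, 6006

# Constructed sample records: (time, event ID, user, logon session ID).
SAMPLE = [
    ("2004-03-01 08:02:11", 528, "CORP\\alice", "0x1A2F"),
    ("2004-03-01 09:40:03", 538, "CORP\\alice", "0x1A2F"),
    ("2004-03-01 17:55:42", 528, "CORP\\bob", "0x2B10"),
    ("2004-03-01 18:01:09", 528, "CORP\\carol", "0x2B77"),
    ("2004-03-01 18:03:30", 6006, None, None),
    ("2004-03-02 07:58:00", 528, "CORP\\alice", "0x0F01"),
    ("2004-03-02 12:15:27", 6006, None, None),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def sessions_at_shutdown(records):
    """For each 6006 event, list the sessions still open, newest logon first."""
    open_sessions = {}  # logon session ID -> (user, logon time)
    report = []
    for ts, event_id, user, logon_id in sorted(records, key=lambda r: parse(r[0])):
        when = parse(ts)
        if event_id == LOGON:
            open_sessions[logon_id] = (user, when)
        elif event_id == LOGOFF:
            open_sessions.pop(logon_id, None)  # tolerate a logoff with no logon seen
        elif event_id == EVENTLOG_STOPPED:
            newest_first = sorted(open_sessions.values(), key=lambda s: s[1], reverse=True)
            # Report each candidate with the seconds between logon and shutdown.
            report.append((ts, [(u, int((when - t).total_seconds())) for u, t in newest_first]))
            open_sessions.clear()  # sessions do not survive the shutdown
    return report

if __name__ == "__main__":
    for shutdown, candidates in sessions_at_shutdown(SAMPLE):
        print(shutdown, candidates or "no logged-on session recorded")
```

An open session at shutdown time narrows the list of candidates; it does not by itself prove which of them initiated the shutdown.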
Thanks to you all. I have set up the appropriate auditing parameters and have tested. Now I just need to wait for the user to attempt a shutdown.

Thanks Again,
Arsshaad
GL! Hopefully the links/instructions I sent last night did the job. -JP
My recommendation would be a split of the points...