Windows Server 2008 Shutting Down

Is there a scheduled task set to do so?

I would remove the permission to shutdown the server from SYSTEM, in the local security policy.

Please check the required link

http://social.msdn.microsoft.com/Forums/en-US/etw/thread/ca79615b-a76e-4e42-acfb-608057651981

Seems like a script is shutting it down.

http://support.microsoft.com/kb/2001061

No, there's no scheduled task for it. As I said the server is about 6 months old but it's only the second day (02/05/2012 and then 04/04/2012) when it has happened several times during these 2 days.
How can I remove the permissions to shutdown the server for SYSTEM?

@dariusg and @nsonbaty - you are both pointing to the same article what describes an error message when a system has been shut down manually. I have said though that in my case the server shuts down on its own...

@Firebar

Which one should I remove then to avoid the server shutting down on its own?

Who is supposed to turn-off the server. This should be only a handful of people. Remove everyone just to test it, add yourself as the only one who can turn it off. Make a note of the default membership.

I know that no one else is turning it off. It's a dentist practice and the server is in a separate room, everyone else are in surgeries or at the reception. And, as I said before, I was logged in remotely (RDP) when I got the message that it's logging off.
I'm the only one who is supposed to restart/turn off/install updates etc and I'm 99.9% certain that none of the staff knows the password and how to turn it off. So it's the system itself as described in my initial system. Which one of them 4 is the System account I should remove from there to avoid the shut down process triggered by the server itself?

I would remove them all and add you and one other person who can shut the machine off. Just to test it out. SYSTEM's membership cannot be manually controlled. It is implicitly added by the OS itself.

Well, can't remove/add anyone remotely, options are grayed out. So will have to ask someone to do it locally.
Additionally, last time when we had the same problem (4/4/2012) it happened 4 times in 2-3 hours and then stopped. Today it has happened 3 times and it's been almost an hour now since the last shut down so I wouldn't be surprised if it won't happen again, maybe for another 30 days or so, in case if there's a pattern developing...
Also, is it not worth finding out what's triggering it (the cause) instead of patching the problem with changing permissions?

Look in the Event Logs, around the times the shutdowns occur. System Log, App Log, Security Log.

System log:
3.14.44pm The Application Experience service entered the stopped state.
3.19.33pm The WinHTTP Web Proxy Auto-Discovery Service service entered the stopped state.
3.20.21pm The process C:\Windows\system32\winlogon.exe (SERVER) has initiated the power off of computer SERVER on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found (thats the main message)
3.20.22pm User Logoff Notification for Customer Experience Improvement Program
And loads of other services shutting down as expected.

Application log has these:
3.20.22pm The Desktop Window Manager has exited with code (0x40010004)
3.20.25pm SQL Server is terminating because of a system shutdown. This is an informational message only. No user action is required.
Prior to the shut down nothing for 15 minutes. Both of these messages are well expected as the system is shutting down.

Security Log:
3.19.41pm An account was successfully logged on. Security ID: NULL SID
3.20.21pm An account was logged off. Security ID: Computer12-PC$
3.20.22pm User initiated logoff: Security ID: Myusername


As I said it has happened 3 times today. I noticed that in every instance when the server has shut down there's an entry in Security log like this one:
An account was logged off. Security ID: Computer12-PC$
Sometimes it's Computer 12, sometimes it's Computer 13. And it happened up to 25 seconds before the server was shut down in all 3 occasions.
Maybe there's something there?

Thanks

That may narrow the scope a bit. Run all sorts of A/V software against 12 and 13.

Thanks for your reply sapird.
There's no tool installed from Dell, I did install Speedfan though yesterday to monitor the overheating possibility. Fortunately/unfortunately all cores are staying around 30 degrees Celsius...
Is there anything else I could install on it what monitors the server hardware?

What is striking though is that it happened yesterday, that’s Wednesday, and 4th of April was Wednesday as well. Additionally, both happened between 1pm and 4pm. So if there’s a pattern establishing then it should happen again in 4 weeks’ time, on Wednesday the 30th of May...

is the computer joined to domain?
if there is no critical services on it you can tray and move the date/time to see:):)

It is a DC yes. Will look into the Dell doc you provided later.

Could this be licensing? It seems to happen once a month, which would jive with an activation error. Is Windows properly licensed and activated?

Yea, Windows is activated it says. And there are 5 PCs connected to it so I doubt it will be a licensing issue...

5 CALS are a default for Windows Server, though I am not 100% on that for Windows Foundation.

There's no need for CAL with Foundation Server...
http://www.techrepublic.com/blog/datacenter/windows-server-2008-r2-foundation-gives-small-networks-more-options/1600

There shouldn't be any, but that is my opinion.

@ rejoinder
I'm not sure it's a hardware problem. If it was it would just go off without logging off and without showing the  messages in the log file that's it's about to log off. Unless of course servers as so well built and so clever that they can still turn off properly when a capacitor goes. Additionally, it might be a coincidence, but as I mentioned it happened exactly 4 weeks apart, same day, same time...
But thanks for your input

Yeah, a hardware issue like the one I mentioned would likely just stop the server dead in its tracks and not gracefully shutdown - good point.
If the server has a fancy powerbar/UPS hooked up, could some equipment in the office be browning out the power enough that the computer gets a signal to shutdown?

So just an update as I don't want to close the topic yet.
The server hasn't experienced the same issu, yet. But as I said in an earlier comment it, if there's a pattern developing then it might happen again on the 30thof May, 4 weeks after the last occurance.
So will wait and see.

Had to choose my comment as an answer cause noone offered that advice. Thanks