Solved

Windows Event Log Entry for removal of hardware

Posted on 2015-01-28
4
62 Views
Last Modified: 2015-06-30
We had an issue where someone used "Safely Remove Hardware" on a VMWare terminal server, and removed/uninstalled the Network Adapter.
Fixed the problem of Safely Remove Hardware to prevent it from happening again, but I'd like to try to identify who was the initiator of the action.
Is there any way to identify this? It's a cloud/hosted server, so I don't have access to the VMWare logs directly (could probably get to them with the hosting company's assistance), but it's my understanding that the VMWare logs won't have user-specific information, just that the action occurred.
Again, looking for something in Windows, that will tie to a user account.

Windows Server 2008 R2, Active Directory Domain.
0
Comment
Question by:LingerLonger
4 Comments
 
LVL 119

Accepted Solution

by:
Andrew Hancock (VMware vExpert / EE MVE^2) earned 500 total points
ID: 40575825
The VMware Logs will not help you, if it was done within the OS.

You will need to look at the Windows OS Event Logs, at login and logout times, at the time of the operation, but difficult if there were many concurrent users logged on.

Do you have Auditing Enabled on the Windows OS Server ?
0
 
LVL 12

Author Comment

by:LingerLonger
ID: 40575837
Some auditing. If there is a specific audit config that would pick up on this item, I would like to know it, so I can see if it was enabled, and if not, enable it.
There were about 20 people logged onto the server a the time, so I'm not expecting to get a straight answer from a user. Not to mention that they probably had no awareness that what they did cause the result it did.
0
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40859140
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I will show you HOW TO: Suppress Configuration Issues and Warnings Alert displayed in Summary status for ESXi 6.5 after enabling SSH or ESXi Shell.
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

792 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question