Solved

Windows Event Log Entry for removal of hardware

Posted on 2015-01-28
4
75 Views
Last Modified: 2015-06-30
We had an issue where someone used "Safely Remove Hardware" on a VMWare terminal server, and removed/uninstalled the Network Adapter.
Fixed the problem of Safely Remove Hardware to prevent it from happening again, but I'd like to try to identify who was the initiator of the action.
Is there any way to identify this? It's a cloud/hosted server, so I don't have access to the VMWare logs directly (could probably get to them with the hosting company's assistance), but it's my understanding that the VMWare logs won't have user-specific information, just that the action occurred.
Again, looking for something in Windows, that will tie to a user account.

Windows Server 2008 R2, Active Directory Domain.
0
Comment
Question by:LingerLonger
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 121

Accepted Solution

by:
Andrew Hancock (VMware vExpert / EE MVE^2) earned 500 total points
ID: 40575825
The VMware Logs will not help you, if it was done within the OS.

You will need to look at the Windows OS Event Logs, at login and logout times, at the time of the operation, but difficult if there were many concurrent users logged on.

Do you have Auditing Enabled on the Windows OS Server ?
0
 
LVL 12

Author Comment

by:LingerLonger
ID: 40575837
Some auditing. If there is a specific audit config that would pick up on this item, I would like to know it, so I can see if it was enabled, and if not, enable it.
There were about 20 people logged onto the server a the time, so I'm not expecting to get a straight answer from a user. Not to mention that they probably had no awareness that what they did cause the result it did.
0
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 40859140
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A procedure for exporting installed hotfix details of remote computers using powershell
In this article we will learn how to backup a VMware farm using Nakivo Backup & Replication. In this tutorial we will install the software on a Windows 2012 R2 Server.
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question