Windows Event Log Entry for removal of hardware

We had an issue where someone used "Safely Remove Hardware" on a VMWare terminal server, and removed/uninstalled the Network Adapter.
Fixed the problem of Safely Remove Hardware to prevent it from happening again, but I'd like to try to identify who was the initiator of the action.
Is there any way to identify this? It's a cloud/hosted server, so I don't have access to the VMWare logs directly (could probably get to them with the hosting company's assistance), but it's my understanding that the VMWare logs won't have user-specific information, just that the action occurred.
Again, looking for something in Windows, that will tie to a user account.

Windows Server 2008 R2, Active Directory Domain.
LVL 12
LingerLongerAsked:
Who is Participating?
 
Andrew Hancock (VMware vExpert / EE MVE^2)Connect With a Mentor VMware and Virtualization ConsultantCommented:
The VMware Logs will not help you, if it was done within the OS.

You will need to look at the Windows OS Event Logs, at login and logout times, at the time of the operation, but difficult if there were many concurrent users logged on.

Do you have Auditing Enabled on the Windows OS Server ?
0
 
LingerLongerAuthor Commented:
Some auditing. If there is a specific audit config that would pick up on this item, I would like to know it, so I can see if it was enabled, and if not, enable it.
There were about 20 people logged onto the server a the time, so I'm not expecting to get a straight answer from a user. Not to mention that they probably had no awareness that what they did cause the result it did.
0
 
Seth SimmonsSr. Systems AdministratorCommented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.