We had an issue where someone used "Safely Remove Hardware" on a VMWare terminal server, and removed/uninstalled the Network Adapter.
Fixed the problem of Safely Remove Hardware to prevent it from happening again, but I'd like to try to identify who was the initiator of the action.
Is there any way to identify this? It's a cloud/hosted server, so I don't have access to the VMWare logs directly (could probably get to them with the hosting company's assistance), but it's my understanding that the VMWare logs won't have user-specific information, just that the action occurred.
Again, looking for something in Windows, that will tie to a user account.
Windows Server 2008 R2, Active Directory Domain.