[THIN] Re: Logging which user shut server down

  • From: "Callahan, Michael" <MichaelCallahan@xxxxxxxxxxxxxxxx>
  • To: "thin@xxxxxxxxxxxxx" <thin@xxxxxxxxxxxxx>
  • Date: Sat, 26 Mar 2005 08:20:06 -0600

You can on 2003, but not on 2000.  Only way on 2000 that I'm aware of is to
audit privilege access and correlate that to the time that services like
event viewer were shut down prior to reboot.  Joe's suggestion is a good
one, and one that you can implement in group policy.  I do this in my
environment, and it has drastically cut down on the number of inadvertent
reboots.
 
If you can, you should work on a comprehensive role based access policy that
drastically reduces the number of people who have admin access.  My problems
went away after I did this. As a wise man on the Exchange list once said,
there are seldom good technical solutions to behavioral problems.
 
Michael

-----Original Message-----
From: Andrew M Stemen [mailto:lists@xxxxxxxxxxxxxxxxx]
Sent: Saturday, March 26, 2005 12:06 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Logging which user shut server down



I would have *sworn* that you could tell who initiated shutdown by the event
viewer... I know that I was able to tell one time, but I can't remember the
circumstances around it.

 

Aren't the users also able to go to Start --> Settings --> Windows Security,
and then click on Shut Down? I managed a server in which I know that was
done a few times... we had more problems with people using programs that
required reboots (and unfortunately, we weren't able to do anything about
that software).

 

Andrew

 


  _____  


From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Joe Shonk
Sent: Saturday, March 26, 2005 12:03 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Logging which user shut server down

 

That's why I like to take the shutdown command off of the start menu and
leave only the Logoff button.  If an administrator really wants to
shutdown/restart a computer, he or she will have to select Start->Run and
type in Shutdown /r (or something similar)

 

Joe

 


  _____  


From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of PETERSON, DAVID
Sent: Friday, March 25, 2005 4:55 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Logging which user shut server down

 

My Citrix server went down today, and when I got there it was powered off.
It looks like a graceful shutdown. My security logs show a few admins logged
in that have shutdown rights, but can't tell if any of them did it. Is there
a way to determine which user initiated the shutdown? If not for this
instance, to catch the info if it ever happens again?
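
The correlation Michael describes for Windows 2000 (audited privilege use matched against the time the event log service stopped) can be sketched as follows. This is an added example, not code from anyone in the thread. It assumes Security-log privilege-use events 577/578 naming SeShutdownPrivilege, System-log event 6006 for the event log service stopping, a two-minute window, and a constructed record layout and sample data.

```python
from datetime import datetime, timedelta

PRIV_USE_IDS = {577, 578}   # assumed: Security-log privilege-use events on Windows 2000
EVENTLOG_STOPPED = 6006     # assumed: System-log "Event log service was stopped"
FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample records: (time, log, event id, user, detail).
EVENTS = [
    ("2005-03-25 09:15:40", "Security", 577, "CORP\\carol", "SeShutdownPrivilege"),
    ("2005-03-25 09:15:52", "System", 6006, "", "Event log service was stopped"),
    ("2005-03-25 13:05:00", "Security", 577, "CORP\\alice", "SeShutdownPrivilege"),
    ("2005-03-25 15:39:30", "Security", 577, "CORP\\dave", "SeBackupPrivilege"),
    ("2005-03-25 15:40:03", "Security", 578, "CORP\\bob", "SeShutdownPrivilege"),
    ("2005-03-25 15:40:09", "System", 6006, "", "Event log service was stopped"),
    ("2005-03-25 22:01:17", "System", 6006, "", "Event log service was stopped"),
]


def shutdown_suspects(events, window=timedelta(minutes=2)):
    """Map each event-log stop time to the users who exercised a shutdown
    privilege within `window` before it. An empty list means the shutdown
    cannot be attributed from these logs."""
    parsed = [(datetime.strptime(t, FMT), log, eid, user, detail)
              for t, log, eid, user, detail in events]
    # Keep only privilege-use records that name a shutdown privilege.
    uses = [(t, user) for t, log, eid, user, detail in parsed
            if log == "Security" and eid in PRIV_USE_IDS
            and "ShutdownPrivilege" in detail]
    result = {}
    for t, log, eid, _user, _detail in parsed:
        if log == "System" and eid == EVENTLOG_STOPPED:
            result[t.strftime(FMT)] = sorted(
                {user for ut, user in uses if timedelta(0) <= t - ut <= window})
    return result


if __name__ == "__main__":
    for stopped, users in shutdown_suspects(EVENTS).items():
        print(stopped, "->", ", ".join(users) or "no privilege use in window")
```

A stop time with no matching user is the case where the logs show admins logged on but cannot say which of them, if any, initiated the shutdown.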


