You can on 2003, but not on 2000. Only way on 2000 that I'm aware of is to audit privilege access and correlate that to the time that services like event viewer were shut down prior to reboot. Joe's suggestion is a good one, and one that you can implement in group policy. I do this in my environment, and it has drastically cut down on the number of inadvertent reboots. If you can, you should work on a comprehensive role based access policy that drastically reduces the number of people who have admin access. My problems went away after I did this. As a wise man on the Exchange list once said, there are seldom good technical solutions to behavioral problems. Michael -----Original Message----- From: Andrew M Stemen [mailto:lists@xxxxxxxxxxxxxxxxx] Sent: Saturday, March 26, 2005 12:06 AM To: thin@xxxxxxxxxxxxx Subject: [THIN] Re: Logging which user shut server down I would have *sworn* that you could tell who initiated shutdown by the event viewer... I know that I was able to tell one time, but I can't remember the circumstances around it. Aren't the users also able to go to Start --> Settings --> Windows Security, and then click on Shut Down? I managed a server in which I know that was done a few times... we had more problems with people using programs that required reboots (and unfortunately, we weren't able to do anything about that software). Andrew _____ From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Joe Shonk Sent: Saturday, March 26, 2005 12:03 AM To: thin@xxxxxxxxxxxxx Subject: [THIN] Re: Logging which user shut server down That's why I like to take the shutdown command off of the start menu and leave only the Logoff button. If an administrator really wants to shutdown/restart a computer, he or she will have to select Start->Run and type in Shutdown /r (or something similar) Joe _____ From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of PETERSON, DAVID Sent: Friday, March 25, 2005 4:55 PM To: thin@xxxxxxxxxxxxx Subject: [THIN] Logging which user shut server down My Citrix server went down today, and when I got there it was powered off. It looks like a graceful shutdown. My security logs show a few admins logged in that have shutdown rights, but can't tell if any of them did it. Is there a way to determine which user initiated the shutdown? If not for this instance to catch the info if it ever happens again? NOTICE: This electronic mail transmission from the law firm of Dinsmore & Shohl may constitute an attorney-client communication that is privileged at law. It is not intended for transmission to, or receipt by, any unauthorized persons. If you have received this electronic mail transmission in error, please delete it from your system without copying it, and notify the sender by reply e-mail, so that our address record can be corrected. ********** Confidentiality Notice ********** This electronic transmission and any attached documents or other writings are confidential and are for the sole use of the intended recipient(s) identified above. This message may contain information that is privileged, confidential or otherwise protected from disclosure under applicable law. If the receiver of this information is not the intended recipient, or the employee, or agent responsible for delivering the information to the intended recipient, you are hereby notified that any use, reading, dissemination, distribution, copying or storage of this information is strictly prohibited. If you have received this information in error, please notify the sender by return email and delete the electronic transmission, including all attachments from your system.