How to determine WHO shut down the server
Milan 09-06-2006, 07:43 PM
I need to know what user account shut down a production Windows 2000 server
today. I am sure it was in error and the person meant to log off instead,
but no one is owning up to it. The Security log is less than helpful in
that it shows several people logging into the box before the shutdown
occurred, but nothing I can attach a name to the offense itself... just basic
auditing that is deployed in the default domain GPO.
I was looking through some of the local policy options in the GPO for
options to enable moving forward, but didn't know if there was a trick to
determining "whodunnit" now.
Thanks for reading,
-M
Milan 09-07-2006, 03:38 PM
Just with further testing, I enabled the Privilege Auditing and was able to
get an Event 578 related to SeShutdownPrivilege for my user account. This
was the only thing I could connect a user to a shutdown process. This may
help moving forward, but not for the past issue.
Thanks,
-M
karl levinson, mvp 09-09-2006, 03:29 AM
"Milan" <pass, sporting question please.> wrote in message
news:%234dZCto0GHA.720@TK2MSFTNGP02.phx.gbl...
> Just with further testing, I enabled the Privilege Auditing and was able
> to get an Event 578 related to SeShutdownPrivilege for my user account.
> This was the only thing I could connect a user to a shutdown process.
> This may help moving forward, but not for the past issue.
Well, the Windows Security Event Log is the right place to look, assuming
auditing was enabled at the right level. I assume you already looked
through there and found nothing.
The only other thing I might try, and this may finger the wrong person,
might be to look at the time stamps on the various files in the c:\documents
and settings\ folder, especially the various registry and temp files,
assuming that the logon was local.
Other than that, you're lost.
--
kind regards,
Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
--------------------------------
Microsoft Security FAQ:
http://securityadmin.info
Milan 09-11-2006, 01:47 PM
Thanks Karl, unfortunately this is a terminal services server so there are a
lot of active users on the server at the time of restart. Are you familiar
with the SeShutdownPrivilege? It appears to be the most concrete thing I can
find... it just sucks enabling Privilege auditing on a terminal server
because you get a TON of other data.... especially with SMS installed.
"karl levinson, mvp" <levinson_k@securityadmin.info> wrote in message
news:e6J35e70GHA.1548@TK2MSFTNGP02.phx.gbl...
>
> "Milan" <pass, sporting question please.> wrote in message
> news:%234dZCto0GHA.720@TK2MSFTNGP02.phx.gbl...
>> Just with further testing, I enabled the Privilege Auditing and was able
>> to get an Event 578 related to SeShutdownPrivilege for my user account.
>> This was the only thing I could connect a user to a shutdown process.
>> This may help moving forward, but not for the past issue.
>
> Well, the Windows Security Event Log is the right place to look, assuming
> auditing was enabled at the right level. I assume you already looked
> through there and found nothing.
>
> The only other thing I might try, and this may finger the wrong person,
> might be to look at the time stamps on the various files in the
> c:\documents and settings\ folder, especially the various registry and
> temp files, assuming that the logon was local.
>
> Other than that, you're lost.
>
> --
> kind regards,
> Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
> --------------------------------
> Microsoft Security FAQ:
> http://securityadmin.info
>
Steven L Umbach 09-12-2006, 03:37 AM
Also check the "Shut down the system" user right on that server [look at
the effective setting] to make sure that only administrators and other
users/groups that you want are able to shut the server down.
Steve
"Milan" <pass, sporting question please.> wrote in message
news:eCkIvBa1GHA.4452@TK2MSFTNGP02.phx.gbl...
> Thanks Karl, unfortunately this is a terminal services server so there are
> a lot of active users on the server at the time of restart. Are you
> familiar with the SeShutdownPrivilege? It appears to be the most concrete
> thing I can find... it just sucks enabling Privilege auditing on a
> terminal server because you get a TON of other data.... especially with
> SMS installed.
>
>
> "karl levinson, mvp" <levinson_k@securityadmin.info> wrote in message
> news:e6J35e70GHA.1548@TK2MSFTNGP02.phx.gbl...
>>
>> "Milan" <pass, sporting question please.> wrote in message
>> news:%234dZCto0GHA.720@TK2MSFTNGP02.phx.gbl...
>>> Just with further testing, I enabled the Privilege Auditing and was able
>>> to get an Event 578 related to SeShutdownPrivilege for my user account.
>>> This was the only thing I could connect a user to a shutdown process.
>>> This may help moving forward, but not for the past issue.
>>
>> Well, the Windows Security Event Log is the right place to look, assuming
>> auditing was enabled at the right level. I assume you already looked
>> through there and found nothing.
>>
>> The only other thing I might try, and this may finger the wrong person,
>> might be to look at the time stamps on the various files in the
>> c:\documents and settings\ folder, especially the various registry and
>> temp files, assuming that the logon was local.
>>
>> Other than that, you're lost.
>>
>> --
>> kind regards,
>> Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
>> --------------------------------
>> Microsoft Security FAQ:
>> http://securityadmin.info
>>
>
>
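One way to do the check Steve describes, as an added example that is not part of the thread: export the local security database's user-rights section with secedit and resolve the SIDs listed against SeShutdownPrivilege. The file name under $env:TEMP is an arbitrary choice. Note that this shows the value currently applied on the box (which is where the domain GPO writes it), not necessarily what was in effect at the moment of the shutdown.

```powershell
# Added example, not from the thread: list which accounts currently hold the
# "Shut down the system" user right (SeShutdownPrivilege) on the local machine.
# secedit exports the settings held in the local security database, i.e. the
# currently applied value; it says nothing about the state at shutdown time.
$inf = Join-Path $env:TEMP 'user-rights-export.inf'   # temp file name is arbitrary
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

$line = Get-Content $inf |
    Where-Object { $_ -match '^\s*SeShutdownPrivilege\s*=' } |
    Select-Object -First 1
Remove-Item $inf -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Warning 'SeShutdownPrivilege is not listed; no account holds the right locally.'
}
else {
    # The value is a comma-separated list; SIDs carry a leading '*', names are bare.
    $entries = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() }
    foreach ($entry in $entries) {
        $principal = $entry
        if ($entry.StartsWith('*')) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.TrimStart('*'))
                $principal = $sid.Translate([System.Security.Principal.NTAccount]).Value
            }
            catch {
                # Orphaned SIDs (deleted accounts) cannot be resolved; keep the raw SID
                $principal = "$entry (unresolved SID)"
            }
        }
        [pscustomobject]@{ Right = 'SeShutdownPrivilege'; Holder = $principal }
    }
}
```

Anything in the output beyond Administrators (and, on a terminal server, whatever group you deliberately allowed) is a candidate to remove; an unresolved SID usually means a deleted account that was never cleaned out of the policy.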
karl levinson, mvp 09-12-2006, 02:04 PM
"Milan" <pass, sporting question please.> wrote in message
news:eCkIvBa1GHA.4452@TK2MSFTNGP02.phx.gbl...
> Thanks Karl, unfortunately this is a terminal services server so there are
> a lot of active users on the server at the time of restart. Are you
> familiar with the SeShutdownPrivilege? It appears to be the most concrete
> thing I can find... it just sucks enabling Privilege auditing on a
> terminal server because you get a TON of other data.... especially with
> SMS installed.
Well, would it help if you used something to filter out just the events
you're looking for? One way to do this is to use batch files with tools
such as dumpel from www.sysinternals.com
or from the Windows Resource Kit [some of which is available for free
download from www.microsoft.com] to automate monitoring, filtering and
reporting on the event logs.
Or, there are a number of free Windows event log to syslog agents that can
allow you to filter out just what you want to see, such as NTSYSLOG.
www.kiwisyslog.com is one free syslog server to collect such events. Or
there's a free product called SNARE. Snare is basically an agent that sends
event log data to a syslog server.
--
kind regards,
Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
--------------------------------
Microsoft Security FAQ:
http://securityadmin.info
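The filtering Karl suggests, done with PowerShell rather than dumpel or a syslog agent, as an added example that is not part of the thread: pull only the privilege-use events that name SeShutdownPrivilege out of the Security log and print one line per caller. Event 578 is the id Milan found on Windows 2000; 4674 is its replacement from Vista/Server 2008 onward. Get-WinEvent itself needs PowerShell 2.0 on Vista or later, so for a Windows 2000 box the realistic path is to save the Security log to a .evt file and read it on a newer machine through the ArchivePath parameter. The parameter names (ComputerName, ArchivePath, Since) and the Get-Field helper are this example's own; the field labels it parses are the ones those two events write into their message text. Privilege Use auditing must have been on when the shutdown happened, or there is nothing to find.

```powershell
# Added example, not from the thread: summarise privilege-use events that name
# SeShutdownPrivilege so you see one line per caller instead of the whole
# privilege-auditing flood Milan complains about. Parameter names are this
# example's own; 578 (pre-Vista) and 4674 (Vista+) are the real event ids.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$ArchivePath,                       # optional saved .evt/.evtx file
    [datetime]$Since = (Get-Date).AddDays(-7)
)

$filter = @{ Id = 578, 4674; StartTime = $Since }
if ($ArchivePath) { $filter.Path = $ArchivePath } else { $filter.LogName = 'Security' }

$params = @{ FilterHashtable = $filter; ErrorAction = 'SilentlyContinue' }
if (-not $ArchivePath) { $params.ComputerName = $ComputerName }

$events = Get-WinEvent @params | Where-Object { $_.Message -match 'SeShutdownPrivilege' }

# 578 reports the caller as Primary User/Domain, or as Client User/Domain when
# the call was made under impersonation (the Client fields are '-' otherwise).
# 4674 reports the caller under Subject as Account Name / Account Domain.
$labels = @(
    @{ User = 'Client User Name';  Domain = 'Client Domain' },
    @{ User = 'Primary User Name'; Domain = 'Primary Domain' },
    @{ User = 'Account Name';      Domain = 'Account Domain' }
)

# Extract "Label:   value" from the event message text; $null if absent.
function Get-Field([string]$Message, [string]$Label) {
    if ($Message -match "(?m)^\s*$Label\s*:\s*(.+?)\s*$") { return $Matches[1] }
    return $null
}

$rows = foreach ($e in $events) {
    $who = $null
    foreach ($l in $labels) {
        $u = Get-Field $e.Message $l.User
        if ($u -and $u -ne '-') {
            $who = "$(Get-Field $e.Message $l.Domain)\$u"
            break
        }
    }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Caller  = $who
        Process = Get-Field $e.Message 'Process Name'   # present on 4674, not on 578
    }
}
$rows | Sort-Object Time | Format-Table -AutoSize
```

Run it as `.\Find-ShutdownCaller.ps1 -ArchivePath C:\logs\security.evt` against a saved log, or with `-ComputerName` against a live newer server; the last row before the gap in the log is the shutdown itself, and its Caller column is the account the thread was trying to identify.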