Simple question, I think....

[Random]

For the past few weeks, one of my reps have been rebooting the 2k
terminal server "Accidentally" from a thinclient. Is there a way to
audit for the user who requested the server to reboot?

Any help is greatly appreciated.

Random

 

[Vera Noest [MVP]]

First of all, the right to reboot the server is limited to
administrators. I hope that you have not made all of your users
member of the administrator group!

I don't think that it is explicitly logged somewhere who initiated
the reboot,
If you enable security auditing, you will get a log of both logon and
logoff times, use of priviledges and exact time of reboot. Those
combined should give you a fairly good indication who did it.
But then again, this shouldn't be neccessary if it is one of your
administrators who did this by mistake. Education would be more
effective.