I'm hoping somebody can help me out here. I have a server that has been shutdown on 3 separate occassions but I cannot definitively determine who. I'm hoping somebody can help me figure out the mysteries of the Windows Event Logs.
This is a Windows Server 2003 64 buit server without Shutdown Tracker turned on.
I have the following events:
Day 1.
17:34:23 - ID 523, 576, 538 - User1 unlocks workstation (logon type 7 - they are on via RDP session)
17:34:44 - ID 26 - Application popup - Other people are logged onto this system. Shutting down this computer .....
17:34:46 - ID 551 - User1 initiates logoff
17:34:49 - ID 551 - User2 initiates logoff
17:34:53 - ID 538 - User1 logged off
17:34:53 - ID 1517 - Cannot unload User2 profile
17:34:53 - ID 1516 - Profile for User2 unloaded
17:35:10 - ID 513 - Shutting Down
Day 2.
16:25:32 - ID 523, 576, 538 - User1 unlocks workstation (logon type 7 - they are on via RDP session)
16:25:54 - ID 26 - Application popup - Other people are logged onto this system. Shutting down this computer .....
16:25:56 - ID 551 - User1 initiates logoff
16:25:58 - ID 551 - User2 initiates logoff
Day 3.
10:45:29 - ID - User1 logon via RDP (logon type 10)
11:09:47 - ID 523, 576, 538 - User1 unlocks workstation (logon type 7)
11:38:11 - ID 26 - Application popup - Other people are logged onto this system. Shutting down this computer .....
11:38:17 - ID 551 - User1 initiates logoff
11:38:17 - ID 538 - User1 logoff
11:38:32 - ID 513 - Shutting down
To me this looks like generally the user unlocking their workstation, shutting down, saying yes to the piopup and then it logging him off and shutting the server down.
I know this isn't a lot to go on, but it's all I've got.
So what I'm asking is this looking like what I think it is and do I need more information or could this be anything and I definitely need more information.
