The Shutdown Event Tracker is a feature within Windows Server 2003 and Windows Server 2008 that reports on events that impact the availability of the server. I prefer more centralized solutions (e.g., log forwarding and centralized logging) for such events, so I sometimes remove the Shutdown Event Tracker via a Group Policy Object (GPO). You can do this to an entire domain or to a collection of computer accounts.

To disable the Shutdown Event Tracker, the Display Shutdown Event Tracker value needs to be set to disabled. The Display Shutdown Event Tracker value is located in Group Policy in the Computer Configuration | Policies | System section (Figure A).
Figure A

It may be best to apply this setting to a specific zone of servers, such as development or low-priority production servers. As a blanket rule, this may not be the best setting for the default domain policy.

The easy choice is to apply it to selected organizational units (OUs) within Active Directory. If OUs are not the best way to specify which computer accounts receive this Group Policy configuration, the next logical solution is to filter by security group. With filtering enabled, a single high-level GPO can be scoped by computer account membership in a security group. This allows filtering on factors such as critical application, development compared to production, or specified security zones, such as systems subject to one or more compliance requirements.

If Shutdown Event Tracker is disabled, the critical information about unexpected system reboots is still logged; this includes the Blue Screen of Death (BSOD). If an administrator interactively selects to reboot a server, it sends the shutdown command or requests a reboot (or shutdown) of the server. The main thing missing is the “previous shutdown was unexpected” popup for certain events, though the event is logged.
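To confirm on a given server that the policy has applied and that shutdown information is still being logged, a check along these lines can be run. This is an added example, not part of the original article; it assumes Windows Server 2008 or later with PowerShell 2.0 (for `Get-WinEvent`) and an elevated session, and the function names are hypothetical.

```powershell
# Added example, not from the original article.
# Assumes PowerShell 2.0+ on Windows Server 2008 or later, run elevated.

function Get-ShutdownTrackerPolicy {
    # Registry location written by the "Display Shutdown Event Tracker" policy.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Reliability'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $p -or $null -eq $p.ShutdownReasonOn) { return 'NotConfigured' }
    if ($p.ShutdownReasonOn -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Get-ShutdownEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,  # local server by default
        [int]$Days = 30                             # how far back to look
    )
    # System log event IDs that record shutdowns regardless of the tracker UI.
    $meaning = @{
        6008 = 'Unexpected shutdown'
        1074 = 'Shutdown/restart requested'
        1001 = 'Bugcheck (BSOD) report'
    }
    $filter = @{
        LogName   = 'System'
        Id        = 6008, 1074, 1001
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName,
            @{ Name = 'Meaning'; Expression = { $meaning[[int]$_.Id] } },
            @{ Name = 'Detail';  Expression = { ($_.Message -split "`r?`n")[0] } }
}

"Shutdown Event Tracker policy: $(Get-ShutdownTrackerPolicy)"
Get-ShutdownEvents -Days 30 | Sort-Object TimeCreated | Format-Table -AutoSize
```

The same event IDs are the ones to include in a log-forwarding subscription if shutdown history is collected centrally instead of through the tracker dialog.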

Do you use the Shutdown Event Tracker, or does it get in the way? Share your comments in the discussion.