I am running three Windows Server OS’s: Windows NT Server 4.0, Windows Server 2000, and Windows Server 2003.
I have a remote machine that shuts down on occasion without a system event ID of 6008 (Unexpected Shutdown). This makes me believe that a user is shutting down the machine without authorization.
Is there a way to determine when that shutdown command was given and which user shutdown the PC?
Any advice will be much appreciated. Thank You!