Terminal Server restarted by a user

Have you ever had your Windows Terminal Server restarted by a user? That’s kind of annoying wouldn’t you say? You slave and work all your career to keep your server fleet up-time at a consistent 99.9% only to have one of your users accidentally reboot your server during the most inopportune time. If this has ever happened to you, don’t blame the user! It’s up to all network admins everywhere to lock down servers, especially terminal servers where there can be the potential of hundreds of users connecting to it. One of the reasons they could reboot the server may be because Domain Users is part of the Backup Operators group.

Backup Operators can do the following:
Access the computer from the network Allow logon locally Back up files and directories Bypass traverse checking Log on as a batch job Restore files and directories Shut down the system

If you want to find out WHO rebooted your server, just look for Event ID 1074 in the event log of the terminal server. The detail will state something similar to the following: “The process X has initiated the restart / shutdown of computer on behalf of user Y for the following reason: Z.” Indicates that an application or a user initiated a restart or shutdown. Bingo! Find user Y and tell them to stop doing that! Just kidding. 

If you find that your terminal servers are magically rebooting and you or the other server administrators had nothing to do with it, then take a look at the local Backup Operators security group members on the Terminal Server. If you see members or groups that shouldn’t be in there, for God’s sake, remove them! 

George Almeida

Welcome to my little corner of the blogosphere. I'm an Information Technology Director. I specialize in Windows operating systems, applications, servers, storage, networks and also have a technical background on the IBM iSeries platform. My only purpose for this blog is the hope that it helps someone, someday, somewhere. Any meager proceeds derived from our sponsors will be donated to charity.

You may also like...

Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x