Terminal Server restarted by a user
Have you ever had your Windows Terminal Server restarted by a user? That’s kind of annoying, wouldn’t you say? You slave and work all your career to keep your server fleet up-time at a consistent 99.9%, only to have one of your users accidentally reboot your server at the most inopportune time. If this has ever happened to you, don’t blame the user! It’s up to network admins everywhere to lock down servers, especially terminal servers, which can have hundreds of users connecting to them. One reason a user may be able to reboot the server is that Domain Users is a member of the Backup Operators group.
Backup Operators can do the following:
- Access the computer from the network
- Allow logon locally
- Back up files and directories
- Bypass traverse checking
- Log on as a batch job
- Restore files and directories
- Shut down the system
If you want to find out WHO rebooted your server, just look for Event ID 1074 in the event log of the terminal server. The detail will state something similar to the following: “The process X has initiated the restart / shutdown of computer on behalf of user Y for the following reason: Z.” This event indicates that an application or a user initiated a restart or shutdown. Bingo! Find user Y and tell them to stop doing that! Just kidding.
If you find that your terminal servers are magically rebooting and you or the other server administrators had nothing to do with it, then take a look at the local Backup Operators security group members on the Terminal Server. If you see members or groups that shouldn’t be in there, for God’s sake, remove them!
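Both checks described above can be run together from an elevated PowerShell 5.1+ session on the terminal server. This is an added example, not part of the original post; the 30-day window, the list of "broad" group names and the `CONTOSO` domain in the commented removal line are assumptions to adjust for your environment.

```powershell
# Added example: audit restarts (Event ID 1074) and local Backup Operators membership.
# $Days and $BroadPattern are illustrative assumptions, not values from the article.
$Days = 30
$BroadPattern = '(^|\\)(Domain Users|Authenticated Users|Everyone|Users)$'

# 1) Who initiated each restart or shutdown? Event ID 1074 is written to the System log.
$filter = @{ LogName = 'System'; Id = 1074; StartTime = (Get-Date).AddDays(-$Days) }
$restarts = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Property order used by event 1074:
        # 0 = process (X), 2 = reason (Z), 4 = shutdown type, 6 = user (Y)
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = $_.Properties[6].Value
            Process = $_.Properties[0].Value
            Action  = $_.Properties[4].Value
            Reason  = $_.Properties[2].Value
        }
    }

if ($restarts) {
    $restarts | Sort-Object Time -Descending | Format-Table -AutoSize
} else {
    Write-Output "No Event ID 1074 entries in the last $Days days."
}

# 2) Who is in the local Backup Operators group on this server?
$members = Get-LocalGroupMember -Group 'Backup Operators'
$members | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 3) Flag broad principals: any of these gives ordinary users "Shut down the system".
$broad = $members | Where-Object { $_.Name -match $BroadPattern }
foreach ($m in $broad) {
    Write-Warning "Broad principal in Backup Operators: $($m.Name)"
}

# 4) After reviewing the output, remove an unwanted member.
#    CONTOSO is a placeholder domain name, not taken from the article.
# Remove-LocalGroupMember -Group 'Backup Operators' -Member 'CONTOSO\Domain Users'
```

If the membership keeps coming back after removal, check for a Group Policy (Restricted Groups or Group Policy Preferences) that re-adds it.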