08-20-2018 06:11 PM - edited 08-20-2018 06:12 PM
08-21-2018 01:00 AM
Hi, I'm not 100% sure if I understood you correctly, but you are referring to Event ID 1074, which is in the SYSTEM Event Log when a shutdown was initiated.
Something like this:
Event Type: Information
Event Source: USER32
Event Category: None
Event ID: 1074
Time: 7:00:00 AM
The process winlogon.exe has initiated the restart of computer EXCHHTCA on behalf of user NTDOMAIN\Administrator for the following reason: No title for this reason could be found
Reason Code: 0x840000ff
Shutdown Type: restart
Well. How do you stop these?
Fact #1: the user Domain\Administrator was initiating the shutdown,
and as you may know you cannot stop an admin.
Fact #2: if this is unintentional, then someone who knows the password of the user domain\administrator (actually the domain admin password!) is shutting down your computer.
Fact #3: if you have so many people in that group that you no longer have control over it, it's probably a good time to do some housekeeping and shrink it to a minimum.
Fact #4: maybe you have a visitor from the outside, and now is really a good time to reset the Administrator password. You may want to consider resetting the krbtgt account's password as well (twice, actually!).
If you have time, and if this happens so regularly, you may want to enable netlogon logging (nltest /dbflag:0x2080ffff) and, well, make sure you have security auditing enabled, and then look at logon occurrences shortly before the shutdown was triggered. You can at least find the workstation name / IP address from which this was triggered. Of course a local logon may also have happened via RDP from someone with the name "Administrator", but still you would get the client from which he or she did initially connect.
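The correlation step described in the reply (look at logons by the same account shortly before each Event ID 1074) can be scripted once the events are exported. The following is an added example, not code from the original poster or from Microsoft; it runs over a handful of constructed sample records (the field names, the 15-minute window, and the hostnames and addresses are all assumptions for the illustration), finds each 1074 shutdown, and lists the Security-log 4624 logons by the same account inside the window together with the source workstation, IP address and logon type, so an RDP (type 10) session initiating the restart still points back at the connecting client.

```python
from datetime import datetime, timedelta

# Well-known 4624 logon type codes (documented by Microsoft); used only for labelling.
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive (RDP)"}

# Constructed sample events, not real log data. Field names are assumptions
# standing in for the fields an exported System/Security log would provide.
SAMPLE_EVENTS = [
    {"time": "2018-08-20 06:55:10", "id": 4624, "user": "NTDOMAIN\\Administrator",
     "workstation": "WS-FINANCE-07", "ip": "10.0.5.23", "logon_type": 10},
    {"time": "2018-08-20 06:58:42", "id": 4624, "user": "NTDOMAIN\\jdoe",
     "workstation": "WS-HR-02", "ip": "10.0.7.11", "logon_type": 3},
    {"time": "2018-08-20 07:00:00", "id": 1074, "user": "NTDOMAIN\\Administrator",
     "computer": "EXCHHTCA", "reason_code": "0x840000ff", "shutdown_type": "restart"},
    # A logon by the same account far outside the window; must be ignored.
    {"time": "2018-08-19 22:10:00", "id": 4624, "user": "NTDOMAIN\\Administrator",
     "workstation": "WS-OLD-01", "ip": "10.0.1.5", "logon_type": 2},
]


def parse_time(value):
    """Parse the constructed 'YYYY-MM-DD HH:MM:SS' timestamp used in the sample."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def correlate_shutdowns(events, window_minutes=15):
    """For every 1074 shutdown, collect 4624 logons by the same account that
    occurred within `window_minutes` before it, most recent first."""
    shutdowns = [e for e in events if e["id"] == 1074]
    logons = [e for e in events if e["id"] == 4624]
    results = []
    for shutdown in shutdowns:
        t_end = parse_time(shutdown["time"])
        t_start = t_end - timedelta(minutes=window_minutes)
        candidates = [
            logon for logon in logons
            if logon["user"].lower() == shutdown["user"].lower()
            and t_start <= parse_time(logon["time"]) <= t_end
        ]
        candidates.sort(key=lambda l: parse_time(l["time"]), reverse=True)
        results.append({"shutdown": shutdown, "candidate_logons": candidates})
    return results


def shutdown_sources(events, window_minutes=15):
    """Flatten the correlation into (computer, user, workstation, ip, logon type)
    tuples, one per candidate logon, for quick review."""
    rows = []
    for entry in correlate_shutdowns(events, window_minutes):
        s = entry["shutdown"]
        for logon in entry["candidate_logons"]:
            rows.append((s["computer"], s["user"], logon["workstation"], logon["ip"],
                         LOGON_TYPES.get(logon["logon_type"], "Other")))
    return rows


if __name__ == "__main__":
    for computer, user, ws, ip, kind in shutdown_sources(SAMPLE_EVENTS):
        print(f"{computer}: shutdown by {user}; preceding logon from {ws} ({ip}), {kind}")
```

On the constructed sample this reports a single preceding logon for the EXCHHTCA restart, from WS-FINANCE-07 over RDP, while the unrelated user and the stale logon from the previous evening are excluded by the account match and the time window. In a real review the same logic would be fed from an export of the System and Security logs rather than from the embedded list.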
08-21-2018 01:12 AM