need to audit server



Master of my Domain
one of my employees changed the DATE/TIME on my server (remotely via terminal server)... how do I detected who did it???

i checked the event viewer, but no indicator as too the person accessing control panel to change the time/date.

how do i prevent this from happening again :confused: :eek:


New Member
Normally Administrative tools, Event Viewer, Security would post a success audit event as follows, which should give you a clue.

Process ID: 1256
Process Name: C:\WINDOWS\system32\rundll32.exe
Primary User Name: W&P
Primary Domain: WS2
Primary Logon ID: (0x0,0x104D8)
Client User Name: W&P
Client Domain: WS2
Client Logon ID: (0x0,0x104D8)
Previous Time: 17:15:17 13/04/2010
New Time: 17:15:17 13/04/2010

For more information, see Help and Support Center at



Master of my Domain
it was one of 2 people and they fessed up after i asked... said they were trying to pre-date an entry into the system.... hmmmmm

how do i prevent terminal server individuals from accessing the control panel and start button on the [email protected]!!!!


Caffeine Fiend
Did you give them remote administration rights? If that's the case, then they'll have free range over the system. Unless you purchased a TS license on the server, remote admin is the only built-in RDP available.


Will moderate for food
You shouldn't need to prevent access to things like the Start button or Control Panel (after all, there are plenty of ways around that restriction).

By default, only Admins can change system time. The setting is in Group Policy in User Rights Assignment. I don't have Terminal Server, so I can't give you the exact details.


Master of my Domain
"By default, only Admins can change system time. "

yeah... that's what i though, I'm the only admin on the system... they are listed as power users, but shouldn't be able to do anything that destructive, like changing the clock or screwing with file names/types!!!