I'm doing some forensics to try to figure out which noob updated and rebooted a critical server at the most inopportune moment. Is there any way to determine the user account that launched Windows Update? Specifically on Windows Server 2003.
Windows – Any way to identify what user account launched Windows Update
windowswindows-server-2003windows-update
Best Answer
In my opinion it's more important to make sure that the appropriate controls, understanding, and policies are in place to prevent this from happening again. Make it known to the entire admin group about what happened, why it was the wrong thing to do at the wrong time, why it can't ever happen again, etc., etc.
Too often, companies are focused on spilling blood when mistakes are made (you may be under pressure from the higher-ups to find the culprit) instead of focusing on correcting and preventing the mistakes. Too much finger pointing creates a toxic work environment and leads to poor work, low morale and productivity, and high turnover.