A computer in domain is randomly shut down by someone (he was caught once)!
He uses shutdown /s /f /t 0 /m \\computername
in windows command line to accomplish this.
After the incident some computers randomly shut down several times a week, but maybe not by the same person.
Now the question is: Is it possible to detect / monitor if a computer was shut down remotely, and by who? (eg in Event Viewer)