Monitoring remote shutdown

[Vanguard47]

We have a Windows terminal server at work. Some remote users are accidently shutting down the server when they log off (picking shutdown instead of log off). I am wondering if there is a way to track which logon is responsible for the shutdown? I did have a policy that blocked access to the shutdown feature, but it stopped working when we upgraded to Active Directory, but that is a different problem for a different day. Thanks for any suggestions.

[AWS]

A non-admin should not be able to shutdown the box. Check your security settings. Active directory has a habit of messing up local security policies.