The security officer contacted me with was concern about an administrator looking at files in a user’s home directory. I was asked whether I could watch the files being opened without turning on auditing.
OpenFilesUserSessionAuditor.vbs parses session data, and compiles a list of what files are opened by users over time. The data is written to a temporary database file, and then an Excel report is written. Duplicate entries are not recorded, and you can regulate the maximum size of the database.
I did not find any wrongdoing by any administrator.