I'm doing a server migration and this morning I walked into the server room and noticed that a former employee's login, who's user name hasn't been disabled had accessed the server. His name was in the login and I looked at the audit files and found that he logged on at 2am. He is in his 70's and they don't think that it is likely that he broke in remotely or physically but their password requirements suck, hence me being here to change things.
How can I tell what he has accessed? It's been years since I have had to look into this.
Server std 2003
Thanks in advance.