Pau Lo
files accessed by user

Is there an easy way to get a report of all files accessed/opened by a user on a Windows 2008 file server from a Windows 2008 Citrix server (i.e. WYSE terminal, not a laptop)? Where could evidence be pulled from on either system? I highly suspect, due to the number of users and files, that the local security policy's audit configuration is not capturing files accessed/opened, but I can check.
Kimputer

Open files can be seen in the GUI, start > compmgmt.msc > systemtools > shared folders > open files
Here you can sort on computer name/username/filename

Alternatively, there's the command openfiles, but I like the GUI better. http://technet.microsoft.com/en-us/library/bb490961.aspx
Open Server Manager --> Click Roles - File Services - Share and Storage Management. Choose Action and then Manage Open Files.
Pau Lo (asker)

"Open files can be seen in the GUI, start > compmgmt.msc > systemtools > shared folders > open files
Here you can sort on computer name/username/filename"

Is that only for currently open files? As opposed to a history log of all files opened by a user on a given day?
Pau Lo (asker)

All of these seem geared towards a list of currently open files, whereas we need a list of all files a user opened at any time during a specific day.
btan (asker certified solution)

Pau Lo (asker)

Thanks btan, is there anything in the top 2 tools to determine which user accessed the files, or is it just reporting on last access by "someone"?
Mostly discussed here is enabling auditing. This means your security log in the Event Viewer will show ALL activity, but in order of events. You want a different type of report, probably one that needs to run through the whole security log (which will be big) to generate something you like. This tool I have not seen yet (probably in the paid software area).
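An added example (not code from the thread) of the report described here: a PowerShell script that reads the Security log's file-access audit events (ID 4663) for one user on one day and collapses the event-ordered stream into one line per file. The parameter names, the CSV file name and the path filter are assumptions; it only finds anything where file-system auditing and an audit entry (SACL) on the share were already in place before the day in question.

```powershell
# Added example, not from the thread: build a per-file access report for one user on
# one day from the Security log. Relies on event ID 4663 ("An attempt was made to
# access an object"), which only exists if Object Access / File System auditing is
# enabled AND the shared folder carries an audit entry (SACL); otherwise the log holds
# nothing for these files. Assumed inputs: -User, -Day, -PathFilter.
param(
    [Parameter(Mandatory=$true)] [string]$User,      # SAM account name, e.g. 'jsmith'
    [Parameter(Mandatory=$true)] [datetime]$Day,     # e.g. '2013-05-14'
    [string]$PathFilter = '*'                        # e.g. 'D:\Shares\Finance\*'
)

# Narrow the (large) log at the source: one event ID, one calendar day.
$filter = @{
    LogName   = 'Security'
    Id        = 4663
    StartTime = $Day.Date
    EndTime   = $Day.Date.AddDays(1)
}

$rows = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # The who/what fields live in EventData; the event XML is the reliable way to read them.
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    New-Object PSObject -Property @{
        Time       = $_.TimeCreated
        User       = $d['SubjectUserName']
        ObjectType = $d['ObjectType']
        File       = $d['ObjectName']
        AccessMask = $d['AccessMask']     # e.g. 0x1 = ReadData, 0x2 = WriteData
        Process    = $d['ProcessName']
    }
} | Where-Object { $_.User -eq $User -and $_.ObjectType -eq 'File' -and $_.File -like $PathFilter }

# Collapse the event-ordered stream into one line per file, which is the report wanted.
$report = $rows | Group-Object File | ForEach-Object {
    $sorted = @($_.Group | Sort-Object Time)
    New-Object PSObject -Property @{
        File     = $_.Name
        Accesses = $_.Count
        First    = $sorted[0].Time
        Last     = $sorted[-1].Time
        Masks    = ($_.Group | Select-Object -ExpandProperty AccessMask | Sort-Object -Unique) -join ','
    }
} | Sort-Object Accesses -Descending

$report | Select-Object File, Accesses, First, Last, Masks | Export-Csv -Path (".\{0}-{1:yyyy-MM-dd}.csv" -f $User, $Day) -NoTypeInformation
$report | Format-Table File, Accesses, First, Last, Masks -AutoSize
```

Run it on the file server itself (the 4663 events are written where the files live, not on the Citrix server), and check the Security log's size and retention first, since a rolled-over log means the day is simply gone.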
Pau Lo (asker)

Enabling auditing is OK, but we are after the event; we are seeking whether anything can be done without auditing.
For the LastActivityView tool, it grabs the activities pertaining to the current user logged into the machine, e.g. the files (with this tool executed in the current user login) opened or saved (from the standard Windows Open and Save dialogs, anyway). Probably it can be scripted as a login script and export CSV for each user ... not as clean, but it does the grabbing as long as it runs in that user's login context. Importantly, LastActivityView doesn't need to be running to record this information. Rather, it assembles it from Registry keys and their "last modified" times, your event logs, prefetch files, crash dumps and more. One useful feature of LastActivityView is that you can quickly search for actions by filename, date and file path, allowing you to quickly find what you need.

Worth mentioning is the fact that LastActivityView does come with some limitations related to changes performed to registry keys for example, which could affect the accuracy of the displayed information. Some of these changes can be performed by the user, but even PC maintenance tools could remove records used by the program to display the activity log.

http://www.technibble.com/lastactivityview-create-a-log-of-the-last-actions-made-by-the-user/

For AFind, apparently it does not show the user, but it is useful to list a file's last access time without changing it. So if there is a file of interest you can do the trace back on the access time and correlate with LastActivityView, probably.
To add, I find Autopsy useful as well, as it has an "Autopsy Forensic Browser" for live analysis mode with connection to the target system (local or remote).
http://www.sleuthkit.org/autopsy/features.php
http://www.sleuthkit.org/autopsy/man/autopsy.html
Esp. its File Analysis feature, which displays the target file with column headers that include "UID: The User ID of the file owner." and "GID: The Group ID of the file owner."
http://www.sleuthkit.org/autopsy/help/index.html
Also its keyword search may come in handy, e.g. Autopsy will also prompt you to create a file of unallocated data if one does not exist. This obviously is useful for recovering deleted data. If a string is found in this file, Autopsy will also report the location in the original image.