AD DS: Collect User cmd history
After enabling auditing for event 4688, see post about auditing Microsoft AD DS(TBD). You can collect logs to see cmd activity for a user. I have wrote this powershell function little quick to help me out with this. But I do recommend an greylog for this purpose.