Administrators can use the LastLogonTimeStamp attribute to determine if a user or computer account has recently logged onto the domain. Using this information administrators can then review the accounts identified and determine if they are still needed and take appropriate action.
If you are looking for more "real-time" logon tracking you will need to query the Security Event log on your DC’s for the desired logon events i.e. 528 –Windows XP\2003 and earlier or 4624 Windows Vista\2008 . See this blog post by Eric Fitzgerald for more info. (I think he knows something about auditing)
IMO your best bet for near real-time data is to use an event log collection service to gather all domain controller security event logs to a centralized database. You can then query a single database for the desired logon events. Microsoft’s solution for security event log collection is Audit Collection Services. There are many 3rd party solutions as well.
How it worked before Windows 2003#Prior to Windows Server 2003 administrators had to query the lastLogon attribute to determine the most recent logon of user or computer account. This process was time consuming as the lastLogon attribute is updated only on the DC that validates the logon request. The lastLogon attribute is not replicated. So in the past to determine the most recent logon of a user or computer account the lastLogon attribute had to be queried on all domain controllers (at least in concept) and then the most recent date for lastLogon had to be determined from all the results returned. In Windows 2003 and higher lastLogon still has the same behavior. It is updated only on the validating DC and is never replicated.
Attribute Definition#The LastLogonTimeStamp AttributeTypes is defined as:
- OID of 1.2.840.1135220.127.116.116
- NAME: LastLogonTimeStamp
- DESC: The last time the user logged on
- SYNTAX: 1.2.840.113518.104.22.1686
- USAGE DirectoryOperation
More Information#There might be more information for this subject on one of the following:
- [#1] - The LastLogonTimeStamp Attribute, What it was designed for and how it works - based on 2013-09-25
- [#2] Last-Logon-Timestamp attribute - based on 2013-09-25