how to tell the last time a domain user account has logged in.

The Windows 2003 Server Resource kit has a dll extension for ADU&C that provides more information than you ever thought you would need!

Follow these directions:

To access the custom property page provided by Acctinfo.dll, you must first install and register the file Acctinfo.dll.
To install and register Acctinfo.dll
Copy the file Acctinfo.dll to the %windir%\system32 folder. In Windows Server 2003, this is typically C:\Windows\System32. In Windows 2000, this is typically C:\Winnt\System32.
Open a command window, and type the following (this example assumes that your %windir%\system32 folder is C:\Windows\System32):
regsvr32 c:\windows\system32\acctinfo.dll
If the command is successful, a dialog box appears informing you that Acctinfo.dll has been registered.
More info:
Acctinfo.dll: Additional Account Information Properties Page
Acctinfo.dll is a dynamic link library that, when registered on a computer, adds a new property page (Additional Account Info) to the user object Properties dialog box in Active Directory Users and Computers. This new property page displays information such as the date when a user's password was last set, the date when a user's password will expire, and the dates and times when a user last logged on and logged off. This information is not typically available in Active Directory Users and Computers, for one of two reasons:
In some cases, the information is not actually stored in Active Directory, but instead is calculated only when needed. For example, the date that a user's password will expire is not stored in Active Directory; instead, Active Directory stores the date that the password was last set and the maximum allowed password age (for example, passwords must be set every 60 days). To determine the actual date that a password expires, you typically have to use scripts to retrieve this information and calculate the expiration date. Acctinfo.dll performs these calculations for you.
In some cases, information is stored locally rather than in Active Directory. For example, last logon and last logoff times are stored on each individual domain controller and are not replicated throughout the domain. Acctinfo.dll enables you to determine the last time a user logged on or logged off from a specified domain controller. If users are typically authenticated by the same domain controller, this will tell you when these users last logged on to or logged off from the domain. If users are authenticated by multiple domain controllers, you will need to install Acctinfo.dll on each of these servers and check the account information on each one.
Acctinfo.dll is primarily designed to report information about user passwords, account status, and logons. However, it also includes a mechanism for changing user passwords and for unlocking locked user accounts.
Concepts
Acctinfo.dll adds a custom property page to the user account object Properties dialog box in Active Directory Users and Computers. For more information about Active Directory Users and Computers, see Help and Support Center for Windows Server 2003.
System Requirements
The following are the system requirements for this tool:
Windows Server 2003 or Windows 2000 Server operating system
You must be an Administrator to install Acctinfo.dll.
File Required
Acctinfo.dll
Acctinfo.dll UI
Information retrieved by Acctinfo.dll must be viewed in Active Directory Users and Computers. To view information for a specified account, open Active Directory Users and Computers (either by using the Start menu or by typing dsa.msc in the Run dialog box). Locate and double-click the appropriate user account. In the Properties dialog box, click the Additional Account Info tab.
The Additional Account Info property page displays the following attribute values:
Additional Account Info Property Page
 
Attribute      Description         
Password Last Set      Displays the date and time when the user password was last set.         
Domain Password Policies      Displays password policies for the domain, including the maximum password age and the maximum number of bad passwords allowed before an account is locked out. To view this information, click the Domain PW Info button.         
Password Expires      Displays the date and time when the password will expire. This value is calculated based on the date when the password was last set and the maximum allowed password age. This means that an expiration date will be shown even for accounts for which the password never expires. To verify that an account password will not expire, clicked the Decode button. If the flag UF_DONT_EXPIRE_PASSWD appears, the password will not expire, regardless of the date shown on the Additional Account Info property page.         
User Account Control      Displays values stored in the userAccountControl attribute in Active Directory; these include data such as whether a user's password expires, whether a user requires a smart card to log on, and whether a user account is trusted for delegation. The displayed value (a number such as 512) represents the sum of all the enabled "flags" in the userAccountControl. To view the individual flags that are enabled for an account, click the Decode button to display the userAccountControl Flags dialog box.
In this dialog box, the ADSI constant for each enabled flag is displayed. For example, if a user's password has expired, the value ADS_UF_PASSWORD_EXPIRED is displayed.         
Locked Out      Indicates whether or not a user account is locked out. If an account is locked, you can unlock it by clicking the Set PW On Site DC button.         
Last-Logon-Timestamp      Displays the date and time that a user last logged on to this domain controller.
Note. If you are accessing the Additional Account Info property page from a member server, information will be displayed for the domain controller that authenticated the user logged on to the member server.         
SID and SID History      Displays the security identifier (SID) for the user account. If the user account was migrated from another domain or forest, the SID History button will be available. Clicking this button will display security identifiers that were migrated along with the user account.         
GUID      Displays the globally unique identifier (GUID) for the user account.         
Last Logon      Indicates the date and time that the user last logged on (that is, the date and time that the user was last authenticated by this domain controller).         
Last Logoff      Indicates the date and time that the user last logged off from this domain controller.         
Last Bad Logon Time      Indicates the date and time that the user last failed to log on to this domain controller.         
Logon Count      Indicates the number of times that the user has successfully logged on to this domain controller.         
Bad Password Count      Indicates the number of times that the user has failed to log on to this domain controller because he or she provided an incorrect password.         
User DN, Site, and Domain Controller      Displays the distinguished name for the user account (for example, CN=youngrob,OU=Finance,DC=fabrikam,DC=com), as well as the Active Directory site and the name of the domain controller that last authenticated the user.
To view this information, click the Set PW on Site DC button. To view the site and domain controller information, click the button Just Find Site.
Important. If you click the Set PW On Site DC button, the Change Password on a DC in the Users Site dialog box is displayed. Unless you want to change a user's password, be sure to click Cancel to close this dialog box. Suppose you open this dialog box and then click OK. The user's password will be changed to no password, because the Password and Change Password text boxes are empty. Depending on your domain password policies, this will either result in an error (because blank passwords are not allowed), or will result in the user's password being changed to no password. If you access this dialog box for informational purposes (such as viewing the user's distinguished name), close the dialog box by clicking Cancel.       
Modifying User Account Properties from the Additional Account Info Property Page
Although Acctinfo.dll is primarily designed to display information, it also allows you to perform two commonly required tasks: changing a user's password, and unlocking a locked user account.
Changing a User's Password
On the Additional Account Info property page, click Set PW On Site DC.
In the Change Password on a DC in the Users Site dialog box, type a new password in the Password and Confirm Password text boxes. Optionally, you can also select User Must Change Password At Next Logon. If selected, the user will be able to use their new password to logon to the domain, but will then be prompted to change their password.
Click OK.
You must have the right to reset user passwords for this operation to succeed. If you do not have this right, you will still be able to access the Change Password on a DC in the Users Site dialog box. However, after making the changes and clicking OK, an error message will be displayed, and the password will not be changed.
Unlocking a Locked User Account
On the Additional Account Info property page, click Set PW On Site DC.
In the Change Password on a DC in the Users Site dialog box, type a new password in the Password and Confirm Password text boxes. You cannot unlock a user account in this dialog box without setting a password as well.
Caution
You can select the Unlock Account check box by clicking both the Password and Confirm Password text boxes without typing anything. However, this will result in the user no longer having any password (because the two password boxes will be blank).
Select the Unlock Account check box.
Click OK.