Detect user login in Windows Domain Controller

Solution 1:

As you stated, the DC does not capture logins on a remote computer with cached credentials, as the computer may not always be physically connected to the domain. Instead, you'll have to check his computer directly while his computer is online.

You can use the Event Viewer or the wevtutil command at a command prompt to manage event logs on a remote computer.

  1. Start Event Viewer.
  2. Click the root node, for example Event Viewer (Local), in the console tree.
  3. On the Action menu, click Connect to Another Computer
  4. In the Another computer box, type the name or IP address of the remote computer.
  5. (Optional) Select Connect as another user, click Set User, enter the User name and Password, and then click OK
  6. Click OK

Source: Work with Event Logs on a Remote Computer - Microsoft TechNet

Search for Event 4648 - A logon was attempted using explicit credentials on his computer.

As the description says, it is only when a logon uses explicit credentials. This event is generated on logging in or unlocking even with saved credentials (ie: Remote Desktop).

Note: As with any event, you can do additional filtering to remove any automatically generated events (less common with 4648 and username). The GUI (on the Filter tab) provides filtering on some fields. Using the XML tab, you can filter on any field within the event.