History of logon times in AD?
Solution 1:
You can trawl through all Domain Controller logs looking for EventID 672 (Kerberos Authentication Ticket Granted). If you want to be absolutely sure that the user was subsequently successfully logged in you may want to correlate this with a subsequent event with EventID 673 indicating that there was an actual service ticket granted, not just the ticket-granting ticket that 672 tracks. There is a good write up about these and related EventIDs in this Technet Article.
This is about the only way I know of that can allow you to track historical AD logons after the fact at the domain level if you are not using some third party mechanism or script that is already in place. The content of these Events will contain the user name and the ip-address of the system the logon originated from (the specific details of those fields are in the linked article but are obvious when you look at them). It's important to remember that this will only be of use if you have Domain Controller logs that go back far enough and it can be a lot of work if you have a large number of DC's. There is no way to use these events (or any other kerberos related events) to track logoff times as those are not mediated by domain controllers.
At the workstation level you can dig through the logs looking for Event ID 528 Type 2 to track local interactive logons (even those using Domain Accounts) and EventID 538 type 2 to track logoff events which can give you a better idea of the actual times the user spent logged in. The key problem with these is that they are only useful if you know exactly which systems the user logged in from in the first place. The Type field is critical as there will typically be many more EventID 528\538 events of Type 3 that indicate connection\disconnection from network resources such as file shares etc. You can find more information on these events in this Microsoft KB article.
For Windows 2003 functional level domains the AD keeps a consistent copy of the "LastLogonTimeStamp" attribute replicated across all DC's but that will simply tell you the last successful log on time and wont give you any idea of the history of logons.