Unfortunately, I don't know of one, and neither do my contacts at Microsoft.
The problem is that the domain controller records the last logon time as a property of the user account. This isn't replicated across all the domain controllers, and consequently, you have to get the data from all the controllers and correlate it yourself.
For more information on this topic, visit these other searchSecurity resources:
Best Web Links: Securing Microsoft Products/Applications
This was first published in February 2002