For domain logons enable auditing of account logon events for Domain
Controller Security Policy. Then there will be an event recorded in the
security log viewable through Event Viewer on the domain controller that
authenticated the user which can make it more difficult to track down if you
have multiple domain controllers though a utility like Event Comb allows you
to scan the security logs of multiple computers. If you need to see when
users access another domain computer with their domain accounts , then
enable auditing of logon events [different from account logon events] for
those computers. The link below may be helpful. --- Steve
