Additional Attributes won't work for LastLogontimeStamp. LLTS is not a date field in AD, it is Interger(8) - which means it's a 64-bit number that represents the 100 Nano seconds interval between the last time a user logged in, and January 1, 1601.
I'll wait while you read that again, and I assure you the 1601 is NOT a typo!
According to NIST (National Institute of Standards and Time) - Dec 31, 1600 is Day 0, so Jan 1, 1601 is Day 1. The LLTS shows you how many 100 Nano-Second intervals have transpired between the last login, and Day 1. For instance, my current LLTS is 129565972450818998 - which translates into 7/25/2011 7:12:45 PM (and that is "wrong" as I logged in this morning - more on that later).
It means you can't really retieve it using WF or standard scripting, and in order to get a date from it, you need to perform a calculation against it.
Here is a VB script that does the work so you can see the math it takes to get a usable date (Fill in your full DN):
Set objUser = GetObject("LDAP://YourDistinguishedNamehere")
Set objLastLogon = objUser.Get("lastLogonTimestamp")
intLastLogonTime = objLastLogon.HighPart * (2^32) + objLastLogon.LowPart
intLastLogonTime = intLastLogonTime / (60 * 10000000)
intLastLogonTime = intLastLogonTime / 1440
Wscript.Echo "Last logon time: " & intLastLogonTime + #1/1/1601#
Another thing to note, LastLogon and LastLogonTimeStamp are 2 seperate fields in AD. Last Logon is PER Domain Controller, and is not replicated. LastLogonTimeStamp IS replicated, but not mimmediately. It is replicated every 14 days, so doing a lookup for less than that that will bring back incorrect results. That is why my LLTS is "wrong" - it is reading it from a different DC than the one that processed my logon. If you have a single DC, then no problem, but if you have a large organization with multiple DC's spread around the world, it can be a problem.
You havea few options here. You can adapt this VB script using a script component, then just pass in a DN and you'll get back a date.
Or, you could attach a SQL server to your AD and use a function to get and convert the LLTS. This is what I do, but it does have it's disadvantages.
Powershell is another option, tho I've not tried it.
Lastly, you could use Visual Studio and create a custom DLL that does the reading and conversion, and then create a WF integration components to use it.
Good luck, and let me know if I can help!r
Rob
rob.moore@travelport.com