Also, don't forget that the lastlogon flag is not replicated in pre-SP1 domain controllers.

 

I had the same task and wrote a bit of _VBScript_ to query all DCs in each domain for the "real" last logon date. Then I looked up the Exchange last logon date and the AD creation date, compared the lot, and disabled any account that hadn't logged in.

 

Don't forget to exclude the service accounts and such. Also remember that the last logon only refers to "interactive logons".

 

Anyway my £0.02 worth. 

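The per-DC merge described in the message above, as an added PowerShell example (not the poster's VBScript and not part of the original message). It assumes the ActiveDirectory RSAT module, covers a single domain, skips the Exchange comparison, and only reports; the 90-day threshold and the excluded OU are hypothetical values.

```powershell
# Added example: report-only; nothing is disabled.
Import-Module ActiveDirectory

$StaleDays = 90                                        # assumed threshold
$ExcludeOU = 'OU=Service Accounts,DC=example,DC=com'   # hypothetical service-account OU
$Cutoff    = (Get-Date).ToUniversalTime().AddDays(-$StaleDays)

# lastLogon is stored per DC and not replicated, so ask every DC
# and keep the newest value seen for each account.
$Newest = @{}
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try {
        $users = Get-ADUser -Filter 'Enabled -eq $true' -Server $dc `
                            -Properties lastLogon -ErrorAction Stop
    } catch {
        # A missing DC could hide a recent logon; stop instead of reporting wrong data.
        throw "Could not query $dc, result would be incomplete: $_"
    }
    foreach ($u in $users) {
        $dn = $u.DistinguishedName
        $ft = [int64]$u.lastLogon                      # unset attribute becomes 0
        if (-not $Newest.ContainsKey($dn) -or $ft -gt $Newest[$dn]) {
            $Newest[$dn] = $ft
        }
    }
}

$Report = Get-ADUser -Filter 'Enabled -eq $true' -Properties whenCreated |
    Where-Object { $_.DistinguishedName -notlike "*,$ExcludeOU" } |
    ForEach-Object {
        $ft   = [int64]$Newest[$_.DistinguishedName]
        # lastLogon is a Windows FILETIME (100 ns ticks since 1601, UTC); 0 means never.
        $last = if ($ft -gt 0) { [DateTime]::FromFileTimeUtc($ft) } else { $null }
        # Accounts that never logged on are judged by creation date,
        # so freshly created accounts are not flagged.
        $ref  = if ($last) { $last } else { $_.whenCreated.ToUniversalTime() }
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            LastLogonUtc   = $last
            WhenCreated    = $_.whenCreated
            Stale          = ($ref -lt $Cutoff)
        }
    }

$Report | Where-Object Stale | Sort-Object LastLogonUtc | Format-Table -AutoSize
```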