As a matter of fact, they are tracked in the logon_info table when used to log in via policy manager.
create an AD provider, mark it to 'allow assignment to administrative roles', allocate an AD account for access to a gateway role, login with that AD account, then run the following query in mysql:
select p.name, u.login, u.fail_count, u.last_attempted, u.last_activity, u.state from logon_info u, identity_provider p where u.provider_goid=p.goid;