Are you truly getting random numbers back, or are you getting back SID strings (“S-1-5-####”)?
It’s an interesting problem…I’d expect a DC’s LocalSystem account to resolve domain accounts but can’t say I’ve actually tried.
And I’m not sure whether the ‘last logon’ property will work as expected. In my days as a Windows admin, a common issue was that each DC kept a separate ‘login time’ for each account, when it authenticated to this domain controller - the value was not replicated. So they added a new attribute, (I think it was lastLoginTimeStamp) that gets replicate, I’m not sure which attribute BigFix queries but I’d expect it to be the “local” version.
Maybe better to run an action to run dsquery to get the list, save output to a file, and pull back the results in an analysis.