I'm considering using honeytoken accounts with high privileges (in order to prevent the obvious lure), however how can you prevent abuse as soon as an authentication is made with the account? What's the best practice here?

Ideally I would like the account to be disabled within seconds on all domain controllers.