I had the need a few weeks ago to determine the logon and logoff times of users of our system. Fortunately we have the Windows server event logs captured. They are sent to a syslog server using NTsyslog and we created a basic search capability enabling us to search for all events for a given user between a a date range.
The Windows Security Logging and Other Esoterica blog was very helpful. Specifically the articles Deciphering Account Logon Events, and The Trouble With Logoff Events were very helpful. Randy Franklin Smith’s Windows Security Log Encyclopedia was, as always, an invaluable tool.
I used events 672/673 to identify logon times. In this particular case the user apparently never logged off so determining the actual logoff time was difficult and was an educated guess. We have implemented password protected screen saver via Group Policy. It turns out a 672 event is raised each time a user authenticates to unlock the computer.