In order to "log" the events, you have to turn on certain audit settings on the DCs. Easy to do in a GPO. Use the same GPO to set your security event log appropriately. (2K3 DCs log a LOT of stuff!)
Forcing logoffs is an option on a per-user basis. In my experience, it doesn't work all that well (2K domain, XP clients). YMMV.
Locking the screen is a different GPO setting: It's under the User-Windows side, and should be configured. You may want to enforce this setting in your domain.
IIRC, screen unlocks do appear in the DC logs, and bad password guesses will go to the DC and lock the account. Normally, you can tell from the DC log if a user was left logged in overnight, because you'll continue to see 538/540 events about every two hours, as their Kerberos tickets get refreshed. (That's also what you see during the day.) If you look at the detail codes in a 538/540, you can tell whether the logon is a client logon, a TS logon, and I *think* a screen unlock.
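The overnight check described above can be run over an exported Security log. This is an added example, not part of the original post. The four-column CSV layout, the 20:00-06:00 off-hours window, the three-event minimum and the three-hour gap tolerance are all assumptions, and the sample rows are constructed.

```python
import csv, io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Standard Windows logon type codes found in the event detail.
LOGON_TYPES = {2: "interactive", 3: "network", 7: "unlock", 10: "terminal-services"}

# Constructed sample export (not real log data): time, event ID, user, logon type.
SAMPLE = """\
2005-03-14 17:05:00,540,alice,3
2005-03-14 17:40:00,538,alice,3
2005-03-14 17:45:00,538,alice,2
2005-03-14 18:00:00,538,carol,10
2005-03-14 17:10:00,540,bob,3
2005-03-14 19:12:00,540,bob,3
2005-03-14 21:15:00,540,bob,3
2005-03-14 23:14:00,540,bob,3
2005-03-15 01:16:00,540,bob,3
2005-03-15 03:15:00,540,bob,3
2005-03-15 08:02:00,540,alice,3
"""

def parse(text):
    for ts, eid, user, ltype in csv.reader(io.StringIO(text)):
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), user.lower(), int(ltype)

def off_hours(ts, start=20, end=6):
    return ts.hour >= start or ts.hour < end  # assumed window, wraps past midnight

def left_logged_in(text, min_events=3, max_gap=timedelta(hours=3)):
    """Return {user: longest chain of off-hours 538/540 events spaced <= max_gap}."""
    by_user = defaultdict(list)
    for ts, eid, user, _ in parse(text):
        if eid in (538, 540) and off_hours(ts):
            by_user[user].append(ts)
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        best = run = 1
        for prev, cur in zip(times, times[1:]):
            run = run + 1 if cur - prev <= max_gap else 1  # chain breaks on a long gap
            best = max(best, run)
        if best >= min_events:
            flagged[user] = best
    return flagged

def logon_type_counts(text):
    """Tally 538/540 events by logon type name."""
    return dict(Counter(LOGON_TYPES.get(lt, f"type {lt}") for _, eid, _, lt in parse(text) if eid in (538, 540)))
```

On the sample, `left_logged_in(SAMPLE)` flags only `bob`, whose events keep arriving roughly every two hours through the night.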