I have admin rights to the box but not to the domain. The machine is turned off on the weekends but that is not a problem for the unauthorized user; they have physical access to the box. All they need do is turn it on if it is off or cold boot it if an account is locked.
This is a large university and the sysadmin stuff is decentralized so the help is little and far between. The users probably have accounts but successful logins are not recorded in the Event Viewer so not much info can be gained there. And since this is a semi-public machine (in the main suite of a department office) there is all manner of profiles listed in C:\Documents and Settings\.
According to this ARTICLE LINK, Windows pulls the time from the BIOS first. I can more easily set up a BIOS password on that box, but as a system-wide solution perhaps I can get the date from the time server in the script and check against that...
UPDATE: after checking a bit and changing the date on my test machine, I have found that Windows does not like it when the BIOS date and the date from the last known sync with an authoritative time server are drastically different. It does not allow the user to log in and suggests seeing the sysadmin.
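
Added example, not part of the original post: one way a script could check the local (BIOS-derived) clock against a time server before trusting it, using a plain SNTP query. The server name `time.example.edu`, the 300-second tolerance and all function names are assumptions; the sample reply is constructed for offline testing.

```python
import socket, struct, sys, time

NTP_EPOCH_DELTA = 2208988800   # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
MAX_SKEW = 300                 # assumed tolerance in seconds
TIME_SERVER = "time.example.edu"  # placeholder; use your own time server

def parse_sntp_time(packet):
    """Return the server's transmit time (Unix seconds) from an SNTP reply."""
    if len(packet) < 48:
        raise ValueError("short SNTP reply")
    mode, stratum = packet[0] & 0x07, packet[1]
    secs, frac = struct.unpack("!II", packet[40:48])
    # Mode 4 = server; stratum 0 or a zero timestamp means "unsynchronised".
    if mode != 4 or stratum == 0 or secs == 0:
        raise ValueError("unusable SNTP reply")
    return secs - NTP_EPOCH_DELTA + frac / 2**32

def query_time_server(host, timeout=3.0):
    """Send one SNTP client request (version 3, mode 3) and parse the reply."""
    request = b"\x1b" + 47 * b"\x00"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, 123))
        reply, _ = sock.recvfrom(512)
    return parse_sntp_time(reply)

def clock_within_skew(local_now, server_now, max_skew=MAX_SKEW):
    """True when the local clock agrees with the server within max_skew."""
    return abs(local_now - server_now) <= max_skew

def local_clock_ok(host=TIME_SERVER):
    """Fail closed: no answer from the time server counts as a failed check."""
    try:
        server_now = query_time_server(host)
    except (OSError, ValueError):
        return False
    return clock_within_skew(time.time(), server_now)

def build_sample_reply(unix_time):
    """Constructed SNTP server reply for offline testing (not captured traffic)."""
    secs = int(unix_time) + NTP_EPOCH_DELTA
    frac = int((unix_time % 1) * 2**32)
    return struct.pack("!BBBb", 0x1C, 2, 0, -20) + bytes(36) + struct.pack("!II", secs, frac)

if __name__ == "__main__":
    sys.exit(0 if local_clock_ok() else 1)
```

Because the check fails closed, unplugging the network cable does not make a rolled-back clock pass; the calling script has to treat a non-zero exit as "do not trust the date".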