If you ever need to log on to the local account, you can use the AdmPwd app to show the password. This app is loaded onto DC1 and DC2.
Run the app as administrator and type in the computer name of the machine you need to access. It will display the password and the expiry date, and also allows you to set a new expiry time (this will generate a new random password the next time the machine receives the group policy).
If for whatever reason this does not work and you need to log in with a local account, follow the workaround below to gain access to the laptop. You will need the encryption key from Sophos to run the commands.
To log in when the local user account password doesn't work
Boot into the recovery options from USB or from the Automatic Repair screen. Choose Command Prompt and enter the encryption key.
ren c:\windows\system32\utilman.exe utilman.exe.bak - you may have to change the drive letter depending on where Windows is installed
copy c:\windows\system32\cmd.exe c:\windows\system32\utilman.exe
Exit and reboot as normal
The Ease of Access button now opens a command prompt, which you can use to enable the local admin account and set its password
net user administrator * - sets the password
net user administrator /active:yes - enables the account
Log in with the local admin account
To revert
del c:\windows\system32\utilman.exe
ren c:\windows\system32\utilman.exe.bak utilman.exe
Remember to then disable the local admin account through Windows after a normal login.
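To confirm the revert is complete, the check below (an added example, not part of the original procedure) verifies that utilman.exe is no longer a copy of cmd.exe, that utilman.exe.bak is gone and that the built-in administrator account is disabled. It assumes Windows PowerShell 5.1 or later, run as administrator on the laptop after a normal login; the function name Test-UtilmanRevert is hypothetical.

```powershell
# Added example: post-revert check for the utilman.exe workaround.
# Test-UtilmanRevert is a hypothetical helper name, not part of AdmPwd or Windows.
function Test-UtilmanRevert {
    param(
        # Assumption: the running Windows installation lives under $env:SystemRoot.
        [string]$System32 = (Join-Path $env:SystemRoot 'System32')
    )

    $utilman = Join-Path $System32 'utilman.exe'
    $cmd     = Join-Path $System32 'cmd.exe'
    $backup  = Join-Path $System32 'utilman.exe.bak'
    $issues  = @()

    if (-not (Test-Path -LiteralPath $utilman)) {
        $issues += 'utilman.exe is missing (the ren step of the revert was not run).'
    }
    else {
        # A matching hash means utilman.exe is still the copy of cmd.exe.
        $utilHash = (Get-FileHash -LiteralPath $utilman -Algorithm SHA256).Hash
        $cmdHash  = (Get-FileHash -LiteralPath $cmd -Algorithm SHA256).Hash
        # The original file name sits in the version resource and survives a rename,
        # so it still identifies a cmd.exe copy if cmd.exe itself was updated since.
        $origName = (Get-Item -LiteralPath $utilman).VersionInfo.OriginalFilename
        if ($utilHash -eq $cmdHash -or $origName -like 'cmd*') {
            $issues += 'utilman.exe is still a copy of cmd.exe.'
        }
    }

    if (Test-Path -LiteralPath $backup) {
        $issues += 'utilman.exe.bak still exists (the revert was not finished).'
    }

    # The built-in administrator always has RID 500, even if it has been renamed.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if ($admin -and $admin.Enabled) {
        $issues += "Local account '$($admin.Name)' is still enabled."
    }

    # Reverted is $true only when every check passed.
    [pscustomobject]@{ Reverted = ($issues.Count -eq 0); Issues = $issues }
}

Test-UtilmanRevert | Format-List
```

Reverted : True with an empty Issues list means all three revert steps took effect; any other result lists what is still outstanding.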