>AD will let you see where a user is logged in...
After I posted I remembered one company where the laptop had to be periodically connected to the corporate domain (not sure if it was tied to password expiry or not). Obviously if this happened when working offsite, it meant connecting the laptop to a network (LAN or modem), establishing a VPN and allowing AD to do its stuff. However, for this to happen you had to be in possession of your company-issued security access PIN generator... I think also I had to visit an office 1~2 times a year and connect the laptop to the wired LAN and reboot, so that various other AD-controlled stuff got updated.
I assume therefore that at some time someone in Harrods IT knew a thing or two about security to set this up and to implement HDD encryption (and BIOS password). Obviously, once such an offline system has decided a user password has expired and the user no longer has access to the corporate network and AD, it is effectively a brick - unless the user performs a motherboard jumper reset, HDD reformat etc.
Otherwise, I suspect the guy simply got the password wrong too many times and Windows barred access, requiring the laptop to be taken to IT, who would use their AD/admin access permissions to re-enable the account...
Either way, it would be interesting to know just what security measures were in place to brick the laptop.