They usually connect to our network by a VPN. Right now there is just the (password protected) Administrator account and their domain user account on the laptop. Windows 7 and Server 2008R2 in use here.
I want to change their password or disable/lock their account and have it take immediate effect so that they cannot get to our domain at all, or get to any files on the laptop.
If they're logged in already, do they have to log out first? If they're not logged into the VPN, won't the computer just save their previous password/credentials if they log on when not connected to any network?
Is there another way to do what I want to do?
If they're not connected via VPN, there's nothing you can do. The machine is offline from your perspective, and cached credentials will still work for them. You can disable their account to prevent a VPN connection, but then you will never get control of the machine.
One option would be to let them connect, or instruct them to connect if you have that option from a legal perspective, then lock them out. But they could still remove the disk and get at data unless you are using something like BitLocker.
But your best option is probably to have HR/legal call them and remind them of their obligations with regard to corporate data and assets, and sic law enforcement on them for theft if they don't comply immediately. Provide them a means to send the laptop back to you without them having to pay for postage or packaging (such as FedEx pickup).
There are a few ways to force logoff mentioned in the SuperUser question about a force user logoff script for Windows 7.
There's also
shutdown /l /f
and the fantastic SysInternals suite has PsShutdown.
It will be important to remove the cached credentials from the machine. There are many questions about this, but I don't have a definitive answer or a lab to test this in just yet. Look for https://serverfault.com/search?q=cached+credentials
Alternately, and I'd consider this a better solution but it needs pre-planning, you can obliterate the hard drive's crypto key and then force shutdown the machine. Writing over the encrypted key section with gibberish will prevent the user from ever booting the machine up to read anything again. Further, if you keep a copy of the key on your end, you can still access whatever was on the drive unless they overwrite it by bootdisking.
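The sequence the two answers describe (wait for the laptop to come online, invalidate the disk key while keeping your own copy, disable the account, force a shutdown) can be scripted as follows. This is an added example, not code from either answer. It assumes the laptop's C: volume is protected by BitLocker with a TPM protector, that its numerical recovery password is already stored on your side, and that the script runs as an account with admin rights on the laptop; `$Laptop` and `$User` are placeholders.

```powershell
# Added example (not from the original answers). Run from an admin workstation
# that has the ActiveDirectory module (ships with the Server 2008 R2 RSAT tools).
param(
    [Parameter(Mandatory = $true)][string]$Laptop,  # placeholder: laptop's computer name
    [Parameter(Mandatory = $true)][string]$User     # placeholder: user's sAMAccountName
)
Import-Module ActiveDirectory

# 1. Do nothing until the laptop is reachable, i.e. the user has connected over
#    the VPN. Disabling the account first would stop them from ever connecting.
while (-not (Test-Connection -ComputerName $Laptop -Count 1 -Quiet)) {
    Start-Sleep -Seconds 30
}

# 2. Confirm a recovery password protector exists on the volume. Without one,
#    step 3 would leave the data unreadable for you as well.
#    (Assumes English manage-bde output; the match string is localized.)
$protectors = & manage-bde.exe -protectors -get C: -ComputerName $Laptop
if (-not ($protectors | Select-String -SimpleMatch 'Numerical Password')) {
    throw "No recovery password protector on $Laptop; aborting before forcing recovery."
}

# 3. Delete the TPM-based key protectors. On the next boot the volume only
#    unlocks with the recovery password, which the user does not have.
& manage-bde.exe -forcerecovery C: -ComputerName $Laptop
if ($LASTEXITCODE -ne 0) {
    throw "manage-bde -forcerecovery failed with exit code $LASTEXITCODE"
}

# 4. Disable the domain account so no new VPN or domain logon succeeds.
Disable-ADAccount -Identity $User

# 5. Force an immediate shutdown. Cached credentials no longer matter after
#    this, because the volume will not unlock without the recovery password.
& shutdown.exe /s /f /t 0 /m "\\$Laptop"
```

Step 2 only proves that a recovery protector exists on the volume, not that you hold its value, so verify the stored recovery password before running this.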