Turns out this is actually fairly simple.
On the change password screen, accessed by hitting ctrl+alt-delete at the computer (or remotely*) you can actually edit the user name to something else, such as adding a domain specifier in front of the user name. Yes this works even if the computer is not in the domain but is on the network.
So there are a few ways to go about it.
So what I actually just tested was to connect the the machine remotely. Sent ctrl+alt+del through the remote desktop program. Picked change password. Changed the username, in my case my username with the "mydomain\" prefixed (in front) of it. Change it to your actual domain of course and the exact user name if it differs on the domain. Hit enter. Voila! Done.
So you can do this on any computer you have access to in the domain with any other user, physically/locally or remotely. Open the change user name screen and change the user name to the fully qualified/specified user name, meaning with the domain name in front of it followed by "\", such as: domainname\yourusername.
*= remotely accessing your computer with software such as Microsoft Windows Remote Desktop, Chrome remote desktop, Team viewer etc, and making the equivalent of a ctrl+alt+del. In microsoft Remote desktop by hitting ctrl+alt+end. In Chrome remote desktop, https://remotedesktop.google.com, you do this in a menu.
Of course accessing a machine remotely might or might not meen you need vpn access with the same login that is expired... However hopefully those are two different logins if so.
Cloud services for remote access, such as Chrome remote desktop, team viewer, ssh tunnels, etc are potentially unauthorized/dangerous and most likely prohibited backdoors that could in some cases circumvent this catch-22 situation with an expired vpn access. Make sure you are allowed the make use of those if tempted, they are most likely not, for good reasons.
Best Answer
As from the question-comments you have access to the Active Directory. Go to Active Directory Management Console and right-click -> Find. Do a "Customer Search" and enter in the "Advanced Tab"
This will give you all Accounts from the whole Directory that never changed their initaial set passwords.i