Create a new account in the domain and add it to the Domain Administrators group (gives a clean account to use). Now try it on the system. If the end user is an administrator on their box and removed Domain Administrators from the local administrators group, you have an issue and a rogue user.
You can create a GPO to enforce that the Domain Administrators group is a member of the local administrators group. Create and apply the GPO so that the computer’s object has the policy applied. Either reboot the system or wait for the GPO refresh. Then log into the system using your Domain Administrator’s ID.
See what your company’s policies are on modification of systems and determine if policy enforcement action is required. You may need to work with leadership to create policies if they do not exist.
NOTE: There are other tricks to prevent you from logging into the system. You may have to reload the system and work on policy enforcement.
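The membership check described above can be run across several machines at once. The following PowerShell is an added example, not part of the original answer. It assumes that "Domain Administrators" refers to the built-in Domain Admins group (RID 512), that PowerShell remoting is enabled on the targets, and that the computer names are constructed placeholders.

```powershell
# Added example: report machines whose local Administrators group no longer
# contains Domain Admins. Computer names below are constructed placeholders.
param(
    [string[]]$ComputerName = @('WKSTN-EXAMPLE-01', 'WKSTN-EXAMPLE-02')
)

$check = {
    # S-1-5-32-544 is the well-known SID of the local Administrators group;
    # using the SID avoids problems with renamed or localized group names.
    try {
        $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
    } catch {
        # Enumeration can fail, for example when the group holds orphaned SIDs.
        return [pscustomobject]@{
            Status  = 'EnumerationFailed'
            Members = $_.Exception.Message
        }
    }
    # Domain Admins always has a SID of the form S-1-5-21-<domain>-512.
    $hasDomainAdmins = [bool]($members |
        Where-Object { $_.SID.Value -match '^S-1-5-21-.*-512$' })
    [pscustomobject]@{
        Status  = if ($hasDomainAdmins) { 'OK' } else { 'DomainAdminsMissing' }
        Members = ($members.Name -join '; ')
    }
}

$results = foreach ($computer in $ComputerName) {
    try {
        $r = Invoke-Command -ComputerName $computer -ScriptBlock $check -ErrorAction Stop
        [pscustomobject]@{ Computer = $computer; Status = $r.Status; Members = $r.Members }
    } catch {
        # A machine that refuses the remote session also needs a closer look.
        [pscustomobject]@{
            Computer = $computer
            Status   = 'Unreachable'
            Members  = $_.Exception.Message
        }
    }
}

# Machines flagged DomainAdminsMissing are the ones to review against policy.
$results | Sort-Object Status, Computer | Format-Table -AutoSize -Wrap
```

Run it with the clean domain administrator account so a damaged profile or cached credential does not skew the result.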
You need to know the local administrator password to log in to the machine. If you are on a domain, you can use the domain administrator account to log in as well.