Re: Two questions...
Because of a script! ;)
So if a user is ABC, then his laptop will be called LAPTOP-ABC. The GPO script linked to the Staff Laptops OU parses the computer name, finds the bit after the hyphen and then:
1) Creates a local user with the same username and makes them a local admin;
2) Queries AD for that username to get their forename and surname and adds those to the new local account;
3) Calls PSExec to run "cmd /c" as that user and then terminate, causing their local profile to be created for the first time;
4) Calls PowerShell to use the [ADSI] WinNT:// namespace to expire their local password;
5) Shares their local profile folder with Full Access permissions for that AD user only - then there's a GP Drive Map for when they're logged on with their AD account that maps a drive pointing to that share on \\127.0.0.1, so they can access their local documents when logged on to the network (there are heavy GP restrictions and they can't otherwise access the local hard drive);
6) Copies our Remote Access .wcx file to their local desktop so they can set up their RemoteApp access.
For those commenting about scripting: this whole system is held together with my own (documented) scripts, all of which work perfectly fine as long as there is complete consistency across the board with principles like "profile folder name matches AD username" etc.
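A PowerShell version of steps 1 to 6 above, added here as an illustration and not the poster's own script; it assumes the laptop has RSAT's ActiveDirectory module and PsExec.exe on the path, runs as a computer startup script, and the .wcx source path is a placeholder.

```powershell
# Added example (not the original script): rebuild the LAPTOP-<user> provisioning flow.
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

# Derive the username from the part of the computer name after the hyphen.
$ComputerName = $env:COMPUTERNAME
if ($ComputerName -notmatch '^[^-]+-(.+)$') { throw "Computer name '$ComputerName' has no hyphen" }
$UserName = $Matches[1]

# Step 2 (done first so a typo in the machine name fails before any account is created):
# look up forename and surname in AD.
$AdUser   = Get-ADUser -Identity $UserName -Properties GivenName, Surname
$FullName = "$($AdUser.GivenName) $($AdUser.Surname)".Trim()
$DomainAccount = "$((Get-ADDomain).NetBIOSName)\$UserName"

# Step 1: create the local account (idempotent) and add it to Administrators.
# Random initial password; step 4 forces a change at first logon.
$Chars = [char[]]((48..57) + (65..90) + (97..122))
$Plain = -join (1..24 | ForEach-Object { $Chars | Get-Random })
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    $Secure = ConvertTo-SecureString $Plain -AsPlainText -Force
    New-LocalUser -Name $UserName -Password $Secure -FullName $FullName `
        -Description 'Created by LAPTOP-<user> GPO script' | Out-Null
}
Add-LocalGroupMember -Group 'Administrators' -Member $UserName -ErrorAction SilentlyContinue

# Step 3: run "cmd /c" once as the new user via PsExec so the local profile is created.
& psexec.exe -accepteula -u ".\$UserName" -p $Plain cmd /c exit
if ($LASTEXITCODE -ne 0) { throw "PsExec failed with exit code $LASTEXITCODE" }

# Step 4: expire the local password through the [ADSI] WinNT:// namespace.
$Local = [ADSI]"WinNT://$ComputerName/$UserName,user"
$Local.PasswordExpired = 1
$Local.SetInfo()

# Step 5: share the profile folder with Full Access for the matching AD user only.
$ProfilePath = Join-Path $env:SystemDrive "Users\$UserName"
if (-not (Test-Path $ProfilePath)) { throw "Profile folder '$ProfilePath' was not created" }
if (-not (Get-SmbShare -Name $UserName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $UserName -Path $ProfilePath -FullAccess $DomainAccount | Out-Null
}

# Step 6: drop the RemoteApp .wcx file on the new local desktop (source path is a placeholder).
Copy-Item '\\FILESERVER\Deploy\RemoteAccess.wcx' (Join-Path $ProfilePath 'Desktop')
```

The GP Drive Map for the AD logon then points at \\127.0.0.1\<username>, which is the share created in step 5.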