When a laptop/PC is joined/registered under a domain, typically any user account (created in AD) can log in to that machine (regardless of the access method, i.e. 802.1x for an ACS & AD combination).
Looks like you need local control instead of centralized control via AD. Create a local shared account on the machine or on a few laptops, and make sure the intended persons know about it.
HTH
AK