We are completing the VPN migration to AnyConnect, and our security team noticed that the local "ciscovpnuser" Windows user is acting suspiciously, running commands and scripts with policy bypass.
I understand that this user is associated with the Management Tunnel feature, but I need more information:
1. Are there credentials (like passwords) associated with the user?
2. Are those creds the same for all PCs?
3. What commands/scripts are being run and what other activities are performed by the user?
I want to understand the capabilities and expected behavior of this user so we can improve the host-based security event detection.