I strongly recommend a Universal Server.
For one, you won't encounter this problem.
Secondly, you will have 3 distinct administrative backdoors to unlock the laptops for patching, forgotten passwords etc.
If you have an EU who changes the password and forgets it, that's it. No backdoor (apart from the silly recovery questions) With a universal server you have Whole Disk Recovery Tokens, Administrative Bypass, ADKs, all this lovely stuff to make your job a lot easier.
You can even customise the bootguard with your company colour schemes :)