What about a provisioning script run from the windows run key which simply used cached credentials stored on a server somewhere to add the current logged on user to the machine and reset their password by prompting them? Then all the admin would need to do is boot the machine and give it to the user - after they login to Windows the script would prompt them and provision them as long as the machine stayed on the network...
The demo AutoDomain script would do all that for you already - you'd just have to turn off the functionality you didnt need (like user/machine creation etc).
I work for the NHS and we have rolled out this on several laptops which will never connect to the domain. The way we manage this is to have a group within SafeBoot called offline. We then create users and machines based on their asset tag (eg IT123456).
The user will then log on the machine with that asset tag & the departmental owner / line manager will assign & control a password.
The password can never be changed unless group admin decide to do so via reset token.
The department therefore manage there passwords and not us.
The only problem we have found and its down to the department or managers is that the password is poorly managed or forgotten.
New feature in v5.1.7 (Build 5500) should help here
If we go back to the beginning of this thread, one of the first proposed solutions was to simply assign all possible users to the laptop. This solution works well, but causes pain if the laptops are stored in a powered-down or disconnected state. Being stored in this manner results in the local passwords being out of sync, so a loaner laptop user would have to try and guess which of their old passwords was still active on that machine. At that point they'd probably have to call the helpdesk to unlock the machine. This is slow and costly.
The new local self recovery feature solves this problem. If this feature is enabled, the user can fix their password locally. They simply have to answer a set of questions that are stored in the pre-boot environment (like "In what city were you born?"). If they can answer the questions, they can update their password and get into the system. It requires no call to the helpdesk and takes only about a minute to answer the questions.
The only constraint is the total number of users assigned to the machine. The latest versions of EEPC come with a 20MB SafeBoot File System (SBFS). A 20MB SBFS can hold roughly 2,500 users. It is now possible to expand the size of the SBFS up to 512MB to hold more users if necessary. However, deploying large numbers of users (1,000+) to all machines can extend the duration of syncs and more quickly consume the available concurrent connections on the server. This reduces the rate at which you can deploy the product, so it would be best to do this "assign all users approach" to *only* the loaner laptops.