This is slightly off topic, and a fairly advanced topic. Does anyone know how to forcibly change the locally cached credentials for a mobile (Active Directory) account? A little background: I will soon need to build a number of machines that 1) need to be sent internationally to existing employees, and 2) need to be encrypted with FileVault 2 (FV2) prior to being shipped. I would like to avoid both asking for their current password as well as forcibly changing their domain password.
What I would like to do is:
1) Build a machine out and set it up how it should be set up.
2) Create the local account and home directories using "createmobileaccount" and "createhomedir".
3) Set their locally cached password to "something".
4) Disconnect from the network so it can't contact the domain servers.
5) Set up FileVault 2 with "something".
6) Ship the machine.
7) When the associate receives the machine, they connect it to the network.
8) Bypass the FV2 login with "something".
9) On the regular (not FV2) login screen, log in with their real credentials - at which time their FileVault 2 unlock password is updated to their regular domain credentials.
I have tried using every "passwd"/"dscl" utility I know of and even manually editing the ShadowHash field/encoded plist. No luck. Is this just a pipe dream? I'm not an AD guru, is there any way to set a temporary AD password that I can use to set up the machine and then revert to their previous password (without ever knowing it), similar to issuing a temporary VPN pin?
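As an added example that is not part of the original post, the following POSIX shell script covers steps 2 and 5 of the procedure described above: creating the mobile account and home directory, then enabling FileVault 2 for that account by feeding `fdesetup enable -inputplist` a credentials plist on stdin rather than passing the password on the command line. It assumes it runs as root on a macOS machine already bound to Active Directory, that `createmobileaccount`, `createhomedir` and `fdesetup` are present, and that the temporary password is supplied as an argument. Step 3 (rewriting the cached credential) is deliberately left out, since the post reports no working method for it. The assumption that `createmobileaccount` run without a password caches none is labelled in the code; the `DRY_RUN` switch and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post. Provisioning helper for steps 2 and 5
# of the procedure above; assumed to run as root on a macOS machine already bound to AD.
# Step 3 (rewriting the cached password) is intentionally not attempted here.
set -eu

# Full path of the tool (it is not on the default PATH).
CREATEMOBILEACCOUNT=/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount

# Set DRY_RUN=1 to print the privileged commands instead of executing them
# (handy for reviewing the plan on a non-macOS host). DRY_RUN is this example's own switch.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'DRY RUN: %s\n' "$*"
  else
    "$@"
  fi
}

# Escape the characters that would corrupt the plist if the password contains them.
xml_escape() {
  printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# Build the plist that `fdesetup enable -inputplist` reads on stdin (format from man fdesetup).
# Feeding credentials this way keeps them out of `ps` output and the shell history.
make_fdesetup_plist() {
  user=$(xml_escape "$1")
  pass=$(xml_escape "$2")
  printf '%s\n' \
    '<?xml version="1.0" encoding="UTF-8"?>' \
    '<plist version="1.0">' \
    '<dict>' \
    "  <key>Username</key><string>$user</string>" \
    "  <key>Password</key><string>$pass</string>" \
    '</dict>' \
    '</plist>'
}

# Step 2: create the mobile (cached AD) account and its local home directory.
# Assumption of this example: with no -p/-P option no password is cached, and the
# user's real password is cached on their first network login.
create_mobile_user() {
  run "$CREATEMOBILEACCOUNT" -n "$1"
  run createhomedir -c -u "$1"
}

# Step 5: turn on FileVault 2 for that account with the supplied temporary password.
# The plist exists only in a mode-0600 temp file for the duration of the command.
enable_filevault() {
  tmp=$(umask 077 && mktemp "${TMPDIR:-/tmp}/fv.XXXXXX")
  make_fdesetup_plist "$1" "$2" > "$tmp"
  # fdesetup prints the personal recovery key on success; record it in escrow.
  run fdesetup enable -inputplist < "$tmp"
  rm -f "$tmp"
}

# Usage: sh provision.sh <ad-username> <temporary-password>
if [ $# -eq 2 ]; then
  create_mobile_user "$1"
  enable_filevault "$1" "$2"
fi
```

Run it once with `DRY_RUN=1` to review the exact commands before executing them for real; the recovery key that `fdesetup` prints is the only way back into the disk if the temporary password is lost in transit, so capture it before shipping.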