As long as the machines aren't already encrypted with FV, you can
alternatively re-initiate the Apple setup, thus creating a new admin
account with a secure token. That account can be used to provide tokens
to the affected accounts and can be deleted...
