I have been able to configure a package using sysinternal's pspassword tool and set up a program called "reset password" that has a command line like "pspasswd /accepteula administrator Password7" and this works when advertised. My question though is is this secure? Can a user with local admin privileges discover what this command line was even if it is hidden / mandatory etc?

No this isn't secure. Yes, a local admin user can see this in the logs or even query WMI to get it.Jason | http://myitforum.com/cs2/blogs/jsandys | http://blogs.catapultsystems.com/jsandys/default.aspx | Twitter @JasonSandys

Thanks Jason. Time to look for a better method I guess ;) Someday we will be able to do this with a windows 2008 group policy preference.