Kind of in a holding pattern since we need to make sure that the techs will be able to perform what we come up with. Found out there is another procedure to change expired root passwords, we are...
When they get to the final user, they change the password for root and all canned accounts. We just put a default password on that then is in their instructions so they know what it is.