That’s a tricky question. Every user we create in active Directory require an initial password that user will use to connect for the first time. At this step, user account can (and should be configured) to enforce a password change.
From a security point of view there might have some problems with this initial password. It must be communicated to the end-user. If someone have access to the initial password and user identity, he can perform operation on behalf of someone else. To avoid such a situation, one solution can be to disable this account until user contact the help-desk and required activation. Unfortunately this solution may lead to complex situations (eg, email address is not generated for disabled users, …).
Another approach is to be sure that the newly created user cannot be used because nobody know the password. With a random generated password this should be fine. I found an elegant way to respond to this problem with a single PowerShell command : New-ADUser. The trick is to enforce the Smartcard at logon as illustrated bellow :
--> Please see the rest on the blog : http://danstoncloud.com/blogs/simplebydesign/archive/2012/08/26/creating-a-ad-user-without-knowing-it-s-initial-password.aspx