Unfortunately, I don't think there is a legal way of doing it without having the user's consent! Even if you are an Administrator of the domain.

Have you tried to change the password on the domain to see if this could help? I'd be surprised though, since I think that the token having the password and all has to be remade on the next user login or establish a password change by the user itself.

I don't know, but is there a law that could permit you to get your user to sign a kind of legal consent so that when this kind of situation happens, they'd let you use software like @stake LC4 to get their current password, then unlock their station, and finally make sure to inform the user of the changes made to their account? If so, here's your solution...

Good luck!