Unfortunately, users' login scripts are considered "public" information by NT. Despite the fact that this information is stored with the user's account in the domain SAM, ANYONE could view the password argument.

Check it out from the command line:
net user <username> /domain

This procedure would be useful, say, to provide an admin password to use with su.exe. However, any password made visible to the user's security context would be visible to the user, regardless of whether that password were passed as a command line argument, or if it were contained in a file. Again, strong encryption is the only possible solution. Decryption should be handled inside the script, so that it executes in the client's memory space & not transmitted clear text over the network.