Looking at deploying Full Disk Encryption on our laptops.

Ideally we use the PBA and have a UserID / Password prompt at boot and then SSO for Windows Domain login (straight AD, no Novell Network client).

Some laptops have multiple users, which seems to present a challenge. First user is easy - user capture seems to cover that. Some questions on logistics and architecture beyond that...

Q1. Can we provision the "extra" users on a laptop *without* knowing their password?

Q2. What happens when a user changes their AD password on a different computer - not this one - or the AD password is changed administratively by IT staff - how does the PBA handle this?

Q3. As per Q2, but the laptop was off / disconnected / away from the network when the user password was changed on the network - what will the PBA prompt for on next startup?

Q4. Does the PBA purely use a locally cached (and presumably encrypted) hash of the user password, or does it actually query the Domain Controller for the auth, or is it a combination based on whether the DC is available?

Q5. Does the ZENworks Agent insert itself as a password filter in Windows so it can grab the password changes?

Unfortunately our usage model isn't a tidy 1-1 relationship so I am trying to determine the scenarios here. I don't imagine any product will be 100% no touch, and 100% secure. :-)