I do this with a two-pronged approach, sort of. I use our domain join account, but I use a password obfuscator script to convert the "real" password into a different encrypted one, then use that as the new password in the script.