I haven't tried this technique recently, so I'm not sure it still works, but at one time it definitely did, and I'd guess it probably still does.
Call NetUserChangePassword
for that user's account on each of the target computers, but do it from an account that does not have the right to change that users password (e.g., another normal user account). When you call this, you have to pass (among other things) the user's old password. Since you're calling it from an account that isn't allowed to change that user's password, this call will always fail.
What you're interested in is the error code when it fails. If what you passed as the old password is recognized by the system (i.e., is the correct password for the account), the call will fail with ERROR_ACCESS_DENIED
. If the password you pass is incorrect (i.e., not recognized for that account), it'll fail with ERROR_INVALID_PASSWORD
.