Changing Local User Passwords with BigFix

It is possible to use the OpenSSL bits that IBM embeds to facilitate Local User Management to transport encrypted passwords and pipe them into an actionscript similar to the way Local User Management works. In this fashion, encrypted passwords can indeed target groups, even dynamic groups of machines not yet created. We use this custom approach successfully with our automated build process. It does require a common key pair for the group being targeted and assumes proper OpenSSL preparation.

An advantage of using OpenSSL directly is that if you are targeting a large number of endpoints with a single password, it only needs to be encrypted once (assuming you have already distributed the other half of the key pair to your environment). If you did the same thing with Local User Management, it would have to encrypt separately to each endpoint, potentially bogging down your central server if you are sending to a large number of endpoints.

The real fun is combining OpenSSL-encrypted bits with relevance substitution of client-specific bits. You can create a combination of what you have and what you know. Security folks seem to love this approach.

1 Like
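The encrypt-once flow described in the post above, sketched with the `openssl` command line as an added example; it is not part of the original post and not BigFix's own Local User Management code. The file names, the RSA-2048 key with OAEP padding, and the sample password are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: one ciphertext for a whole group, decrypted on each endpoint.
# Paths, key size, padding choice and the password are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One-time preparation: a key pair shared by the targeted group.
# The private half is what gets pre-distributed to the endpoints.
make_group_keypair() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/group_priv.pem" 2>/dev/null
  openssl pkey -in "$WORK/group_priv.pem" -pubout -out "$WORK/group_pub.pem"
}

# Operator side: encrypt once with the public half and emit a single-line
# base64 blob that can be carried as text in the action.
encrypt_password() {  # $1 = plaintext password
  printf '%s' "$1" |
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/group_pub.pem" \
      -pkeyopt rsa_padding_mode:oaep |
    openssl base64 -A
}

# Endpoint side: decode and decrypt with the pre-distributed private half.
# The plaintext goes to stdout so it can be piped into the password-change
# step instead of appearing on a command line.
decrypt_password() {  # $1 = base64 blob taken from the action
  printf '%s' "$1" |
    openssl base64 -d -A |
    openssl pkeyutl -decrypt -inkey "$WORK/group_priv.pem" \
      -pkeyopt rsa_padding_mode:oaep
}

make_group_keypair
blob=$(encrypt_password 'Constructed-Pw-01!')   # encrypted exactly once
# Two simulated endpoints decrypt the same blob with the shared private key.
for endpoint in host-a host-b; do
  if [ "$(decrypt_password "$blob")" = 'Constructed-Pw-01!' ]; then
    echo "$endpoint: decrypted ok (${#blob} base64 chars received)"
  fi
done
```

Because every endpoint in the group holds the same private key, that key's file permissions and rotation schedule decide how well the password is protected.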