That's not easy.
What you can do is either let the people collect their passwords from a central location (I don't know if they are all on the same location?). Another alternative would be to do it per traditional mail. Or maybe there is another trusted third-party where the user can collect its initial password?
However personally I would go with the URL and Token with timeout solution. You are right, that this information is transfered in cleartext. However if an attacker uses this information, you know that this happened, as the legitimate user is not able to set his/her password, resulting in a help desk call. If you transfer a password in plain text, you don't have this advantage (at least if you don't do it with a one-time password).