At work, I'm faced with an interesting task – we're trying to limit the number of people that know high-powered passwords.
[This is an ongoing goal – and we already have many processes in place that achieve this. You'll hear more about this in future.]
The latest investigation of reducing password knowledge centres around service accounts – particularly, one service account that is widespread, and has local administrative access. Not an account we want to have available to everyone, not even to everyone who manages the service!
The goal is, as with other high-powered accounts, to lock the password away, and only reveal it when it's needed to troubleshoot something. Of course, being a password, once you've revealed it to someone, you can't unreveal it.
So you have to change it. Once in the security database, and once on every service instance, so that the service can continue to log on.
But there are hundreds of instances of this service, so the administrators were baulking at the idea of having to enter the password in hundreds of locations.
I didn't like the idea either, but my suggestion was better than that of "set the password once on installation, and hope that nobody abuses their knowledge of the password". It had to be, because we don't allow that around here.
I'll be exploring what I did over the next few days, but here's my start, which may be adequate for many purposes:
C:\> for /f %a in (servers.txt) do sc \\%a config "service-name" password= "new-password"
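The same two-step rotation (once in the security database, once on every instance) as an added PowerShell example, not code from the original post: it generates the new password, resets it in Active Directory, reconfigures and restarts the service on each host in servers.txt, and records the hosts where either step failed so none is left running with the old credential. The service name, the account name, WinRM reachability and the ActiveDirectory module are assumptions.

```powershell
# Added example: rotate a service account password once in AD, then on every host.
# Assumed: ActiveDirectory module present, CIM/WinRM reaches the hosts, caller may
# reset the account and reconfigure the service. Names below are hypothetical.
param(
    [string]$ServiceName = 'service-name',        # hypothetical service name
    [string]$AccountName = 'CONTOSO\svc-example', # hypothetical service account
    [string]$ServerList  = '.\servers.txt'
)

function New-RandomPassword([int]$Length = 32) {
    # 64-symbol alphabet so "byte % 64" has no modulo bias; CSPRNG bytes.
    $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

$newPassword = New-RandomPassword
$secure      = ConvertTo-SecureString $newPassword -AsPlainText -Force

# Step 1: change it once in the security database (Active Directory).
Set-ADAccountPassword -Identity $AccountName.Split('\')[-1] -NewPassword $secure -Reset

# Step 2: change it on every service instance. Win32_Service.Change is the
# programmatic equivalent of "sc config ... password=" (ReturnValue 0 = success).
$failed = @()
foreach ($server in Get-Content $ServerList | Where-Object { $_.Trim() }) {
    try {
        $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $server `
                   -Filter "Name='$ServiceName'" -ErrorAction Stop
        $r = Invoke-CimMethod -InputObject $svc -MethodName Change `
                   -Arguments @{ StartName = $AccountName; StartPassword = $newPassword }
        if ($r.ReturnValue -ne 0) { throw "Change returned $($r.ReturnValue)" }
        # A stored password is only proven good when the service can log on with it:
        # stop, wait for the stop to complete, then start and check the result.
        [void](Invoke-CimMethod -InputObject $svc -MethodName StopService)
        for ($i = 0; $i -lt 30 -and $svc.State -ne 'Stopped'; $i++) {
            Start-Sleep -Seconds 1
            $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $server `
                       -Filter "Name='$ServiceName'"
        }
        $s = Invoke-CimMethod -InputObject $svc -MethodName StartService
        if ($s.ReturnValue -ne 0) { throw "StartService returned $($s.ReturnValue)" }
    } catch {
        $failed += [pscustomobject]@{ Server = $server; Error = $_.Exception.Message }
    }
}
# Hand the password back as a SecureString for the vault; list hosts needing a retry.
[pscustomobject]@{ Password = $secure; Failed = $failed }
```

The cleartext is never written to the console or a transcript; the operator stores the returned SecureString in the password vault and re-runs the host loop for any server in Failed.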