Rotating stored passwords
The crotatepasswd command rotates the password for the specified account from Privileged Access Service. The account can be a system, domain, or database account.
If you execute crotatepasswd specifying the -f option, it ignores any password checkouts and force a password rotation.
To run the crotatepasswd command, you must be logged in as root and the computer where you run crotatepasswd must be registered in Privileged Access Service and the Application-to-Application Password Management feature must be enabled.
As a suggestion, during downtime, have a script execute crotatepasswd. If crotatepasswd succeeds, have the script then call cgetaccount to get the freshly-rotated password.
You can force a password rotation for the account "user" on "DOMAIN1" and ignore any password checkouts by running a command such as: crotatepasswd -T domain -f DOMAIN1/user.