Probably worth submitting a feature request to simply expose this in the GUI without an EA. Unfortunately we have an ITSec policy prohibiting us from storing passwords in scripts (yes, I know, I didn't write it). We use Recon to "catch" systems that we've missed, but that enrolls with an existing admin account, while we created a new one to use with Casper. It would be nice to create a policy to re-enroll with the new account, scoped to systems using the old one.