Note: Please see the Troubleshooting Guide for BladeLogicRSCD user lockout issues for more details on troubleshooting BladeLogicRSCD account lockouts.
ANSWER:
1. The "BladeLogicRSCD" user is created as part of the Windows RSCD Agent install. At install time a random password is generated for this user account.
Since version 8.1.00 the default password of the BladeLogicRSCD user is random (16 alphanumeric and special characters).
For more details on the TSSA user accounts, refer to:
User accounts
2. The BladeLogicRSCD account password is protected using the Windows CryptProtectData function (DPAPI).
3. The password is stored in the registry under "\HKEY_LOCAL_MACHINE\SAM\SAM\BladeLogic\Operations Manager\RSCD". The password is encrypted and stored in the S and E values.
Refer to: BladeLogicRSCDDC Password update
4. Yes. On a domain controller the RSCD agent process runs as the 'BladeLogicRSCDDC' account.
On a non-domain controller the RSCD agent process runs as the 'BladeLogicRSCD' account.
5. The password is randomly generated when the RSCD agent is installed and remains unchanged unless it is updated manually.
6. There is no minimum password length; the maximum is 60 characters.
By default the password contains 16 alphanumeric and special characters.
7. No. The password is stored in the registry protected by the CryptProtectData function.
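Items 2, 3 and 7 above rest on what CryptProtectData (DPAPI) provides. The following PowerShell is an added example, not BMC's code and not the agent's own storage routine: it protects a constructed sample value through the .NET ProtectedData wrapper, which calls the same Win32 function, with machine scope, then shows that the blob does not contain the plaintext, that it round-trips on the same host, and that DPAPI refuses to unprotect it when the protecting context does not match (here simulated with different optional entropy). The sample secret and entropy strings are constructed for the example.

```powershell
# Added example, not BMC's code: demonstrate the CryptProtectData (DPAPI) protection
# named in items 2, 3 and 7 via the .NET ProtectedData wrapper. Run on any Windows host;
# no RSCD agent or registry access is involved.
Add-Type -AssemblyName System.Security    # ProtectedData lives here on Windows PowerShell 5.1

$Scope = [System.Security.Cryptography.DataProtectionScope]::LocalMachine

function Protect-MachineSecret {
    param([Parameter(Mandatory)][string]$Plaintext, [byte[]]$Entropy)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Plaintext)
    # LocalMachine scope: the blob is bound to this host's DPAPI master key, so any
    # process on this host can unprotect it, but a copy taken elsewhere cannot be opened.
    Write-Output -NoEnumerate ([System.Security.Cryptography.ProtectedData]::Protect($bytes, $Entropy, $Scope))
}

function Unprotect-MachineSecret {
    param([Parameter(Mandatory)][byte[]]$Blob, [byte[]]$Entropy)
    $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect($Blob, $Entropy, $Scope)
    [System.Text.Encoding]::UTF8.GetString($bytes)
}

# Constructed sample value, not a real agent password.
$secret  = 'Sample-Secret-16!'
$entropy = [System.Text.Encoding]::UTF8.GetBytes('constructed-optional-entropy')

[byte[]]$blob = Protect-MachineSecret -Plaintext $secret -Entropy $entropy
"Plaintext: $($secret.Length) bytes, protected blob: $($blob.Length) bytes"
"Blob contains the plaintext: " + ([System.Text.Encoding]::UTF8.GetString($blob) -like "*$secret*")

# Same host, same entropy: the round-trip succeeds.
"Round-trip matches: " + ((Unprotect-MachineSecret -Blob $blob -Entropy $entropy) -eq $secret)

# Same host, different entropy: DPAPI refuses, just as it does for a blob copied to
# another machine whose master key does not match.
try {
    Unprotect-MachineSecret -Blob $blob -Entropy ([System.Text.Encoding]::UTF8.GetBytes('wrong')) | Out-Null
    'Unexpected: unprotect succeeded with the wrong entropy'
} catch {
    "Unprotect with the wrong entropy failed as expected: $($_.Exception.GetType().Name)"
}
```

The practical consequence for a defender is the one item 7 states: exporting the registry values does not yield the password, because the ciphertext is only recoverable on the host that produced it.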
8. No. The BladeLogicRSCD user is created on Windows servers only. It is created so that the agent can obtain local privileges on the target server. Whenever a connection is made to a target agent, the connection is first mapped to this user before the exports, users and users.local files are read. The agent uses a technique called user privilege mapping, which allows it to temporarily grant the mapped local user's group privileges to the unprivileged BladeLogicRSCD account. This privilege mapping mechanism lets the agent acquire the mapped local user's group privileges without having to access that user's Windows credentials (user name and password).
9. BladeLogic RSCD agents only perform actions when instructed to by an application server. There is no periodic polling, and agents do not initiate connections back to the application server.
10. When the BladeLogicRSCD user is created, the following privileges are granted to it in the local security policy:
SeBatchLogonRight
SeDenyInteractiveLogonRight
When BSA impersonates a user, the following privilege is also added to the policy:
SeSecurityPrivilege
11. The password of the BladeLogicRSCD user can be reset. Use the 'chapw -r' command to change it to a randomly generated password.
Run 'chapw' without arguments for the complete usage.
For a password change on a domain controller, refer to:
BladeLogicRSCDDC Password update
12. The RSCD agent runs under the "Local System" account. For impersonation to occur, the RSCD agent "logs on" as the BladeLogicRSCD user. Windows API calls are then made which apply the permissions associated with the user it is mapped to. This allows commands to be executed with the permissions and rights of the 'mapped to' user. However, the underlying running user is still the "Local System" account, which does not have access to network resources: "Local System" cannot connect to remote Windows shares.
13. No, a password expiration policy cannot be set for the BladeLogicRSCD user. When a connection is made to the RSCD agent and the password is set to expire, the setting is reset to never expire for the BladeLogicRSCD user. If the password did expire, the RSCD agent would be unusable and would require manual intervention to fix.
14. To change the password on multiple target servers, create an NSH script on the BSA/TSSA console that runs the command below, then execute the script against the target servers to update the password:
chapw -r <Target server name>
15. No, the Windows RSCD agent cannot run without the BladeLogicRSCD user having the 'Log on as a batch job' privilege. The Windows RSCD agent will not work on a server where BladeLogicRSCD lacks this privilege.
16. If the user wants to discontinue use of the BladeLogicRSCD user, they can start using automation principals and Windows user mapping, for Windows targets ONLY.
Considerations for automation principals and Windows user mapping
17. No. For impersonation to occur, the RSCD agent needs to "log on" as the BladeLogicRSCD user. Windows API calls are then made which apply the permissions associated with the user it is mapped to, as configured in the user configuration file. Outside of TSSA, no one can impersonate the 'BladeLogicRSCD' user.
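Items 10, 13 and 15 together describe a checkable local state: the account holds SeBatchLogonRight and SeDenyInteractiveLogonRight, and its password is set to never expire. The following PowerShell is an added example, not BMC's code or a TSSA tool: it exports the local security policy with secedit, parses the user rights assignments, resolves the account's SID, and reports whether that state holds, warning on the two conditions the answers say break the agent. It assumes a non-domain-controller Windows target (Get-LocalUser does not apply on a domain controller, where the account is BladeLogicRSCDDC) and an elevated PowerShell session, which secedit requires.

```powershell
# Added example, not BMC's code: audit the local state of the BladeLogicRSCD account
# against items 10, 13 and 15. Run from an elevated PowerShell on a non-domain-controller
# target; the account name and expected rights are taken from the page.
$AccountName = 'BladeLogicRSCD'

function Get-UserRightsAssignment {
    # Export the local security policy with secedit and parse the [Privilege Rights]
    # section into a hashtable: right name -> list of holders ("*<SID>" or account name).
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $rights = @{}
        $inSection = $false
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
            if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
                $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() })
            }
        }
        return $rights
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

function Test-HoldsRight {
    # secedit writes local accounts as "*<SID>"; some entries may appear as plain names.
    param([hashtable]$Rights, [string]$Right, [string]$Sid, [string]$Name)
    $holders = $Rights[$Right]
    if (-not $holders) { return $false }
    return ($holders -contains "*$Sid") -or ($holders -contains $Name)
}

# Resolve the account's SID so the exported "*S-1-5-21-..." entries can be matched.
$sid = (New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $AccountName).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

$rights = Get-UserRightsAssignment
$user   = Get-LocalUser -Name $AccountName -ErrorAction Stop

$report = [pscustomobject]@{
    Account                   = $AccountName
    Sid                       = $sid
    HasSeBatchLogonRight      = Test-HoldsRight $rights 'SeBatchLogonRight' $sid $AccountName
    HasSeDenyInteractiveLogon = Test-HoldsRight $rights 'SeDenyInteractiveLogonRight' $sid $AccountName
    PasswordNeverExpires      = ($null -eq $user.PasswordExpires)
    Enabled                   = $user.Enabled
}
$report

# Item 15: without 'Log on as a batch job' the agent cannot impersonate, so flag it.
if (-not $report.HasSeBatchLogonRight) {
    Write-Warning "$AccountName lacks SeBatchLogonRight ('Log on as a batch job'); the RSCD agent will not work on this host."
}
# Item 13: the agent resets this on the next connection, but an already-expired password needs manual repair.
if (-not $report.PasswordNeverExpires) {
    Write-Warning "$AccountName password is set to expire; if it expires the agent becomes unusable until fixed manually."
}
# Item 10: interactive logon is expected to be denied for this service account.
if (-not $report.HasSeDenyInteractiveLogon) {
    Write-Warning "$AccountName does not hold SeDenyInteractiveLogonRight; interactive logon is not denied as expected."
}
```

Running this across a fleet (for example through the same NSH-driven distribution item 14 describes for chapw) gives a quick way to spot hosts where a hardening baseline has stripped the batch logon right or where local policy has reintroduced password expiry.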