Create a role or an application role, and add the Windows users to the role? Then they never need to touch the server password; they just have to have access to the network.
If they are not in the application role, they could not get to the database anyway through their regular logins.
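The setup suggested in the post above, written out in T-SQL as an added example that is not part of the original post. The database `SalesDb`, schema `Sales`, Windows group `CORP\SalesAppUsers`, and both role names are assumptions made for illustration, and the password is a placeholder.

```sql
-- Constructed names throughout: SalesDb, Sales schema, CORP\SalesAppUsers.
USE master;
-- Windows-authenticated login for an AD group: SQL Server stores no password
-- for it, so there is no shared SQL credential to hand out.
CREATE LOGIN [CORP\SalesAppUsers] FROM WINDOWS;
GO

USE SalesDb;
GO
-- Map the login into the database, then grant through a role only,
-- never directly to the user.
CREATE USER [CORP\SalesAppUsers] FOR LOGIN [CORP\SalesAppUsers];
CREATE ROLE app_sales_rw AUTHORIZATION dbo;
GRANT SELECT, INSERT, UPDATE ON SCHEMA::Sales TO app_sales_rw;
GRANT EXECUTE ON SCHEMA::Sales TO app_sales_rw;
-- ALTER ROLE ... ADD MEMBER needs SQL Server 2012 or later;
-- older versions use sp_addrolemember.
ALTER ROLE app_sales_rw ADD MEMBER [CORP\SalesAppUsers];
GO

-- Audit check: list who currently holds the role.
SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE r.name = N'app_sales_rw';
GO

-- Application role variant. An application role has no members: the
-- application activates it on its own connection with sp_setapprole and the
-- role's password, and the connection then runs with only the role's
-- permissions until it is closed or the role is unset.
CREATE APPLICATION ROLE app_sales_approle
    WITH PASSWORD = N'<placeholder-strong-password>';
GRANT SELECT, INSERT, UPDATE ON SCHEMA::Sales TO app_sales_approle;
GO

-- Run by the application right after it connects (placeholder password):
EXEC sys.sp_setapprole
    @rolename = N'app_sales_approle',
    @password = N'<placeholder-strong-password>';
```

With the application role variant, the connecting Windows users need only CONNECT on the database and no object permissions of their own, so a direct connection from another client tool reaches nothing in the `Sales` schema.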