Thank you for the answer. Solution I have developed and tested is quite straight forward:
For AD users
Get-ADUser -Filter {PasswordNotRequired -eq $true} (this will give you the list of user accounts so you can check them and even export list if needed)
Get-ADUser-Filter {PasswordNotRequired -eq $true} | Set-ADUser -PasswordNotRequired $false (this uses the found users and disable the flag on account)
For AD Computers
Get-ADCompuer-Filter {PasswordNotRequired -eq $true} (this will give you the list of computer accounts so you can check them and even export list if needed)
Get-ADCompuer-Filter {PasswordNotRequired -eq $true} | Set-ADCompuer-PasswordNotRequired $false (this uses the found users and disable the flag on account)
This is tested and works for me quite well.
But I am still looking for answer why this is standard behavior for computer objects and how to prevent it from happening.
Also if it can be abused similar way as user accounts.