What is a one sentence summary of your feature request?
Allow/Force AD Users to change their password over the PAM or RAG web portal
Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.
When adding a new user over Active Directory to access resources over PAM or RAG, the user should be able (or forced, when the option “User must change password at next logon” is set in AD) to change their own password when logging in for the first time, or at any time afterwards, using PAM or RAG.
So the initial password, which is often sent by mail, is useless after the first login in PAM/RAG, and the user can set their own (within the Active Directory password policy).
How do you currently solve the challenges you have by not having this feature?
Less security and/or less comfort by keeping the initial password.
Welcome to the Netwrix community and thank you for the feedback.
I need some clarification, however. If a new user is created in AD with that option, they will have to change their password the next time they log in. Then, if they are added to NPS, they can just use those credentials. Are you thinking of a new (managed) account added to AD, where the very first use would be when NPS tries to connect? In that case, NPS is generally trying to inject the credentials without the user knowing them. So in this case the admin would set up the new user and configure them in NPS so that the initial password change is not required. NPS can take over and rotate the password before and/or after every session from there. Let me know what I am missing.
I am talking about unmanaged, interactive accounts that are only for logging into NPS. Currently our process goes as follows:
A new AD account is created. The user gets an initial random password.
The user gets permission to log in to NPS via AD group membership. The group is already added in NPS and has access to certain policies and activities.
He logs in to NPS and can create sessions (using another, already created, managed AD account).
But when the AD option is set, the initial log-in account can't log in to NPS, failing with “Invalid Username or Password”. In fact, no account can log in to NPS via the browser when the option is set.
For us, NPS is the only point of contact; the user cannot log into any “normal” Windows system with his account. They log in over NPS/RAG, perform their task and log off/close the browser.