FortiPAM
FortiPAM allows you to protect, isolate and secure privileged account credentials, manage and control privileged user access, and monitor and record privileged account activity.
rbraha
Staff
Article Id 376067
Description This article describes how to change the password of a Windows domain user through FortiPAM.
Scope FortiPAM.
Solution

FortiPAM allows changing passwords manually in secrets using different templates such as Windows Domain Account, Windows Machine, Unix Account, or Windows Domain Account (Samba).

Automatic password changing is also supported for a created secret, based on the parameters specified in the secret settings.

  1. Go to Secrets -> Targets -> Create.

Specify the Name and Classification Tag. Under Default Template select 'Windows Domain Account', under Domain Controller specify the domain controller IP, and under Domain specify the domain FQDN.

Under Advanced Domain Settings, ensure that the Common Name is 'sAMAccountName' and the LDAPS Port used is 636.

Note: Password change will work only when FortiPAM is connected to the LDAP server over port 636 (LDAPS).

Figure 1. Creating Target

 

  2. Go to Secrets -> Secrets -> Create New.

Specify the Name, then select the Folder and the Target created in step 1.

Edit the 'Fields' section and specify the domain user account and its password.

Figure 2. Creating Secret

When the password changer targets Windows AD over LDAPS, both the Change password and Reset password permissions must be enabled for the user in Windows AD.

Figure 4. User permissions

 

  3. From More options, select Change Password.

In Generate next password, select one of the following two options:

  1. Randomly: the new password is generated automatically.
  2. Customized: enter a new password manually.

Note: The Customized option may be disabled if the secret template does not use the password for authentication.

Figure 3. Change Password

 

  4. Go to Log & Report -> Secret Event & Video -> Password Events to verify that the password change succeeded.

Figure 5. Password change succeeded
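The steps above configure FortiPAM's Windows Domain Account changer, which performs the change over LDAPS (port 636) and needs the Change password and Reset password rights on the user. The following is an added example, not FortiPAM or Fortinet code, showing what such a change looks like underneath: how Active Directory expects the new password to be encoded in the unicodePwd attribute, why a reset and a user-style change need different rights, and a TLS-only reachability check of the domain controller on port 636 that can be run before creating the target. The host names, DNs and credentials are placeholders, and the ldap3 module is an assumed third-party dependency that is imported only inside reset_password(), so everything else runs without it.

```python
"""Added example (not Fortinet code): the LDAPS password reset that sits
underneath a Windows Domain Account password changer."""
import socket
import ssl
from typing import Optional, Tuple

LDAPS_PORT = 636  # AD refuses to set unicodePwd over an unencrypted connection

# These are the string values ldap3 uses for its MODIFY_* constants, defined
# locally so the change builder can be used (and tested) without ldap3.
MODIFY_ADD, MODIFY_DELETE, MODIFY_REPLACE = "MODIFY_ADD", "MODIFY_DELETE", "MODIFY_REPLACE"


def encode_unicode_pwd(password: str) -> bytes:
    """AD expects the new password as a double-quoted string encoded in UTF-16LE."""
    return '"{}"'.format(password).encode("utf-16-le")


def unicode_pwd_changes(new_password: str, old_password: Optional[str] = None) -> dict:
    """Build the LDAP modify for unicodePwd.

    Without old_password: an administrative reset, a single REPLACE, which
    requires the 'Reset password' right on the target user.
    With old_password: a user-style change, DELETE old + ADD new in one
    modify, which requires the 'Change password' right.
    A changer that may do either needs both rights, as the article states.
    """
    if old_password is None:
        return {"unicodePwd": [(MODIFY_REPLACE, [encode_unicode_pwd(new_password)])]}
    return {"unicodePwd": [(MODIFY_DELETE, [encode_unicode_pwd(old_password)]),
                           (MODIFY_ADD, [encode_unicode_pwd(new_password)])]}


def ldaps_reachable(host: str, port: int = LDAPS_PORT, timeout: float = 5.0,
                    cafile: Optional[str] = None) -> Tuple[bool, str]:
    """Complete a TLS handshake with the DC on the LDAPS port, without binding.

    Returns (ok, detail). A failure here means the password changer cannot
    work either: wrong port, closed firewall, or a DC certificate the client
    does not trust (pass the issuing CA bundle via cafile).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = tls.getpeercert().get("subject", ())
                return True, "{} handshake ok, certificate subject {}".format(tls.version(), subject)
    except OSError as exc:  # covers socket errors, timeouts and ssl.SSLError
        return False, "{}: {}".format(type(exc).__name__, exc)


def reset_password(dc_host: str, bind_user: str, bind_password: str,
                   target_dn: str, new_password: str, cafile: Optional[str] = None) -> bool:
    """Perform an administrative reset over LDAPS with certificate validation."""
    from ldap3 import Connection, Server, Tls  # assumed dependency (pip install ldap3)

    tls = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=cafile)
    server = Server(dc_host, port=LDAPS_PORT, use_ssl=True, tls=tls)
    conn = Connection(server, user=bind_user, password=bind_password, auto_bind=True)
    try:
        ok = conn.modify(target_dn, unicode_pwd_changes(new_password))
        if not ok:
            # Typical failures: unwillingToPerform (no TLS, or missing right),
            # constraintViolation (password policy rejected the value).
            print("modify failed:", conn.result.get("description"), conn.result.get("message"))
        return ok
    finally:
        conn.unbind()


if __name__ == "__main__":
    # Placeholder values; replace with the real DC, service account and target DN.
    ok, detail = ldaps_reachable("dc01.example.local", cafile="/path/to/ca-bundle.pem")
    print("LDAPS 636 reachable:", ok, "-", detail)
```

unicode_pwd_changes() is the part worth keeping in mind when the change fails with an access error: a REPLACE is a reset and is refused without the Reset password right, while the DELETE/ADD pair is a change and is refused without the Change password right or when the old value is wrong.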

 

Troubleshooting commands to run in the FortiPAM CLI when a password change is failing:

diagnose wad debug enable category secret
diagnose wad debug enable category pwdchg
diagnose wad debug enable level verbose
diagnose debug enable