FortiPAM allows manual password changes in secrets using various templates, such as Windows Domain Account, Windows Machine, Unix Account, or Windows Domain Account (Samba).

Additionally, automatic password changing is also allowed based on parameters specified in the secret settings.

1. Go to Secrets -> Targets -> Create.

Specify Name, Classification Tag,  Default Template select 'Windows Domain Account', Domain- Controller specify Domain IP, Domain section specify 'Domain FQDN'.

Advanced Domain Settings ensure that the Common Name is 'sAMAccountName' and the LDAPs Port used is 636.

Note: Password change will work only when FortiPAM is connected through the LDAP server using port 636.

Figure 1.Creating Target

Note: Domain name should be the FQDN of the domain, not the NETBIOS name.

Run the below command on CMD to get the domain FQDN:

wmic computersystem get domain

2. Go to Secrets -> Secrets -> Create New.

Specify Name, select Folder, and the Target created before in step 1.

Edit the 'Fields' section and specify the user domain account and password.

Figure 2. Creating Secret

When using a password changer on Windows AD by LDAPs, it is required to enable both Change password and Reset password for the user on Windows AD.

Figure 4. User permissions

3. From More options, select Change Password.

In Generate next password, select from the following two options:

1. Randomly: automatically change the password.
2. Customized: enter a new password manually.

Note: The Customized option may be disabled if the secret template does not use the password for authentication.

Figure 3. Change Password

4. Go to Log & Report -> Secret Event & Video -> Password Events.

Figure 5.Password change succeeded

Troubleshooting commands to run in FortiPAM CLI when a password change is failing for some reason:

diagnose wad debug enable category secret

diagnose wad debug enable category pwdchg

diagnose wad debug enable level verbose

diagnose debug enable