Active Directory account password generation and communication

What is the most secure way of generating an Active Directory account password and communicating it only to the end user/their manager?

I've already gone through this document on Compass, but the requirement is not to go with those approaches:

Ideally we don't want the password to be dynamically generated based on PII information from the identity attributes. Also, we do not want to leverage the random password generator rule on the create account page.

I see that this area needs a better approach, as the majority of clients are using custom solutions outside of ISC/IDN to perform password resets.

If any of the audience here has a better way of generating and sharing secure passwords, this would really help.

Thanks in advance,

Hi @Arshad

Then how do you want to generate the password?

After the AD account is created, you can make use of Native Rules (Account After Create), which will trigger a PowerShell script that can be used to:

  1. Generate the password
  2. Set the password in AD
  3. Email/SMS it to the manager/user

This is kinda outside SailPoint's scope.

You can build the same using a Workflow as well.
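The three steps above as one script, written as an added example (it is not MVKR7T's code and not a SailPoint-supplied rule). It assumes the ActiveDirectory RSAT module, an account with reset rights on the target user, and an internal SMTP relay; the SMTP host and sender address are placeholders. It also sets the change-password-at-next-logon flag so the delivered value is single-use.

```powershell
#Requires -Modules ActiveDirectory
# Added example for an Account-After-Create style script (assumed names, not SailPoint's own).

function New-RandomPassword {
    param([int]$Length = 20)
    # Draw from a CSPRNG rather than Get-Random; rejection sampling removes modulo bias.
    # Ambiguous glyphs (I, O, l, o, 0, 1) are left out because the value is read by a human.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%^&*-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $chars = New-Object char[] $Length
    $buf   = New-Object byte[] 1
    $limit = 256 - (256 % $alphabet.Length)   # largest multiple of the alphabet size <= 256
    for ($i = 0; $i -lt $Length; $i++) {
        do { $rng.GetBytes($buf) } while ($buf[0] -ge $limit)
        $chars[$i] = $alphabet[$buf[0] % $alphabet.Length]
    }
    $rng.Dispose()
    return -join $chars
}

function Set-InitialAdPassword {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$ManagerEmail,
        [string]$SmtpServer = 'smtp.example.internal'   # placeholder relay, assumed
    )
    # Step 1: generate the one-time value.
    $plain  = New-RandomPassword -Length 20
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

    # Step 2: reset the password and require a change at first logon, so the
    # value the manager receives cannot be reused after the user signs in once.
    Set-ADAccountPassword -Identity $SamAccountName -NewPassword $secure -Reset
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true

    # Step 3: deliver only to the manager, over TLS to the relay. The clear-text
    # value is never written to the rule's log or returned to the caller.
    $body = "Initial password for $SamAccountName : $plain`nIt must be changed at first logon."
    Send-MailMessage -To $ManagerEmail -From 'iam-noreply@example.internal' `
        -Subject "Initial credentials for $SamAccountName" -Body $body `
        -SmtpServer $SmtpServer -UseSsl

    $plain = $null
}

# Usage from the rule (constructed values):
# Set-InitialAdPassword -SamAccountName 'jdoe' -ManagerEmail 'manager@example.internal'
```

Send-MailMessage is kept here because it ships with PowerShell, but it is marked obsolete by Microsoft; in production swap in your mail platform's authenticated API.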
Hi @MVKR7T,

This seems to be a great approach. Do you have any workflow JSON which can perform setting the AD password and the change-password-on-next-logon flag?

Thanks & Regards,
Kavindar Sharma

I have not built it yet, but it is on my bucket list. I will share it once it is ready.