RSA Windows Agents have the capability to do windows password integration:
On first logon of [username], the RSA agent can capture the windows password, and
store it on the RSA server next to the [username].
Next time [username] logs into windows, they use the token, but the windows password is fetched
from the RSA server and replayed to Microsoft in the background. So, if this is set up correctly, you might
be able to use windows password integration and it will avoid anyone needing the password, except for that first
time of storing it (or changing it). If Microsoft doesn't like the password, or it is due to change, then the
agent allows the popups to change or retype password...etc.
If you use RDP to go to another 'Windows machine with an RSA agent on it', there may be no way to avoid
that initial RDP password you need to type before the connection reaches the server with the RSA agent
on it.
Now, will this work with your setup ? I am not sure, but you may be able to make use of the windows
password integration mechanism. All Windows agents attempt to perform this, and whether it goes on or not,
is handled per user, and polices applied to users based on security domain...
on the RSA Authentication Manager config...it is offline polices on the RSA server which allow or disallow it from working.
