It's standard practice to force a password change on first login if the user didn't set the password themselves (e.g. this is usually what happens on Windows domain accounts). That's a feature that should definitely stay, but it would be worth reviewing the UI to make sure it's entirely clear to the user.
If you wanted to change the sign-up process, you'd have the Site/Sys Admin invite the user via a link in an email and have the user complete a self registration process. Both approaches are valid but the current approach is simplest.