You can allow users to change their Active Directory passwords from the VMware Identity Manager login page if the password has expired or if the Active Directory administrator has reset the password, forcing the user to change the password at the next login.

You can enable this option per directory by selecting the Allow Change Password option in the Directory Settings page.

When a user tries to log in with an expired password, the user is prompted to reset the password. The user must enter the old password as well as the new password. The requirements for the new password are determined by the Active Directory password policy. The number of tries allowed also depends on the Active Directory password policy.

Users can reset their Active Directory password from VMware Identity Manager only in the following scenarios:

- The password has expired.

- The Active Directory administrator has reset the password in Active Directory, forcing the user to change the password at the next login.

The following limitations apply.

- The Allow Change Password option is not available for Active Directory environments that use a global catalog.

- The password of a Bind DN user cannot be reset from VMware Identity Manager, even if it expires or the Active Directory administrator resets it.

  Note

  Using a Bind DN user account with a non-expiring password is recommended.

- Passwords of users whose login names consist of multibyte characters (non-ASCII characters) cannot be reset from VMware Identity Manager.

To enable the Allow Change Password option, the following are required:

- You must use a Bind DN user account, and that account must have write permissions in Active Directory.

- Port 464 must be open on the domain controller.
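As an added check that is not part of this documentation or of the product, the Python below encodes the two eligible scenarios and the limitations above as a preflight over Active Directory user attributes (pwdLastSet, userAccountControl and the domain maxPwdAge), so an administrator can see in advance which accounts will and will not be able to reset through VMware Identity Manager. It assumes the domain default password policy applies (fine-grained password policies are not considered) and uses constructed sample accounts.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl bit: password never expires
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # pwdLastSet is a FILETIME

def filetime(dt):
    """Aware datetime -> AD FILETIME (100-ns ticks since 1601-01-01 UTC)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def max_pwd_age(raw):
    """Domain maxPwdAge is a negative 100-ns interval; -2**63 means 'never'."""
    return None if raw == -(2 ** 63) else timedelta(microseconds=-raw // 10)

@dataclass
class AdUser:
    sam_account_name: str
    pwd_last_set: int           # 0 = administrator forced a change at next login
    user_account_control: int

def reset_eligibility(user, domain_max_age, bind_dn_sam, now):
    """Return (eligible, reason) following the scenarios and limitations above."""
    if user.sam_account_name.lower() == bind_dn_sam.lower():
        return False, "Bind DN user: cannot be reset from VMware Identity Manager"
    if not user.sam_account_name.isascii():
        return False, "login name contains multibyte characters"
    if user.pwd_last_set == 0:
        return True, "administrator forced a change at next login"
    if user.user_account_control & DONT_EXPIRE_PASSWORD or domain_max_age is None:
        return False, "password never expires, so it will not become eligible"
    set_at = FILETIME_EPOCH + timedelta(microseconds=user.pwd_last_set // 10)
    if now >= set_at + domain_max_age:
        return True, "password expired"
    return False, "password still valid until " + (set_at + domain_max_age).isoformat()

# Constructed sample accounts (not real data), evaluated at a fixed point in time.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
DOMAIN_MAX_AGE = max_pwd_age(-90 * 24 * 3600 * 10_000_000)  # 90-day domain policy
BIND_DN_SAM = "svc-vidm-bind"
SAMPLE_USERS = [
    AdUser("alice", filetime(datetime(2023, 10, 1, tzinfo=timezone.utc)), 0x200),  # expired
    AdUser("bob", 0, 0x200),                                                      # forced change
    AdUser("carol", filetime(datetime(2024, 2, 1, tzinfo=timezone.utc)), 0x200),  # still valid
    AdUser(BIND_DN_SAM, 0, 0x200 | DONT_EXPIRE_PASSWORD),                         # bind account
    AdUser("ひろし", 0, 0x200),                                                   # non-ASCII name
]

def preflight(users=SAMPLE_USERS, domain_max_age=DOMAIN_MAX_AGE, bind_dn_sam=BIND_DN_SAM, now=NOW):
    return {u.sam_account_name: reset_eligibility(u, domain_max_age, bind_dn_sam, now) for u in users}
```

Running preflight() on the sample set reports alice and bob as eligible and the other three as not, each with the reason drawn from the scenarios and limitations above.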

1. In the administration console, click the Identity & Access Management tab.

2. In the Directories page, select the directory.

3. In the Allow Change Password section, select Enable change password.

4. Enter the Bind DN password in the Bind User Details section, and click Save.