Cause
How can I enable users to change their Active Directory password from their Workspace ONE account?
Resolution
VMware Identity Manager provides a feature where users can change their Active Directory password directly from their Workspace ONE account via the portal or Workspace ONE application. Users can also reset their AD passwords from the VMware Identity Manager login page if the password has expired or if the Active Directory administrator has reset the password, forcing the user to change the password at the next login.
This option can be enabled using the following steps:
In the administration console, click the Identity & Access Management tab.
In the Directories tab, click the directory.
In the Allow Change Password section, select the Enable change password checkbox.
Enter the Bind DN password in the Bind User Details section, and click Save.
Users can change their passwords when they are logged into the Workspace ONE portal by clicking their name in the top-right corner, selecting Account from the drop-down menu, and clicking the Change Password link. In the Workspace ONE app, users can change their passwords by clicking the triple-bar menu icon and selecting Password.
Expired passwords, or passwords that an administrator has reset in Active Directory with the "must change at next logon" flag, can be changed from the login page. When a user tries to log in with an expired password, the user is prompted to set a new one and must enter the old password as well as the new password. The complexity requirements for the new password and the number of attempts allowed are determined by the Active Directory password policy, not by VMware Identity Manager.
Note that the following limitations apply:
When a directory is added to VMware Identity Manager as a Global Catalog, the Allow Change Password option is not available. Directories can be added as Active Directory over LDAP or Integrated Windows Authentication, using ports 389 or 636.
The password of the Bind DN user cannot be reset from VMware Identity Manager, even if it expires or the Active Directory administrator resets it. For this reason, use a Bind DN account whose password is set to never expire; if that password does expire, directory sync and password changes stop working until it is updated in Active Directory and re-entered in the Bind User Details section.
Passwords of users whose login names consist of multibyte characters (non-ASCII characters) cannot be reset from VMware Identity Manager.
The Allow Change Password option cannot be enabled for ACC directories.
The following prerequisites must be met in order to utilize this feature:
Port 464 (the Kerberos password change service, kpasswd) must be open from the VMware Identity Manager connector to the domain controllers; the existing LDAP ports (389 or 636) are still needed for authentication and directory sync.
The Allow Change Password option is only available with connector version 2016.11.1 and later.
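The following PowerShell script is an added example, not part of this KB article or of the VMware product, for checking the prerequisites and limitations above from the Windows host that runs the connector before enabling the option. It assumes the RSAT ActiveDirectory module is installed, that the account running it can read directory objects, and that the Bind DN account's sAMAccountName is passed in (the example value 'svc-vidm-bind' is a placeholder). It reads from Active Directory only and changes nothing.

```powershell
<#
  Added example: pre-flight check for "Allow Change Password" in VMware Identity Manager.
  Run on the Windows host that runs the VMware Identity Manager connector.
  Assumptions (not from the KB): RSAT ActiveDirectory module present; the caller can read
  user objects; -BindUserSamAccountName is the Bind DN account (placeholder 'svc-vidm-bind').
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$BindUserSamAccountName,            # e.g. 'svc-vidm-bind' (assumed name)
    [string]$Domain = $env:USERDNSDOMAIN        # domain whose DCs the connector talks to
)

Import-Module ActiveDirectory -ErrorAction Stop
$results = [System.Collections.Generic.List[object]]::new()

# 1. TCP/464 (Kerberos kpasswd) must be reachable from the connector to every domain
#    controller it may use; 389/636 are checked too because bind and sync depend on them.
$dcs = Get-ADDomainController -Filter * -Server $Domain
foreach ($dc in $dcs) {
    foreach ($port in 464, 389, 636) {
        $probe  = Test-NetConnection -ComputerName $dc.HostName -Port $port -WarningAction SilentlyContinue
        $status = if ($probe.TcpTestSucceeded) { 'PASS' } else { 'FAIL' }
        $results.Add([pscustomobject]@{
            Check  = "TCP $port to $($dc.HostName)"
            Result = $status
            Detail = "Site $($dc.Site)"
        })
    }
}

# 2. The Bind DN account's own password cannot be reset through VMware Identity Manager,
#    so it should be set to never expire, and it must be usable right now.
$bind = Get-ADUser -Identity $BindUserSamAccountName -Server $Domain `
    -Properties PasswordNeverExpires, PasswordExpired, LockedOut, Enabled
$status = if ($bind.PasswordNeverExpires) { 'PASS' } else { 'WARN' }
$results.Add([pscustomobject]@{
    Check  = "Bind account '$BindUserSamAccountName' has PasswordNeverExpires"
    Result = $status
    Detail = 'Recommended: the connector cannot change this password itself'
})
$usable = $bind.Enabled -and -not $bind.PasswordExpired -and -not $bind.LockedOut
$status = if ($usable) { 'PASS' } else { 'FAIL' }
$results.Add([pscustomobject]@{
    Check  = 'Bind account usable (enabled, not expired, not locked)'
    Result = $status
    Detail = "Enabled=$($bind.Enabled) PasswordExpired=$($bind.PasswordExpired) LockedOut=$($bind.LockedOut)"
})

# 3. Users whose login names contain non-ASCII (multibyte) characters cannot reset their
#    passwords through VMware Identity Manager; list them so the help desk knows in advance.
$nonAscii = Get-ADUser -Filter 'Enabled -eq $true' -Server $Domain |
    Where-Object { $_.SamAccountName -match '[^\x00-\x7F]' -or $_.UserPrincipalName -match '[^\x00-\x7F]' }
$status = if (@($nonAscii).Count -eq 0) { 'PASS' } else { 'WARN' }
$results.Add([pscustomobject]@{
    Check  = 'Enabled users with non-ASCII login names'
    Result = $status
    Detail = (@($nonAscii) | Select-Object -First 10 -ExpandProperty SamAccountName) -join ', '
})

$results | Format-Table -AutoSize
```

A FAIL on the 464 probe means the connector will authenticate users but every password change from the portal or login page will fail, so open that port on the firewall between the connector and the domain controllers before turning the option on. The Global Catalog and ACC limitations in the list above cannot be checked from the domain side; confirm in the administration console that the directory was added as Active Directory over LDAP or Integrated Windows Authentication.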