You can provide users the ability to change their Active Directory passwords from the Workspace ONE portal or app whenever they want. Users can also reset their Active Directory passwords from the VMware Identity Manager login page if the password has expired or if the Active Directory administrator has reset the password, forcing the user to change the password at the next login.

You enable this option per directory, by selecting the Allow Change Password option in the Directory Settings page.

Users can change their passwords when they are logged into the Workspace ONE portal by clicking their name in the top-right corner, selecting Account from the drop-down menu, and clicking the Change Password link. In the Workspace ONE app, users can change their passwords by clicking the triple-bar menu icon and selecting Password.

Expired passwords or passwords reset by the administrator in Active Directory can be changed from the login page. When a user tries to log in with an expired password, the user is prompted to reset the password. The user must enter the old password as well as the new password.

The requirements for the new password are determined by the Active Directory password policy. The number of tries allowed also depends on the Active Directory password policy.

The following limitations apply.

  • When a directory is added to VMware Identity Manager as a Global Catalog, the Allow Change Password option is not available. Directories can be added as Active Directory over LDAP or Integrated Windows Authentication, using ports 389 or 636.
  • The password of a Bind DN user cannot be reset from VMware Identity Manager, even if it expires or the Active Directory administrator resets it.

    Using a Bind DN user account with a non-expiring password is recommended.

  • Passwords of users whose login names consist of multibyte characters (non-ASCII characters) cannot be reset from VMware Identity Manager.
Note: The Allow Change Password option cannot be enabled for ACC directories.

Prerequisites

  • The domain functional level of the Active Directory domain controllers must be set to Windows 2008 or later.
  • Port 464 must be open from VMware Identity Manager to the domain controllers. In a SaaS deployment, port 464 must be open from the VMware Identity Manager connector to the domain controllers.
  • The Active Directory must use one of the following UPN formats:
    • Regular UPN format: samaccountname@domain
    • Alternative UPN prefix format: alternativePrefix@domain
    • Alternative UPN suffix format: samaccountname@alternativeSuffix

    The UPN format of alternativePrefix@alternativeSuffix is not supported.

  • Clocks on the connector and the domain controllers must be synchronized.
  • The Allow Change Password option is available with connector version 2016.11.1 and later.

Procedure

  1. In the VMware Identity Manager console, click the Identity & Access Management tab.
  2. In the Directories tab, click the directory.
  3. In the Allow Change Password section, select the Enable change password checkbox.
  4. Enter the Bind DN password in the Bind User Details section, and click Save.