You can provide users the ability to change their Active Directory passwords from the Workspace ONE portal or app whenever they want. Users can also reset their Active Directory passwords from the Workspace ONE Access login page if the password has expired or if the Active Directory administrator has reset the password, forcing the user to change the password at the next login.
You enable this option per directory, by selecting the Allow Change Password option in the Directory Settings page.
Users can change their passwords when they are logged into the Workspace ONE portal by clicking their name in the top-right corner, selecting Account from the drop-down menu, and clicking the Change Password link. In the Workspace ONE app, users can change their passwords by clicking the triple-bar menu icon and selecting Password.
Expired passwords or passwords reset by the administrator in Active Directory can be changed from the login page. When a user tries to log in with an expired password, the user is prompted to reset the password. The user must enter the old password as well as the new password.
The requirements for the new password are determined by the Active Directory password policy. The number of tries allowed also depends on the Active Directory password policy.
The following limitations apply.
- When a directory is added to VMware Workspace ONE Access as a Global Catalog, the Allow Change Password option is not available. Directories can be added as Active Directory over LDAP or Integrated Windows Authentication, using ports 389 or 636.
- The password of a Bind DN user cannot be reset from VMware Workspace ONE Access, even if it expires or the Active Directory administrator resets it.
Using a Bind DN user account with a non-expiring password is recommended.
- Passwords of users whose login names consist of multibyte characters (non-ASCII characters) cannot be reset from VMware Workspace ONE Access.
- The domain functional level of the Active Directory domain controllers must be set to Windows 2008 or later.
- Port 464 must be open from the Directory Sync service to the domain controllers.
- The Active Directory must use one of the following UPN formats:
- Regular UPN format: samaccountname@domain
- Alternative UPN prefix format: alternativePrefix@domain
- Alternative UPN suffix format: samaccountname@alternativeSuffix
The UPN format of alternativePrefix@alternativeSuffix is not supported.
- Clocks on the Directory Sync service host and the domain controllers must be synchronized.
- The Allow Change Password option is available with connector version 2016.11.1 and later.
- In the Workspace ONE Access console, navigate to the page.
- Click the directory you want to configure.
- In the Allow Change Password section, select the Enable change password check box.
- Enter the Bind DN password in the Bind User Details section, and click Save.