Users in the local domain, vsphere.local by default, can change their vCenter Single Sign-On passwords from a Web interface. Users in other domains change their passwords following the rules for that domain.

The vCenter Single Sign-On lockout policy determines when your password expires. By default, vCenter Single Sign-On user passwords expire after 90 days, but administrator passwords such as the password for administrator@vsphere.local do not expire. vCenter Single Sign-On management interfaces show a warning when your password is about to expire.

Note: You can change a password only if it is not expired.

If the password is expired, the administrator of the local domain, administrator@vsphere.local by default, can reset the password by using the dir-cli password reset command. Only members of the Administrator group for the vCenter Single Sign-On domain can reset passwords.


  1. From a Web browser, connect to the Platform Services Controller by specifying the following URL:
    In an embedded deployment, the Platform Services Controller host name or IP address is the same as the vCenter Server host name or IP address.
  2. Specify the user name and password for administrator@vsphere.local or another member of the vCenter Single Sign-On Administrators group.
    If you specified a different domain during installation, log in as administrator@ mydomain.
  3. In the upper navigation pane, to the left of the Help menu, click your user name to pull down the menu.
    As an alternative, you can select Single Sign-On > Users and Groups and select Edit User from the right-button menu.
  4. Select Change Password and type your current password.
  5. Type a new password and confirm it.
    The password must conform to the password policy.
  6. Click OK.