Users in the local domain, vsphere.local by default, can change their vCenter Single Sign-On passwords from a Web interface. Users in other domains change their passwords following the rules for that domain.

The vCenter Single Sign-On lockout policy determines when your password expires. By default, vCenter Single Sign-On user passwords expire after 90 days, but administrator passwords such as the password for administrator@vsphere.local do not expire. vCenter Single Sign-On management interfaces show a warning when your password is about to expire.

Note: You can change a password only if it is not expired.

If the password is expired, the administrator of the local domain, administrator@vsphere.local by default, can reset the password by using the dir-cli password reset command. Only members of the Administrator group for the vCenter Single Sign-On domain can reset passwords.


  1. Log in with the vSphere Client to the vCenter Server connected to the Platform Services Controller.
  2. Specify the user name and password for administrator@vsphere.local or another member of the vCenter Single Sign-On Administrators group.
    If you specified a different domain during installation, log in as administrator@ mydomain.
  3. In the upper navigation pane, to the right of the Help menu, click your user name to pull down the menu.
    As an alternative, you can select Single Sign On > Users and Groups and select Edit User from the vertical ellipsis menu.
  4. Select Change Password and type your current password.
  5. Type a new password and confirm it.
    The password must conform to the password policy.
  6. Click OK.