
# User-Initiated Password Changes

### Function Overview

This function allows the user to change the password of their domain account via the Hideez Client. The user has two options:

1. Change the password only on the Hideez Key (without updating it in Active Directory).\
   In this case, the user continues to use their current password as long as it remains valid in Active Directory.
2. Change the password in both Active Directory and on the Hideez Key simultaneously.\
   In this case, the new password will be used immediately for authentication in both the system and the key.

After the password is changed, the user can sign in without manually entering the password — it is automatically read from the Hideez Key.

**The password change complies with domain security policies, including:**

* password complexity requirements;
* limits on password change frequency;
* defined intervals between changes.

{% hint style="info" %}
To use this feature, the administrator must first create the user’s account on the Hideez Server. Then, the user enters their current password to verify their identity.
{% endhint %}

### Prerequisites

Before starting, ensure that:

* [Integration between the Hideez Server and Active Directory is properly configured.](/hideez-enterprise-server/administration/setting-hes-server-parameters.md#active-directory-on-premises)
* The user is created [manually](/hideez-enterprise-server/employees/how-to-add-an-employee.md) on the [Hideez Server or imported from Active Directory](/hideez-server-integration/microsoft-entra-id/import.md).
* [The user has a Hideez Key with the status “Ready”, “Active” or “Reserved”.](/hideez-enterprise-server/keys-management/keys-statuses.md)
* [The Hideez Client is installed on a workstation joined to the Active Directory domain.](/hideez-client-app/windows-deployment/set-up-hideez-client-app.md)
* [The workstation is approved on the Hideez Server.](/hideez-enterprise-server/workstations/how-to-add-and-approve-workstations.md)

### Step 1. Creating a Domain Account

1. Sign in to the Hideez Server using an administrator account.
2. Navigate to the user list, select the appropriate user, and open their profile.
3. Click **Create personal account**.
4. In the account creation form, fill in the required fields:
   * **Name**\* – a descriptive name for the account;
   * **Login Type** – select **AD Domain Account**;
   * **Login**\*:
     * **Domain** – the name of the Active Directory domain connected to the Hideez Server;
     * **User Logon Name** – the user’s domain login.
5. Select the checkbox **Skip Password** — the user will add the password later via the Hideez Client.
6. Click **Create** to save the account.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXeq1fS0NR8WNRQszg8v7laMaoAo9xYkY1LqnUGYrVqHkv7XAJ3O85el3MG82ffakCGpYk_b3BPgQvxhHsL2ORiyaE_8UZpAsEAiq_HWmSJasRbEdXF0VNrxFqe1nSYqAONlGQMy2g?key=Hn4wVs_Xx2J61rs-jsoWIE4k" alt=""><figcaption></figcaption></figure>

**Example domain account:**

* **Name**\* – John Smith Domain Account
* **Login Type** – AD Domain Account
* **Login**\*:

  * **Domain** – Lab
  * **User Logon Name** – js

  <figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXe0YEZ59swrkxEeDYxvI1CWZ8xL_HSuuP95T0XianFb2oFAaDrxkHU5mGbca7c9RUTgi6Vtm05QizdUlqHXuRi575hWBPS7C4CaAkLn3JynS0xUxW_Yz-tLFcuQQ39dtxmbH_fguQ?key=Hn4wVs_Xx2J61rs-jsoWIE4k" alt=""><figcaption></figcaption></figure>

### Step 2. Initial Computer Unlock

The user signs in to a workstation joined to the Active Directory domain and connects the Hideez Key to the Hideez Client.

### Step 3. Setting the Current Password

After the key is connected, the user account is automatically loaded onto the key from the server. This account is marked with a gear icon and does not contain a password — it cannot be used to unlock the computer until a password is added.

To add a domain password to the account on the key, the user must manually enter their current password via the Hideez Client interface.

**To do this, follow these steps:**

1. Connect the key to the workstation.
2. Wait for the account to appear on the key.
3. Select the corresponding account on the key.
4. Set the current domain password via the **Hideez Client** interface.
5. Save the changes.

<div><figure><img src="/files/zmeT9jXdFqs97GmMAGTS" alt=""><figcaption></figcaption></figure> <figure><img src="/files/nC6ntVzvlUiR27lCzJoQ" alt=""><figcaption></figcaption></figure></div>

After completing these steps, the user can unlock the workstation using this account on the key.

{% hint style="info" %}
**Note:** The password will be saved on the key and automatically read during future sign-ins.
{% endhint %}

### Step 4. User-Initiated Password Change via Hideez Client

The user can independently change the password of their domain account — it will be updated on both the Hideez Key and in Active Directory.

**Procedure:**

1. Connect the Hideez Key to the Hideez Client and launch the application.
2. Select the account marked with the gear icon.
3. Click **Edit**.

<figure><img src="/files/zmeT9jXdFqs97GmMAGTS" alt="" width="563"><figcaption></figcaption></figure>

4. To change the domain account password, select the **Change logon password** checkbox.

<figure><img src="/files/Ox7pdVtl26gVBLyuu18o" alt="" width="563"><figcaption></figcaption></figure>

5. Enter the new password.
6. Click **Save**.

**When saving the new domain user password, the following occurs:**

* The current (old) password is read from the key.
* The old and new passwords are used to initiate the password change in Active Directory using the Windows API.
* If the change is successful, the new password is saved on the key, replacing the previous one.

{% hint style="info" %}
**Additional Notes**

* The new password must not match any of the previous passwords used for this account.
* Your domain’s password policy must permit a password change at the time of the operation. For example, if a minimum interval between password changes is enforced (e.g., no more than once every 24 hours), and the previous password was changed recently, the system will block the new change until the interval expires.
* In a hybrid infrastructure, the password will be updated in both the local Active Directory and Azure AD (if synchronization is configured).
* [Refer to Microsoft’s documentation on Active Directory password policies for more information.](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/enforce-password-history)
{% endhint %}
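
When a change from the Hideez Client is rejected, an administrator can check which password policy applies to the account and when the minimum interval expires. The script below is an added example, not part of the Hideez product or its documentation; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, the function name `Get-PasswordChangeReadiness` is hypothetical, and `js` is the sample logon name from Step 1.

```powershell
# Added example: requires the ActiveDirectory module (RSAT).
# 'js' is the sample logon name from this page; replace it for a real check.
Import-Module ActiveDirectory

function Get-PasswordChangeReadiness {
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity -Properties PasswordLastSet, CannotChangePassword

    # A fine-grained password policy (PSO), if one applies, overrides the domain default.
    $policy = Get-ADUserResultantPasswordPolicy -Identity $Identity
    $source = 'Fine-grained policy'
    if (-not $policy) {
        $policy = Get-ADDefaultDomainPasswordPolicy
        $source = 'Default domain policy'
    }

    # PasswordLastSet is empty when pwdLastSet is 0 (change required at next logon).
    # Assumption in this example: that state is treated as having no waiting period.
    $earliest = if ($user.PasswordLastSet) {
        $user.PasswordLastSet + $policy.MinPasswordAge
    } else {
        Get-Date
    }

    [pscustomobject]@{
        User                 = $user.SamAccountName
        PolicySource         = $source
        MinPasswordAge       = $policy.MinPasswordAge
        PasswordHistoryCount = $policy.PasswordHistoryCount
        ComplexityEnabled    = $policy.ComplexityEnabled
        MinPasswordLength    = $policy.MinPasswordLength
        CannotChangePassword = $user.CannotChangePassword
        EarliestChange       = $earliest
        ChangeAllowedNow     = (-not $user.CannotChangePassword) -and ((Get-Date) -ge $earliest)
    }
}

Get-PasswordChangeReadiness -Identity 'js'
```

`PasswordHistoryCount` shows how many previous passwords Active Directory will refuse, and `EarliestChange` shows when the minimum-age interval ends for this account.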


