![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
7,023 questions
Hi @Anonymous
Yes this is intended behavior. The two methods are using two different AD permissions, as they are intended for two different use cases. The change Password method is designed to allow users to change their own password, while the reset password is used for admins to reset a users password, and doesn't require them to know the users existing password, as this is an admin operation, it does bypass the minimum password age requirement but not the complexity requirements.
The change password method requires the Change Password permission on the user object, typically there are two permissions assigned to a user object, one for Everyone which is used to allow the user to change their password from the Windows GINA (logon screen) and Self to allow the user to change their password after they have logged on.
For the Reset method the Reset Password permission is required on the user object, this normally assigned to an admin or service desk role.
Gary.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 98%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)