This requires the password-reset privilege, and it also requires access control permission to update the password attribute.

You can configure PingDirectory Server to require users to choose a new password after their password has been reset by an administrator. The following password policy properties control this behavior:

force-change-on-add
Indicates whether a user is required to choose a new password the first time they authenticate after their account has been created. This is false by default.
force-change-on-reset
Indicates whether a user is required to choose a new password the first time they authenticate after their password has been reset by an administrator. This is false by default.
max-password-reset-age
The maximum length of time that a user has to change their password after an administrative reset before their account is locked.

If a user is forced to change their password, then the server allows that user to authenticate with the new password provided by an administrator, but the bind response includes the password expired response control (OID 2.16.840.1.113730.3.4.4) and a diagnostic message indicating that they must change their password. The server also rejects any other operation attempted on that connection until the user has chosen a new password; the only operations permitted in that state are the ones that change the password, such as the password modify extended operation or a modification of the user's own password attribute.

If a maximum password reset age is configured and the user does not choose a new password within that length of time after the password reset, then the account is locked and another password reset is required to restore access to it.

See the config/sample-dsconfig-batch-files/configure-password-reset-constraints.dsconfig batch file for more information about forcing users to change their password after an administrative reset.
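The following dsconfig batch file is an added example showing the settings described above. It is not the sample file shipped with the server and not PingDirectory's own code; it assumes the policy being changed is the built-in "Default Password Policy" and uses a 24 hour reset window chosen for illustration. The first (commented-out) command shows the defaults, under which a reset password is accepted indefinitely with no forced change; the second command applies the constraints, and the final command reads the properties back so the change can be verified.

```dsconfig
# Added example (not the shipped sample file). Policy name and the 24 hour
# window are assumptions for illustration.

# Defaults: no forced change after an administrative reset, no time limit.
# A password an administrator set stays valid until it is changed or expires
# under the normal password policy. Left commented out for comparison.
# dsconfig set-password-policy-prop \
#     --policy-name "Default Password Policy" \
#     --set force-change-on-add:false \
#     --set force-change-on-reset:false

# Hardened: a user must choose a new password on first bind after account
# creation or an administrative reset. Until they do, the bind succeeds but
# the response carries the password expired control and every operation other
# than the password change is rejected. If the user does not change the
# password within 24 hours of the reset, the account is locked and an
# administrator must reset the password again.
dsconfig set-password-policy-prop \
    --policy-name "Default Password Policy" \
    --set force-change-on-add:true \
    --set force-change-on-reset:true \
    --set "max-password-reset-age:24 hours"

# Verification: read the effective values back.
dsconfig get-password-policy-prop \
    --policy-name "Default Password Policy" \
    --property force-change-on-add \
    --property force-change-on-reset \
    --property max-password-reset-age
```

Apply the file with dsconfig's --batch-file option using an account that holds the config-write privilege. Two points a practitioner should keep in mind: the administrator performing the reset still needs both the password-reset privilege and access control permission on the password attribute, independently of these policy settings; and a short max-password-reset-age turns a slow help-desk handoff into a locked account, so pick a window that matches how quickly reset passwords actually reach users.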