Use an Alternate Account to Change Passwords (Optional)

For specific application types, Credential Manager can use an alternate master account with sufficient privileges to update a specific target account password. When a user does not have permission to change their own passwords, this alternate account lets Credential Manager synchronize user accounts. If a user changes a password on the target system, Credential Manager can use the master account to override the change and update the password.
capam32
For specific application types, Credential Manager can use an alternate master account with sufficient privileges to update a specific target account password. When a user does not have permission to change their own passwords, this alternate account lets Credential Manager synchronize user accounts. If a user changes a password on the target system, Credential Manager can use the master account to override the change and update the password.
When you add a target account, a tab for the associated application type becomes available. On that application tab, there is a
Change Process
setting. The following page is an example for an LDAP application type:
ChangeProcess_settings.png
To allow the existing target account to change its own password, keep the default option, 
Account can change own password
, selected. The initial password that you enter must be the same as the target account password. The exception is a user with more privileges, such as root, who can update the password.
To use an alternate master account:
  1. Select
    Use the following account to change password.
    For most target accounts, a blank field appears below the radio button.
  2. Select the magnifying glass and search for the target account to use as the alternate. Avoid using the current target account as the alternate. 
    To show the target accounts that are defined in the system, filter by account name or host name. You can also show all target accounts. Typically, the other account is an account of the same application. For example, the password for an Oracle database account is changed by a privileged account on the same database. You can use another account that is associated with a different application. Select compatible combinations.
    The only supported dissimilar account combination is the use of an LDAP or Active Directory account to change the password of a UNIX account.
  3. Some target accounts require additional information:
    MYSQL: Identify the account by specifying the user name and the hostname of the database. Enter the hostname in the
    host-Name Qualifier
    field.