Hi Steve,
The admin user should have full read-only access to query/read the full directory structure.
This is what you need to enable the password change feature for VPN users on the ASA.
LDAP configuration on ASA
--------------------------------------
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD host server-port 636
ldap-base-dn
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-dn
ldap-login-password
ldap-over-ssl enable
server-type Microsoft
NOTE: This will only work with secure LDAP (TCP 636).
VPN configuration on ASA
------------------------------------------
tunnel-group DefaultWEBVPNGroup type remote-access
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group LDAP-AD
default-group-policy DfltGrpPolicy
password-management password-expire-in-days
Settings on the LDAP server
--------------------------------------
We can create a new user account with the password setting "user must change password at next logon" or a specific number of days, whenever you allow users to change their password.
HTH
Regards,
JK
~Jatin
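As an added example (not part of Jatin's post), a small Python audit that reads an ASA config fragment and reports why password management would not work for an LDAP-authenticated tunnel-group: the constructed sample below deliberately uses plain LDAP on 389 without ldap-over-ssl, the command names follow the configuration quoted above, and the host address and DNs are assumed values.

```python
import re

# Constructed sample ASA config fragment (assumed host and DNs, not a real device).
# It deliberately uses plain LDAP on 389 so the checker has something to report.
SAMPLE_CONFIG = """\
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD (inside) host 10.0.0.5
 server-port 389
 ldap-base-dn DC=example,DC=local
 ldap-login-dn CN=asa-ldap,OU=Service Accounts,DC=example,DC=local
 server-type microsoft
tunnel-group DefaultWEBVPNGroup type remote-access
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group LDAP-AD
 default-group-policy DfltGrpPolicy
 password-management password-expire-in-days 7
"""

def parse_blocks(config):
    """Collect indented sub-commands under 'aaa-server X host' and 'tunnel-group X general-attributes'."""
    hosts, tunnels, current = {}, {}, None
    for line in config.splitlines():
        if m := re.match(r"aaa-server (\S+) (?:\(\S+\) )?host \S+", line):
            current = hosts.setdefault(m.group(1), {})
        elif m := re.match(r"tunnel-group (\S+) general-attributes", line):
            current = tunnels.setdefault(m.group(1), {})
        elif line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            current[key] = value          # e.g. {"server-port": "389", "ldap-over-ssl": "enable"}
        else:
            current = None                # any other top-level command ends the block
    return hosts, tunnels

def check_password_management(config):
    """Return findings explaining why ASA password change for LDAP VPN users would not work."""
    hosts, tunnels = parse_blocks(config)
    findings = []
    for tg, attrs in tunnels.items():
        if "password-management" not in attrs:
            continue                      # password change only matters where it is enabled
        group = attrs.get("authentication-server-group", "")
        srv = hosts.get(group, {})        # a missing host block shows up as missing settings
        if srv.get("server-port", "389") != "636":
            findings.append(f"{tg}/{group}: server-port must be 636 (secure LDAP)")
        if srv.get("ldap-over-ssl") != "enable":
            findings.append(f"{tg}/{group}: 'ldap-over-ssl enable' is missing")
        if srv.get("server-type", "").lower() != "microsoft":
            findings.append(f"{tg}/{group}: server-type should be microsoft")
    return findings
```

Paste the output of `show running-config aaa-server` and `show running-config tunnel-group` in place of the sample to audit a real device.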