diff --git a/management/univention-ldap/10univention-ldap-server.inst b/management/univention-ldap/10univention-ldap-server.inst
index 0c3ea5134c..06a6a999a2 100755
--- a/management/univention-ldap/10univention-ldap-server.inst
+++ b/management/univention-ldap/10univention-ldap-server.inst
@@ -32,7 +32,7 @@
 ## joinscript api: bindpwdfile
-VERSION=5
+VERSION=6
 . /usr/share/univention-join/joinscripthelper.lib
 joinscript_init
@@ -248,12 +248,20 @@ if [ "$server_role" = "domaincontroller_master" ]; then
 objectClass: pwdPolicy
 cn: default
 pwdAttribute: 2.5.4.35
- pwdAllowUserChange: FALSE
+ pwdAllowUserChange: TRUE
 pwdLockout: TRUE
 pwdMaxFailure: 5
 pwdFailureCountInterval: 900
 %EOR
 fi
+ if [ $JS_LAST_EXECUTED_VERSION -lt 6 ]; then
+ ldapmodify -D "cn=admin,$ldap_base" -y /etc/ldap.secret <<-%EOR
+ dn: cn=default,cn=ppolicy,cn=univention,$ldap_base
+ changetype: modify
+ replace: pwdAllowUserChange
+ pwdAllowUserChange: TRUE
+ %EOR
+ fi
 fi
 # Create kerberos principal for ldap/hostname.domainname
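Review bot: The new `ldapmodify` call in the `-lt 6` migration block has its exit status ignored, so if the bind fails or `cn=default,cn=ppolicy,cn=univention,$ldap_base` does not exist, the script presumably carries on, records VERSION 6, and the policy stays at `pwdAllowUserChange: FALSE` with no retry on a later run. I would attach a failure handler to the command line, e.g. `ldapmodify -D "cn=admin,$ldap_base" -y /etc/ldap.secret <<-%EOR || die` (assuming the `die` helper from joinscripthelper.lib is what this script uses elsewhere), and quote the version test as `[ "$JS_LAST_EXECUTED_VERSION" -lt 6 ]` so an empty value fails cleanly. The `replace` also overwrites a value an administrator may have set to FALSE deliberately, which deserves a comment above the block such as `# v6: enable user password change in the default ppolicy; overrides a locally set pwdAllowUserChange`. The enclosing `if [ "$server_role" = "domaincontroller_master" ]` block starts outside the hunk, so whether errors are trapped there is not visible.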