Hi Don,
No, it is not currently possible to reset a user's AD (or LDAP) password from the PAM Users GUI. If you would like to see this as a feature in a future release, I would suggest creating an Idea here on the communities!
However, if you have used a properly permissioned AD Bind Account, then your users would be able to reset their own AD password from PAM in the event that their password has expired or their account has been flagged with 'User must change password on next logon'. That being said, with the exception of these 2 conditions, users would NOT be able to change their own password through PAM either. More info on this can be found at the link below in the section titled "Active Directory Tasks":
LDAP - CA Privileged Access Manager - 3.0.2 - CA Technologies Documentation
Snippet from page:
"When a CA Privileged Access Manager User that has been imported from AD attempts to log in following expiration or temporary replacement of an AD password, the next screen that is presented is the User Information page. The user then must use this page to change the password, which then silently propagates the update to AD."
One other option you have would be to vault the same AD accounts into the PAM Target Accounts using a Windows Domain Service or Windows Proxy Target Application. Once vaulted in PAM, you could force the password to change; however, if the user ever changes their password from somewhere else, then PAM may end up out of sync with the AD password. While this is possible, it wouldn't generally be the best way to go for accounts whose passwords are being managed by a real user.
Let me know if there are any questions about this,
-Christian Lutz
Support Engineer
CA Technologies