Windows has a security API called DPAPI (https://en.wikipedia.org/wiki/Data_Protection_API) that is used by Chrome and other applications to encrypt stored credentials.
When changing the password on a Windows machine itself, Windows will re encrypt the stored credentials with the new password (since it knows both the old an new password).
When changing the password outside of the machine (through iManager, LDAP, VMware Horizon View Client, MMC, etc), Windows will need to contact the domain to ask the domain to decrypt the stored credentials (since it does not know the old password anymore).
However, it turns out that DSFW does not currently support DPAPI (Micro Focus SR 02598323). Therefore when a user gets prompted to change their password by (for example) the VMware Horizon View client, they will lose all of their passwords stored by Chrome and multiple other applications get signed out. This is causing a lot of issues for us when implementing a password policy.
Samba however, does have this feature implemented (since 2011): https://git.samba.org/?p=samba.git;a=blob_plain;f=source4/rpc_server/backupkey/dcesrv_backupkey.c;hb=HEAD
DSFW however, is missing these BCKUPKEY objects that are required for this functionality to work: