diff --git a/lib/ansible/modules/cloud/univention/udm_user.py b/lib/ansible/modules/cloud/univention/udm_user.py
index ac2d8acb11e..dcebf500829 100644
--- a/lib/ansible/modules/cloud/univention/udm_user.py
+++ b/lib/ansible/modules/cloud/univention/udm_user.py
@@ -304,6 +304,13 @@ options:
         description:
             - "Define the whole position of users object inside the LDAP tree,
                e.g. C(cn=employee,cn=users,ou=school,dc=example,dc=com)."
+    update_password:
+        required: false
+        default: always
+        description:
+            - "C(always) will update passwords if they differ.
+               C(on_create) will only set the password for newly created users."
+        version_added: "2.3"
     ou:
         required: false
         default: ''
@@ -466,6 +473,9 @@ def main():
                                            type='str'),
             position                = dict(default='',
                                            type='str'),
+            update_password         = dict(default='always',
+                                           choices=['always', 'on_create'],
+                                           type='str'),
             ou                      = dict(default='',
                                            type='str'),
             subpath                 = dict(default='cn=users',
@@ -530,7 +540,7 @@ def main():
             password = module.params['password']
             if obj['password'] is None:
                 obj['password'] = password
-            else:
+            if module.params['update_password'] == 'always':
                 old_password = obj['password'].split('}', 2)[1]
                 if crypt.crypt(password, old_password) != old_password:
                     obj['overridePWHistory'] = module.params['overridePWHistory']