diff --git a/changelog/unreleased/fix-idm-resetpw-service-users.md b/changelog/unreleased/fix-idm-resetpw-service-users.md
new file mode 100644
index 00000000000..8b2eac91805
--- /dev/null
+++ b/changelog/unreleased/fix-idm-resetpw-service-users.md
@@ -0,0 +1,11 @@
+Enhancement: Allow resetting IDM service user passwords
+
+The `ocis idm resetpassword` command now supports a `--user-type` flag
+to select the account type: `user` (default, ou=users) or `service`
+(ou=sysusers). This allows resetting passwords for service accounts
+(libregraph, idp, reva) which live in `ou=sysusers`. Previously, the
+DN was hardcoded to `ou=users`, making it impossible to reset service
+user passwords via the CLI.
+
+https://github.com/owncloud/ocis/pull/12118
+https://github.com/owncloud/ocis/issues/12106
diff --git a/services/idm/pkg/command/resetpw.go b/services/idm/pkg/command/resetpw.go
index bdc37044864..fb0f69a9b5d 100644
--- a/services/idm/pkg/command/resetpw.go
+++ b/services/idm/pkg/command/resetpw.go
@@ -34,6 +34,11 @@ func ResetPassword(cfg *config.Config) *cli.Command {
 Usage: "User name",
 Value: "admin",
 },
+ &cli.StringFlag{
+ Name: "user-type",
+ Usage: "Type of user account: 'user' (ou=users) or 'service' (ou=sysusers)",
+ Value: "user",
+ },
 },
 Before: func(_ *cli.Context) error {
 return configlog.ReturnFatal(parser.ParseConfig(cfg))
@@ -43,12 +48,18 @@ func ResetPassword(cfg *config.Config) *cli.Command { ctx, cancel := context.WithCancel(c.Context) defer cancel() - return resetPassword(ctx, logger, cfg, c.String("user-name")) + + userType := c.String("user-type") + if userType != "user" && userType != "service" { + return fmt.Errorf("invalid --user-type %q: must be 'user' or 'service'", userType) + } + + return resetPassword(ctx, logger, cfg, c.String("user-name"), userType) }, } } -func resetPassword(_ context.Context, logger log.Logger, cfg *config.Config, userName string) error { +func resetPassword(_ context.Context, logger log.Logger, cfg *config.Config, userName string, userType string) error { servercfg := server.Config{ Logger: log.LogrusWrap(logger.Logger), LDAPHandler: "boltdb", @@ -57,7 +68,11 @@ func resetPassword(_ context.Context, logger log.Logger, cfg *config.Config, use BoltDBFile: cfg.IDM.DatabasePath, } - userDN := fmt.Sprintf("uid=%s,ou=users,%s", userName, servercfg.LDAPBaseDN) + ou := "users" + if userType == "service" { + ou = "sysusers" + } + userDN := fmt.Sprintf("uid=%s,ou=%s,%s", userName, ou, servercfg.LDAPBaseDN) fmt.Printf("Resetting password for user '%s'.\n", userDN) if _, err := os.Stat(servercfg.BoltDBFile); errors.Is(err, os.ErrNotExist) { fmt.Fprintf(os.Stderr, "IDM database does not exist.\n")
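Review bot: `resetPassword` still trusts `userType` — everything that is not `"service"` falls through to `ou=users` in the third hunk (`ou := "users"` / `if userType == "service"`), so the only guard is the check in the CLI Action, and any other caller passing an unexpected value would silently reset a password under `ou=users` instead of getting an error. Validating inside the helper and failing closed on anything but the two supported values also keeps the `'user'`/`'service'` literals in one place rather than three (flag usage, Action, helper). The `fmt.Sprintf` that builds `userDN` still interpolates `userName` with no RFC 4514 escaping, so a name containing `,` or `=` changes the structure of the DN; that is pre-existing, but the line is rewritten here and is the natural place to escape the value (recent go-ldap versions expose `ldap.EscapeDN` — confirm the vendored version has it before relying on it). `resetPassword` continues past the end of the hunk.
```go
	// … unchanged: servercfg setup …
	var ou string
	switch userType {
	case "user":
		ou = "users"
	case "service":
		ou = "sysusers"
	default:
		// fail closed: an unknown type must not silently target ou=users
		return fmt.Errorf("invalid user type %q: must be 'user' or 'service'", userType)
	}
	userDN := fmt.Sprintf("uid=%s,ou=%s,%s", userName, ou, servercfg.LDAPBaseDN)
	// … unchanged: database existence check and password reset …
```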