So you want to change your expired passwords in OWA…


Update 10/21/11: Exchange 2010 Service Pack 1 Update Rollup 3 and later supports using a UPN in the change password dialog. Also, please see our TechNet documentation on the subject.

A while back, I posted What you need to know about the OWA Change Password feature of Exchange Server 2007, which highlighted a significant pain point: the loss of the IISADMPWD virtual directory as a supported feature in Windows Server 2008/IIS 7.0. This prevented web client users with expired passwords from changing their password and logging on. It was a problem for many OWA users, especially remote/mobile users with non-domain-joined computers, who had no other way to reach a domain controller to change the password.

Good news! Exchange Server 2010 Service Pack 1 and Exchange Server 2007 Service Pack 3 (running on Windows Server 2008 or Windows Server 2008 R2) include a new feature that allows users with expired passwords to change their password from the OWA logon page. This also works for users whose accounts are configured to change the password on next logon (User must change password at next logon in ADUC).

Use this procedure to enable it on Exchange 2007 SP3 and Exchange 2010 SP1 Client Access servers:

Note: If you are using a CAS Array, you must perform these steps on each CAS in the array.

  1. On the Client Access Server (CAS), click Start > Run, type regedit.exe and click OK.
  2. Navigate to HKLM\SYSTEM\CurrentControlSet\Services\MSExchange OWA.
  3. Right-click the MSExchange OWA key and click New > DWORD (32-bit) Value.
  4. Name the DWORD value ChangeExpiredPasswordEnabled and set its data to 1.
    Note: The accepted values are 1 (or any non-zero value) for “Enabled”, and 0 or blank / not present for “Disabled”.
  5. After you configure this DWORD value, you must reset IIS so the OWA application picks it up. The recommended method is to run IISReset /noforce from a command prompt; it waits for in-flight requests to finish before recycling.
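
The same five steps, scripted for every CAS in the organization so that no member of a CAS array is missed, plus a read-back to confirm the value landed. This is an added example and not part of the original post or a Microsoft-supplied tool; it assumes it is run from the Exchange Management Shell (for Get-ClientAccessServer) and that PowerShell remoting (WinRM) is enabled on each CAS. The function names are made up for this example.

```powershell
# Added example (not from the original post). Assumes: Exchange Management Shell
# for Get-ClientAccessServer, and WinRM remoting enabled on each CAS.
# Function names Enable-/Get-OwaChangeExpiredPassword are invented for this example.

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA'
$valueName = 'ChangeExpiredPasswordEnabled'

function Enable-OwaChangeExpiredPassword {
    param([Parameter(Mandatory=$true)][string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($Path, $Name)
        # The key only exists where the OWA role is installed; fail loudly otherwise.
        if (-not (Test-Path $Path)) { throw "Registry key $Path not found on $env:COMPUTERNAME; is this a CAS?" }
        # -Force overwrites an existing value, so re-running the script is safe.
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
        # The setting is read when the OWA app pool starts; /noforce lets in-flight requests finish.
        & iisreset.exe /noforce | Out-Null
    } -ArgumentList $regPath, $valueName
}

function Get-OwaChangeExpiredPassword {
    param([Parameter(Mandatory=$true)][string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($Path, $Name)
        $v = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
        # Same semantics as the post: any non-zero value is Enabled; 0 or absent is Disabled.
        New-Object PSObject -Property @{
            Server  = $env:COMPUTERNAME
            Value   = $v
            Enabled = ($null -ne $v -and $v -ne 0)
        }
    } -ArgumentList $regPath, $valueName
}

# Enumerate every CAS in the org rather than a hand-typed list.
$cas = Get-ClientAccessServer | ForEach-Object { $_.Name }
Enable-OwaChangeExpiredPassword -ComputerName $cas
Get-OwaChangeExpiredPassword -ComputerName $cas | Format-Table Server, Value, Enabled -AutoSize
```

Run the read-back first if you only want an inventory; a server reporting Enabled = False after the enable step usually means the remoting session lacked local administrator rights to write under HKLM.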

Important: When changing passwords, users can’t use a UPN (for example, johndoe@contoso.com) in the Domain\user name field of the Change Password window unless E2010 SP1 RU3 or later has been deployed on the Client Access servers; on earlier builds they must enter DOMAIN\username.

That’s it. No other steps are required.

Enjoy!

Reference: TechNet: How to Enable the Exchange 2007 SP3 Password Reset Tool

Will Duff


Comments (21)
  1. Julian says:

    Excellent feature!!! It will save IT and HR a lot of time dealing with "users". Thanks!!!

  2. Courtenay says:

    Brilliant. For all of my remote deskless workers, they can now self manage passwords again without calling the Helpdesk.  Thanks indeed.

  3. kswail says:

    Any plans on supporting this feature via UPNs instead of DOMAIN\Username format?  We try as much as possible to enforce UPNs with our users since the DOMAIN\Username notation is foreign to them and they have a hard time remembering it.  UPN on the other hand matches their email address, so it is much more practical for them.

  4. pesos says:

    what KSWail said.  everything, EVERYTHING needs to be UPN-based nowadays…

  5. Eldorado29 says:

    I think so. EVERYTHING needs to be UPN-based !!! [ Hosting Base ]

  7. Danny says:

    Congratulations! This feature is a great improvement. It’ll be excellent for a particular type of user.

  8. sammoh says:

    Really good, even though there are a few limitations.

  9. DC5 says:

    This doesn’t seem to work with TMG; I get this error: "You could not be logged on to Forefront TMG. Make sure that your domain name, user name, and password are correct, and then try again"

    If I turn off require password change, I can login with no issues. Is there something special that needs to be done on the TMG server?

  10. Patrick Hufford says:

    In the spirit of other changes in Exchange 2010 SP1…this seems like something that should be turned into a cmdlet for a future release/service pack. Editing the registry shouldn’t be a big deal for anyone dealing with Exchange, however, a cmdlet could be written to enable this on the current CAS server or all CAS servers (with the proper arguments) in an organization to simplify the entire process for administrators.

  11. savarina says:

    Do you have any plans to modify this so we can use UPN instead of domain\username?

  12. Martijn says:

    Hi Will,

    Very nice feature but how to deal with ISA/TMG? ISA/TMG requires IIS basic auth on Exchange CAS vdir so internal OWA access cannot leverage this change password feature.

    Regards, Martijn

  13. Johnathan says:

    This would be useful if we were not using the ISA/TMG server to publish resources. Is there going to be any assistance there?

  14. Lifevantage Dad says:

    I can’t stand passwords

  15. Adnan says:

    UPN would be awesome.

    And CMDLET option from above is a good suggestion

  16. Peter V says:

    You HAVE to change this feature to support UPN, this is not usable on a Multi-Tenant setup, come on MS, please change this, so that we can use this on our 2010 SP1 Multi-Tenant setup

  17. Avinash Lewis says:

    As most OWA users are bigwigs, being unable to change the OWA password at logon brings us one step nearer to getting fired. This feature saves our lives!

  18. Kevin Partridge says:

    Nice feature but I need users to be able to change their password using the userPrincipalName format as well.  Anyone know how to enable this?

  19. Kristie Atkinson says:

    Also anxiously scouring the internet for how to make this wonderful new feature of Exchange SP3 work with Forefront TMG 2010.  Thank you.

  20. Nisse Jäntti says:

    Does this work with linked mailboxes?

  21. BGCTNV says:

    This should be considered a bug since the password reset tool resides under /owa and does not honor the settings specified for the owa virtual directory:

    Get-OwaVirtualDirectory "owa (Default Web Site)" | fl Name,InternalAuthenticationMethods,LogonFormat

    Name : owa (Default Web Site)

    InternalAuthenticationMethods : {Basic, Fba} <- forms-based authentication

    LogonFormat : PrincipalName <- UPN aka user@domain
