Wednesday, March 20, 2013

Exchange 2k7 sp3 --> Allowing end-users to change their expired passwords using OWA (Outlook Web Access)


Password Change in OWA with Exchange 2007 SP3:

Now that we have gone through the process of installing the Exchange Management Tools on Windows 7 and on Windows Server 2008 R2, we can look at one of the new features introduced in this release: the Exchange Server 2007 SP3 Password Reset Tool.
This tool is only for Exchange Server 2007 using IIS 7.x, because SP3 creates a new module for that purpose on IIS 7 only. Bear in mind that this feature applies only to the Client Access Server role; if you have an NLB, make sure to enable it on all of the Client Access Servers using the steps listed in this article.
Before explaining the feature, let's understand the context in which it can help end-users. When we create a new user, or when a user's password is reset, and the option User must change password at next logon is selected (Figure 7), a user who tries to log on using OWA will receive the following error message: The user name or password that you entered is not valid. Try entering it again.
http://www.andersonpatricio.org/Tutoriais/Exchange2007/ap991_02.png
Figure 7
If you use ISA Server to publish OWA, you may not need to change anything, since ISA has a built-in feature that fixes the issue described previously. However, if you don’t have ISA and have to publish Exchange Server using a different firewall, or you need to make sure that the internal OWA is able to change expired passwords, then this new feature will help you.
Note:
If you are an ISA customer and want to validate if you are using a similar feature, this page can help you out. 
Okay, let’s go to the fun stuff. In order to enable OWA to change expired passwords, we can use the following steps:
  1. Log on to the Client Access Server
  2. Click on Start, then Run, type in regedit and click on OK
  3. Expand HKEY_LOCAL_MACHINE
  4. Expand System
  5. Expand CurrentControlSet
  6. Expand Services
  7. Click on MSExchange OWA
  8. Right-click on the right side, click on New and then DWORD (32 bit) value
  9. Name the new value ChangeExpiredPasswordEnabled and set it to 1, as shown in Figure 8
http://www.andersonpatricio.org/Tutoriais/Exchange2007/ap991_03.png
Figure 8
After changing the registry information we need to restart IIS. We can use IISReset /noforce, and then we will be ready to start testing. The test is not a big deal: just create a new user and try to log on to OWA. The user will receive a new OWA form asking for the current password and the new password, as shown in Figure 9.
http://www.andersonpatricio.org/Tutoriais/Exchange2007/ap991_04.png
Figure 9
After the user types the new password and hits the Submit button, a new page will be displayed with the information that the password has been changed. The user just needs to click OK (Figure 10) and then type in the user name and the new password again to access OWA.
http://www.andersonpatricio.org/Tutoriais/Exchange2007/ap991_05.png
Figure 10
As you may have noticed, this article is showing some ways to automate the process. If you want to enable the feature described previously, you can save the following lines in a file with a .ps1 extension and run it from a PowerShell session.
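# Run from an elevated PowerShell session on the Client Access Server.
Write-Host "Adding ChangeExpiredPasswordEnabled value to the registry..."
# -Force overwrites the value if it already exists instead of failing.
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\services\MSExchange OWA" -Name "ChangeExpiredPasswordEnabled" -Value 1 -PropertyType "DWord" -Force
Write-Host "Restarting IIS using /noforce option..."
# /noforce avoids forcibly terminating services that fail to stop gracefully.
IISReset /noforce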
Note: You may have to use Set-ExecutionPolicy Unrestricted in order to run the script. RemoteSigned is a narrower setting that also allows a script created locally to run.
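Because the value has to be set on every Client Access Server behind an NLB, the following added example (not part of the original article) reads it from each node and reports any mismatch. The server names are placeholders, and it assumes the Remote Registry service is running on the targets and that you have administrative rights on them.

```powershell
# Added example: read-only audit of ChangeExpiredPasswordEnabled across CAS nodes.
# CAS01/CAS02 are placeholder names (assumption); replace with your own servers.
$casServers = @('CAS01', 'CAS02')
$subKey     = 'SYSTEM\CurrentControlSet\Services\MSExchange OWA'
$valueName  = 'ChangeExpiredPasswordEnabled'

function Get-OwaExpiredPasswordSetting {
    param([string]$ComputerName)

    $result = New-Object PSObject -Property @{
        Server = $ComputerName; State = 'Unknown'; Data = $null
    }
    $base = $null; $key = $null
    try {
        $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
        $key = $base.OpenSubKey($subKey)          # opened read-only
        if ($key -eq $null) {
            $result.State = 'KeyMissing'          # OWA service key not present
        } else {
            $data = $key.GetValue($valueName, $null)
            $result.Data = $data
            if ($data -eq $null) { $result.State = 'NotSet' }
            elseif ($data -eq 1) { $result.State = 'Enabled' }
            else                 { $result.State = 'NotEnabled' }  # any data other than 1
        }
    } catch {
        # Unreachable host, access denied, Remote Registry stopped, etc.
        $result.State = "Error: $($_.Exception.Message)"
    } finally {
        if ($key)  { $key.Close() }
        if ($base) { $base.Close() }
    }
    $result
}

$report = $casServers | ForEach-Object { Get-OwaExpiredPasswordSetting $_ }
$report | Select-Object Server, State, Data | Format-Table -AutoSize

# Nodes in different states mean the setting was not applied to every CAS.
$states = @($report | ForEach-Object { $_.State } | Sort-Object -Unique)
if ($states.Count -gt 1) {
    Write-Warning "Client Access Servers are not configured consistently."
}
```

The script only reads the registry; IIS still has to be restarted on any node where the value is changed afterwards.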

Conclusion

In this article we validated the installation process of Exchange Server 2007 SP3 on the new operating systems supported by the product, and also saw how to enable the Reset Password feature.
