Configuring the Change Password Feature in Outlook Web Access
Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3
The Change Password feature in Microsoft Office Outlook Web Access enables domain users to change their password when they are using Outlook Web Access. This topic discusses the Change Password feature and how it is implemented in an Microsoft Exchange Server 2007 organization and in an Exchange 2007 organization that also uses servers that are running Microsoft Exchange Server 2003.
The IISADPMWD functionality that is discussed in this topic is included with Internet Information Services (IIS) 6.0 in Windows Server 2003. The IISADPMWD functionality is not included with or supported in Windows Server 2008 or in Internet Information Services (IIS) 7.0. The Change Password feature in Exchange Server 2007 Outlook Web Access does not require the IISADMPWD functionality.
If you need the ability to change passwords after they expire, you can configure Microsoft Internet Security and Acceleration (ISA) Server 2006 to implement this functionality. For more information, see Configuring and Troubleshooting the Password Change Feature in ISA Server 2006 or the Exchange Server Team Blog article What you need to know about the OWA Change Password feature of Exchange Server 2007.
There are three types of Account policies that are found in a Microsoft Windows Server 2003 domain: password policies, account lockout policies, and Kerberos authentication protocol policies. A single Windows Server 2003 domain will have one of each of these policies. In Windows Server 2003 Active Directory domains, you can apply one password and account lockout policy. This password is specified in the Default Domain Policy for the domain. The settings that are configured will apply to all users within the domain. This includes Outlook Web Access users.
Password and account lockout settings protect accounts and data in your organization by preventing a person from guessing another user's account password. The settings found in the Account Lockout and Password Policy nodes of the Default Domain policy settings enable you to configure the account lockout policies and password policy settings that will affect the Outlook Web Access users in your Exchange organization. These password policy settings directly affect Outlook Web Access users and will be enforced. Password policies include the following settings:
Minimum Password Length
Maximum Password Age
Minimum Password Age
When you create a user account and mailbox-enable the user, the password policies and the settings on the user's account will be applied to the user. However, there are other user password settings that may also affect Outlook Web Access users, such as User Must Change Password at First Logon and User Cannot Change Password.
The Change Password Feature in Outlook Web Access
By default, the domain password that is used by the user to access a Microsoft Windows-based network is the same as the password that is used to access Outlook Web Access. A domain user can change their password by using the Change Password feature within Outlook Web Access.
The Change Password feature is provided from within Outlook Web Access and by Microsoft Internet Information Services (IIS) and enables the user to use a Web browser to change their domain password. The Change Password feature is not specific to Microsoft Exchange. It is implemented by Outlook Web Access and the IISADMPWD virtual directory from inside IIS. Outlook Web Access provides the functionality to change passwords that have not expired yet. However, Outlook Web Access relies on functionality found in IIS if a password has already expired or if the user's mailbox is located on a server that is running an earlier version of Microsoft Exchange.
For the user to be able to change their password by using Outlook Web Access, they must first log on to Outlook Web Access, click Options in the toolbar, and then enter the new password.
An Outlook Web Access user can use the Change Password feature in the following cases:
To change their password after they have logged on to their mailbox by using Outlook Web Access
To change their password if their password will expire within a given time period
To change their password if their password has already expired
To change their password if the User must change password at first logon is enabled
To change their password if the User cannot change password option is enabled
When Basic authentication or forms-based authentication is used with Outlook Web Access, the Change Password feature may not work correctly when a user uses a password that uses extended ASCII or Unicode characters. This is the case because passwords that use extended ASCII or Unicode characters are not transmitted correctly between Internet Information Services (IIS) and some Web browsers. We recommend that Outlook Web Access users use only ASCII characters if they will be using the Change Password feature in Outlook Web Access to make sure that the Change Password features works correctly.
By default, the Change Password feature is implemented when you use both Exchange 2007 Client Access and Mailbox servers in your Exchange organization. It requires no additional configuration unless you want to support changing passwords that have already expired or user accounts that are configured to change their password the next time the user logs on.
You can enable or disable the Change Password feature for a single user by configuring the user's mailbox, or for multiple users by configuring the /owa virtual directory or another virtual directory that is used for Outlook Web Access. You can enable or disable the Change Password feature by using segmentation. For more information about segmentation in Outlook Web Access, see How to Manage Segmentation in Outlook Web Access.
If you have both Exchange 2007 Client Access servers and Exchange 2003 or Microsoft Exchange 2000 Server back-end servers in your Exchange organization, additional configuration steps are required to enable the Change Password feature to work correctly. To enable the Change Password feature to work correctly, follow these steps:
Create the appropriate IISADMPWD folder and virtual directory on each Client Access server. For more information about how to create and configure the IISADMPWD folder and virtual directory, see Implementing the Change Password feature with Outlook Web Access.
Follow these steps to create the appropriate registry key on each Exchange 2003 or Exchange 2000 back-end server:
Click Start, click Run, type regedit and then click OK.
In Registry Editor, locate the following subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeWeb\OWA
On the Edit menu, point to New, and then click DWORD Value. In the result pane, name the new value DisablePassword.
Right-click the DisablePassword DWORD value, and then click Modify.
In the Value data field, enter 0, and then click OK.
On each Client Access server, open IIS Manager, and then select Web Service Extensions.
In the result pane, select Active Server Pages, and then click Allow.
Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data.