Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2

Topic Last Modified: 2012-07-23

The Change Password feature in Microsoft Office Outlook Web App enables domain users to change their password when they're using Outlook Web App. This topic discusses the Change Password feature and how it's implemented in Microsoft Exchange Server 2010.

Password Overview

Three types of account policies are found in Windows Server 2008 and Windows Server 2003 domains: password policies, account lockout policies, and Kerberos authentication protocol policies. A single domain has one of each of these policies. In Active Directory domains, you can apply one password policy and one account lockout policy. This password policy is specified in the Default Domain Policy for the domain. The configured settings apply to all users within the domain, including Outlook Web App users.

Password and account lockout settings protect the accounts and data in your organization by making it harder for one person to guess another user's password. You can use the Account Lockout Policy and Password Policy nodes of the Default Domain Policy settings to configure the account lockout and password policy settings that are enforced for the Outlook Web App users in your Exchange organization. Password policies include the following settings:

  • Password Complexity

  • Password History

  • Minimum Password Length

  • Maximum Password Age

  • Minimum Password Age

When you create a user account and mailbox-enable the user, the password policies and the settings on the user's account are applied to the user. However, other user password settings may also affect Outlook Web App users, such as User Must Change Password at First Logon and User Cannot Change Password.
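The following PowerShell is an added example, not part of the original topic, that reads the domain password and lockout settings listed above and then lists the users whose account state (password expired, must change at next logon, or cannot change password) will affect their use of the Change Password feature. It assumes the ActiveDirectory module from RSAT is installed and that the account running it can read user attributes.

```powershell
# Added example (not from the original topic): inspect the Default Domain
# Policy password settings and find users whose password state interacts with
# the OWA Change Password feature. Assumes the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

# The five password-policy settings discussed above, plus the lockout
# settings, all come from the Default Domain Policy.
$policy = Get-ADDefaultDomainPasswordPolicy
$policy | Select-Object ComplexityEnabled, PasswordHistoryCount, MinPasswordLength,
    MaxPasswordAge, MinPasswordAge, LockoutThreshold, LockoutDuration,
    LockoutObservationWindow | Format-List

# pwdLastSet = 0 is how "User must change password at next logon" is stored;
# PasswordExpired is computed by the module from MaxPasswordAge.
$users = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties pwdLastSet, PasswordExpired, CannotChangePassword, PasswordNeverExpires

$mustChange = @($users | Where-Object { $_.pwdLastSet -eq 0 })
$expired    = @($users | Where-Object { $_.PasswordExpired -and -not $_.PasswordNeverExpires -and $_.pwdLastSet -ne 0 })
$cannot     = @($users | Where-Object { $_.CannotChangePassword })

# Users in the first two groups cannot change their password through OWA
# unless ChangeExpiredPasswordEnabled is set on every Client Access server.
"Must change at next logon : {0}" -f $mustChange.Count
"Password expired          : {0}" -f $expired.Count
"Cannot change password    : {0}" -f $cannot.Count

$mustChange + $expired | Select-Object SamAccountName, PasswordExpired, pwdLastSet |
    Sort-Object SamAccountName
```

Run it from a machine with RSAT before rolling out the registry change, so you know how many users are currently blocked at the sign-in page and can decide whether to enable changing expired passwords or reset those accounts individually.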

Change Password Feature in Outlook Web App

By default, the domain password that a user uses to access a Windows-based network is the same password that's used to access Outlook Web App. A user can change their domain password from a Web browser by using the Change Password feature in Outlook Web App.

Outlook Web App provides the functionality to change passwords that haven't expired yet. However, if a password has already expired or is required to be changed at the first sign-in, the password can't be changed via Outlook Web App unless you make a configuration change on the Client Access server to enable changing expired passwords.

If you don't enable changing expired passwords, a user whose password must be changed will have to contact their administrator to have their password reset. When the password is reset, the administrator must clear the User must change password at next logon check box.

If you haven't enabled changing expired passwords and are using forms-based authentication, a user who must change their password will be returned to the sign-in page, and the following error message will be displayed: The user name or password you entered isn't correct. Try entering it again. If forms-based authentication isn't used for Outlook Web App, the user will be returned to the sign-in window but won't see any error message.

Important:
When Basic authentication or forms-based authentication is used with Outlook Web App, the Change Password feature may not work correctly when a user's password includes extended ASCII or Unicode characters. This happens because passwords that use extended ASCII or Unicode characters aren't transmitted correctly between IIS and some Web browsers. We recommend that Outlook Web App users use only ASCII characters in their passwords if they'll be using the Change Password feature in Outlook Web App.

You can enable or disable the Change Password feature for a single user by configuring the user's mailbox, or for multiple users by configuring the /owa virtual directory or another virtual directory that's used for Outlook Web App. You can enable or disable the Change Password feature by using segmentation. For more information, see Configure Segmentation in Outlook Web App.

Enable Users to Change Expired Passwords

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Outlook Web App Registry Editor" entry in the Client Access Permissions topic.

Caution:
Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be resolvable. Before editing the registry, back up any valuable data.

  1. Log on to the Client Access server.

  2. Start Registry Editor (regedit).

  3. Locate the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchange OWA.

  4. Create a DWORD (REG_DWORD) value named ChangeExpiredPasswordEnabled if it doesn't already exist.

  5. Set the value of ChangeExpiredPasswordEnabled to 1.

  6. Exit Registry Editor.
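The following PowerShell is an added example, not part of the original topic, that applies steps 3 through 5 to every Client Access server in the organization and reports the resulting value, which covers the requirement in the note below to make the change on each server. It assumes the Exchange Management Shell is loaded (for Get-ClientAccessServer) and that the account running it has remote registry rights on each server, with the Remote Registry service running there.

```powershell
# Added example (not from the original topic): set
# HKLM\SYSTEM\CurrentControlSet\Services\MSExchange OWA\ChangeExpiredPasswordEnabled = 1
# on every Client Access server and report what was found. Assumes the
# Exchange Management Shell and remote registry access to each server.
$keyPath   = 'SYSTEM\CurrentControlSet\Services\MSExchange OWA'
$valueName = 'ChangeExpiredPasswordEnabled'

$servers = Get-ClientAccessServer | Select-Object -ExpandProperty Name

foreach ($server in $servers) {
    # Open HKEY_LOCAL_MACHINE on the remote server.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $server)
    try {
        # $true opens the subkey writable (step 3).
        $key = $hklm.OpenSubKey($keyPath, $true)
        if ($null -eq $key) {
            Write-Warning "$server : subkey '$keyPath' not found; Outlook Web App may not be installed here."
            continue
        }
        try {
            $current = $key.GetValue($valueName)
            if ($current -eq 1) {
                "{0}: {1} is already 1" -f $server, $valueName
            } else {
                # Create the value if it is absent and set it to 1 (steps 4 and 5).
                $key.SetValue($valueName, 1, [Microsoft.Win32.RegistryValueKind]::DWord)
                $was = if ($null -eq $current) { 'absent' } else { $current }
                "{0}: {1} set to 1 (was {2})" -f $server, $valueName, $was
            }
        } finally {
            $key.Close()   # step 6
        }
    } finally {
        $hklm.Close()
    }
}
```

Re-running the script is safe: servers that already have the value set to 1 are reported and left unchanged, so it doubles as a check that no Client Access server was missed.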

Note:
You must make this change on each Client Access server that supports Outlook Web App.