Update 10/21/11: Exchange 2010 Service Pack 1 Update Rollup 3 and later supports using a UPN in the change password dialog. Also, please see our TechNet documentation on the subject, here.
A while back, I posted What you need to know about the OWA Change Password feature of Exchange Server 2007, which higlighted a significant pain point — the loss of the IISADMPWD virtual directory as a supported feature in Windows Server 2008/IIS 7.0. This prevented web client users with expired passwords from being able to change their password and log on. This was a problem for many OWA users — especially remote/mobile users with non-domain-joined computers.
Good news! Exchange Server 2010 Service Pack 1 and Exchange Server 2007 Service Pack 3 (running on Windows Server 2008 or Windows Server 2008 R2) have a new feature that will allow users with expired passwords to change their password. This also works for users who have their accounts configured to change password on next logon (User must change password at next logon in ADUC).
Use this procedure to enable it on Exchange 2007 SP3 and Exchange 2010 SP1 Client Access servers:
Note: If you are using a CAS Array, you must perform these steps on each CAS in the array.
On the Client Access Server (CAS), click Start > Run and type regedit.exe and click OK.
Navigate to HKLM\SYSTEM\CurrentControlSet\Services\MSExchange OWA.
Right click the MSExchange OWA key and click New > DWord (32-bit).
The DWORD value name is ChangeExpiredPasswordEnabled and set the value to 1. Note: The values accepted are 1 (or any non-zero value) for "Enabled" or 0 or blank / not present for "Disabled"
After you configure this DWORD value, you must reset IIS. The recommended method to reset IIS is to use IISReset /noforce from a command prompt.
Important: When changing passwords, users can't use a UPN (for example, firstname.lastname@example.org) in the Domain\user name field in the Change Password window shown below, unless E2010 SP1 RU3 or later has been deployed on the Client Access servers.