
Update 10/21/11: Exchange 2010 Service Pack 1 Update Rollup 3 and later supports using a UPN in the change password dialog. Also, please see our TechNet documentation on the subject, here.

A while back, I posted What you need to know about the OWA Change Password feature of Exchange Server 2007, which highlighted a significant pain point — the loss of the IISADMPWD virtual directory as a supported feature in Windows Server 2008/IIS 7.0. This prevented web client users with expired passwords from being able to change their password and log on. This was a problem for many OWA users — especially remote/mobile users with non-domain-joined computers.

Good news! Exchange Server 2010 Service Pack 1 and Exchange Server 2007 Service Pack 3 (running on Windows Server 2008 or Windows Server 2008 R2) have a new feature that will allow users with expired passwords to change their password. This also works for users who have their accounts configured to change password on next logon (User must change password at next logon in ADUC).

Use this procedure to enable it on Exchange 2007 SP3 and Exchange 2010 SP1 Client Access servers:

Note: If you are using a CAS Array, you must perform these steps on each CAS in the array.

  1. On the Client Access Server (CAS), click Start > Run and type regedit.exe and click OK.
  2. Navigate to HKLM\SYSTEM\CurrentControlSet\Services\MSExchange OWA.
  3. Right click the MSExchange OWA key and click New > DWord (32-bit).
  4. Name the DWORD value ChangeExpiredPasswordEnabled and set its value to 1.
    Note: The accepted values are 1 (or any non-zero value) for "Enabled", and 0 or blank / not present for "Disabled".
  5. After you configure this DWORD value, you must reset IIS. The recommended method to reset IIS is to use IISReset /noforce from a command prompt.
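The five steps above as a script, added here as an example that is not part of the original post: a PowerShell scriptblock that creates the DWORD, resets IIS with /noforce, and reads the value back, run against every member of a CAS array. The server names are placeholders, and it assumes PowerShell remoting to the CAS servers.

```powershell
# Added example (not code from the original post or from Microsoft).
# Registry path, value name and enabled/disabled semantics are taken from the post.
$enableOwaPasswordChange = {
    $owaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA'
    $valueName = 'ChangeExpiredPasswordEnabled'

    if (-not (Test-Path $owaKey)) {
        throw "$env:COMPUTERNAME`: '$owaKey' not found; is the CAS role installed here?"
    }

    # Create the 32-bit DWORD (or overwrite an existing one) and set it to 1.
    New-ItemProperty -Path $owaKey -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null

    # The post recommends a non-forced IIS reset so OWA picks up the new value.
    & iisreset.exe /noforce | Out-Null

    # Read the value back: any non-zero value means Enabled; 0 or absent means Disabled.
    $item     = Get-ItemProperty -Path $owaKey -Name $valueName -ErrorAction SilentlyContinue
    $rawValue = if ($null -ne $item) { [int]$item.$valueName } else { $null }
    $state    = if ($null -eq $rawValue -or $rawValue -eq 0) { 'Disabled' } else { 'Enabled' }

    [pscustomobject]@{
        Server = $env:COMPUTERNAME
        Value  = $rawValue
        State  = $state
    }
}

# Placeholder names: list every CAS in the array (see the note above about CAS arrays).
$casServers = 'CAS01', 'CAS02'

# Requires PowerShell remoting; drop -ComputerName to run the block on the local CAS only.
Invoke-Command -ComputerName $casServers -ScriptBlock $enableOwaPasswordChange |
    Select-Object Server, Value, State |
    Format-Table -AutoSize
```

A row showing State = Disabled after the run means the value did not land on that server and the steps should be repeated there by hand.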

Important: When changing passwords, users can't use a UPN (for example, johndoe@contoso.com) in the Domain\user name field in the Change Password window shown below, unless E2010 SP1 RU3 or later has been deployed on the Client Access servers.

That's it. No other steps are required.

Enjoy!

Reference: TechNet: How to Enable the Exchange 2007 SP3 Password Reset Tool

Will Duff

21 Comments
Not applicable
Excellente feature!!! It will save IT and HR a lot of time dealing with "users". thanks!!!
Not applicable
Brilliant. For all of my remote deskless workers, they can now self manage passwords again without calling the Helpdesk.  Thanks indeed.
Not applicable
Any plans on supporting this feature via UPNs instead of DOMAIN\Username format?  We try as much as possible to enforce UPNs with our users since the DOMAIN\Username notation is foreign to them and they have a hard time remembering it.  UPN on the other hand matches their email address, so it is much more practical for them.
Not applicable
what KSWail said.  everything, EVERYTHING needs to be UPN-based nowadays...
Not applicable
I think so. EVERYTHING needs to be UPN-based !!! [ Hosting Base ]
Not applicable
Congratulations! This feature is a great improvement. It'll be excellent for a particular type of user.
Not applicable
Really good, even though there are a few limitations.
Not applicable
This doesn't seem to work with TMG; I get this error: "You could not be logged on to Forefront TMG. Make sure that your domain name, user name, and password are correct, and then try again"

If I turn off require password change, I can login with no issues. Is there something special that needs to be done on the TMG server?
Not applicable
In the spirit of other changes in Exchange 2010 SP1...this seems like something that should be turned into a cmdlet for a future release/service pack. Editing the registry shouldn't be a big deal for anyone dealing with Exchange, however, a cmdlet could be written to enable this on the current CAS server or all CAS servers (with the proper arguments) in an organization to simplify the entire process for administrators.
Not applicable
Do you have any plans to modify this so we can use UPN instead of domain\username?
Not applicable
Hi Will,

Very nice feature but how to deal with ISA/TMG? ISA/TMG requires IIS basic auth on Exchange CAS vdir so internal OWA access cannot leverage this change password feature.

Regards, Martijn
Not applicable
This would be useful if we were not using the ISA/TMG server to publish resources. Is there going to be any assistance there?
Not applicable
I can't stand passwords
Not applicable
UPN would be awesome.
And CMDLET option from above is a good suggestion
Not applicable
You HAVE to change this feature to support UPN, this is not usable on a Multi-Tenant setup, come on MS, please change this, so that we can use this on our 2010 SP1 Multi-Tenant setup
Not applicable
As most OWA users are Bigwigs, a non-working, unable-to-change OWA password at log on brings us one step nearer to getting fired. This feature saves our lives!
Not applicable
Nice feature but I need users to be able to change their password using the userPrincipalName format as well.  Anyone know how to enable this?
Not applicable
Also anxiously scouring the internet for how to make this wonderful new feature of Exchange SP3 work with Forefront TMG 2010.  Thank you.
Not applicable
Does this work with linked mailboxes?
Not applicable
This should be considered a bug since the password reset tool resides under /owa and does not honor the settings specified for the owa virtual directory:

Get-OwaVirtualDirectory "owa (Default Web Site)" | fl Name,InternalAuthenticationMethods,LogonFormat

Name : owa (Default Web Site)
InternalAuthenticationMethods : {Basic, Fba} <- forms-based authentication
LogonFormat : PrincipalName <- UPN aka user@domain