Friday, April 22, 2011

Password Reset Feature in Exchange 2007 and 2010

In many organizations, creating new mailbox-enabled users includes checking the "User must change password at next logon" box on the account. From a security perspective, that makes sound sense. However, if the user is a mobile user who only signs in through OWA, this has been a problem: checking the box prevents the user from logging in the first time. The same problem exists if a user's password expires before they change it. The resolution is a call to the Help Desk to have the account unlocked.

Microsoft recently added a feature that helps alleviate this issue. When enabled, users are allowed to change their password and then log in, thus eliminating the call to the Help Desk.

In Exchange 2007, the feature was added in SP3, while in Exchange 2010 it was added in SP1. One important note is that the feature only works on Exchange servers running Windows 2008 or later.

Enabling the feature is very easy, and takes only a minute. For either version of Exchange, go to the server(s) holding the Client Access Server role and open regedit.

Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchange OWA

Create a new DWORD (32-bit) value called ChangeExpiredPasswordEnabled

Assign the new DWORD a value of 1 as shown below.

Note: If the ChangeExpiredPasswordEnabled registry value already exists, set its value to 1. Any value other than 1 disables the feature.

Restart IIS by opening a cmd prompt and typing IISRESET /NOFORCE.

Repeat this process for all Client Access Servers. Once finished, when a user logs in with an expired password, they are prompted with a new screen as shown in both Exchange 2007 (left) and Exchange 2010 (right) below:
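Doing the same steps across every Client Access Server by hand is where drift creeps in (one server left at 0, or a typo in the value name), so here is an added example script that is not part of the original post. It assumes it is run from the Exchange Management Shell on PowerShell 2.0 or later, with an account that has local admin rights and PowerShell remoting to each CAS; Get-ClientAccessServer, the registry path and the value name are the ones described above.

```powershell
# Added example (not from the original post): enforce
# ChangeExpiredPasswordEnabled = 1 on every Client Access Server and report.
# Assumes: Exchange Management Shell, PowerShell 2.0+, WinRM reachable,
# and local admin rights on each CAS.
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA'
$RegName = 'ChangeExpiredPasswordEnabled'

# Get-ClientAccessServer returns the servers holding the CAS role.
$casServers = Get-ClientAccessServer | Select-Object -ExpandProperty Name

foreach ($server in $casServers) {
    Invoke-Command -ComputerName $server -ArgumentList $RegPath, $RegName -ScriptBlock {
        param($path, $name)
        $current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        $changed = $false
        if ($null -eq $current) {
            # Value is missing: create it as a REG_DWORD (32-bit) set to 1.
            New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value 1 | Out-Null
            $action  = 'created'
            $changed = $true
        } elseif ($current -ne 1) {
            # Any value other than 1 disables the feature, so normalise it.
            Set-ItemProperty -Path $path -Name $name -Value 1
            $action  = "changed from $current"
            $changed = $true
        } else {
            $action = 'already 1'
        }
        if ($changed) {
            # IIS only re-reads the setting on restart; /NOFORCE lets
            # in-flight OWA requests finish instead of killing them.
            & iisreset.exe /NOFORCE | Out-Null
        }
        New-Object PSObject -Property @{
            Server = $env:COMPUTERNAME
            Action = $action
            Value  = (Get-ItemProperty -Path $path -Name $name).$name
        }
    }
}
```

Running it a second time is a quick audit: every row should read "already 1", and any server that reports a different Action is the one that was missed.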

Once the user enters a valid new password, they are shown the following screen:

Once the user clicks on "OK", they are prompted to login with their new password. Enjoy!
