One of the features a lot of companies loved about Microsoft’s Internet Security and Acceleration Server (ISA Server) 2006 and the Forefront Threat Management Gateway (TMG) 2010 forms-based authentication was the built-in functionality to allow for password resets before a user logs on. This scenario was very useful if users forgot their password or if the user/domain password policy forced users to change passwords on a regular basis.
While the password reset feature is well documented for Exchange 2010, I haven’t found any description of how to make this work for Exchange 2013. After investigating a bit, I think I have found an acceptable solution, which – of course – results in another how-to article for Petri IT Knowledgebase! This is a two-part series. In this first article, I’ll focus on the change password feature in Outlook Web Access for Exchange 2013: how it works and how Exchange administrators can take control of this feature, allowing or disallowing it for all or certain mailbox users within the company.
In part two I’ll explain how to configure your Exchange Servers to allow mailbox users to reset their expired passwords from within the Forms Based Authentication page.
I see two possible scenarios in which password resets could be helpful:
A third scenario is a situation in which an end user mistypes his or her password too many times, resulting in an account lockout, but I haven’t found a solution for that one within OWA. I guess it has more to do with Active Directory default security mechanisms and not so much with Exchange 2013.
The first scenario is rather easy and has existed in Exchange OWA since version 5.5, so even in Exchange 2013 this feature is activated by default. It lets the mailbox user change an AD password from within OWA, similar to the end user changing a domain password from his or her own PC.
If something goes wrong during the password change process, you’ll receive a notification popup. A common cause is a new password that does not meet the company’s password policy settings.
Now, imagine you don’t want to give this feature to your end users, or maybe not to all of them. In this case, you have to modify certain settings on the Exchange server side.
The setting above is very useful and is most probably used as a security policy in certain companies to prevent AD password resets over the Internet (although all communication is encrypted with SSL certificates, but hey, who are we to argue with a security officer, right?). You might also have a case in which you want to block the change password feature within OWA, but not for all users. In that case, a few more settings need to be changed on the Exchange 2013 server.
Here’s how to achieve this:
Notice the default policy that is already there; when opening its properties, you will see that all OWA security features are enabled by default.
In the next step, we will apply this new policy to a single mailbox as follows:
When logging into OWA for that specific mailbox user, you will notice the change password setting is not available anymore.
In the last step, we will apply this new policy to multiple mailbox users as follows:
Now, when your mailbox users log in to OWA, they will notice the change password setting is not available anymore.
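The same policy work can be scripted from the Exchange Management Shell instead of the EAC. The following is an added example and not part of the original article; the policy name, mailbox alias and OU path are assumptions chosen for illustration.

```powershell
# Added example (not from the article): run in the Exchange Management Shell
# on an Exchange 2013 server. Policy, mailbox and OU names are assumptions.

# Inspect the default policy: ChangePasswordEnabled is True out of the box.
Get-OwaMailboxPolicy -Identity 'Default' | Format-List Name, ChangePasswordEnabled

# Create a dedicated policy and switch off only the change password feature,
# leaving every other OWA feature at its default value.
New-OwaMailboxPolicy -Name 'OWA-NoPasswordChange'
Set-OwaMailboxPolicy -Identity 'OWA-NoPasswordChange' -ChangePasswordEnabled $false

# Apply the policy to a single mailbox (alias is an assumption).
Set-CASMailbox -Identity 'jdoe' -OwaMailboxPolicy 'OWA-NoPasswordChange'

# Apply the policy to multiple mailboxes at once, here every mailbox in an OU
# (OU path is an assumption); any Get-Mailbox filter works the same way.
Get-Mailbox -OrganizationalUnit 'contoso.local/Contractors' -ResultSize Unlimited |
    Set-CASMailbox -OwaMailboxPolicy 'OWA-NoPasswordChange'

# Verify which mailboxes now carry the restrictive policy before telling users.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.OwaMailboxPolicy -eq 'OWA-NoPasswordChange' } |
    Select-Object Name, OwaMailboxPolicy

# Revert a mailbox to the default policy if needed:
# Set-CASMailbox -Identity 'jdoe' -OwaMailboxPolicy 'Default'
```

Users already logged in to OWA keep the old setting until their session is re-established, so check with a fresh login.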