In many organizations, creating new mailbox-enabled users includes checking the “User must change password at next logon” box on the account. From a security perspective, that is sound practice. However, it has been a problem for users who only ever sign in through OWA (typically mobile or remote users): checking the box prevented them from logging in the first time, because OWA rejected the logon instead of prompting for the password change. The same problem occurs when a user’s password expires before they change it. Until now, the only resolution was a call to the Help Desk to have the password reset (or the change-at-next-logon flag cleared).
Microsoft recently added a feature that alleviates this issue. When enabled, a user whose password has expired or must be changed at next logon is prompted to change it from the OWA logon page and is then logged in, eliminating the call to the Help Desk. Note that the user must still supply the current (expired) password on that page; the feature does not bypass the policy, it simply lets the user satisfy it without Help Desk involvement.
Enabling the feature is very easy and takes only a minute. It ships with Exchange 2007 SP3 and Exchange 2010 SP1, so on earlier builds the registry value described below has no effect. For either version of Exchange, go to the server(s) holding the Client Access Server role and open regedit.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchange OWA
Create a new DWORD (32-bit) value called ChangeExpiredPasswordEnabled
Assign the new DWORD a value of 1.
Note: If the ChangeExpiredPasswordEnabled registry value already exists, set its data to 1. Any value other than 1 (including a missing value) leaves the feature disabled.
Restart IIS by opening a cmd prompt and typing IISRESET /NOFORCE.
Repeat this process for all Client Access Servers; users whose requests land on a CAS that has not been updated will still see the old behavior. Once finished, when a user logs in with an expired password, they are prompted with a new change-password screen, as shown for both Exchange 2007 (left) and Exchange 2010 (right) below:
Once the user enters the old password and a valid new password, they are shown the following confirmation screen:
Once the user clicks “OK”, they are prompted to log in with their new password. Enjoy!
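Clicking through regedit on every Client Access Server is fine for two servers and tedious for ten. The script below is an added example, not code from the original post: it applies the same registry change to every CAS in the organization, restarts IIS on each one with /noforce, and then reads the value back so you can confirm nothing was missed. It assumes it is run from the Exchange Management Shell (for Get-ClientAccessServer) by an account with remote registry rights on each CAS, and that the Remote Registry service is running there; the function names are the example's own.

```powershell
# Added example (not from the original post): enable ChangeExpiredPasswordEnabled
# on every Client Access Server, restart IIS, and verify.
# Assumes: Exchange Management Shell, remote registry access to each CAS,
# and the Remote Registry service running on the targets.

$regPath = 'SYSTEM\CurrentControlSet\Services\MSExchange OWA'
$valName = 'ChangeExpiredPasswordEnabled'

function Set-ChangeExpiredPassword {
    param([string]$Server, [switch]$Disable)
    # Only the value 1 enables the feature; anything else disables it.
    $desired = if ($Disable) { 0 } else { 1 }

    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Server)
    $key  = $hklm.OpenSubKey($regPath, $true)   # $true = writable
    if ($null -eq $key) {
        $hklm.Close()
        throw "Key '$regPath' not found on $Server. Is the CAS role installed there?"
    }
    # Must be a DWORD (32-bit), matching the manual regedit step.
    $key.SetValue($valName, $desired, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close(); $hklm.Close()

    # OWA reads the value when IIS starts, so restart it. /noforce lets
    # in-flight requests finish instead of killing the worker processes.
    & iisreset $Server /noforce | Out-Null
}

function Get-ChangeExpiredPassword {
    param([string]$Server)
    $hklm  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Server)
    $key   = $hklm.OpenSubKey($regPath)
    $value = if ($key) { $key.GetValue($valName) } else { $null }
    if ($key) { $key.Close() }
    $hklm.Close()
    New-Object PSObject -Property @{
        Server  = $Server
        Value   = $value
        Enabled = ($value -eq 1)   # missing, 0, or any other value means disabled
    }
}

# Apply to every CAS in the org, then report the effective state of each.
$casServers = Get-ClientAccessServer | ForEach-Object { $_.Name }
foreach ($cas in $casServers) { Set-ChangeExpiredPassword -Server $cas }
$casServers |
    ForEach-Object { Get-ChangeExpiredPassword -Server $_ } |
    Format-Table Server, Value, Enabled -AutoSize
```

Run the Get-ChangeExpiredPassword pass on its own whenever a new CAS is added; a server reporting Enabled = False is one where users will still be bounced to the Help Desk. To back the change out, call Set-ChangeExpiredPassword -Server <name> -Disable, which writes 0 and restarts IIS the same way.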