You are running Exchange 2010 and your remote users use Outlook Web Access (OWA) for access to email. You also have AD password expiration enabled, and your OWA users get locked out when their password expires because they don’t have access to a Windows workstation in your domain so that they can change their password.
Exchange 2010 OWA includes a feature to allow users to change their passwords, but by default it’s disabled. You need to enable it.
- Log into your Exchange CAS machine (the OWA server). In a single-server Exchange environment, this is just your Exchange server. In a more complex setup, you will have one or more servers dedicated to the CAS role.
- Update your Registry per Microsoft’s article to enable the Change Password Feature in Outlook Web Access.
- Open regedit.
- Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchange OWA
- Create the DWORD value ChangeExpiredPasswordEnabled
- Set ChangeExpiredPasswordEnabled to 1
- Reboot the CAS server.
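The same registry change, scripted so it can be applied consistently across several CAS servers and verified before the reboot. This is an added example, not from the original article or from Microsoft; it assumes an elevated PowerShell session on the CAS server and uses only the key and value names given above.

```powershell
# Added example (not from the original article): enable the OWA
# change-expired-password feature on an Exchange 2010 CAS server.
# Run in an elevated PowerShell session on the CAS server itself.

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA'
$valueName = 'ChangeExpiredPasswordEnabled'

# Sanity check: the key only exists where the CAS/OWA role is installed,
# so this stops you from creating stray keys on the wrong server.
if (-not (Test-Path -Path $keyPath)) {
    throw "Registry key '$keyPath' not found. Is this the CAS server?"
}

# Record the current state so the change can be reversed if needed.
$before = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
if ($null -eq $before) {
    Write-Host "$valueName does not exist yet (feature disabled by default)."
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 1 | Out-Null
} else {
    Write-Host "$valueName currently = $($before.$valueName)"
    Set-ItemProperty -Path $keyPath -Name $valueName -Value 1
}

# Read the value back and verify it is a DWORD set to 1; a REG_SZ "1"
# created by hand in regedit would not be honoured by OWA.
$after = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
$kind  = (Get-Item -Path $keyPath).GetValueKind($valueName)
if ($after -ne 1 -or $kind -ne 'DWord') {
    throw "Verification failed: $valueName is '$after' of kind '$kind'."
}
Write-Host "$valueName is set to 1 (kind: $kind). Reboot the CAS server to apply the change."
```

The read-back check matters because the most common mistake with this setting is creating a string value instead of a DWORD; OWA ignores it and expired users keep getting the generic logon error.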
Now let’s test the change.
- Before the registry change, if a user’s password had expired and they tried to log in, they would get “The user name or password entered isn’t correct. Try entering it again.”
- After the change, the user will see “Your password has expired and you need to change it before you sign in to Outlook Web App.”
- After the password change, they will see “Your password has been changed. We recommend that you close all browser windows at this time.” At this point, they should re-enter the URL for OWA and log in.