Controlling the Change Password Feature in Exchange 2013 Outlook Web Access (OWA)

One of the features a lot of companies loved about Microsoft’s Internet Security and Acceleration Server (ISA Server) 2006 and the Forefront Threat Management Gateway (TMG) 2010 forms-based authentication was the built-in functionality to allow for password resets before a user logs on. This scenario was very useful if users forgot their password or if the user/domain password policy forced users to change passwords on a regular basis.

While the password reset feature is well documented for Exchange 2010, I haven’t found any description on how to make this work for Exchange 2013. After investigating a bit, I think I have found an acceptable solution, which – of course – results in another how-to article for Petri IT Knowledgebase! This is a two-part series. In this first article, I’ll focus on the change password feature Outlook Web Access for Exchange 2013: how it works and how Exchange administrators can take control of this feature, allowing or disallowing it for all or certain mailbox users within the company.

In part two I’ll explain how to configure your Exchange Servers to allow mailbox users to reset their expired passwords from within the Forms Based Authentication page.

OWA Password Resets

I see two possible scenarios in which password resets could be helpful:

  1. While user is logged on in OWA
  2. When a user’s password has expired

A third scenario is a situation in which an end user mistypes his or her password too many times resulting in an account lock-out, but I haven’t found a solution for that one within OWA. I guess it has more to do with Active Directory default security mechanisms and not so much with Exchange 2013.

Allow Password Resets for Non-Expired OWA Accounts

The first scenario is rather easy and already existed in Exchange OWA since version 5.5, so even in Exchange 2013 this feature is activated by default. It gives the mailbox user the possibility to change a AD password from within OWA – similar to when the end user forces to change a domain password from his or her own PC.

  • Log on to your OWA environment using your company’s OWA URL. In my example, it is https://owa.iamct.org/owa, but it can be about anything in your environment.
  • Now go to your mailbox settings and click on the gear wheel icon in the upper-right corner of your OWA 2013, next to your mailbox name.

login Outlook Web Access (OWA)

  • Click on Settings, and a small context menu will open up from which you can select Change Password. This will bring you to the Change Password settings page.

Outlook Web Access change password

  • Enter your current Active Directory password, followed by your new password twice. Although the password change should be successful and you expect a confirmation of this, I noticed I was actually immediately redirected to the Outlook Web App logon page again. Not sure if that is intentional or a small bug.

If something goes wrong during the password change process, you’ll receive a notification popup. A common problem is not having a new password according to the company’s security password policy settings.

Block Change Password Feature for All Users

Now, imagine you don’t want to give this feature to your endusers, or maybe not to all of them. In this case, you have to modify certain settings on the Exchange server-side.

  • Logon to your company’s Exchange Administrative Center with an Exchange Admin account, using this default URL.
  • From within the EAC, select Servers / Virtual Directories.

change password feature Outlook Web Access

  • From within the list of Exchange Virtual Directories, select OWA (default website).
  • Open its Properties, which by default looks like the image shown below.

Outlook Web Access features

  • From this list, notice the Change Password flag. Remove the flag if you want to turn this feature off for all users. (Note: if you only want to take this feature away from certain users, continue reading!)
  • Save the changes and done. When logging into OWA with a mailbox user, notice the Change Password option is not listed in the settings menu anymore.

Block Change Password Feature for Specific Users

The above feature is very useful and most probably used as a security policy in certain companies to prevent AD password resets over the Internet (although all communication is encrypted by SSL-certificates, but hey, who are we to argue with a security officer, right?), you might have a case in which you want to block the change password feature within OWA, but not for all users. In that case, another few settings need to be changed on the Exchange 2013 server.

  1. Create a new custom OWA security policy
  2. Link the new custom OWA security policy to a mailbox / multiple mailboxes

Here’s how to achieve this:

  • From within the Exchange Admin Center, go to Permissions / Outlook Web App Policies.

Outlook Web App Policies

Notice the default policy that is already there; when opening its properties, you will see all OWA security features are enabled by default.

  • Now let’s create a new policy by clicking on the plus sign (+) icon.

Block Outlook Web Access password change

  • Let’s give it a descriptive name of Block Change Password. Remove the flag from the Change Password feature here, and save the policy.

In the next step, we will apply this new policy to a single mailbox as follows:

  • Go to Recipients and select the individual mailbox you want to get this policy applied.
  • In the right pane, go to Email Connectivity.

Block Outlook Web Access enable email

  • Select View Details.

Block Outlook Web Access view details

  • Notice the field is empty, actually meaning the default policy gets applied. Click Browse… and select the new custom Block Password Change policy.

When logging into OWA for that specific mailbox user, you will notice the change password setting is not available anymore.

In the last step, we will apply this new policy to multiple mailbox users as follows:

  • Go to Recipients and select the multiple mailbox users for whom you want to get this policy applied. In the right pane, go to Outlook Web App.
  • Select Assign a policy. This will open the Bulk assign Outlook Web App window.

Block Outlook Web Access bulk assign

  • Notice the field is empty, actually meaning the default policy gets applied. Click Browse and select the new custom Block Password Change policy we created earlier.

Now when your mailbox users go to login to OWA, they will notice the change password setting is not available anymore.