
OWA hangs when account set to "change password at next logon"

Hello,

We are experiencing an issue in our new exchange 2003 w2k3 environment.
When users try to login through OWA and their account is set to "user must
change password at next logon" they cannot login at all. The page tries to
load, but it does it very slowly and after about 10 minutes you get a
connection timed out error. I did a little more investigating on this and
determined that the same login will work fine and allow you to change the
password on w2k3 and w2ksp3 systems, but it will not work on winxp and w2ksp4
systems. Any ideas?
--
Thanks!!
Ranya


Hi.

Running Exchange 2003 and OWA.

We are running a password audit for our Active Directory. Some of them don't comply with the current password policy, so we need them to change their password at next logon.

Our users don't use their account to log on to the domain; instead they use the OWA interface mainly for their business. So we think it would be great if OWA could force those whose password doesn't comply with the current password policy to change their password on their next logon attempt.

We need to force those who don't comply with the password policy to change their password at next logon, because the password policy only applies when setting a new password or changing a password.
Initial tests indicate that setting "change password at next logon" for these flagged users in Active Directory prevents them from logging on to OWA.

To add some complexity to this, we use a third-party application to change the password, so if I get OWA to force them to change their password at the next logon attempt, they should be redirected to our password change application web site.

Am I asking for too much?
Hoping someone has implemented this before.

Thanks

Offtheboxuser

Hi everyone.

I am unable to make a user change his password in OWA 2003 when "user must change password at next logon" is checked in AD. In the normal situation, it works.
I have an Exchange 2003 SP2 back end, OWA 2003 front end and Active Directory 2003. On all servers I have Windows Server 2003 with SP2.

I have been running into this trouble for more than 2 weeks, and I am unable to make it work. I see a lot of posts about this problem on the net, but no clear solution. I tried to apply the WindowsServer2003-KB833734-v5-x86-FRA.exe KB, with no success, because I have SP2 installed. This patch is for SP1.

Please help me.

Thank you.

Albert

Environment is as follows:

Domain A - Domain B

Exchange & OWA server exist on domain B, while users authenticate via domain A.

I have setup the password change feature as we have users who access only mail. Everything works great with the exception of the 'force user to change password on next logon' option.

When we setup a new employee or reset a password we have a generic password and force the user to change the password on their first logon. OWA will not allow them to log on if this option is selected. It just keeps saying username or password is invalid.

Any suggestions? Thanks

I have Exchange 2003 running on a 2000 server and my users can successfully
change their password from the OWA interface. If I select the "user must
change password at next logon " in Active Directory Users and Computers they
get a prompt to change their password when they logon to owa and everything
works as it should. But from that point on if they try to change the
password again from owa they get the error number: -2147023569. I don't have
minimum password age set in the security policy so I'm not sure why this
would break it. Any thoughts? JD

When "User must change password at next logon" is selected the logon screen will keep flipping back to logon. This was an issue with Exchange 2003 and a virtual directory had to be created, and that worked fine.

I found instructions for Exchange 2010, but it's not working; below are the instructions.

HKLM\SYSTEM\CurrentControlSet\Services\MSExchange OWA
Create the following DWORD value if it does not already exist:
Value name: ChangeExpiredPasswordEnabled
Value type: REG_DWORD
Value data: 1
 
Then I did an iisreset on both CAS servers.
 
2 Windows 2008 R2 servers with Exchange 2010 SP1, connected with a Cisco hardware load balancer.
 
We are still co-existing with Exchange 2003 until all the mailboxes have been moved.

Hi,

I have implemented the IISPWDADM directory on Exchange 2007 server however,
it still doesn't work for users with "Change password at next logon" enabled.

Please help how can my users change password when I have selected "Change
password at next logon".

Regards
Neeraj Mehra

Hi. Can you NOT log into OWA in E2K or E2K3 if you have the "user must
change pword at next logon" checked? I thought you could...but cannot. Upon
hitting google, it looks as if other users are doing it, but we cannot. You
do have the ability to change passwords in OWA at this site.

Thanks!

I am having problems with the password changes for users that have been
moved over from our 2003 server to the new 2007 server.

When I set up a new user, or someone forgets their password, I reset
their password and set the “User must change password on next login”
option. When this flag is set, the user cannot login to OWA on the
exchange 2007 box. If I login to the old OWA (2003), I can change the
password, then login to the new OWA page. It’s happened on 2 test
accounts, and at least 3 live accounts I’ve changed the password on.

What's going on?

Synopsis:
Since I've started working at this job the OWA password feature for Exchange 2007 has never worked.  I need to get it up and running and would like to get my ducks in a row before I schedule maintenance to get this fixed.  I have laid out my entire problem below.  If anyone has any suggestions for how to fix this, or some kind of manual (IE: does m$ make man pages like unix/linux/etc,etc because KB/Technet  don't seem to help much?  Or can I just get the OWA source code so I can fix the problem myself?) so I can fix the source of the problem it would be much appreciated.

Server Specs:
1 Domain Controller running Windows Server 2003 R2 32bit Standard Edition w/SP2

1 Exchange Server running Windows Server 2003 64bit Standard Edition w/SP2
Exchange is running SP1 w/Rollup 9
This 1 Exchange server houses all of our roles.

I have only one domain setup on these servers so everything that comes back to the domain controller should default to the single domain that it runs.

The Problem:
I am unable to properly change passwords in OWA 2007.  There are 3 parts to this problem and I'm trying to get a better understanding of why some ways work and some don't.

1) If you log into OWA, choose options then change password I always receive the error "The password supplied does not meet the minimum security requirements".  Once every so often I can get the password to change, but I don't know what triggers it to suddenly want to work.

2) If I set the "Change password at next logon" flag the user will get a prompt when they log in to OWA that says something to the effect of "Your password will expire soon do you want to change it? yes/no".  If you choose yes then you can change your password.  This password prompt is the same one from the Change Password page and I don't see any reason why this one works over doing it in options.

3) The final method is if a user with the "Change password at next logon" flag does not change their password in time they are prompted with a simple IIS page that forces them to change their password.  The only way I can get the password to update from this screen is to type username@domain.com in the user name field.  If @domain.com is not at the end of the username then it will not update.  At this point I could get by with just this feature so if there is a way to tell IIS to specify a certain domain for authentication I think I could get by with this for now.

Possible Resolutions:
From what I've been reading there are a few different solutions to this that I've written down.  If anyone has fixed this with other methods let me know.

1) Make changes to the default minimum password age settings.
- Look at what policies are applied to the domain and OU's.
- Modify the minimum password age to be 0
- Set the accounts to be updated through OWA to password never expires.
- Reboot the domain controller because the password age policy is only read on startup?  Isn't this policy just a piece of the ldap DB? why would the system need to be rebooted?

2) Try re-registering the IIS password change DLLs:
regsvr32 C:\WINDOWS\system32\inetsrv\iisadmpwd\iispwchg.dll
iisreset /noforce

3) I've read some stuff about group policy replication between exchange and ldap.  Does anyone know anything about this?  I would think that because Exchange uses the ldap DB for everything it would be a direct connection, not something that it would replicate locally.  I know very little about this question so anything would help on this one. 

When a user logs in to OWA and they are required to change their password at
next login, how can I get our Domain Name to be automatically added to the
password change window?

Username: DOMAIN_NAME/username
Old Password:
New Password:
Confirm:

Thanks,

OWA (2003) change password feature works fine, except when the user account is set to change password at next logon. It gives this error Error number: -2147022675
I even tried to enter domain\username instead of just the username. It then gives this error: 2147023570
Knowledge base articles and eventid.net have not really helped yet.

Thanks.

Hello all

I am using MS Exchange 5.5 with SP6. I set my client to "must change his
password at next logon", but in MS Outlook 2000 he is unable to change his
password... any help?

thanks all..

Hi...We enable the OWA password with SSL, however, we realized that
when a user account is set to "must change the password at next logon",
the user is not able to logon to OWA.

How to solve this problem?

Is there a way to find out or set whether the AD account's password will
expire in 5 days?

BTW, we have Exchange 2003 SP1 under windows 2003 SP1.

thanks,
fshguo.
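The audit described in the posts above (finding accounts flagged "must change password at next logon", and spotting accounts whose password will expire within a few days) comes down to reading three AD values: the user's pwdLastSet and userAccountControl, and the domain's maxPwdAge. The block below is an added example, not code from this thread or from Microsoft; the attribute values are constructed inline and no directory query is performed, so you would feed it whatever your LDAP or PowerShell tooling returns.

```python
from datetime import datetime, timedelta, timezone

# Constructed example. Attribute values are assumed to have been read from AD
# (pwdLastSet and userAccountControl on the user, maxPwdAge on the domain).
DONT_EXPIRE_PASSWORD = 0x10000          # userAccountControl bit: "Password never expires"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000           # AD large integers count 100 ns intervals


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert an AD timestamp (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build sample values."""
    return ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def classify_password(pwd_last_set: int, uac: int, max_pwd_age: int,
                      now: datetime, warn_days: int = 5) -> dict:
    """Work out the password state OWA will see for one account.

    pwd_last_set == 0 is exactly the "User must change password at next logon"
    flag. max_pwd_age is the domain maxPwdAge: a NEGATIVE 100 ns interval,
    where 0 or -2**63 means the domain never expires passwords.
    """
    if pwd_last_set == 0:
        return {"state": "must-change-at-next-logon", "expires": None, "days_left": None}
    if uac & DONT_EXPIRE_PASSWORD or max_pwd_age in (0, -(2 ** 63)):
        return {"state": "never-expires", "expires": None, "days_left": None}
    expires = filetime_to_datetime(pwd_last_set - max_pwd_age)   # subtracting a negative
    days_left = (expires - now).total_seconds() / 86400
    if days_left <= 0:
        state = "expired"
    elif days_left <= warn_days:
        state = "expiring-soon"
    else:
        state = "ok"
    return {"state": state, "expires": expires, "days_left": days_left}


def audit_accounts(accounts, max_pwd_age: int, now: datetime, warn_days: int = 5) -> dict:
    """Map sAMAccountName -> state for (sam, pwdLastSet, userAccountControl) tuples."""
    return {sam: classify_password(pls, uac, max_pwd_age, now, warn_days)["state"]
            for sam, pls, uac in accounts}


# Constructed sample data: a 42-day domain password policy and four accounts.
SAMPLE_NOW = datetime(2009, 6, 15, 12, tzinfo=timezone.utc)
SAMPLE_MAX_PWD_AGE = -42 * 86400 * TICKS_PER_SECOND
SAMPLE_ACCOUNTS = [
    ("nurse01", 0, 0x200),                                                                      # flagged at creation
    ("nurse02", datetime_to_filetime(datetime(2009, 5, 7, 12, tzinfo=timezone.utc)), 0x200),    # 3 days left
    ("consultant", datetime_to_filetime(datetime(2009, 4, 1, 12, tzinfo=timezone.utc)), 0x200), # already expired
    ("svc_mail", datetime_to_filetime(datetime(2008, 1, 1, 12, tzinfo=timezone.utc)), 0x10200), # never expires
]

if __name__ == "__main__":
    for sam, state in audit_accounts(SAMPLE_ACCOUNTS, SAMPLE_MAX_PWD_AGE, SAMPLE_NOW).items():
        print(f"{sam:12} {state}")
```

Accounts reported as must-change-at-next-logon are the ones the posters above could not get into OWA; the expiring-soon set is what a 5-day warning would be sent to.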

Hopefully someone here can help me figure this one out.

I've set up owa so a user can change their password from the options screen (wouldn't work by default, since we migrated from Exch2003).  It works great, with the exception of new users.

Typical account policy is to create a new user with the "User must change password at next logon" option, but most of the users I create are owa only users.  They may never log on at a PC actually sitting on the network.

If I check that option when I create a new account, the user cannot log in.  I'm pretty sure this is because of the "time zone" page that pops up the first time you log into owa.  Once the person has logged into owa, I can then tick the box and they will have to change their password (in owa) within 24 hrs. 

If this was just a user or two, I'd log in and set their time zone so I could tick the box "must change password" box.  But we're talking about 50+ users at a pop. 

There is another issue I'm worried about.  Once the user has logged in, I can tick that box.  The next time they log in, they'll get a note on the top of their owa page that says something to the effect of "Your password will expire in 24 hours. Do you want to change it now?".  What happens after 24 hours?  Since they're owa only users, will they be locked out as in the case of the first log in?  I'm setting up a test account today to figure that out, but if someone could answer that today, I'd appreciate it.

Thanks in advance. 

Every time our users go to the OWA site they are prompted to change their password with the message "Your password has expired and must be changed. Please change your password now." I've verified that their LAN passwords have not expired or are near expiration. It goes away if I check "password never expires" in the AD account settings for the user account.

Anyone seen this problem and offer a solution?

Thanks

Hi,

How can we restore the settings in OWA 2007 to get them to work as they should with "Change password" after trying to implement IISADMPWD on the CAS servers' IIS?

Background
We have an Exchange 2007 SP2 server (actually 2 servers: CAS, mailbox etc. internal and Edge Hub in the DMZ). The server works fine.
We decided to take on a new password policy in the organization and force password change by using "User must change password at next logon". There are a lot of consultants outside the company who only use Outlook RPC/HTTPS or the OWA webmail. We asked them to change their password through OWA, but when they try to log in they get "User or password incorrect". We searched for answers and found the article
http://support.microsoft.com/?kbid=297121

We tried to implement the IISADMPWD virtual directory, big mistake. Now, instead of getting the wrong user/password response, an HTTP 403 pops up (instead of the OWA window) if the user needs to change the password. If the user's password is OK, OWA works fine.
We tried to delete the virtual directory IISADMPWD; the result is instead "You are not authorized to view this page" if the user needs to change the password. If the user's password is OK, OWA works fine.

Then I found this trick above which probably works with OWA 2007, but our settings are messed up. What can we do to restore the original OWA 2007 settings for "change password"?

==============
Here is the trick. After you have done all the hard work you will have to reset IIS and make sure the information store service is restarted on the BE (back end server) to get this working; otherwise you won't see the change password option when you log into OWA.
There is one property in the Metabase: PasswordChangeFlags. The default value in Windows 2003 (IIS 6.0) is 6. With the value set to 6 you cannot change the password in OWA when the user password expires or "Change password at next logon" is selected.
You can run the below command on the server to check the value.
If everything else is working, but you are not getting the "User must change password" / password expired prompt, you have to run the below scripts to get it going on the FE servers: click Run, type cmd, and go to the "C:\Inetpub\AdminScripts" directory. Use the get script first; if you get "6" it means the prompt for an expired password is not allowed, so use the second script to set it to "0". After IISRESET, OWA will happily prompt you with the "your password has expired and must be changed" window.
C:\InetPub\AdminScripts> cscript adsutil.vbs get w3svc/PasswordChangeFlags
Set the value with the following command on the server:
C:\InetPub\AdminScripts> cscript adsutil.vbs set w3svc/PasswordChangeFlags 0

==============

I installed the hotfix from kb 833734. I've also tried to follow the steps
found at kb 327843.

However, when I set an account to "change password at next logon" and go to
that account in OWA on a FE that's using forms based auth, it doesn't
redirect to the page for changing an expired password. However, if I direct
my browser to that page manually and fill in the form, it unexpires my
password just fine.

Is this how it's supposed to work? Shouldn't it detect that it's expired and
thus redirect me to the page for resetting my password?

Thanks.

I have read almost all the responses for changing passwords in OWA 2003 and
want to know how or if possible to change the password at logon, before OWA
actually loads. This may need to be looked at from the Active Directory side
also.

Reason: In a hospital environment where about 800 or more nurses need access
to email only on workstations that are already logged in with autologon
accounts. This part can't change. As we create this large group of accounts,
the default in Active Directory is to force the user to change password at
FIRST logon. These users will not need to logon onto the PC/Domain as
themselves except thru OWA 2003. Because of this, the logon to OWA 2003
doesn't work because user never gets a option to change password for the
domain.

Can anyone suggest a remedy for this situation? The nurses are all over and
work different shifts, and it is a logistical nightmare to try and get them
all to come in and log on to a PC to change the default password. Need another
set of eyes on this.

Thanks in advance.

I installed the hotfix from kb 833734. I've also tried to follow the steps
found at kb 327843.

However, when I set an account to "change password at next logon" and go to
that account in OWA on a FE that's using forms based auth, it doesn't
redirect to the page for changing an expired password. However, if I direct
my browser to that page manually and fill in the form, it unexpires my
password just fine.

Is this how it's supposed to work? Shouldn't it detect that it's expired and
thus redirect me to the page (http://mydomain.com/iisadmpwd/aexp3.asp) for
resetting my password?

Thanks.

Hi
I have installed Exchange Server 2000 in our company's network. I access Exchange via OWA; everything is fine except the change password option. When I click change password in options, the browser shows "page cannot be displayed" and asks for settings for SSL 2.0, SSL 3.0, TLS 1.0, PCT 1.0. I have enabled the same and set the browser security to LOW, but still it didn't work for me. If anyone has an idea, please let me know.
2. Is there any option to change the password for a mailbox at the client side using Outlook, like the option available for Windows login, i.e. "user must change password at first logon"?

Regards
Yakoob

Hi, I seem to have a problem with certain off-site users that are in our domain. Most of them are given an account with a generic password. They don't come into the office and need to use OWA.

For security we have forced them to change their password at next logon.
This is where the problem occurs...

For some reason none of them can access their mailboxes. But if I uncheck "required to change password at next logon" they can.

I could leave it off for all of them and get them to change their password in OWA, but not all of them will, and this will be a security risk that I don't want exploited.

Is there a way around this? Can Exchange apply the same force user to change password at next logon like AD can?

Thanks
