How can we restore the settings in OWA 2007 to get them to work as they should with "Change password" after trying to implement IISADMPWD on the CAS-servers IIS?
We have an Exchange 2007 SP2 server (actually 2 servers, CAS, mailbox etc internal and Edge Hub in DMZ). The server works fine.
We decided to take on a new password policy in the organization and force password change by using "User must change password at next logon". There are a lot of consultants outside the company who only use Outlook RPC/https or webmail OWA. We asked them to change password through OWA, but when they try to log in they get "User or password incorrect". We searched for answers and found the
We tried to implement the IISADMPWD Virtual Directory, big mistake. Now, instead of getting the wrong user/password response, the HTTP 403 pops up (instead of the OWA window) if the user needs to change the password. If the user's password is OK, the OWA works fine.
We tried to delete the virtual directory IISADMPWD; the result is instead: "You are not authorized to view this page" if the user needs to change the password. If the user's password is OK, the OWA works fine.
Then I found this trick above which probably works with OWA 2007, but our settings are messed up. What can we do to restore the original OWA 2007 settings for "change
Here is the trick: after you have done all the hard work, you will have to reset IIS and make sure the Information Store service is restarted on the BE (back-end server) to get this working; otherwise you won't see the option to change password when you log into OWA.
There is one property in the metabase: PasswordChangeFlags. The default value in Windows 2003 (IIS 6.0) is 6. With the value set to 6 you cannot change the password in OWA when the user's password expires or "Change password at next logon" is selected.
You can run the command below on the server to check the value.
If everything is not working, but you are not getting "User must change password" / password expired, you have to run the scripts below to get it going on the FE servers. So click Run, cmd, and go to the "C:\Inetpub\AdminScripts" directory. Use the get script first; if you get "6" it means prompt for expired password is not allowed, so use the second script to set it to "0". After IISRESET, OWA will happily prompt you, your password expired and must be
C:\InetPub\AdminScripts> cscript adsutil.vbs get w3svc/PasswordChangeFlags
Set the value with the following command on the server:
C:\InetPub\AdminScripts> cscript adsutil.vbs set w3svc/PasswordChangeFlags 0