OWA 2003 - Default Domain for Change Password at next Logon


When a user logs in to OWA and they are required to change their password at
next login, how can I get our Domain Name to be automatically added to the
password change window?

Username: DOMAIN_NAME/username
Old Password:
New Password:
Confirm:

Thanks,





Hi everyone.

I am unable to make a user change his password in OWA 2003 when the box "user must change password at next logon" is checked in AD. In the normal situation, it works.
I have an Exchange 2003 SP2 back end, an OWA 2003 front end and Active Directory 2003. On all servers I have Windows 2003 Server with SP2.

I have been running into this trouble for more than 2 weeks, and I am unable to make it work. I see a lot of posts about this problem on the net, but no clear solution. I tried to apply the WindowsServer2003-KB833734-v5-x86-FRA.exe KB, with no success, because I have SP2 installed. This patch is for SP1.

Please help me.

Thank you.

Albert




Hi.

Running Exchange 2003 and OWA.

We are running a password audit for our Active Directory. Some of the passwords don't comply with the current password policy, so we need those users to change their password at next logon.

Our users don't use their account to log on to the domain; instead they mainly use the OWA interface for their business. So we think it would be great if OWA could force those whose passwords don't comply with the current password policy to change their password on their next logon attempt.

We need to force those who don't comply with the password policy to change their password at next logon because the password policy only applies when setting a new password or changing a password.
Initial tests indicate that setting "change password at next logon" for these flagged users in Active Directory prevents them from logging in to OWA.

To add some complexity to this, we use a third-party application to change the password, so if I get OWA to force them to change their password at the next logon attempt, they should be redirected to our password change application web site.

Am I asking for too much?
Hoping someone has implemented this before.

Thanks

Offtheboxuser




I have Exchange 2003 running on a 2000 server and my users can successfully
change their password from the OWA interface. If I select the "user must
change password at next logon " in Active Directory Users and Computers they
get a prompt to change their password when they logon to owa and everything
works as it should. But from that point on if they try to change the
password again from owa they get the error number: -2147023569. I don't have
minimum password age set in the security policy so I'm not sure why this
would break it. Any thoughts? JD




Hello,

We are experiencing an issue in our new exchange 2003 w2k3 environment.
When users try to login through OWA and their account is set to "user must
change password at next logon" they cannot login at all. The page tries to
load, but it does it very slowly and after about 10 minutes you get a
connection timed out error. I did a little more investigating on this and
determined that the same login will work fine and allow you to change the
password on w2k3 and w2ksp3 systems, but it will not work on winxp and w2ksp4
systems. Any ideas?
--
Thanks!!
Ranya




When "User must change password at next logon" is selected the logon screen will keep flipping back to logon. This was an issue with Exchange 2003 and a Virtual Directory had to be created, and that worked fine.

I found instructions for Exchange 2010 but they are not working; below are the instructions.

HKLM\SYSTEM\CurrentControlSet\Services\MSExchange OWA
Create the following DWORD value if it does not already exist:
Value name: ChangeExpiredPasswordEnabled
Value type: REG_DWORD
Value data: 1

Then I did an iisreset on both CAS servers.

2 windows 2008R2 servers with exchange 2010 sp1, connected with a cisco hardware load balancer.

We are still currently coexisting with Exchange 2003 until all the mailboxes have been moved.
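
The registry check described in the post above, as an added example that is not part of the original post: it reads `ChangeExpiredPasswordEnabled` on each CAS and reports whether the value exists with the right type and data, since behind a load balancer every CAS has to carry the same setting. The server names `CAS01`/`CAS02`, the function names and the `$Remediate` switch are assumptions, and PowerShell remoting is assumed to be enabled on the servers.

```powershell
# Added example: audit ChangeExpiredPasswordEnabled on every CAS behind the load balancer.
$CasServers = @('CAS01', 'CAS02')   # assumption: placeholder names, replace with your own
$KeyPath    = 'SYSTEM\CurrentControlSet\Services\MSExchange OWA'
$ValueName  = 'ChangeExpiredPasswordEnabled'
$Remediate  = $false                # assumption: opt-in switch, report only by default

function Get-OwaExpiredPwdSetting {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $KeyPath, $ValueName -ScriptBlock {
        param($KeyPath, $ValueName)
        $state = 'KeyMissing'; $kind = $null; $data = $null
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($KeyPath)
        if ($key) {
            $data = $key.GetValue($ValueName, $null)
            if ($null -eq $data) {
                $state = 'ValueMissing'
            } else {
                # A string value "1" looks right in regedit but is not a DWORD.
                $kind = $key.GetValueKind($ValueName)
                if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) { $state = 'WrongType' }
                elseif ($data -eq 1) { $state = 'Enabled' }
                else { $state = 'Disabled' }
            }
            $key.Close()
        }
        New-Object PSObject -Property @{
            Server = $env:COMPUTERNAME; State = $state; Kind = "$kind"; Data = $data
        }
    }
}

function Enable-OwaExpiredPwdChange {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $KeyPath, $ValueName -ScriptBlock {
        param($KeyPath, $ValueName)
        # -Force overwrites an existing value, including one created with the wrong type.
        New-ItemProperty -Path "HKLM:\$KeyPath" -Name $ValueName -Value 1 `
            -PropertyType DWord -Force | Out-Null
        iisreset    # the post restarts IIS after the change
    }
}

$report = Get-OwaExpiredPwdSetting -ComputerName $CasServers
$report | Select-Object Server, State, Kind, Data | Format-Table -AutoSize

# 'KeyMissing' is left alone: the OWA service key is absent, so the server is not a CAS.
$fixable = 'ValueMissing', 'WrongType', 'Disabled'
$needFix = @($report | Where-Object { $fixable -contains $_.State } |
             ForEach-Object { $_.Server })
if ($Remediate -and $needFix.Count -gt 0) {
    Enable-OwaExpiredPwdChange -ComputerName $needFix
}
```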




Hi,

I have implemented the IISPWDADM directory on Exchange 2007 however, it
still doesn't work for users with "Change password at next logon" enabled.

Regards
Neeraj Mehra




Hi. Can you NOT log into OWA in E2K or E2K3 if you have the "user must
change pword at next logon" checked? I thought you could...but cannot. Upon
hitting google, it looks as if other users are doing it, but we cannot. You
do have the ability to change passwords in OWA at this site.

Thanks!




Hi,

I have implemented the IISPWDADM directory on Exchange 2007 server however,
it still doesn't work for users with "Change password at next logon" enabled.

Please help how can my users change password when I have selected "Change
password at next logon".

Regards
Neeraj Mehra




I am having problems with the password changes for users that have been
moved over from our 2003 server to the new 2007 server.

When I set up a new user, or someone forgets their password, I reset
their password and set the "User must change password on next login"
option. When this flag is set, the user cannot login to OWA on the
exchange 2007 box. If I login to the old OWA (2003), I can change the
password, then login to the new OWA page. It's happened on 2 test
accounts, and at least 3 live accounts I've changed the password on.

What's going on?




Environment is as follows:

Domain A - Domain B

Exchange & OWA server exist on domain B, while users authenticate via domain A.

I have setup the password change feature as we have users who access only mail. Everything works great with the exception of the 'force user to change password on next logon' option.

When we setup a new employee or reset a password we have a generic password and force the user to change the password on their first logon. OWA will not allow them to log on if this option is selected. It just keeps saying username or password is invalid.

Any suggestions? Thanks




OWA (2003) change password feature works fine, except when the user account is set to change password at next logon. It gives this error: Error number: -2147022675
I even tried to enter in the domain\username instead of just the username. It then gives this error: 2147023570
Knowledge base articles and eventid.net have not really helped yet.

Thanks.




Hello all

I am using MS Exchange 5.5 with SP6. I set my client so he must change his
password at next logon, but in MS Outlook 2000 he is unable to change his
password... any help...

thanks all..




Synopsis:
Since I've started working at this job the OWA password feature for Exchange 2007 has never worked. I need to get it up and running and would like to get my ducks in a row before I schedule maintenance to get this fixed. I have laid out my entire problem below. If anyone has any suggestions for how to fix this, or some kind of manual (IE: does m$ make man pages like unix/linux/etc,etc because KB/Technet don't seem to help much? Or can I just get the OWA source code so I can fix the problem myself?) so I can fix the source of the problem it would be much appreciated.

Server Specs:
1 Domain Controller running Windows Server 2003 R2 32bit Standard Edition w/SP2

1 Exchange Server running Windows Server 2003 64bit Standard Edition w/SP2
Exchange is running SP1 w/Rollup 9
This 1 Exchange server houses all of our roles.

I have only one domain setup on these servers so everything that comes back to the domain controller should default to the single domain that it runs.

The Problem:
I am unable to properly change passwords in OWA 2007. There are 3 parts to this problem and I'm trying to get a better understanding of why some ways work and some don't.

1) If you log into OWA, choose options then change password I always receive the error "The password supplied does not meet the minimum security requirements". Once every so often I can get the password to change, but I don't know what triggers it to suddenly want to work.

2) If I set the "Change password at next logon" flag the user will get a prompt when they log in to OWA that says something to the effect of "Your password will expire soon do you want to change it? yes/no". If you choose yes then you can change your password. This password prompt is the same one from the Change Password page and I don't see any reason why this one works over doing it in options.

3) The final method is if a user with the "Change password at next logon" flag does not change their password in time they are prompted with a simple IIS page that forces them to change their password. The only way I can get the password to update from this screen is to type username@domain.com in the user name field. If @domain.com is not at the end of the username then it will not update. At this point I could get by with just this feature so if there is a way to tell IIS to specify a certain domain for authentication I think I could get by with this for now.

Possible Resolutions:
From what I've been reading there are a few different solutions to this that I've written down. If anyone has fixed this with other methods let me know.

1) Make changes to the default minimum password age settings.
- Look at what policies are applied to the domain and OU's.
- Modify the minimum password age to be 0
- Set the accounts to be updated through OWA to password never expires.
- Reboot the domain controller because the password age policy is only read on startup? Isn't this policy just a piece of the ldap DB? Why would the system need to be rebooted?

2) Try re-registering the IIS password change DLLs:
regsvr32 C:\WINDOWS\system32\inetsrv\iisadmpwd\iispwchg.dll
iisreset /noforce

3) I've read some stuff about group policy replication between exchange and ldap. Does anyone know anything about this? I would think that because Exchange uses the ldap DB for everything it would be a direct connection, not something that it would replicate locally. I know very little about this question so anything would help on this one.




Hi...We enable the OWA password with SSL, however, we realized that
when a user account is set to "must change the password at next logon",
the user is not able to logon to OWA.

How to solve this problem?

Is there a way to find out or set the AD account in 5 days the password
will be expired?

BTW, we have Exchange 2003 SP1 under windows 2003 SP1.

thanks,
fshguo.




Hi,

I have identified serious problems for password policy with an "Exchange hosted system" style Exchange 2007 setup. We are not a hosting provider, but have this style setup in that our users are all remote users connecting via OWA (Outlook Web Access) and OA (Outlook Anywhere), and are never on the domain or LAN/VPN.

The first problem is that when a user's password expires, via group policy or because someone ticks "User must change password at next logon", the user is prompted to change it in Outlook when they next connect via OA. This is apparently not possible via OA because the password change is unsuccessful and an error message occurs. This is not ideal, but it is bearable because the user can then log in via OWA and change the password there.

The second problem is that if a user's password expires, via group policy or because an administrator ticks "User must change password at next logon", the user cannot logon to OWA unless they have previously done so at least once before their password expired! For example, a user can use OA for 3 months but never log onto OWA, then their password expires, and they are stuck, unable to logon to OA or OWA.

The third problem, which is basically an inevitable consequence of the second problem, is that if you create a user and tick "User must change password on first logon" then the user is unable to login to either OA or OWA.

This all adds up to a not-very-ideal situation.

When I create users I want to give them a password and force them to change it immediately via OWA. Normally the "User must change password on first logon" box would be perfect for this, but it doesn't work as described in the third problem above. How can I possibly achieve this?

In case you were thinking about the SDK: The Exchange SDK for 2003 and also the Exchange 2007 beta2 SDK feature scripts that tried to create a user and then log onto owa automatically for you, but the script doesn't work under 2007. That might be why it was removed from the final Exchange 2007 April SDK (?)

Sorry for the long post but I wanted to explain the full situation. Can anyone please offer any help?

Thanks,
John




Hi,

How can we restore the settings in OWA 2007 to get them to work as they should with "Change password" after trying to implement IISADMPWD on the CAS-servers IIS?

Background
We have an Exchange 2007 SP2 server (actually 2 servers, CAS, mailbox etc internal and Edge Hub in DMZ). The server works fine.
We decided to take on a new password policy in the organization and force password change by using "User must change password at next logon". There are a lot of consultants outside the company who only use Outlook RPC/https or webmail OWA. We asked them to change password through OWA, but when they try to login they got the "User or password incorrect". We searched for answers and found the article
http://support.microsoft.com/?kbid=297121

We tried to implement the IISADMPWD Virtual Directory, big mistake. Now, instead of getting the wrong user/password response, the http 403 pops up (instead of the OWA window) if the user needs to change the password. If the user's password is OK, the OWA works fine.
We tried to delete the virtual directory IISADMPWD, the result is instead: "You are not authorized to view this page" if the user needs to change the password. If the user's password is OK, the OWA works fine.

Then I found this trick above which probably works with OWA 2007, but our settings are messed up. What can we do to restore the original OWA 2007 settings for "change password"?

==============
Here is the trick: after you have done all the hard work you will have to reset IIS and make sure the information store service is restarted on the BE (back end server) to get this working, otherwise you won't see the option change password when you log into OWA.
There is one property in MetaBase: PasswordChangeFlags. The default value in Windows 2003 (IIS 6.0) is 6 (PasswordChangeFlags Metabase Property). With the value set to 6 you cannot change the password in OWA when the user password expires/Change password at next logon is selected.
You can run the below command on the server to check the value.
If everything is not working, but you are not getting "User must Change password" password expired, you have to run below scripts to get it going on the FE servers, so click Run, cmd, and go to the "C:\Inetpub\AdminScripts" directory. Use the get script first; if you get "6" it means prompt for expired password is not allowed, so use the second script to set it to "0". After IISRESET, OWA will happily prompt you with the "your password expired and must be changed" window.
C:\InetPub\AdminScripts> cscript adsutil.vbs get w3svc/PasswordChangeFlags
Set the value by following command on the server:
C:\InetPub\AdminScripts> cscript adsutil.vbs set w3svc/PasswordChangeFlags 0

==============




Hopefully someone here can help me figure this one out.

I've set up owa so a user can change their password from the options screen (wouldn't work by default, since we migrated from Exch2003). It works great, with the exception of new users.

Typical account policy is to create a new user with the "User must change password at next logon" option, but most of the users I create are owa only users. They may never log on at a PC actually sitting on the network.

If I check that option when I create a new account, the user cannot log in. I'm pretty sure this is because of the "time zone" page that pops up the first time you log into owa. Once the person has logged into owa, I can then tick the box and they will have to change their password (in owa) within 24 hrs.

If this was just a user or two, I'd log in and set their time zone so I could tick the box "must change password" box. But we're talking about 50+ users at a pop.

There is another issue I'm worried about. Once the user has logged in, I can tick that box. The next time they log in, they'll get a note on the top of their owa page that says something to the effect of "Your password will expire in 24 hours. Do you want to change it now?". What happens after 24 hours? Since they're owa only users, will they be locked out as in the case of the first log in? I'm setting up a test account today to figure that out, but if someone could answer that today, I'd appreciate it.

Thanks in advance.