Saturday, October 11, 2008

Enabling Domain Password Changes in OWA 2003

Problem(s) Addressed:
  • Users of Outlook Web Access do not receive notification of soon-to-expire or expired passwords and lack the ability to securely change their domain password without VPN technology.
  • Outlook Web Access no longer displays the ‘Gold Bar’ notification of expiring passwords.

Solutions Presented:

Step 1) Enable Password Change Button within the OWA Options
Step 2) Configure OWA to handle already expired passwords or requirements to change password on next login
Step 3) Enable ‘Gold-Bar’ notification within OWA

Step 1) Enabling the Password Change Button within OWA Options:
1. In Administrative Tools, open Internet Services Manager (IIS)
2. Right-click the Default Web Site and create a new virtual directory
3. Follow the creation wizard using IISADMPWD in the alias box
4. In the directory box, type c:\winnt\system32\inetsrv\iisadmpwd and then click Next
5. Verify that only the ‘Read’ and ‘Run Scripts’ check boxes are selected, then click Next and Finish
6. Right-click the new virtual directory, verify that it has only Basic authentication (default), and change the application pool to ExchangeApplicationPool
7. Start Registry Editor (regedit) and browse to HKLM\System\CurrentControlSet\Services\MSExchangeWeb.
8. Find the OWA key or create a new key ‘OWA’ if one does not exist
9. Locate the DisablePassword value and change its data to 0. If the value is not present, create a new DWORD value named DisablePassword and set it to 0
10. Stop and restart IIS (interrupts OWA service)

Step 2) Configuring OWA to handle expired passwords or password change requirements:
If you are not running Windows 2003 SP1, you must apply the 833734 hotfix to handle accounts with already expired passwords. After applying the hotfix:
1. Open a command prompt and type regsvr32 c:\windows\system32\inetsrv\iisadmpwd\iispwchg.dll
2. Change directory to C:\inetpub\AdminScripts
3. Type cscript.exe adsutil.vbs set w3svc/passwordchangeflags 0 (Enables password change through SSL connection)
4. Type cscript.exe adsutil.vbs set w3svc/PasswordExpirePreNotifyDays 0 (Delays password expiration notifications until password is expired)
5. Stop and restart IIS (interrupts OWA service)
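
A quick way to confirm the registry and metabase values set in Steps 1 and 2, as an added example that is not part of the original post. It assumes the paths used above and that adsutil.vbs prints values in its usual "name : (INTEGER) value" form; run it from a command prompt on the OWA server.

```bat
@echo off
rem Added example: verify the OWA password-change settings from Steps 1 and 2.
rem Assumes adsutil.vbs is in C:\inetpub\AdminScripts, as in the steps above.
setlocal
set FAIL=0
set ADSUTIL=C:\inetpub\AdminScripts\adsutil.vbs

rem Step 1: DisablePassword must exist under the OWA key and be 0.
reg query "HKLM\System\CurrentControlSet\Services\MSExchangeWeb\OWA" /v DisablePassword 2>nul | find "0x0" >nul
call :report "Registry value DisablePassword is 0"

rem Step 2: both metabase properties must be 0.
rem PasswordChangeFlags 0 = password change goes through an SSL connection.
call :metabase PasswordChangeFlags
call :metabase PasswordExpirePreNotifyDays

if %FAIL%==0 echo All checked settings match the procedure.
exit /b %FAIL%

:metabase
rem A property that was never set prints an error instead of a value,
rem so a missing property is reported as a failure too.
cscript //nologo "%ADSUTIL%" get w3svc/%1 2>nul | find "(INTEGER) 0" >nul
call :report "Metabase property w3svc/%1 is 0"
goto :eof

:report
rem ERRORLEVEL still holds the result of the find command run just before the call.
if errorlevel 1 (
  echo [FAIL] %~1
  set FAIL=1
) else (
  echo [ OK ] %~1
)
goto :eof
```

The script exits with 0 when all three values are as configured above and 1 otherwise, so it can be rerun after each IIS restart or patch.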

Step 3) Enable the Golden Bar expiration notification within OWA:
1. Open the Active Directory Schema MMC and note the Operations Master Role
2. Use the ADSIEdit tool, choose Connect To, and choose Schema as the naming context, making sure you are connecting to the Operations Master server identified above.
3. Expand the Schema container, making sure all attributes are displayed.
4. Find the attribute named PwdLastSet (cn=Pwd-Last-Set) and select Properties.
5. In the list, find isMemberOfPartialAttributeSet and change this to True. Choose OK.

The Purpose Driven Blog

I've tried a blog before....four posts in and it was an utter failure (probably because those four posts occurred over several months and consisted of the words 'Test' and 'This is my first blog post'). The problem was purpose. As life has gotten busier I have found myself forgetting the day to day IT solutions that I, or my company, have developed or embraced. This is rather unfortunate as I've had a wide variety of IT experiences. So, this blog intends to be somewhat of a personal wiki...a living resource where I can reference the cool things I've found, learned, or developed. Whether it is useful for someone else is something I can only hope for but realize that I'm one of approximately one hundred gagillion blogs by IT guys (and gals) talking about the stuff we do.

I hope to include commentary and thoughts on some of my passions and unique perspectives on the business of IT...namely how business can/should adopt new technologies, or at a minimum, adopt Web 2.0 concepts such as hive intelligence, user generated content, social collaboration, transparency, and open source initiatives to gain competitive advantage in IT, Marketing, Brand Development, etc.

Every now and then, if I find something particularly humorous and indicative of my personality, passion, or sense of humor, I reserve the right to post it.