
Registry hack lets OWA users reset their passwords


All it takes is this simple registry hack to give users with expired
passwords access to their OWA accounts.






By Brien Posey

Published: 22 Nov 2010

Most Exchange Server administrators probably don’t spend much time
thinking about resetting passwords, possibly because there’s nothing overly
complex about the process involved. Still, problems do occur, especially when
Outlook Web Access passwords expire. Editing the registry lets users fix this
problem themselves -- without having to call the help desk.

If a user’s password has expired, OWA won’t let him log on or give him a
chance to change his password -- even after the Exchange Server 2010 SP1
rollup. In Figure 1, you’ll notice that when a user with an expired password
attempts to log into Outlook Web App, Exchange denies the user access and
produces a misleading error message. Instead of informing the user that his
password has expired, OWA states that the user has entered either his
username or password incorrectly.

Figure 1. OWA does not actually inform the user that his password has
expired.

Depending on which version of Exchange you’re running, you can solve this
problem using a registry hack. When Microsoft released Exchange Server
2007 SP3, it included an option to allow users to reset passwords from
the OWA logon screen.

Since then, Microsoft disabled this option and designed OWA to enable the
password-changing functionality only through the following registry hack.
Microsoft did eliminate this functionality in the RTM release of Exchange
Server 2010, but brought it back in Exchange 2010 SP1.

Warning: Before I explain the registry hack, remember that editing your
registry can be dangerous. Be sure to make a full backup of your client access
server (CAS) before attempting the hack.

Performing the registry hack to enable password resets


Open the Registry Editor on your CAS and navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchange OWA

Then create a new DWORD value. The Registry Editor will ask
if you want to create a 32-bit or a 64-bit DWORD value. Even though
Exchange Server 2010 is a 64-bit application, you must create a 32-bit
DWORD value for this method to work.

Name the new DWORD value ChangeExpiredPasswordEnabled (Figure 2)
and assign it a value of 1. If you ever want to disable this hack, you can either
delete this registry entry or change the value to 0.

Figure 2. To enable the registry hack, create a 32-bit DWORD value and
name it ChangeExpiredPasswordEnabled.

After you create the registry entry, you’ll need to either reboot your CAS or
reset IIS. To reset IIS, open a command prompt window and enter the
following command: IISRESET /NoForce (Figure 3).

Figure 3. To apply the registry entry, reset IIS using the
IISRESET /NoForce command.
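
The registry steps above as a PowerShell script for the CAS, added here as an example and not part of the original article. The -Enabled and -BackupDir parameters and the export file name are assumptions; the key export it takes does not replace the full CAS backup the warning calls for.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article. Parameter names are assumptions.
param(
    [ValidateSet(0, 1)][int]$Enabled = 1,   # 1 = allow expired-password change, 0 = turn it off
    [string]$BackupDir = $env:TEMP          # assumption: folder that receives the key export
)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA'
$regPath   = $keyPath -replace '^HKLM:', 'HKLM'   # form that reg.exe expects
$valueName = 'ChangeExpiredPasswordEnabled'

if (-not (Test-Path -LiteralPath $keyPath)) {
    throw "Key not found: $keyPath. Run this on the client access server."
}

# Export the key first so the change can be rolled back with 'reg import'.
$backup = Join-Path $BackupDir ('MSExchangeOWA-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export $regPath $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg export failed; nothing was changed.' }

# Read the current data and type; GetValueKind throws if the value is absent.
$key     = Get-Item -LiteralPath $keyPath
$current = $key.GetValue($valueName, $null)
$kind    = if ($null -ne $current) { $key.GetValueKind($valueName) } else { $null }

if ($current -eq $Enabled -and $kind -eq 'DWord') {
    Write-Output "$valueName is already $Enabled (32-bit DWORD); IIS not reset."
    return
}

# -Force replaces an existing value, including one created as a 64-bit QWORD,
# which the article says does not work.
New-ItemProperty -LiteralPath $keyPath -Name $valueName `
    -PropertyType DWord -Value $Enabled -Force | Out-Null

# Confirm what is actually stored before restarting anything.
$key = Get-Item -LiteralPath $keyPath
if ($key.GetValueKind($valueName) -ne 'DWord' -or $key.GetValue($valueName) -ne $Enabled) {
    throw "Verification failed; restore from $backup."
}
Write-Output "Set $valueName = $Enabled (was: $current). Backup: $backup"

# /noforce stops IIS gracefully and gives up rather than killing busy services.
& iisreset.exe /noforce
if ($LASTEXITCODE -ne 0) {
    Write-Warning 'iisreset /noforce did not complete; retry in a quiet period or reboot the CAS.'
}
```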

Once you’ve reset the server, users with expired passwords will be allowed to
access OWA. If a user with an expired password attempts to log into OWA,
the system will display a screen giving him the opportunity to reset his
password and use OWA (Figure 4).

Figure 4. Users can reset their expired Outlook Web Access passwords.

ABOUT THE AUTHOR


Brien M. Posey, MCSE, is a seven-time Microsoft MVP for his work with
Windows 2000 Server, Exchange Server and IIS. He has served as CIO for a
nationwide chain of hospitals and was once in charge of IT security for Fort
Knox. For more information visit www.brienposey.com.
