Configuring the Change Password Feature in Outlook Web App

Applies to: Exchange Server 2010

Topic Last Modified: 2010-01-27

The Change Password feature in Microsoft Office Outlook Web App enables domain users to change their password when they're using Outlook Web App. This topic discusses the Change Password feature and how it's implemented in Microsoft Exchange Server 2010.

Three types of Account policies are found in Windows Server 2008 or Windows Server 2003 domains: password policies, account lockout policies, and Kerberos authentication protocol policies. A single domain will have one of each of these policies. In Active Directory domains, you can apply one password and account lockout policy. This password is specified in the Default Domain Policy for the domain. The settings that are configured will apply to all users within the domain. This includes Outlook Web App users.

Password and account lockout settings protect accounts and data in your organization by preventing a person from guessing another user's account password. You can use the Account Lockout and Password Policy nodes of the Default Domain policy settings to configure the account lockout policies and password policy settings that will affect the Outlook Web App users in your Exchange organization and be enforced. Password policies include the following settings:

  • Password Complexity
  • Password History
  • Minimum Password Length
  • Maximum Password Age
  • Minimum Password Age

When you create a user account and mailbox-enable the user, the password policies and the settings on the user's account will be applied to the user. However, there are other user password settings that may also affect Outlook Web App users, such as User Must Change Password at First Logon and User Cannot Change Password.

By default, the domain password that's used by the user to access a Windows-based network is the same as the password that's used to access Outlook Web App. A user can change their domain password using a Web browser by using the Change Password feature within Outlook Web App.

Outlook Web App provides the functionality to change passwords that haven't expired yet. However, if a password has already expired or is required to be changed at the first sign-in, the password can't be changed via Outlook Web App.

For the user to be able to change their password using Outlook Web App, they must first sign in to Outlook Web App, then use Options > Settings > Password, to change their password.

If the user's password has expired, or if the user must change their password at first sign-in and forms-based authentication is used, the user will be returned to the sign-in page and the following error message will be displayed: The user name or password you entered isn't correct. Try entering it again. The user will have to contact their administrator to have their password reset. When the password is reset, the User must change password at next logon check box must be cleared (unchecked).

If forms-based authentication isn't used for OWA, the user is returned to the sign-in window with no error.

An Outlook Web App user can use the Change Password feature in the following cases:

  • To change their password after they've signed in to their mailbox using Outlook Web App
  • To change their password if their password will expire within a given time period
    When Basic authentication or forms-based authentication is used with Outlook Web App, the Change Password feature may not work correctly when a user uses a password that includes extended ASCII or Unicode characters. This happens because passwords that use extended ASCII or Unicode characters aren't transmitted correctly between IIS and some Web browsers. It's recommended that Outlook Web App users use only ASCII characters if they'll be using the Change Password feature in Outlook Web App.

By default, the Change Password feature is implemented when you use both Exchange 2010 Client Access and Mailbox servers in your Exchange organization. It requires no additional configuration.

You can enable or disable the Change Password feature for a single user by configuring the user's mailbox, or for multiple users by configuring the /owa virtual directory or another virtual directory that's used for Outlook Web App. You can enable or disable the Change Password feature by using segmentation. For more information about segmentation in Outlook Web App, see Configure Segmentation in Outlook Web App.