Configuring the Change Password Feature in Outlook Web App - Exchange Server 2010 SP2
The Change Password feature in Microsoft Office Outlook Web App enables domain users to change their password when they're using Outlook Web App. This topic discusses the Change Password feature and how it's implemented in Microsoft Exchange Server 2010.
Password Overview
Three types of Account policies are found in Windows Server 2008 or Windows Server 2003 domains: password policies, account lockout policies, and Kerberos authentication protocol policies. A single domain will have one of each of these policies. In Active Directory domains, you can apply one password and account lockout policy. This password is specified in the Default Domain Policy for the domain. The settings that are configured will apply to all users within the domain. This includes Outlook Web App users.
Password and account lockout settings protect accounts and data in your organization by preventing a person from guessing another user's account password. You can use the Account Lockout and Password Policy nodes of the Default Domain policy settings to configure the account lockout policies and password policy settings that will affect the Outlook Web App users in your Exchange organization and be enforced. Password policies include the following settings:
Password and account lockout settings protect accounts and data in your organization by preventing a person from guessing another user's account password. You can use the Account Lockout and Password Policy nodes of the Default Domain policy settings to configure the account lockout policies and password policy settings that will affect the Outlook Web App users in your Exchange organization and be enforced. Password policies include the following settings:
- Password Complexity
- Password History
- Minimum Password Length
- Maximum Password Age
- Minimum Password Age
Change Password Feature in Outlook Web App By default, the domain password that's used by the user to access a Windows-based network is the same as the password that's used to access Outlook Web App. A user can change their domain password using a Web browser by using the Change Password feature within Outlook Web App.
Outlook Web App provides the functionality to change passwords that haven't expired yet. However, if a password has already expired or is required to be changed at the first sign-in, the password can't be changed via Outlook Web App unless you make a configuration change on the Client Access server to enable changing expired passwords.
If you don't enable changing expired passwords, a user whose password must be changed will have to contact their administrator to have their password reset. When the password is reset, the administrator must clear the User must change password at next logon check box.
If you haven't enabled changing expired passwords and are using forms-based authentication, a user who must change their password will be returned to the sign-in page, and the following error message will be displayed: The user name or password you entered isn't correct. Try entering it again. If forms-based authentication isn't used for Outlook Web App, the user will be returned to the sign-in window but won't see any error message.
Important:
You can enable or disable the Change Password feature for a single user by configuring the user's mailbox, or for multiple users by configuring the /owa virtual directory or another virtual directory that's used for Outlook Web App. You can enable or disable the Change Password feature by using segmentation. For more information, see Configure Segmentation in Outlook Web App.
Outlook Web App provides the functionality to change passwords that haven't expired yet. However, if a password has already expired or is required to be changed at the first sign-in, the password can't be changed via Outlook Web App unless you make a configuration change on the Client Access server to enable changing expired passwords.
If you don't enable changing expired passwords, a user whose password must be changed will have to contact their administrator to have their password reset. When the password is reset, the administrator must clear the User must change password at next logon check box.
If you haven't enabled changing expired passwords and are using forms-based authentication, a user who must change their password will be returned to the sign-in page, and the following error message will be displayed: The user name or password you entered isn't correct. Try entering it again. If forms-based authentication isn't used for Outlook Web App, the user will be returned to the sign-in window but won't see any error message.
Important: | When Basic authentication or forms-based authentication is used with Outlook Web App, the Change Password feature may not work correctly when a user uses a password that includes extended ASCII or Unicode characters. This happens because passwords that use extended ASCII or Unicode characters aren't transmitted correctly between IIS and some Web browsers. We recommend that Outlook Web App users use only ASCII characters if they'll be using the Change Password feature in Outlook Web App. |
Enable Users to Change Expired Passwords You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Outlook Web App Registry Editor" entry in the Client Access Permissions topic.
Caution:
Caution: | Incorrectly editing the registry can cause serious problems that may require you to reinstall your operating system. Problems resulting from editing the registry incorrectly may not be able to be resolved. Before editing the registry, back up any valuable data. |
- Log on to the Client Access server.
- Start Registry Editor (regedit).
- Locate the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchange OWA.
- Create the following DWORD value if it doesn't already exist: ChangeExpiredPasswordEnabled. The value type will be REG_DWORD.
- Set the value of ChangeExpiredPasswordEnabled to 1.
- Exit Registry Editor.
Configure Segmentation in Outlook Web App
Segmentation lets you enable and disable many features in Outlook Web App. You can manage segmentation using the EMC or the Shell.
By default, segmentation changes take effect after 60 minutes of inactivity for users who are signed in to Outlook Web App, or when a user signs in to Outlook Web App. To force the changes to take effect immediately, restart Internet Information Services (IIS) by running the command
Looking for other advanced management tasks for Outlook Web App? Check out Managing Outlook Web App Advanced Features.
http://technet.microsoft.com/en-us/library/bb684904.aspx
http://technet.microsoft.com/en-us/library/bb123962.aspx
http://blogs.catapultsystems.com/tharrington/archive/2010/08/29/exchange-2010-sp1-password-reset-tool.aspx
By default, segmentation changes take effect after 60 minutes of inactivity for users who are signed in to Outlook Web App, or when a user signs in to Outlook Web App. To force the changes to take effect immediately, restart Internet Information Services (IIS) by running the command
iisreset/noforce on the Client Access server.Looking for other advanced management tasks for Outlook Web App? Check out Managing Outlook Web App Advanced Features.
Use the EMC to configure Outlook Web App segmentation
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Outlook Web App virtual directories" entry in the Client Access Permissions topic.- In the console tree, navigate to Server Configuration > Client Access.
- In the work pane, select the server that hosts the Outlook Web App virtual directory you want to modify.
- From the work pane, on the Outlook Web App tab, select owa (Default Web Site), and then, in the action pane, click Properties.
- On the owa (Default Web Site) Properties page, click the Segmentation tab.
- The Segmentation window provides a list of features for Outlook Web App that you can enable or disable for all users.
- To enable or disable a feature for Outlook Web App for all users, select a feature, and then click Enable or Disable.
- The status for all features is displayed in the center section in the Segmentation window.
http://technet.microsoft.com/en-us/library/bb684904.aspx
http://technet.microsoft.com/en-us/library/bb123962.aspx
http://blogs.catapultsystems.com/tharrington/archive/2010/08/29/exchange-2010-sp1-password-reset-tool.aspx
Không có nhận xét nào:
Đăng nhận xét