27 October 2014

Exchange 2013 Password Reset Tool

Just like in Exchange 2010 there is a password reset tool, but it's not enabled by default.
See my previous post here.

In Exchange 2013 the same option is present, but it is enabled by changing a registry value.

From Petri.com comes the following excellent post:

The configuration to allow users to change their expired passwords involves:
  • Setting the appropriate registry key on your Exchange 2013 CAS Servers
  • Configuring settings within IIS on your Exchange 2013 CAS Servers
  • Configuring correct password policy on AD domain level
The following example moves through these three steps in more detail. Imagine a default non-admin mailbox user whose password setting has been configured to “Change password at next logon”. This is the default setting for newly-created users in most organizations. The setting is also valid when a user’s password has expired.

1. Set appropriate registry key on the Exchange 2013 CAS Servers

This registry key is not terribly different from Exchange 2010.
1) Open your Registry Editor (regedit.exe).
2) Browse to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchange OWA
3) There should be a REG_DWORD value named “ChangeExpiredPasswordEnabled” with a value of “1”. You can set this value manually. If the value is present but set to zero (0), change it to “1”.

2. Configure settings in IIS on your Exchange 2013 CAS Servers

1) On your Exchange 2013 CAS Server(s), open the IIS Admin Console.
2) Browse to Server / Sites / Default Web Site / OWA.
3) Select “HTTP Redirect” and open its properties.
4) Make sure the HTTP redirect checkbox is not checked.
5) Browse to Server / Sites / Default Web Site / OWA.
6) Select “Authentication” and then select Basic Authentication.
7) Right-click and choose Edit.
8) In the Default Domain text field, enter a single backslash: “\”.
9) Save your settings and close the IIS Admin Console.
10) From a command prompt with Admin rights, run “IISReset /noforce” to reset the IIS services. In some scenarios the IISReset will fail, in which case you can try to manually restart the “World Wide Web Publishing Service”. If you can’t restart it manually, reboot the server as a last resort.
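The two CAS-side steps (the registry value and the two IIS settings, followed by the IIS reset with the fallback the post describes) can be applied and then read back in one pass from an admin workstation. The script below is an added example and is not code from the original post or from Petri.com; it assumes PowerShell remoting to the CAS servers, the WebAdministration module that ships with IIS, and the placeholder server names CAS01 and CAS02, which you would replace with your own.

```powershell
# Added example (not from the original post): configure OWA change-expired-password
# on each Exchange 2013 CAS server and return an audit record per server.
# Placeholder names; replace with your own CAS servers.
$casServers = @('CAS01', 'CAS02')

$configureOwa = {
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA'
    $regName = 'ChangeExpiredPasswordEnabled'

    # Step 1: the DWORD is not present by default. Create it, or fix a value of 0.
    $current = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName
    if ($null -eq $current) {
        New-ItemProperty -Path $regPath -Name $regName -PropertyType DWord -Value 1 | Out-Null
    } elseif ($current -ne 1) {
        Set-ItemProperty -Path $regPath -Name $regName -Value 1
    }

    # Step 2: both IIS settings live in applicationHost.config under Default Web Site/OWA.
    Import-Module WebAdministration
    $owa = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = 'Default Web Site/OWA' }

    # Item 4: the HTTP Redirect checkbox must be cleared.
    Set-WebConfigurationProperty @owa -Filter 'system.webServer/httpRedirect' `
        -Name 'enabled' -Value $false

    # Item 8: Basic Authentication default domain is a single backslash.
    Set-WebConfigurationProperty @owa -Filter 'system.webServer/security/authentication/basicAuthentication' `
        -Name 'defaultLogonDomain' -Value '\'

    # Item 10: iisreset /noforce; if it fails, restart the World Wide Web Publishing Service (W3SVC).
    & iisreset.exe /noforce | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Restart-Service -Name W3SVC -Force
    }

    # Read the settings back so the caller can confirm the change on every server.
    [pscustomobject]@{
        Server                       = $env:COMPUTERNAME
        ChangeExpiredPasswordEnabled = (Get-ItemProperty -Path $regPath -Name $regName).$regName
        HttpRedirectEnabled          = (Get-WebConfiguration @owa -Filter 'system.webServer/httpRedirect').enabled
        BasicAuthDefaultDomain       = (Get-WebConfiguration @owa -Filter 'system.webServer/security/authentication/basicAuthentication').defaultLogonDomain
    }
}

Invoke-Command -ComputerName $casServers -ScriptBlock $configureOwa | Format-Table -AutoSize
```

Run it from an elevated PowerShell session with an account that is a local administrator on the CAS servers. The audit object at the end is the useful part after a change window: a server that still reports `HttpRedirectEnabled = True` or an empty `BasicAuthDefaultDomain` is the one where the OWA password prompt will not appear.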

3. Configure correct password policy settings at Active Directory domain level

Please note: The following settings are valid in a lab environment and updated to demonstrate the specific scenario where we want OWA to prompt a user to reset his or her password upon logon. In the lab environment this was accomplished by setting “change password at next logon.” In your environment it could be based on password expiration policy. In the lab we set it to a “zero day policy” that forces users to reset their password immediately.
1) From a Domain Controller in your domain (or from an admin workstation with the RSAT tools installed), open the Group Policy Management Editor.
2) Browse to Default Domain Policy. Right-click and select Edit. (Note: depending on your environment, it could be a best practice to create a specific GPO for the password policy settings.)
3) Next, browse to Computer Configuration / Policies / Windows Settings / Security Settings / Account Policies / Password Policy.
4) Change the Minimum Password Age to “0”. This setting refers to the number of days a user must have used his password before it can be reset. In the lab environment we set this to zero to make it effective immediately. In your environment this policy setting could be different.
5) Lastly, we will force our demo mailbox user to have his or her password changed. This is done via the Active Directory Users & Computers / user account / properties / User must change password at next logon path.
Please note: Make sure that both the “User cannot change password” and “Password never expires” settings are disabled. Otherwise the change password feature in OWA won’t work.
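The AD-side prerequisites in step 3 (minimum password age, the two account flags in the note above, and the “must change password at next logon” setting) can be checked before anyone opens OWA. The script below is an added example, not code from the original post or from Petri.com; it assumes the ActiveDirectory RSAT module and uses the placeholder account name demo.user. It goes one step beyond the post by reading the password policy that actually applies to the user, because a fine-grained password policy (PSO) overrides the Default Domain Policy setting the post edits.

```powershell
# Added example (not from the original post): pre-flight check of the AD side of the
# OWA change-expired-password scenario. Run from a DC or an RSAT workstation.
Import-Module ActiveDirectory

function Test-OwaPasswordChangePrereqs {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName `
        -Properties PasswordNeverExpires, CannotChangePassword, PasswordExpired, pwdLastSet

    # A PSO takes precedence over the Default Domain Policy, so use the resultant policy.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $user
    $policy = if ($pso) { $pso } else { Get-ADDefaultDomainPasswordPolicy }

    $findings = @()
    if ($user.PasswordNeverExpires) {
        $findings += "'Password never expires' is set; OWA change password will not work."
    }
    if ($user.CannotChangePassword) {
        $findings += "'User cannot change password' is set; OWA change password will not work."
    }
    if ($policy.MinPasswordAge -gt [TimeSpan]::Zero) {
        $findings += "Minimum password age is $($policy.MinPasswordAge.Days) day(s); a newly set password cannot be changed again until it elapses."
    }
    # pwdLastSet = 0 is how AD records 'User must change password at next logon'.
    if ($user.pwdLastSet -ne 0 -and -not $user.PasswordExpired) {
        $findings += "Password is neither expired nor flagged for change at next logon; OWA will log the user straight in."
    }

    [pscustomobject]@{
        User                  = $user.SamAccountName
        MustChangeAtNextLogon = ($user.pwdLastSet -eq 0)
        PasswordExpired       = $user.PasswordExpired
        PolicySource          = if ($pso) { "PSO: $($pso.Name)" } else { 'Default Domain Policy' }
        MinPasswordAge        = $policy.MinPasswordAge
        Findings              = $findings
    }
}

# Step 5 for the demo user. Set-ADUser refuses -ChangePasswordAtLogon while
# 'Password never expires' is set, so clear both flags from the note first.
function Set-DemoUserMustChangePassword {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Set-ADUser -Identity $SamAccountName -PasswordNeverExpires $false -CannotChangePassword $false
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
}

# Placeholder account; replace with your demo mailbox user.
Set-DemoUserMustChangePassword -SamAccountName 'demo.user'
Test-OwaPasswordChangePrereqs -SamAccountName 'demo.user' | Format-List
```

An empty `Findings` list together with `MustChangeAtNextLogon = True` means the OWA logon in the final step should produce the expired-password prompt; any entry in `Findings` names the exact setting that will make OWA either skip the prompt or reject the change.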

Final Step: Test the change password feature from within the OWA logon page

1) Open the OWA logon page by going to https://<servername>/OWA
2) Enter your AD mailbox user credentials.
3) You will receive a notification that your password has expired and will be prompted to enter your old and new password.
4) After successfully entering your new credentials, you will be informed that you have to re-authenticate using the new credentials. After that, your mailbox user should be logged on to his or her OWA environment successfully.
