Block Change Password Feature for Specific Users

The above feature is very useful and is most probably used as a security policy in certain companies to prevent AD password resets over the Internet (although all communication is encrypted with SSL certificates, but hey, who are we to argue with a security officer, right?). You might, however, have a case in which you want to block the change password feature within OWA, but not for all users. In that case, a few more settings need to be changed on the Exchange 2013 server:

1. Create a new custom OWA security policy
2. Link the new custom OWA security policy to a mailbox / multiple mailboxes

Here’s how to achieve this:

From within the Exchange Admin Center, go to Permissions / Outlook Web App Policies.

Notice the default policy that is already there; when opening its properties, you will see all OWA security features are enabled by default.

Now let’s create a new policy by clicking on the plus sign (+) icon.
Let’s give it the descriptive name Block Change Password. Remove the flag from the Change Password feature here, and save the policy.
In the next step, we will apply this new policy to a single mailbox as follows:

Go to Recipients and select the individual mailbox to which you want to apply this policy.
In the right pane, go to Email Connectivity.

Select View Details.

Notice the field is empty, which means the default policy gets applied. Click Browse… and select the new custom Block Change Password policy.
When logging in to OWA as that specific mailbox user, you will notice the change password setting is not available anymore.

In the last step, we will apply this new policy to multiple mailbox users as follows:

Go to Recipients and select the multiple mailbox users to whom you want to apply this policy. In the right pane, go to Outlook Web App.
Select Assign a policy. This will open the Bulk assign Outlook Web App window.

Notice the field is empty, which means the default policy gets applied. Click Browse and select the new custom Block Change Password policy we created earlier.
Now when your mailbox users log in to OWA, they will notice the change password setting is not available anymore.
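
The same procedure can be scripted from the Exchange Management Shell, which also makes it easy to check afterwards which mailboxes actually carry the policy. This is an added example, not part of the original walkthrough; the mailbox addresses are constructed placeholders.

```powershell
# Added example: Exchange Management Shell equivalent of the EAC steps above.
# The mailbox identities below are constructed placeholders, not real accounts.

$policyName = 'Block Change Password'

# 1. Create the custom OWA policy only if it does not exist yet,
#    so the script can be re-run safely.
if (-not (Get-OwaMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-OwaMailboxPolicy -Name $policyName | Out-Null
}

# 2. Switch off only the Change Password feature; every other OWA
#    feature in the new policy keeps its default (enabled) value.
Set-OwaMailboxPolicy -Identity $policyName -ChangePasswordEnabled $false

# 3a. Apply the policy to a single mailbox.
Set-CASMailbox -Identity 'user1@example.com' -OwaMailboxPolicy $policyName

# 3b. Apply the policy to several mailboxes in one pass.
$targets = 'user2@example.com', 'user3@example.com'
foreach ($mailbox in $targets) {
    Set-CASMailbox -Identity $mailbox -OwaMailboxPolicy $policyName
}

# 4. Verify the policy setting itself.
Get-OwaMailboxPolicy -Identity $policyName |
    Format-List Name, ChangePasswordEnabled

# 5. Audit the assignments: list every mailbox with its OWA policy.
#    An empty value is the "field is empty" case described above.
Get-CASMailbox -ResultSize Unlimited |
    Select-Object Name, @{
        Name       = 'OwaPolicy'
        Expression = {
            if ($_.OwaMailboxPolicy) { $_.OwaMailboxPolicy.ToString() }
            else { '(empty)' }
        }
    } |
    Sort-Object OwaPolicy, Name |
    Format-Table -AutoSize
```

Re-running step 5 periodically shows whether newly created mailboxes that should be restricted were left with an empty policy field.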
