Allow Password change for specific users in Exchange 2013/2016/2019

This is useful, and is often required by security policy in some companies, to prevent Active Directory password changes over the Internet (even though the OWA session is protected by SSL/TLS certificates, additional precautions are still advisable).

When you want to deny password changes within OWA for some users, but not for all users, in Exchange 2013/2016/2019, follow the steps below:

Create a new custom OWA security policy
Link the new custom OWA security policy to a mailbox / multiple mailboxes

To achieve this, log on to the Exchange Admin Center (EAC).

Navigate to Permissions / Outlook Web App Policies.

Here you will see the default policy.
– Open its properties and note that all OWA features are enabled by default.

Create a new policy by clicking on the plus sign (+) icon.
Give it a descriptive name, e.g. Block Change Password.
Clear the checkbox of the Change Password feature here, and save the policy.

In the next step, we apply this new policy to a single mailbox as follows:

Go to Recipients.
Select the individual mailbox to which you want to apply this policy.
In the right pane, go to Email Connectivity.
Select View Details.

Notice that the policy field is empty, which means the default policy applies.

Click Browse and
Select the new custom Block Change Password policy.

The next time this user logs on to OWA, he or she will notice that the change password setting is no longer available.

In the last step, we apply this new policy to multiple mailboxes. Follow these steps:

Go to Recipients and select the mailboxes to which you want to apply this policy.
In the right pane, go to Outlook Web App.
Select Assign a policy.
This will open the Bulk assign Outlook Web App policy window.

You will notice that the field is empty, which means the default policy applies.

Click Browse.
Select the new custom Block Change Password policy we created earlier.

Now when these mailbox users log in to OWA, they will notice that the change password setting is no longer available.

To see how users can change their passwords via OWA, see https://techdirectarchive.com/2016/04/14/668/

For how to disable password change for all users in Exchange Server 2013/2016/2019, see https://techdirectarchive.com/2020/01/28/how-to-disable-password-change-for-all-users-exchange-server-2013-2016-2019/

How to disable Password Change for all users in Exchange Server 2013/2016/2019

If you want to disable password changes via OWA for all end users, rather than only for selected users, here are the steps to perform this task.

This change can only be performed on the server side (Exchange Server 2013/2016/2019).

Log on to your company's Exchange Admin Center (EAC) using its default URL.
From within the EAC, select Servers / Virtual Directories.
From the list of Exchange virtual directories, select owa (Default Web Site).
Open its properties.
In the feature list, notice the Change Password checkbox.
Clear it if you want to turn this feature off for all users.
Save the changes, and that is all.

When logging in to OWA as a mailbox user, notice that the Change Password option is no longer listed in the settings menu. For how to change a password using Outlook Web Access (OWA) for Exchange 2013/2016/2019 when permitted by an administrator, see https://techdirectarchive.com/2016/04/14/668/

Note: If you only want to take this feature away from certain users, see https://techdirectarchive.com/2020/01/28/allow-password-change-for-specific-users-in-exchange-2013-2016-2019/
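The per-mailbox OWA policy steps from the first section and the server-wide virtual directory change from this section can also be done from the Exchange Management Shell. This is an added example, not from the original post; the policy name, the mailbox address and the distribution group name are assumptions.

```powershell
# Added example (not from the original post). Policy name, mailbox address and
# group name below are placeholders; replace them with your own.

# 1. Create a custom OWA mailbox policy and turn the Change Password feature off
New-OwaMailboxPolicy -Name "Block Change Password"
Set-OwaMailboxPolicy -Identity "Block Change Password" -ChangePasswordEnabled $false

# 2a. Assign the policy to a single mailbox (placeholder address)
Set-CASMailbox -Identity "jane.doe@contoso.example" -OwaMailboxPolicy "Block Change Password"

# 2b. Assign the policy in bulk, here to every mailbox in an assumed distribution group
Get-DistributionGroupMember -Identity "No-OWA-Password-Change" |
    Where-Object { $_.RecipientType -like "*Mailbox*" } |
    ForEach-Object {
        Set-CASMailbox -Identity $_.PrimarySmtpAddress -OwaMailboxPolicy "Block Change Password"
    }

# 3. Verify: an empty OwaMailboxPolicy value means the default policy still applies
Get-CASMailbox -ResultSize Unlimited | Select-Object Name, OwaMailboxPolicy
Get-OwaMailboxPolicy | Format-Table Name, ChangePasswordEnabled

# 4. Server-wide alternative (second section): clear the flag on every OWA virtual
#    directory; the change may only take effect after IIS is restarted (iisreset)
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -ChangePasswordEnabled $false
```

The policy only removes the option from the OWA user interface; password changes through other interfaces (for example, domain-joined workstations) are not affected by it.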

How to disable Outlook, Yahoo Auto-Complete

Here are the steps to remove entries from the AutoComplete cache:

  • Open a new email message.
  • Type the first few characters of the AutoComplete entry that you want to remove.
  • When the entry appears in the list of suggested names, move your mouse pointer over the name until it becomes highlighted, but do not click the name.
  • When the “X” icon appears next to the highlighted name, click X to remove the name from the list, or press the Delete key on the keyboard.

To disable AutoComplete, or clear the AutoComplete list completely, in Outlook:

In Outlook 2010 to 2016, follow the steps below to disable it completely. This helps avoid sending an email to the wrong recipient.

- Click the File menu and
- select Options.
- In the Outlook Options window, click the Mail tab.
- Scroll down to Send messages.
- Uncheck the Use Auto-Complete List to suggest names when typing in the To, Cc, and Bcc lines box.

Note: To clear the AutoComplete list, click the Empty Auto-Complete List button. A confirmation window about clearing the AutoComplete list appears; click Yes.

Outlook AutoComplete is now completely disabled, and any history that was in the Auto-Complete list is erased (if you clicked the Empty Auto-Complete List button).

What to know when an IP (domain) has been Blacklisted.

When a specific domain or IP is blacklisted internally, it may also be propagated to third-party blocklists (blacklists).

Such a record takes time to update, up to 48 hours. Even after you have removed the IP (domain) from your internal list, the third-party blocklist entry still needs to be updated, and this can take some time.

Note: A lot of mail servers work this way (e.g. Exchange Online Protection).

Prevent Emails from a Sender Without the Right Domain Name Going into the Junk Folder

To prevent this false positive from moving emails from a specific email address to the Junk folder in Outlook, do the following.

Note: These emails were filtered out for the following reasons:

  • Because we had the safe lists enabled, only emails from specific domains are allowed and delivered to the Inbox in Outlook. The sender address (i.e. name@iPAddress.eu-central-1.compute.internal) does not have the right domain name and thus goes to the Junk folder. To mitigate this, I had to create a rule to deliver these messages to the user mailbox correctly.
  • We need to add the email addresses to the allowed senders list in the spam filter policy options.
  • You can use a safe sender list or a mail flow rule to bypass spam filtering and prevent good email messages from being marked as junk mail.

Steps to fix (using the spam filter policy)

Find the sender address in the email header of a message sent by the sender that you want to allow, as shown below:
name@iPAddress.eu-central-1.compute.internal

To configure the spam filter policy, use the Exchange Admin Center (EAC):

In the EAC, navigate to Protection / Spam filter.

Do one of the following on the General page:

  1. Double-click the default policy in order to edit this company-wide policy, OR
  2. Click the New (+) icon in order to create a new custom spam filter policy that can be applied to users, groups, and domains in your organisation.

Note: You can also edit existing custom policies by double-clicking on them.

Note: There is no need to create a transport (mail flow) rule for this basic task of allowing a sender address or IP.
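The same allowed-sender change, done from the Exchange Online Protection shell instead of the EAC, as an added example that is not part of the original post. It assumes Exchange Online Protection, uses the placeholder address from the post, and shows both routes the text mentions (spam filter policy and mail flow rule).

```powershell
# Added example (not from the original post). The address is the post's placeholder.
$sender = 'name@iPAddress.eu-central-1.compute.internal'

# Option 1 (what the post recommends): add the address to the default spam filter
# policy. Allow-list the full address rather than the whole domain so the bypass
# stays as narrow as possible.
Set-HostedContentFilterPolicy -Identity Default -AllowedSenders @{Add = $sender}

# Option 2: a mail flow rule that bypasses spam filtering (SCL -1) for that sender.
# The rule name is an assumption.
New-TransportRule -Name 'Allow internal compute sender' `
    -FromAddressContainsWords $sender -SetSCL -1

# Verify which senders are currently exempt from spam filtering
Get-HostedContentFilterPolicy -Identity Default | Select-Object -ExpandProperty AllowedSenders
Get-TransportRule | Where-Object { $_.SetSCL -eq -1 } | Format-Table Name, FromAddressContainsWords
```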

What to know about SPF and TXT Records in AWS

When a server sends e-mail from a domain such as techdirectarchive.de or techdirectarchive.com, the domain needs an SPF record listing the sending server's IP address so that the server is identified as an authorised sender.

Step-by-step guide for adding an SPF record
– Sign in to the AWS Management Console.
– Navigate to the Route 53 dashboard at https://console.aws.amazon.com/route53/
– In the left navigation panel, under Dashboard, click Hosted Zones.
– Click on the hosted zone of the domain name that you want to update (e.g. techdirectarchive.com).
– On the DNS hosted zone page, create a new SPF record by completing the following actions:
– Click the Create Record Set button from the dashboard top menu.
– Leave the Name field empty.
– From the Type dropdown list, select SPF – Sender Policy Framework.
– In the TTL (Seconds) field, enter a value of 3600 (1 hour) for Time to Live.
– In the Value text box, enter the SPF value required, e.g. “v=spf1 include:_spf.google.com -all”.

Note: If you do not use Google mail servers, replace include:_spf.google.com with the authorised mail server hostname/IP address, e.g. “v=spf1 ip4:IPAddress/32 -all”. Keep a space before -all: a value such as include:_spf.google.com-all is read as one (non-existent) include domain and the record ends without an all mechanism.

– From the Routing Policy dropdown list, select Simple as the routing method for the SPF DNS record.
– Click Create to add the new SPF record to the DNS hosted zone.

If you have multiple DNS hosted zones without SPF record sets, see the Audit section of https://www.cloudconformity.com/conformity-rules/Route53/sender-policy-framework-record-present.html to determine which domains require SPF records.

Note: Adding an SPF record also requires a TXT record, because receiving mail servers evaluate SPF from the TXT record (RFC 7208 deprecated the separate SPF record type), so publish the same value as a TXT record.

Steps for adding a TXT record
– Sign in to the AWS Management Console.
– Navigate to the Route 53 dashboard at https://console.aws.amazon.com/route53/
– In the left navigation panel, under Dashboard, click Hosted Zones.
– Click on the hosted zone that you want to update (e.g. techdirectarchive.com).
– On the DNS hosted zone page, create a new TXT record by completing the following actions:
– Click the Create Record Set button from the dashboard top menu.
– Leave the Name field empty.
– From the Type dropdown list, select TXT – text.
– In the TTL (Seconds) field, enter a value of 3600 (1 hour) for Time to Live.
– In the Value text box, enter the TXT value required, e.g. “v=spf1 mx ip4:IPAddress/32 a:spf.protecxxx.outlook.com a:spf.crsend.com -all”.
– From the Routing Policy dropdown list, select Simple as the routing method for the TXT DNS record.
– Click Create to add the new TXT record to the DNS hosted zone.
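Before publishing an SPF value in either record type, it is worth checking the string for the mistakes that silently break SPF: a missing space before -all, terms placed after all, and more than the ten DNS-lookup mechanisms RFC 7208 allows. The following checker is an added example, not from the original post; the sample records at the bottom are constructed, with one showing the glued -all form and its corrected version.

```powershell
# Added example (not from the original post): syntax sanity check for an SPF string.
function Test-SpfRecord {
    param([Parameter(Mandatory)][string]$Record)
    $problems = [System.Collections.Generic.List[string]]::new()
    $terms = $Record.Trim() -split '\s+'
    if ($terms[0] -ne 'v=spf1') { $problems.Add("record must start with 'v=spf1'") }
    $lookups = 0        # terms that cost a DNS query; RFC 7208 caps these at 10
    $allSeen = $false
    foreach ($term in ($terms | Select-Object -Skip 1)) {
        $body = $term -replace '^[-+~?]', ''            # strip the qualifier
        $name = ($body -split '[:=/]')[0].ToLower()     # mechanism/modifier name
        if ($allSeen) { $problems.Add("'$term' comes after 'all' and is never evaluated") }
        switch ($name) {
            'all'  { $allSeen = $true }
            'ip4'  { }
            'ip6'  { }
            'exp'  { }
            { $_ -in 'include', 'a', 'mx', 'ptr', 'exists', 'redirect' } { $lookups++ }
            default { $problems.Add("unknown term '$term'") }
        }
        # an argument ending in '-all' (or '~all') almost always means a missing space
        if ($name -ne 'all' -and $body -match '[-~?+]all$') {
            $problems.Add("'$term' looks like a missing space before '-all'")
        }
    }
    if (-not $allSeen) { $problems.Add("no 'all' mechanism; end the record with '-all' or '~all'") }
    if ($lookups -gt 10) { $problems.Add("$lookups DNS-lookup terms; RFC 7208 permits at most 10") }
    [pscustomobject]@{ Record = $Record; Valid = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed samples: the glued '-all' typo, its corrected form, and a multi-term record
Test-SpfRecord 'v=spf1 include:_spf.google.com-all'
Test-SpfRecord 'v=spf1 include:_spf.google.com -all'
Test-SpfRecord 'v=spf1 mx ip4:203.0.113.10/32 a:spf.example.com -all'
```

The first sample reports both a missing space and a missing all mechanism, which is exactly why the glued form leaves a domain with no effective SPF policy; the other two report Valid = True.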