Changing password feature Outlook Web Access for Exchange 2013 and 2016
Allow Password Resets for Non-Expired OWA Accounts
The first scenario is rather easy and has existed in Exchange OWA since version 5.5, so even in Exchange 2013 this feature is activated by default. It lets the mailbox user change an AD password from within OWA, similar to when the end user changes a domain password from his or her own PC.
Log on to your OWA environment using your company’s OWA URL. In my example, it is https://owa.iamct.org/owa, but it can be about anything in your environment.
Now go to your mailbox settings and click on the gear wheel icon in the upper-right corner of your OWA 2013, next to your mailbox name.
Click on Settings, and a small context menu will open up from which you can select Change Password. This will bring you to the Change Password settings page.
Enter your current Active Directory password, followed by your new password twice. Although the password change should be successful and you expect a confirmation of this, I noticed I was actually immediately redirected to the Outlook Web App logon page again. Not sure if that is intentional or a small bug.
If something goes wrong during the password change process, you’ll receive a notification popup. A common problem is a new password that does not comply with the company’s password policy settings.
Block Change Password Feature for All Users
Now, imagine you don’t want to give this feature to your end users, or maybe not to all of them. In this case, you have to modify certain settings on the Exchange server side.
Log on to your company’s Exchange Administrative Center with an Exchange Admin account, using this default URL.
From within the EAC, select Servers / Virtual Directories.
From within the list of Exchange Virtual Directories, select OWA (default website).
Open its Properties, which by default looks like the image shown below.
From this list, notice the Change Password flag. Remove the flag if you want to turn this feature off for all users. (Note: if you only want to take this feature away from certain users, continue reading!)
Save the changes and you’re done. When logging into OWA with a mailbox user, notice the Change Password option is not listed in the settings menu anymore.
Block Change Password Feature for Specific Users
The above feature is very useful and most probably used as a security policy in certain companies to prevent AD password resets over the Internet (although all communication is encrypted by SSL certificates, but hey, who are we to argue with a security officer, right?). However, you might have a case in which you want to block the change password feature within OWA, but not for all users. In that case, another few settings need to be changed on the Exchange 2013 server.
Create a new custom OWA security policy
Link the new custom OWA security policy to a mailbox / multiple mailboxes
Here’s how to achieve this:
From within the Exchange Admin Center, go to Permissions / Outlook Web App Policies.
Notice the default policy that is already there; when opening its properties, you will see all OWA security features are enabled by default.
Now let’s create a new policy by clicking on the plus sign (+) icon.
Let’s give it a descriptive name of Block Change Password. Remove the flag from the Change Password feature here, and save the policy.
In the next step, we will apply this new policy to a single mailbox as follows:
Go to Recipients and select the individual mailbox to which you want this policy applied.
In the right pane, go to Email Connectivity.
Select View Details.
Notice the field is empty, actually meaning the default policy gets applied. Click Browse… and select the new custom Block Change Password policy.
When logging into OWA for that specific mailbox user, you will notice the change password setting is not available anymore.
In the last step, we will apply this new policy to multiple mailbox users as follows:
Go to Recipients and select the mailbox users to whom you want this policy applied. In the right pane, go to Outlook Web App.
Select Assign a policy. This will open the Bulk assign Outlook Web App window.
Notice the field is empty, actually meaning the default policy gets applied. Click Browse and select the new custom Block Change Password policy we created earlier.
Now when your mailbox users log in to OWA, they will notice the change password setting is not available anymore.
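The same steps can be scripted from the Exchange Management Shell, which also makes it easy to check afterwards which mailboxes actually have the restriction. The script below is an added example, not part of the original walkthrough; the two mailbox addresses are constructed placeholders, and the policy name is the one used above.

```powershell
# Run in the Exchange Management Shell with an Exchange admin account.
# Added example: the mailbox addresses are constructed placeholders.
$PolicyName = 'Block Change Password'                  # policy name from the steps above
$Mailboxes  = 'alice@example.com', 'bob@example.com'   # constructed sample users

# --- Option A: turn the feature off for all users (OWA virtual directory) ---
# Uncomment to clear the Change Password flag on every OWA virtual directory.
# Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -ChangePasswordEnabled $false

# --- Option B: turn it off for specific users only ---
# Create the policy only if it is missing, so the script can be re-run safely.
if (-not (Get-OwaMailboxPolicy | Where-Object { $_.Name -eq $PolicyName })) {
    New-OwaMailboxPolicy -Name $PolicyName | Out-Null
}
Set-OwaMailboxPolicy -Identity $PolicyName -ChangePasswordEnabled $false

# Link the policy to each selected mailbox.
foreach ($mbx in $Mailboxes) {
    Set-CASMailbox -Identity $mbx -OwaMailboxPolicy $PolicyName
}

# --- Verify: state of the flag on virtual directories and policies ---
Get-OwaVirtualDirectory |
    Format-Table Server, Name, ChangePasswordEnabled -AutoSize
Get-OwaMailboxPolicy |
    Format-Table Name, IsDefault, ChangePasswordEnabled -AutoSize

# --- Verify: which policy each mailbox is linked to ---
# An empty OwaMailboxPolicy value corresponds to the empty field seen in the EAC.
Get-CASMailbox -ResultSize Unlimited |
    Select-Object Name, @{
        Name       = 'OwaPolicy'
        Expression = {
            if ($_.OwaMailboxPolicy) { "$($_.OwaMailboxPolicy)" }
            else { '(none assigned)' }
        }
    } |
    Sort-Object OwaPolicy, Name |
    Format-Table -AutoSize
```

Re-running the verification part on a schedule shows when a mailbox has been moved off the restricted policy or when the flag has been switched back on.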