I've seen this question asked repeatedly with no clear answer.Setup: Server 2008+ Exchange 2007 + CAS.When a user has either "user must change password at next logon" set or the password is already expired the user is NOT able to change their password using OWA. They are just repeatedly prompted to enter their username and password.The user isable to change thier password via OWA if those conditions are not met.There are no error messages.I see conflicting posts about needing IISPWDADM and where to get it from. I also see suggestions to use ISA - that's not possible in my environment.Has MS or anyone come up with at comprehensive set of instructions to fix this problem?

hi,just look at this article, there is detailed information about it. http://support.microsoft.com/kb/297121regards,Mumin CICEK | Exchange - MVP | www.cozumpark.com | www.mumincicek.com

Thanks Mumin. That works for the most part but leaves me with a question.When a user logs in with "must change password" set, they areallowed to log in and just informed that their password will expire in 1Day.Should theforced to change the password before logging in?The main point of confusion I believe is that no where is Server 2008 mentioned in that document so I wasn't sure it was applicable.Thanks again for your help.

Hi, I would like to provide some information regarding Change Password feature in Exchange 2007: 1. By default, the Change Password feature is implemented when you use both Exchange 2007 Client Access and Mailbox servers in your Exchange organization. It requires no additional configuration unless you want to support changing passwords that have already expired or user accounts that are configured to change their password the next time the user logs on. 2. If you would like to change password which already expired, the scenarios still requires the change password functionality offered by IIS and the IISADMPWD virtual directory to be in the same application pool as OWA, MSExchangeOWAAppPool. Note: The IISADPMWD functionality is included with Internet Information Services (IIS) 6.0 in Windows Server 2003. The IISADPMWD functionality is not included with or supported in Windows Server 2008 or in Internet Information Services (IIS) 7.0. 3. The IISADMPWD functionality is not included with IIS 7.0 on Windows Server 2008. Some workarounds have been posted on the web that show a method to implement the same behavior for IIS 7.0. However, these workarounds are not supported or recommended by Microsoft and we have observed that the solution does not always work as expected with Exchange Server 2007. Specifically, changing passwords for users whose passwords have expired is unreliable. If you require the ability to change passwords after they have expired or when the user must change the password at first logon, and your Client Access Servers run Windows Server 2008 and Exchange Server 2007 SP1, you can use ISA Server 2006 to implement the feature. See the following: Configuring and Troubleshooting the Password Change Feature in ISA Server 2006 http://technet.microsoft.com/en-us/library/cc514301.aspx For more information: What you need to know about the OWA Change Password feature of Exchange Server 2007 http://msexchangeteam.com/archive/2008/12/09/450238.aspx Mike

I've seen that answer before and still wonder why MS thinks adding anotherapplication/serveris a viable solution. It makes no sense at all.

Hi, Based on my research, the reason behind it is that password change functionality is not related to IIS. It was provided at the time when account management wasnt offered elsewhere. Since IIS 7 is a complete rewrite in terms of architecture/code as compared to its predecessors, it was decided by the product group to remove this functionality. I think that you can also consider other workaround such as using a VPN/Windows interface, leaving a 2k3 server in place to serve IISADMPWD. Mike