Why do Exchange applications - OWA, ActiveSync, Outlook - have a different password expiration time than that set by the FGPP?


  • We recently implemented Fine-Grained Password Policies so that we could have different policies for different users. We created two security groups - one for accounts that should have the policy and one for accounts that shouldn't have the policy. Passwords expire every 120 days. I have verified that the FGPP is configured correctly using Get-ADUserResultantPasswordPolicy username in AD PowerShell. I also confirmed that the users are in the correct groups to apply/not apply the FGPP. We are seeing some strange behavior in Exchange applications since making these changes.

    OWA - Approximately half of our users access their e-mail through Outlook Web Access. Some of these users are starting to see a notice in OWA that says their password is going to expire in 1 or 10 or 14 days, but their network password is not set to expire for at least another 100 days. Interestingly enough, my OWA account said my password was going to expire yesterday. I ignored it to see what would happen, and I had no problem accessing network resources today, so clearly the FGPP overrides the setting that OWA is getting. The message can basically be ignored, but why is OWA getting a different expiration date?

    ActiveSync - It appears that ActiveSync is getting the same expiration time that OWA gets, and it is causing a much bigger problem for users who get email on their phones. What I think is happening is that their phones keep sending the password - which is correct - but ActiveSync sees it as expired and doesn't accept it. After the phone sends the password three times, the user's account gets locked. When this happens, a user cannot access network resources until an administrator unlocks their account. It also appears to affect the regular Outlook client, as it starts to prompt for a password even though it is not set to expire for another 100+ days. It also seems to happen much more frequently than it should.

    It has been suggested that OWA & ActiveSync are getting their expiration from the default domain policy. I do not have any account security settings defined in the default domain policy, so I am not sure why there would be any expiration notice. I could, I suppose, enable the expiration setting in the default domain policy, but have not done so because I have accounts with passwords that should never expire. Their accounts in AD are set to never expire, but I am not sure that this setting will override any expiration setting in the default domain policy.

    Some additional information... The AD & Exchange 2010 servers are running Windows 2008 R2. Exchange OWA is configured for Integrated Windows Authentication using forms-based authentication with user name only.

    Any and all help appreciated!

    Mary Pat Conroy
    Information Systems Manager

    Thursday, January 8, 2015 9:17 PM
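A diagnostic that puts the two candidate expiry dates side by side for one account (added here as an example; it is not from the original post). It assumes the ActiveDirectory module (RSAT) is available and that the account name at the bottom is a placeholder: it reports the policy AD actually applies (FGPP or domain default), AD's own computed expiry (msDS-UserPasswordExpiryTimeComputed, which is what network logons enforce), and the date a client would arrive at if it used only the default domain policy's MaxPasswordAge.

```powershell
# Added diagnostic, not part of the original post. Assumes the ActiveDirectory
# module is installed; 'jdoe' below is a placeholder account name.
Import-Module ActiveDirectory

function Get-PasswordExpiryReport {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet,
        PasswordNeverExpires, LockedOut, 'msDS-UserPasswordExpiryTimeComputed'

    # Policy AD really applies: an FGPP if one wins, otherwise the domain default.
    $resultant = Get-ADUserResultantPasswordPolicy -Identity $user
    $domain    = Get-ADDefaultDomainPasswordPolicy
    $effectiveAge = if ($resultant) { $resultant.MaxPasswordAge } else { $domain.MaxPasswordAge }

    # AD's computed expiry. 0x7FFFFFFFFFFFFFFF means "never", and FromFileTime
    # would throw on it, so guard before converting.
    $raw = $user.'msDS-UserPasswordExpiryTimeComputed'
    $adExpiry = if ($user.PasswordNeverExpires -or -not $raw -or $raw -eq 0x7FFFFFFFFFFFFFFF) {
        $null
    } else {
        [datetime]::FromFileTime($raw)
    }

    # What a client would compute if it ignored the FGPP and used the domain default.
    $domainOnlyExpiry = if ($domain.MaxPasswordAge -eq [TimeSpan]::Zero -or -not $user.PasswordLastSet) {
        $null
    } else {
        $user.PasswordLastSet + $domain.MaxPasswordAge
    }

    $mismatch = $false
    if ($adExpiry -and $domainOnlyExpiry) {
        $mismatch = [math]::Abs(($adExpiry - $domainOnlyExpiry).TotalMinutes) -gt 1
    }

    [pscustomobject]@{
        User                = $user.SamAccountName
        PasswordLastSet     = $user.PasswordLastSet
        PasswordNeverExpires = $user.PasswordNeverExpires
        LockedOut           = $user.LockedOut
        AppliedPolicy       = if ($resultant) { $resultant.Name } else { 'Default Domain Policy' }
        EffectiveMaxAge     = $effectiveAge
        ADComputedExpiry    = $adExpiry
        DomainDefaultMaxAge = $domain.MaxPasswordAge
        DomainDefaultExpiry = $domainOnlyExpiry
        ClientWouldMismatch = $mismatch
    }
}

Get-PasswordExpiryReport -SamAccountName 'jdoe'   # placeholder account
```

If ADComputedExpiry matches the FGPP date but the notice shown in OWA lines up with DomainDefaultExpiry, that is direct evidence the client is reading the domain default rather than the resultant policy; LockedOut in the same output lets you correlate the ActiveSync lockouts with those accounts.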

All replies