An old password still works after you change it in Outlook Web Access

Assume that a user changes their password in Outlook Web Access (OWA) in one of the following versions of Microsoft Exchange Server:

  • Microsoft Exchange Server 2010
  • Microsoft Exchange Server 2007
  • Microsoft Exchange Server 2003

In this case, you may notice a 15-minute period during which the user can log on to their mailbox by using either the old password or the new password. However, if the user uses a MAPI client (such as Microsoft Outlook) to access the mailbox or if the user tries to access other files and resources, the user is authenticated only if they use the new password.

This latency exists by design for Internet Information Services (IIS) performance reasons and is controlled by the following registry setting.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

Start Registry Editor (Regedt32.exe) on the server that is running IIS and through which the user gains access to OWA.
Locate the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters
On the Edit menu, click Add Value, and then add the following registry value:
Value Name: UserTokenTTL (Note This is case-sensitive!) Data Type: REG_DWORD Value Range: 0 – 0x7FFFFFFF (Note This unit is in seconds.)
Exit Registry Editor, and then restart IIS.

Command Line to list users in a Windows Active Directory Group

For a PowerShell solution that doesn’t require the Quest AD add-in, try the following
Import-Module ActiveDirectory

Get-ADGroupMember "Domain Admins" -recursive | Select-Object name 

This will enumerate the nested groups as well. If you don’t wish to do so, remove the -recursive switch.