Step 1: Enable updates to the Active Directory directory service schema
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
Set the Schema Update Allowed registry entry on the schema master to let a member of the Schema Admins group modify the schema. To do this, follow these steps:
- Click Start, click Run, type regedit, and then click OK.
- Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
- In the details pane, right-click Schema Update Allowed, and then click Modify. If the entry does not exist, create it first as a DWORD value with exactly that name.
- In the Value data box, type 1 (one), and then click OK.
- Exit Registry Editor.
Step 2: Set the "isMemberOfPartialAttributeSet" attribute value to TRUE
Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.
To add the pwdLastSet attribute to the partial attribute set of the global catalog, you must set the isMemberOfPartialAttributeSet attribute of its schema object (CN=Pwd-Last-Set) to TRUE on the schema master. After you set isMemberOfPartialAttributeSet, you must allow enough time for the Active Directory directory service to replicate the change to the other domain controllers in the forest. On Windows 2000 global catalog servers, adding an attribute to the partial attribute set also causes a full synchronization of the global catalog, which can generate considerable replication traffic; Windows Server 2003 global catalog servers do not require this full synchronization.
To set the isMemberOfPartialAttributeSet attribute to TRUE, follow these steps:
- Start the ADSI Edit tool. To do this, click Start, click Run, type adsiedit.msc, and then click OK.
Note The ADSI Edit tool is included with the Windows Support Tools. To install the Windows Support Tools, double-click Supptools.msi in the Support\Tools folder on the Windows Server 2003 CD.
- Expand Schema [domainController.example.com], and then click CN=Schema,CN=Configuration,DC=example,DC=com.
- In the details pane, right-click CN=Pwd-Last-Set, and then click Properties.
- In the CN=Pwd-Last-Set Properties dialog box, click isMemberOfPartialAttributeSet, and then click Edit.
- In the Boolean Attribute Editor dialog box, click True, and then click OK.
- Click Apply, click OK, and then exit the ADSI Edit tool.
- Give enough time for the changes to replicate among the domain controllers in Active Directory. For more information about how to force replication to occur in Active Directory, visit the following Microsoft Web site:
Step 3: Register the Schmmgmt.dll file
To configure the pwdLastSet attribute to replicate to the global catalog, you can also use the Active Directory Schema stand-alone Microsoft Management Console (MMC) snap-in. The Replicate this attribute to the Global Catalog check box in that snap-in sets the same isMemberOfPartialAttributeSet flag that Step 2 sets with ADSI Edit. By default, this snap-in does not appear in the Available Standalone Snap-ins list in Microsoft Windows Server 2003. For this snap-in to appear, you must register the Schmmgmt.dll file.
To do this, follow these steps:
- Click Start, click Run, type regsvr32 c:\windows\system32\schmmgmt.dll, and then click OK.
Note If Windows is installed on a drive other than drive C or if Windows is installed in a folder other than the Windows folder, modify this path as appropriate.
- If you receive the following message, click OK:
DllRegisterServer in c:\windows\system32\schmmgmt.dll succeeded.
Step 4: Replicate the "pwdLastSet" attribute value to the global catalog
Configure the pwdLastSet attribute to replicate to the global catalog. To do this, follow these steps:
- Click Start, click Run, type mmc, and then click OK.
- On the File menu, click Add/Remove Snap-in.
- Click Add, click Active Directory Schema, and then click Add.
- Click Close, and then click OK.
- In the Console1 MMC snap-in, expand Active Directory Schema, and then click Attributes.
- In the details pane, locate and then double-click pwdLastSet.
- In the pwdLastSet Properties dialog box, click to select the Replicate this attribute to the Global Catalog check box, and then click OK. If the change from Step 2 has already replicated to this domain controller, the check box is already selected; in that case, no further change is needed.
Step 5: Turn off schema updates
Set the Schema Update Allowed registry entry to 0 (zero) to turn off schema updates. To do this, follow the procedure that is listed in the "Step 1: Enable updates to the Active Directory directory service schema" section.
Note In step 4 of that procedure, do not type 1 (one) in the Value data box. Instead, type 0 (zero), and then click OK. Leaving the entry set to 1 (one) leaves the schema master open to further schema modifications.
Step 6: Restart the domain controller
Sometimes, you must restart the domain controller to apply the changes. If the Outlook Web Access password expiration message does not appear, restart the domain controller.
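The following script is an added example and is not part of the original article. It performs Steps 1, 2 and 5 from PowerShell on the schema master and then checks whether a global catalog actually serves pwdLastSet, which is the condition the article is trying to achieve. Steps 3 and 4 are not needed here because the Replicate this attribute to the Global Catalog check box sets the same isMemberOfPartialAttributeSet flag that the script writes directly. Assumptions: the script runs on the schema master under an account that is a member of Schema Admins, and the account name used for the verification search (Administrator) is replaced with any account that exists in the forest.

```powershell
# Added example, not part of the original article: performs Steps 1, 2 and 5
# from PowerShell and then checks that pwdLastSet is served by a global catalog.
# Assumptions: run on the schema master as a member of Schema Admins;
# $verifyAccount is any sAMAccountName that exists in the forest.

$ntdsParams    = 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters'
$verifyAccount = 'Administrator'   # assumption: substitute an existing account

# Guard: schema writes are accepted only by the schema master, so refuse to run
# anywhere else instead of failing half-way through.
$forest       = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$schemaMaster = $forest.SchemaRoleOwner.Name
if ($schemaMaster.Split('.')[0] -ine $env:COMPUTERNAME) {
    throw "Run this script on the schema master ($schemaMaster), not on $env:COMPUTERNAME."
}

# Step 1: allow schema updates. Set-ItemProperty creates the DWORD if it is missing.
Set-ItemProperty -Path $ntdsParams -Name 'Schema Update Allowed' -Value 1 -Type DWord

try {
    # Step 2: mark pwdLastSet (schema object CN=Pwd-Last-Set) as a member of the
    # partial attribute set. RootDSE supplies the schema naming context, so no
    # DN has to be hard-coded for the forest.
    $schemaNC   = ([ADSI]'LDAP://RootDSE').schemaNamingContext
    $pwdLastSet = [ADSI]"LDAP://CN=Pwd-Last-Set,$schemaNC"
    $pwdLastSet.Put('isMemberOfPartialAttributeSet', $true)
    $pwdLastSet.SetInfo()

    # Read the value back from the directory to confirm the write took effect.
    $pwdLastSet.RefreshCache()
    if (-not [bool]$pwdLastSet.isMemberOfPartialAttributeSet.Value) {
        throw 'isMemberOfPartialAttributeSet is still FALSE after SetInfo().'
    }
    Write-Output 'pwdLastSet is now in the partial attribute set; the Step 4 check box will show as selected.'
}
finally {
    # Step 5: turn schema updates back off even if the change above failed,
    # so the schema master is not left open to further schema modifications.
    Set-ItemProperty -Path $ntdsParams -Name 'Schema Update Allowed' -Value 0 -Type DWord
}

# Verification: ask a global catalog (GC:// provider, LDAP port 3268) for
# pwdLastSet. Until the schema change has replicated, the attribute is simply
# absent from the result, which is the symptom this article is solving.
function Test-PwdLastSetInGlobalCatalog {
    param([string]$SamAccountName, [string]$ForestName)
    $gc       = New-Object System.DirectoryServices.DirectoryEntry("GC://$ForestName")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($gc, "(sAMAccountName=$SamAccountName)")
    $null     = $searcher.PropertiesToLoad.Add('pwdLastSet')
    $hit      = $searcher.FindOne()
    if ($null -eq $hit) { return "$SamAccountName was not found in the global catalog." }
    $values = $hit.Properties['pwdlastset']
    if ($values.Count -eq 0) {
        return 'pwdLastSet is not yet served by the global catalog; wait for replication (or force it) and retry.'
    }
    $when = [DateTime]::FromFileTime([long]$values[0])
    return "pwdLastSet for $SamAccountName is available from the global catalog: $when"
}

Test-PwdLastSetInGlobalCatalog -SamAccountName $verifyAccount -ForestName $forest.Name
```

The try/finally block is the part worth copying even if the rest is done by hand: Schema Update Allowed is re-set to 0 whether or not the schema write succeeds, so a failure in Step 2 cannot leave the schema master permanently writable. Run the verification function again after replication has completed; a result that still reports the attribute as absent means the partial attribute set change has not yet reached the global catalog you queried.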