EWS does not currently have a way to have users reset passwords for a set amount of time (example 90 days). But not having this feature available when audit time comes my auditor company gives us a finding on this. It's standard protocol to have users reset password for a certain amount of time. It seems like a huge security risk to not have this. Or at the least have a report to show when the user last changed the password so they can be reminded to change the password.