Original Article: https://superuser.com/questions/1196477/allow-users-to-change-expired-password-via-remote-desktop-connection#:~:text=To%20enable%20the%20password%20change,change%20its%20value%20to%20true.
I have a situation where I am forced to use a server (Windows 2012 R2) that is NOT part of a domain, and does NOT have AD. This is not my choice, is not optimal, but out of my control.
I also have local users that connect to this server through RDP, and the local users have a password expiration policy.
Since AD/Exchange is not part of the picture, the users receive no notification that their passwords are about to expire.
PROBLEM: The problem is when a user's password has expired and they try to login using a Remote Desktop Connection. It does not allow them to change their password.
I have unchecked the "Allow connections ONLY from computers running Remote Desktop with Network Level Authentication" from the server side, so the server is NOT requiring NLA from incoming RDP sessions.
However, when using Windows Remote Desktop Connection Manager, it seems to be forcing NLA.
If I am using the "Terminals" Remote Desktop Client, there is an option on the client side, to disable using "Network Level Authentication". If I disable NLA through the Terminals client, and I connect to the server, it allows me to change the users expired password.
QUESTION: I am making the assumption, perhaps incorrectly, that the Terminals program is just sitting on top of Windows Remote Desktop Connection protocols, and that if you can disable Network Level Authentication client side through the Terminals program, then you should also be able to disable this through Windows built-in Remote Desktop Connection Manager. Unfortunately, I do not see this option in the connection managers GUI, and I do not see any parameters in ".RDP" files specific to NLA.
If I click "About" on the client side Remote Desktop Connection Manager, it tells me that "Network Level Authentication supported". The wording leads me to believe that using it is optional, but again, I see no way to turn it off in the connection manager. BTW, this particular connection manager is v10.
- 1I edited your question (the title specifically) to focus on your underlying goal, instead of a proposed method of achieving the goal. See the XY problem. – I say Reinstate Monica Apr 7 '17 at 16:02
You can solve this with a two pronged approach:
1. Install the RD Web Access role and enable the remote password change option
The following directions are from the woshub.com article Allow users to reset expired password via RD WebAccess in Windows Server 2012:
In Windows 2012 / 2012 R2 an option appeared that allows a remote user to change their password (current or an expired one) using a special web-page on the RD Web Access server. The password will be changed like this: a user signs in to the registration web page on the server with the RD Web Access role and changes his password using a special form.
A remote password change option is available on the server with the Remote Desktop Web Access (RD Web Access) role, but it is disabled by default. To change a password, a script password.aspx is used, which is located in C:\Windows\Web\RDWeb\Pages\en-US.
To enable the password change option, on the server with the configured RD Web Access role open the IIS Manager console, go to [Server Name] –> Sites –> Default Web Site –> RDWeb –> Pages and open the section Application Settings.
In the right pane, find PasswordChangeEnabled parameter and change its value to true.
You can test the password change mechanism going to the following web-page:
Now when trying to connect to the RD Web Access server with the expired password, a user will be redirected to password.aspx web-page and offered to change his password.
Tip. The same Windows Server 2008 R2 feature can become available after you install a special patch — KB2648402.
2. Enable prompts notifying users of pending password expiration
gpedit.mscon the RDSH server to open Local Group Policy
- Nagivate to
Computer Configuration\Windows Settings\Local Policies\Security Options
- Edit the setting Interactive logon: Prompt user to change password before expiration and specify a reasonable number of days, such as 14.
- Users, including those logged in via Remote Desktop, will receive a notification prior to their password expiring.