I have a situation where I am forced to use a server (Windows 2012 R2) that is NOT part of a domain, and does NOT have AD. This is not my choice, is not optimal, but out of my control.
I also have local users that connect to this server through RDP, and the local users have a password expiration policy.
Since AD/Exchange is not part of the picture, the users receive no notification that their passwords are about to expire.
PROBLEM: The problem is when a user's password has expired and they try to login using a Remote Desktop Connection. It does not allow them to change their password.
I have unchecked the "Allow connections ONLY from computers running Remote Desktop with Network Level Authentication" from the server side, so the server is NOT requiring NLA from incoming RDP sessions.
However, when using Windows Remote Desktop Connection Manager, it seems to be forcing NLA.
If I am using the "Terminals" Remote Desktop Client, there is an option on the client side, to disable using "Network Level Authentication". If I disable NLA through the Terminals client, and I connect to the server, it allows me to change the users expired password.
QUESTION: I am making the assumption, perhaps incorrectly, that the Terminals program is just sitting on top of Windows Remote Desktop Connection protocols, and that if you can disable Network Level Authentication client side through the Terminals program, then you should also be able to disable this through Windows built-in Remote Desktop Connection Manager. Unfortunately, I do not see this option in the connection managers GUI, and I do not see any parameters in ".RDP" files specific to NLA.
If I click "About" on the client side Remote Desktop Connection Manager, it tells me that "Network Level Authentication supported". The wording leads me to believe that using it is optional, but again, I see no way to turn it off in the connection manager. BTW, this particular connection manager is v10.
In Windows 2012 / 2012 R2 an option appeared that allows a remote user to change their password (current or an expired one) using a special web-page on the RD Web Access server. The password will be changed like this: a user signs in to the registration web page on the server with the RD Web Access role and changes his password using a special form.
A remote password change option is available on the server with the Remote Desktop Web Access (RD Web Access) role, but it is disabled by default. To change a password, a script password.aspx is used, which is located in C:\Windows\Web\RDWeb\Pages\en-US.
To enable the password change option, on the server with the configured RD Web Access role open the IIS Manager console, go to [Server Name] –> Sites –> Default Web Site –> RDWeb –> Pages and open the section Application Settings.
In the right pane, find PasswordChangeEnabled parameter and change its value to true.
You can test the password change mechanism going to the following web-page: