Windows 2019 RDP user cannot change expired password

T3hboy 1 Reputation point
2022-09-19T10:55:05.02+00:00

Hello

I have an issue with my domain users who need to change an expired password. I have NLA enabled and this is still not possible.
When they connect for the first time, or when they have already passed the time to change their password before it expires, a pop-up Remote Desktop Connection window appears with "You must change password" and no option to do it.
My domain is at the 2019 functional level and users are connecting from clients starting from Win2008 and Windows 7. Is it possible to make it possible to change the password via some GPO setting?
Any advice is welcome.

Windows Server 2019

2 answers

  1. Karlie Weng 14,641 Reputation points Microsoft Vendor
    2022-09-23T09:26:21.893+00:00

    Hello @T3hboy

    Is it possible to make it possible to change password via some GPO setting ?

    In the case of users' password expiration, as far as I know no such group policy can help change it.

    This article Domain Password Policy in the Active Directory explains in detail password policy in AD.

    You will need to manually edit an RDP file to disable CredSSP (not recommended) to fix this temporarily. See Forced password change at next logon and RDP.

    Essentially you are better off enabling the GPO to "warn users in X number of days" when their password is about to expire and ensure they manually change it after they have authenticated to the server with the valid password.

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best regards
    Karlie


  2. Limitless Technology 43,966 Reputation points
    2022-09-23T10:10:34.167+00:00

    Hello,

    Selecting "User must change password at next logon" when their first login attempt on the domain is an RDP login will cause that error. That setting forces them to change their password when they log in for the first time; it isn't what allows them to change the password. When attempting to remotely authenticate, it will error because they haven't logged directly into the domain yet.

    To resolve this issue you can either provide temporary passwords to the users to log in and change them for a private one, or you have to edit the Session Collection, Security, Configure Security settings and then change the Security Layer setting from Auto-Negotiate to RDP Security Layer. Once that change has been applied, remote RDP users return to being able to set a new password.

    As an added bonus, this RDP Security Layer is actually more secure, and is also PCI Compliant.


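The two answers above point at two things an administrator would want to see before deciding what to do: what the RD Session Host's Security Layer and NLA settings currently are (answer 2), and which accounts are flagged "must change password at next logon" or are about to expire and so will hit the "You must change password" prompt over RDP (answers 1 and 2). The PowerShell below is an added example written for this page; it is not code from the thread or from Microsoft. It reads the listener settings from the standard `RDP-Tcp` registry key (the same values the Session Collection UI and the "Require use of specific security layer" policy write), and it assumes the ActiveDirectory RSAT module is available for the AD report. The function names and the `$WarnDays` / `$SearchBase` parameters are this example's own.

```powershell
# Added example for this thread (not from the original answers).
# Part 1: run on the RD Session Host. Part 2: run where the ActiveDirectory module is installed.

function Get-RdpSecurityLayerConfig {
    # Default RDP listener settings; GPO and the Session Collection UI both land here.
    $path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $props = Get-ItemProperty -Path $path -ErrorAction Stop

    # Documented meanings of the SecurityLayer value.
    $layerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }
    $layer = [int]$props.SecurityLayer

    [pscustomobject]@{
        SecurityLayer     = $layer
        SecurityLayerName = $layerNames[$layer]
        # UserAuthentication = 1 means Network Level Authentication (CredSSP) is required,
        # which is the mode in which the expired-password change cannot be completed.
        NlaRequired       = ([int]$props.UserAuthentication -eq 1)
    }
}

function Get-PasswordChangeRiskUsers {
    # Lists enabled accounts that will be told to change their password:
    # pwdLastSet = 0 ("must change at next logon"), already expired, or expiring within $WarnDays.
    param(
        [int]$WarnDays = 7,          # mirrors the "warn users in X days" GPO idea from answer 1
        [string]$SearchBase = $null  # optional OU distinguishedName to narrow the query
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    $query = @{
        Filter     = 'Enabled -eq $true -and PasswordNeverExpires -eq $false'
        Properties = 'pwdLastSet', 'msDS-UserPasswordExpiryTimeComputed', 'PasswordExpired'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    $now = Get-Date
    foreach ($u in Get-ADUser @query) {
        # The DC computes expiry from the effective (fine-grained or default) policy.
        # 0 and Int64.MaxValue both mean "no usable expiry time".
        $raw    = $u.'msDS-UserPasswordExpiryTimeComputed'
        $expiry = $null
        if ($raw -and $raw -ne 0 -and $raw -ne [Int64]::MaxValue) {
            $expiry = [DateTime]::FromFileTime($raw)
        }

        $mustChange   = ($u.pwdLastSet -eq 0)
        $expiringSoon = ($null -ne $expiry) -and ($expiry -le $now.AddDays($WarnDays))

        if ($mustChange -or $u.PasswordExpired -or $expiringSoon) {
            [pscustomobject]@{
                SamAccountName        = $u.SamAccountName
                MustChangeAtNextLogon = $mustChange
                PasswordExpired       = [bool]$u.PasswordExpired
                PasswordExpires       = $expiry
                DaysLeft              = if ($expiry) { [math]::Floor(($expiry - $now).TotalDays) } else { $null }
            }
        }
    }
}

# Usage:
Get-RdpSecurityLayerConfig | Format-List
Get-PasswordChangeRiskUsers -WarnDays 14 | Sort-Object DaysLeft | Format-Table -AutoSize
```

The first report tells you whether the host is set to `Negotiate`/`SSL` with NLA required (the configuration under which the question's symptom appears) or to `RDP Security Layer` as answer 2 suggests. The second report is the list of accounts that will be blocked at the RDP prompt, so they can be handled ahead of time with the temporary-password or early-warning approaches the answers describe instead of changing the listener configuration for everyone.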