User needs to change password on first login but only access is via RDP. RDP will not permit user to connect to make the password change

Tim C (ICS Security) 66 Reputation points
2022-10-25T13:54:19.927+00:00

I'm working on an Industrial Control System build, with a small Domain of a dozen or so machines comprising a Windows 2019 DC, Windows 2019 member servers and Win 10 clients. The AD Domain controller is configured with a number of user accounts, each of which has the 'Change Password at first Log On' box ticked at account creation. Due to the nature of the industrial plant this system is going to, there will only be RDP access to all machines once delivered and installed/commissioned.

However, when any user attempts to use RDP as their first log on, which requires a password change, an error results and they are not permitted to log in. I have read about changing a setting to RDP Security - however these posts seem to apply to Server 2008. Is there a way to make a setting change in Win10 or Server 2019 to get the same result - that the user can make an RDP connection and on first use change their password as required by the DC?


4 answers

Sort by: Most helpful
  1. John M 20 Reputation points
    2024-04-06T15:24:29.95+00:00

    I have run into the same issue, as referenced in: https://docs.hetzner.com/robot/dedicated-server/windows-server/changing-windows-password/ (though it may differ based on installation).

    Steps:

    1. Open RDP, show options & Save As
    2. Edit that saved file in notepad, adding these lines at the bottom:
    username:s:Administrator
    authentication level:i:2
    enablecredsspsupport:i:0

    Now load the saved file and reconnect.

    Hope this helps you / whomever landed here from a search engine!


  2. Tim C (ICS Security) 66 Reputation points
    2022-10-27T08:10:09.583+00:00

    Thank you for the reply - the issue occurs when a user is trying to connect for the very first time using a new domain account which has the 'User must change password on first login' flag set. So both of those suggestions require the user to have already logged in, which at the moment is not possible. The failure occurs when the user attempts to log in; there appears to be no way to authenticate until the user has changed their password, but the user is not allowed to progress to a connection which would allow access to the pre-login password change function - hence a chicken and egg situation or possibly a Catch-22...!


  3. Karlie Weng 17,156 Reputation points Microsoft Vendor
    2022-10-27T02:35:54.097+00:00

    Hello @Tim C (ICS Security)

    Have you tried pressing CTRL + ALT + END on Windows Server 2019 to reset the password?

    You may refer to Change User Password in an RDP Session on Windows. It introduces different ways of changing the password according to the situation.

    Best regards
    Karlie


  4. Limitless Technology 44,166 Reputation points
    2022-10-30T15:31:01.46+00:00

    Hello

    Thank you for your question and reaching out. I can understand you are having issues related to changing the password using RDP.

    Generally, by disabling the NLA policy the user can change the password through the RDP session. More detail here:

    https://social.technet.microsoft.com/Forums/ie/en-US/677b39dd-8595-4334-b7e5-387c8ff230ec/can-users-change-expired-passwords-via-rdp-to-windows-server-2012-r2-windows-81-if-nla-is?forum=winserverTS

    Also, if they are able to log in *******, they can do "Ctrl + Alt + End" and then select "change password" from the list.

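The two workable answers above (John M's .rdp file edit and the NLA point from Limitless Technology) can be combined into a small admin script. This is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module, an existing saved connection file (e.g. C:\RDP\plant-dc01.rdp), and that the plant servers are reachable over WinRM/CIM. It builds a per-user first-logon .rdp file only for accounts that still carry the "must change password at next logon" flag (pwdLastSet = 0), and checks first whether the target enforces NLA, in which case the client-side file change will be rejected by the server and the file should not be handed out.

```powershell
# Added example (not from the original thread). Assumes the RSAT ActiveDirectory module
# and CIM access to the RDP host; paths and names are placeholders.

# True when the host's RDP-Tcp listener requires NLA. A non-NLA client file (below) is
# useless against such a host, so check this before distributing any weakened file.
function Test-RdpNlaRequired {
    param([Parameter(Mandatory)][string]$ComputerName)
    $s = Get-CimInstance -ComputerName $ComputerName -Namespace 'root/cimv2/TerminalServices' `
            -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    return [bool]$s.UserAuthenticationRequired
}

# Only enabled accounts still flagged "must change password at next logon" (pwdLastSet = 0)
# need the non-NLA file; every other account keeps the normal NLA-protected connection.
function Get-FirstLogonPendingUsers {
    Get-ADUser -Filter 'pwdLastSet -eq 0 -and Enabled -eq $true' -Properties pwdLastSet |
        Select-Object -ExpandProperty SamAccountName
}

# Takes a connection file saved by mstsc ("Save As") and writes a per-user copy carrying the
# three settings from the thread: fixed username, legacy (non-NLA) auth so the logon screen
# itself can run the password-change dialog. Existing keys are replaced, not duplicated.
function New-RdpFirstLogonFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$UserName
    )
    $wanted = [ordered]@{
        'username'             = "s:$UserName"
        'authentication level' = 'i:2'
        'enablecredsspsupport' = 'i:0'
    }
    $lines = Get-Content -Path $Path |
        Where-Object { $_ -notmatch '^(username|authentication level|enablecredsspsupport):' }
    foreach ($k in $wanted.Keys) { $lines += "$($k):$($wanted[$k])" }
    $out = Join-Path (Split-Path -Parent $Path) "$UserName.firstlogon.rdp"
    Set-Content -Path $out -Value $lines -Encoding Unicode   # mstsc writes .rdp as UTF-16
    return $out
}

# Usage: generate files only if the host will actually accept a non-NLA connection.
$rdpHost = 'plant-dc01'                       # placeholder host name
if (Test-RdpNlaRequired -ComputerName $rdpHost) {
    Write-Warning "$rdpHost requires NLA; the first-logon .rdp trick will be refused there."
} else {
    foreach ($u in Get-FirstLogonPendingUsers) {
        New-RdpFirstLogonFile -Path 'C:\RDP\plant-dc01.rdp' -UserName $u
    }
}
```

Re-run Get-FirstLogonPendingUsers after commissioning: once it returns nothing, delete the generated files so no non-NLA connection profiles remain on the plant network.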