Thank you for the reply - the issue occurs when a user is trying to connect for the very first time using a new domain account which has the 'User must change password on first login' flag set. So both of those suggestions require the user to have already logged in, which at the moment is not possible. The failure occurs when the user attempts to log in; there appears to be no way to authenticate until the user has changed their password, but the user is not allowed to progress to a connection which would allow access to the pre-login password change function - hence a chicken and egg situation or possibly a Catch-22...!
User needs to change password on first login but only access is via RDP. RDP will not permit user to connect to make the password change
I'm working on an Industrial Control System build, with a small dozen or so machine Domain comprising Windows 2019 DC, Windows 2019 member servers and Win 10 Clients. The AD Domain controller is configured with a number of user accounts, each of which has the 'Change Password at first Log On' box ticked at account creation. Due to the nature of the industrial plant this system is going to, there will only be RDP access to all machines once delivered and installed/commissioned.
However, when any user attempts to use RDP as their first log on, which requires a password change, an error results and they are not permitted to log in. I have read about changing a setting to RDP Security - however these posts seem to apply to Server 2008. Is there a way to make a setting change in Win10 or Server2019 to get the same result - that the user can make an RDP connection and on first use change their password as required by the DC?
3 answers
Karlie Weng 9,886 Reputation points Microsoft Vendor
2022-10-27T02:35:54.097+00:00
Hello @Tim C (ICS Security)
Have you tried pressing CTRL + ALT + END on Windows Server 2019 to reset the password?
You may refer to Change User Password in an RDP Session on Windows. It introduces different ways of changing password according to a different situation.
Best regards
Karlie
Limitless Technology 43,231 Reputation points
2022-10-30T15:31:01.46+00:00
Hello
Thank you for your question and for reaching out. I can understand you are having issues related to changing the password using RDP.
Generally, by disabling the NLA policy, the user can change the password through an RDP session. Get details here:
Also, if they are able to log in *******, they can do "Ctrl + Alt + End" and then select "change password" from the list.
-------------------------------------------------------------------------------------------------------------------------
--If the reply is helpful, please Upvote and Accept as answer--
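
The thread turns on two settings meeting: NLA on the RDP listener and the must-change-password flag on the account. The following is an added example, not part of any answer above, that reports both across a small domain. It assumes PowerShell remoting (WinRM) to each host and the RSAT ActiveDirectory module; the host names and function names are placeholders.

```powershell
# Added example. Assumes PowerShell remoting (WinRM) to each host and the
# RSAT ActiveDirectory module. Host names below are placeholders.
Import-Module ActiveDirectory

function Get-RdpNlaState {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
        $policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

        # UserAuthentication = 1 means the listener requires NLA before a session is created.
        $local = (Get-ItemProperty -Path $listener -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
        $gpo   = (Get-ItemProperty -Path $policy -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication

        # A Group Policy value, when present, overrides the local listener setting.
        $effective = if ($null -ne $gpo) { $gpo } else { $local }

        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            LocalValue  = $local
            PolicyValue = $gpo
            NlaRequired = ($effective -eq 1)
        }
    } | Select-Object Computer, LocalValue, PolicyValue, NlaRequired
}

function Get-MustChangePasswordUser {
    # pwdLastSet = 0 is how AD stores "User must change password at next logon".
    Get-ADUser -Filter 'pwdLastSet -eq 0' -Properties pwdLastSet |
        Where-Object Enabled |
        Select-Object SamAccountName, DistinguishedName
}

$targets = 'SERVER01', 'CLIENT01'   # placeholder host names
Get-RdpNlaState -ComputerName $targets | Format-Table -AutoSize
Get-MustChangePasswordUser | Format-Table -AutoSize
```

Hosts reporting NlaRequired = True authenticate the user before a session exists, so the accounts in the second list cannot reach a password-change prompt over RDP on those hosts.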