User needs to change password on first login but only access is via RDP. RDP will not permit user to connect to make the password change

Tim C (ICS Security) 66 Reputation points
2022-10-25T13:54:19.927+00:00

I'm working on an Industrial Control System build, with a small dozen or so machine Domain comprising Windows 2019 DC, Windows 2019 member servers and Win 10 Clients. The AD Domain controller is configured with a number of user accounts, each of which has the 'Change Password at first Log On' box ticked at account creation. Due to the nature of the industrial plant this system is going to, there will only be RDP access to all machines once delivered and installed/commissioned.

However, when any user attempts to use RDP as their first log on, which requires a password change, an error results and they are not permitted to log in. I have read about changing a setting to RDP Security - however these posts seem to apply top Server 2008. Is there a way to make a setting change in Win10 or Server2019 to get the same result - that the user can make an RDP connection and on first use change their password as required by the DC?

Windows Server 2019
Windows Server 2019
A Microsoft server operating system that supports enterprise-level management updated to data storage.
3,824 questions
Remote Desktop
Remote Desktop
A Microsoft app that connects remotely to computers and to virtual apps and desktops.
4,623 questions
Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,944 questions
0 comments No comments
{count} votes

4 answers

Sort by: Most helpful
  1. John M 20 Reputation points
    2024-04-06T15:24:29.95+00:00

    I have ran into the same issue, as referenced in : https://docs.hetzner.com/robot/dedicated-server/windows-server/changing-windows-password/ (though it may differ based on installation).

    Steps :

    1. Open RDP, show options & Save As
    2. Edit that saved file in notepad, adding these lines at the bottom :
    username:s:Administrator
    authentication level:i:2
    enablecredsspsupport:i:0
    

    Now load the saved file and reconnect.

    Hope this helps you / whomever landed here from a search engine!

    4 people found this answer helpful.

  2. Tim C (ICS Security) 66 Reputation points
    2022-10-27T08:10:09.583+00:00

    Thank you for the reply - the issue occurs when a user is trying to connect for the very first time using a new domain account which has the 'User much change password on first login' flag set. So both of those suggestions require the user to have already logged in, which at the moment is not possible. The failure occurs when the user attempts to log in, there appears to be no way to authenticate until the user has changed their password, but the user is not allow to progress to a connection which would allow access to the pre-login password change function - hence a chicken and egg situation or possibly a Catch-22...!

    2 people found this answer helpful.
    0 comments No comments

  3. Karlie Weng 18,586 Reputation points Microsoft Vendor
    2022-10-27T02:35:54.097+00:00

    Hello @Tim C (ICS Security)

    Have you tried press CTRL + ALT + END On Windows Server 2019 to reset the password?

    You may refer to Change User Password in an RDP Session on Windows. It introduces different ways of changing password according to a different situation.

    Best regards
    Karlie

    0 comments No comments

  4. Limitless Technology 44,431 Reputation points
    2022-10-30T15:31:01.46+00:00

    Hello

    Thank you for your question and reaching out. I can understand you are having issues related to change password using RDP.

    Generally by disabling NLA policy the user can change the password through RDP session. Get in detailed here:

    https://social.technet.microsoft.com/Forums/ie/en-US/677b39dd-8595-4334-b7e5-387c8ff230ec/can-users-change-expired-passwords-via-rdp-to-windows-server-2012-r2-windows-81-if-nla-is?forum=winserverTS

    Also ,If they are able to log in *******, they can do "Ctrl + Alt + End" and then select "change password" from the list.

    -------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept as answer--

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.