Good day to you all!
Guys, tell me what I cannot find. In short, there is a domain setup: right-click on the account = change password, check the box "The user must change the password...", type a temporary password, for example 123456.
Ideally, and on many DC machines, via mstsc or another client you type in the address of the RDS machine: 1. A logon window appears and you are asked to enter your login and password; we enter our login and the password 123456, and then in the same logon window it asks you to change your password... This is configurable in GPO and so on, but here is the thing: there are controllers or PCs where the terminal server is configured so that the logon window is not shown, and immediately, at the above request to change the password, the following is shown:
![147812-img.jpg][1]

[1]: /api/attachments/147812-img.jpg?platform=QnA
Where to look, and for what? What setting is responsible for this that I cannot find (( A BIG THANK YOU to all in advance!
---
- Directly to the PC inside, 192.168.0.220 (the machine in the RDS farm collection, of course in the domain, Server 2019), port 3389 is forwarded. I connect from outside both with the usual mstsc client and through Remmina, and the result is the same: when the checkbox "User must change password at the next logon..." is set, ALL OK. Change the password to 123456, check the box to change the password, fill in the password 123456 in Remmina or another client, the logon screen is shown and asks to change the password.
- Logging in from an external location but through the gateway to the farm connection: the roles on the machine are gateway, broker, license server; groups and access are configured, the collection is also set up, certificates are configured, all OK, but as soon as we force a password change as in step 1, any client, whether Remmina or mstsc, just says Error, or that the user must change the password (picture in the 1st post). That's it!
So is it the fault of the gateway or the broker? In essence the gateway doesn't care, it's just a matter of routing the network to the outside and to the inside and encrypting the traffic with a certificate = that's it?!
You can't manage the broker as such, there are no snap-ins, nothing else... I did all the role deployments from the domain controller, all without errors; if I connect without changing the password, everything is OK, with all parameters. WHAT IS WRONG AND WHERE DO I SCREW UP?
Regarding WEB access: we do not have this practice and will not; users will not separately log on to the web to change something there, besides it would be necessary to create a separate setup + policies + explain to each user what and how... This is crazy. There is such an answer, to lower the security for users in the policy: https://ibb.co/3vC5S9h
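An added example for the two posts above (not code from the thread or from Microsoft): it performs step 1 (temporary password plus forced change at next logon) in PowerShell, verifies the flag as the logon stack sees it, and reads the Network Level Authentication setting on a session host, which is the setting to compare between the path that works and the path that fails. The account name and host name are placeholders; the ActiveDirectory RSAT module and WinRM access to the host are assumed.

```powershell
# Added example, not from the thread. Placeholders: $User and $SessionHost.
Import-Module ActiveDirectory

$User        = 'jdoe'                  # placeholder account
$SessionHost = 'RDSH01.example.local'  # placeholder RD Session Host

# Step 1 from the post, done in PowerShell: reset to a temporary password and
# force a change at next logon. AD stores that flag as pwdLastSet = 0.
$Temp = Read-Host -AsSecureString 'Temporary password'
Set-ADAccountPassword -Identity $User -Reset -NewPassword $Temp
Set-ADUser -Identity $User -ChangePasswordAtLogon $true

# Verify the flag the way the logon stack sees it.
$u = Get-ADUser -Identity $User -Properties pwdLastSet, PasswordExpired
[pscustomobject]@{
    User              = $u.SamAccountName
    MustChangeAtLogon = ($u.pwdLastSet -eq 0)
    PasswordExpired   = $u.PasswordExpired
}

# Setting to compare between the working and failing path: NLA. With NLA
# required, the credentials are verified by CredSSP before any logon screen
# exists, so an account that must change its password at next logon gets an
# error instead of the change-password prompt. Without NLA the prompt appears.
$ts = Get-CimInstance -ComputerName $SessionHost `
        -Namespace root\cimv2\TerminalServices `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
[pscustomobject]@{
    Host          = $SessionHost
    NLARequired   = [bool]$ts.UserAuthenticationRequired  # 1 = NLA required
    SecurityLayer = $ts.SecurityLayer                      # 0 RDP, 1 Negotiate, 2 TLS
}
```

Run the second query against the host reached directly on 3389 and against a host in the farm collection; if they differ only in NLARequired, that is the setting the linked "lower the security" screenshot is about, and the trade-off is between keeping NLA and handling first-logon password changes through another path.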