0 Votes
Alexey-4605 asked Alexey-4605 answered

RDP MSTSC no logon screen?

Good day to you all!

Guys, tell me what I cannot find. In short, there is a domain setup: right-click on the account = change password, check the box "The user must change the password...", and type a temporary password, for example 123456.

Ideally, and on many DC machines, you type the address of the RDS machine into mstsc or another client, a logon window appears and you are asked to enter your login and password; we enter our login and the password 123456, and then in the same logon window it asks you to change your password... This is configurable in GPO and so on, but here's the thing: there are controllers or PCs that have the terminal server configured so that the logon window is not shown, and instead, at the above request to change the password, the following is issued:

![147812-img.jpg](/answers/storage/attachments/147812-img.jpg)

Where should I look, and for what? What setting is responsible for this? That I cannot find (( A BIG THANK YOU to all in advance!



  1. The PC inside (192.168.0.220, the machine in the RDS farm collection, of course in the domain, Server 2019) has port 3389 forwarded directly. I connect from outside, both from the usual mstsc client and through Remmina, and the result is the same: when the checkbox "User must change password at next logon..." is set, ALL is OK. I change the password to 123456, check the box to force a password change, enter the password 123456 in Remmina or another client, the logon screen is shown and it asks to change the password.

  2. Logging in from an external location, but through the gateway to the farm connection: the roles on the gateway machine are broker, gateway and license server; the groups and accesses are configured, the collection is set up, the certificates are configured, all OK. But as soon as we force a password change as in step 1, any client, whether Remmina or mstsc, just says "Error", or that the user must change the password (picture in the 1st post). That's it!

So is it the fault of the gateway or the broker? In essence the gateway doesn't care; it's just a matter of routing the network from the outside to the inside and encrypting the traffic with a certificate = that's it?!
You can't manage the broker as such; there are no snap-ins, nothing else... All the role deployments were done from the domain controller, all without errors. If I connect without changing the password, everything is OK with all parameters. WHAT IS WRONG AND WHERE DID I SCREW UP?

Regarding Web Access: we do not have this practice and will not; users will not separately log on to the web, and what would they change there? Besides, it would be necessary to create a separate circuit + policies + explain to each user what and how... This is crazy. There is such an answer, to lower the security of users in the policy: https://ibb.co/3vC5S9h

Tags: remote-desktop-services, windows-server-2019

0 Votes
Alexey-4605 answered

I have tried using this:
https://serverfault.com/questions/604811/how-is-the-change-password-at-next-logon-requirement-supposed-to-work-with-rdp/1083039#1083039
https://mssec.wordpress.com/2015/12/26/forced-password-change-at-next-logon-and-rdp/
https://darrenmyher.com/2017/03/29/windows-server-2016-rdp-you-must-change-your-password-before-logging-on-the-first-time/

Guys, I have forced RDP security, but still can't connect to the logon screen to change my password. What can I do? I am using an RDS farm, and when I connect directly to the RDS host I get the logon screen, but when I connect through the RDGW I can't get the logon screen to change my password... OMG. I set up and installed the old utilities like tsadmin and tsconfig, set RDP security on the RDS host and the RDGW, and tried connecting to the RDS host and to the RDGW directly with the setting "user must change password", and ALL IS OK, I saw the logon screen, but!!! When I try to connect to the RDS host through the RDGW, I can't connect and I can't see any logon screen, just ERROR CONNECTION!!! SO SO SAD... I'm so tired... Don't know what to do next... FCK.


0 Votes
Alexey-4605 answered

Guys, PLEASE, who knows anything at all about the farm:

  1. Doesn't work with the policy "network level authentication" disabled and the Remote Desktop service restarted.

  2. Doesn't work with tsconfig.msc on ALL machines in the farm with the security layer set to RDP instead of NLA (negotiate), and the Remote Desktop service restarted.

  3. Doesn't work with "Allow connections only from computers running Remote Desktop with Network Level Authentication..." unchecked, set on ALL farm machines, Remote Desktop services restarted.

SOMEWHERE in the GATEWAY-BROKER-TERMINAL connection there is a bug involving the NLA protocol or something else, but a LOGON screen when using a farm gateway (the gateway + broker + RD Web roles on one machine) - NO! I.e. once you check the box "user must change password at next logon", you no longer get a logon screen and therefore cannot change the user's password!!!

Who knows where to dig in the GATEWAY-BROKER-TERMINAL bundle: somewhere in the innards of the protocol, somewhere in the policies, or somewhere else?


0 Votes
Alexey-4605 answered

In short! Here's the solution!

  1. Make an account that will not be in any group of the domain; or rather, make an empty group and set it as the user's primary group, removing the user even from the Domain Users group.

  2. Add this user to the Remote Desktop Users group on the farm gateway only.

  3. Then, in ANY client, enter this user's credentials (login, password, domain) ONLY in the gateway section.

  4. In the same connection settings, enter the PC (usually the 1st PC in the farm) that you need to connect to.

That's it. Profit. Thank you all. The solution was found by the collective mind of my team, to whom, together with me, a BIG THANK YOU!

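The four steps of the poster's workaround, scripted as an added example (this is not the poster's own code, and every name in it is assumed: domain CORP, gateway rdgw.corp.example, session host rdsh01.corp.example, gateway-only account rdgw-access, empty primary group RDGW-Only). It assumes the gateway's connection authorization policy grants access to the local Remote Desktop Users group, which is the only place the account is added. The point of the split credentials is that the gateway authenticates the low-privilege rdgw-access account, whose password is not pending a change, while the session host authenticates the real user and can therefore show the change-password prompt.

```powershell
# Added example, not the poster's code. Assumed names throughout.
#Requires -Modules ActiveDirectory

$Domain      = 'CORP'                 # assumed
$GwAccount   = 'rdgw-access'          # assumed gateway-only account
$GwGroup     = 'RDGW-Only'            # assumed empty group to use as primary group
$GatewayFqdn = 'rdgw.corp.example'    # assumed RD Gateway
$TargetHost  = 'rdsh01.corp.example'  # assumed first session host in the farm

# --- Step 1: an account that is in no domain group except an empty one -------------
# Run where the ActiveDirectory RSAT module is available.
$password = Read-Host -AsSecureString "Password for $GwAccount"
New-ADUser -Name $GwAccount -SamAccountName $GwAccount -AccountPassword $password -Enabled $true
New-ADGroup -Name $GwGroup -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity $GwGroup -Members $GwAccount

# Domain Users cannot be removed while it is the primary group, so the empty group
# becomes the primary group first. primaryGroupID takes the group's RID, which AD
# exposes as the constructed attribute primaryGroupToken.
$token = (Get-ADGroup -Identity $GwGroup -Properties primaryGroupToken).primaryGroupToken
Set-ADUser -Identity $GwAccount -Replace @{ primaryGroupID = $token }
Remove-ADGroupMember -Identity 'Domain Users' -Members $GwAccount -Confirm:$false

# Check: membership should now list only the empty group.
Get-ADPrincipalGroupMembership -Identity $GwAccount | Select-Object -ExpandProperty Name

# --- Step 2: Remote Desktop Users on the gateway host only -------------------------
# Executed on the gateway itself; the account gets no rights on the session hosts.
Invoke-Command -ComputerName $GatewayFqdn -ScriptBlock {
    param($member)
    Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $member
} -ArgumentList "$Domain\$GwAccount"

# --- Steps 3-4: connection file with separate gateway credentials ------------------
# gatewayusagemethod 1 = always use the gateway, gatewayprofileusagemethod 1 = use
# these explicit settings, gatewaycredentialssource 0 = password prompt, and
# promptcredentialonce 0 = ask separately for gateway and session-host credentials.
# The user enters CORP\rdgw-access at the gateway prompt and their own account at the
# session-host prompt, where the forced password change is then negotiated.
$rdp = @"
full address:s:$TargetHost
gatewayhostname:s:$GatewayFqdn
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
promptcredentialonce:i:0
"@
$rdpPath = Join-Path $env:USERPROFILE 'Desktop\farm-via-gateway.rdp'
Set-Content -Path $rdpPath -Value $rdp -Encoding Unicode
Write-Host "Wrote $rdpPath; open it with mstsc to test the gateway-then-host logon."
```

Because every user of the farm would share the rdgw-access credentials, its value as a control rests on the account holding no group membership and no logon rights beyond the gateway's Remote Desktop Users group; the membership check after step 1 is the place to confirm that before the .rdp file is handed out.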