Allow Users to Change Expired Password via Remote Desktop Connection
You can solve this with a two-pronged approach:
1. Install the RD Web Access role and enable the remote password change option
The following directions are from the woshub.com article Allow users to reset expired password via RD WebAccess in Windows Server 2012:
In Windows 2012 / 2012 R2 an option appeared that allows a remote user to change their password (current or an expired one) using a special web-page on the RD Web Access server. The password will be changed like this: a user signs in to the registration web page on the server with the RD Web Access role and changes his password using a special form.
A remote password change option is available on the server with the Remote Desktop Web Access (RD Web Access) role, but it is disabled by default. To change a password, a script password.aspx is used, which is located in C:\Windows\Web\RDWeb\Pages\en-US.
To enable the password change option, on the server with the configured RD Web Access role open the IIS Manager console, go to [Server Name] –> Sites –> Default Web Site –> RDWeb –> Pages and open the section Application Settings.
In the right pane, find PasswordChangeEnabled parameter and change its value to true.
You can test the password change mechanism going to the following web-page:
https://RDSServerName/RDWeb/Pages/en-US/password.aspx
Now when trying to connect to the RD Web Access server with the expired password, a user will be redirected to password.aspx web-page and offered to change his password.
Tip. The same feature can become available on Windows Server 2008 R2 after you install a special patch, KB2648402.
2. Enable prompts notifying users of pending password expiration
- Run gpedit.msc on the RDSH server to open Local Group Policy.
- Navigate to Computer Configuration\Windows Settings\Local Policies\Security Options.
- Edit the setting Interactive logon: Prompt user to change password before expiration and specify a reasonable number of days, such as 14.
- Users, including those logged in via Remote Desktop, will receive a notification prior to their password expiring.
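The two steps above, done from an elevated PowerShell session on the RD Web Access / RDSH server instead of clicking through IIS Manager and gpedit. This is an added example and not code from the original answer or from the woshub article; it assumes the site is named "Default Web Site" with RDWeb underneath it, and that the host's own FQDN is the name on the TLS certificate.

```powershell
# Added example (not from the original answer). Run elevated on the RD Web Access server.
# Assumed: site name "Default Web Site", RDWeb application under it.

Import-Module WebAdministration

# Step 1: flip PasswordChangeEnabled in RDWeb\Pages\web.config (it is false by default).
$pagesPath = 'IIS:\Sites\Default Web Site\RDWeb\Pages'
$filter    = "/appSettings/add[@key='PasswordChangeEnabled']"

$before = (Get-WebConfigurationProperty -PSPath $pagesPath -Filter $filter -Name value).Value
Set-WebConfigurationProperty -PSPath $pagesPath -Filter $filter -Name value -Value 'true'
$after  = (Get-WebConfigurationProperty -PSPath $pagesPath -Filter $filter -Name value).Value
"PasswordChangeEnabled: $before -> $after"

# password.aspx is reachable before any logon by design, so the site must only answer
# over HTTPS; a plain http binding would carry the old and new password in clear text.
Get-WebBinding -Name 'Default Web Site' | Select-Object protocol, bindingInformation

# Smoke test the page over TLS using this host's FQDN (assumed to match the certificate).
$fqdn = [System.Net.Dns]::GetHostEntry('').HostName
$resp = Invoke-WebRequest -Uri "https://$fqdn/RDWeb/Pages/en-US/password.aspx" -UseBasicParsing
"password.aspx -> HTTP $($resp.StatusCode)"

# Step 2: warn users N days before expiry. This DWORD is what the security option
# "Interactive logon: Prompt user to change password before expiration" writes.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Set-ItemProperty -Path $winlogon -Name PasswordExpiryWarning -Value 14 -Type DWord
"PasswordExpiryWarning: $((Get-ItemProperty -Path $winlogon).PasswordExpiryWarning) days"
```

Because password.aspx accepts a user name and the current password without an authenticated session, an internet-facing RD Web Access server with this enabled is also a place where anyone can test credentials; make sure the domain account lockout policy covers it and that the page is only published where you intend it to be.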
It turns out this is controlled through an unlisted property in the .RDP configuration file called "enablecredsspsupport". Setting it to "0" loads the login page inside the RDP session, which allows a user to change their expired password.
The exact syntax needed in the .RDP configuration file is:
enablecredsspsupport:i:0
If you need further reference or reading go here: The Tyranny of Network Level Authentication and CredSSP
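How to apply the setting above without editing the file by hand, and the server-side condition it depends on. This is an added example, not code from the original answer; the host name rds01.example.local, the user EXAMPLE\jdoe and the file name are assumptions.

```powershell
# Added example (not from the original answer). Assumed names: rds01.example.local, EXAMPLE\jdoe.

# Client side: write an .rdp file with CredSSP disabled and launch it.
function New-NoCredSspRdpFile {
    param(
        [Parameter(Mandatory)][string] $Target,
        [Parameter(Mandatory)][string] $UserName,
        [string] $Path = (Join-Path $env:TEMP 'nocredssp.rdp')
    )
    $settings = @(
        "full address:s:$Target"
        "username:s:$UserName"
        'prompt for credentials:i:1'
        'enablecredsspsupport:i:0'   # no CredSSP: logon happens inside the session,
                                     # so Winlogon can offer the change-password dialog
        'authentication level:i:2'   # still warn on server certificate problems
    )
    Set-Content -Path $Path -Value $settings -Encoding Unicode
    return $Path
}

# Server side: without CredSSP the client cannot do NLA, so this only works if the
# RDSH accepts non-NLA connections. UserAuthenticationRequired = 1 means NLA is
# required and a connection from the file above is refused at connect time.
function Test-NlaRequired {
    $rdp = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                           -ClassName Win32_TSGeneralSetting `
                           -Filter "TerminalName='RDP-Tcp'"
    return ($rdp.UserAuthenticationRequired -eq 1)
}

# Usage on the client:
$file = New-NoCredSspRdpFile -Target 'rds01.example.local' -UserName 'EXAMPLE\jdoe'
Get-Content -Path $file
Start-Process -FilePath 'mstsc.exe' -ArgumentList "`"$file`""

# Usage on the RDSH (elevated):
# "NLA required: $(Test-NlaRequired)"
```

Turning NLA off on the server so that this works trades pre-authentication for the in-session logon screen; if the server must keep NLA, the RD Web Access password page or the PowerShell approach below are the alternatives.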
None of the options worked for me since I have NLA enabled. Here's a way to change it via PowerShell - full story on How to change your own expired password when you can’t login to RDP.
function Set-PasswordRemotely {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string] $UserName,
        [Parameter(Mandatory = $true)][string] $OldPassword,
        [Parameter(Mandatory = $true)][string] $NewPassword,
        [Parameter(Mandatory = $true)][alias('DC', 'Server', 'ComputerName')][string] $DomainController
    )
    # NetUserChangePassword returns a NET_API_STATUS code (0 = NERR_Success), not a bool,
    # so declare it as uint and test for zero explicitly.
    $DllImport = @'
[DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
public static extern uint NetUserChangePassword(string domainname, string username, string oldpassword, string newpassword);
'@
    # Add-Type throws if the type already exists in this session, so only add it once.
    if (-not ('Win32.NetApi32' -as [type])) {
        Add-Type -MemberDefinition $DllImport -Name 'NetApi32' -Namespace 'Win32'
    }
    $NetApi32 = [Win32.NetApi32]
    # First argument is the domain name or the name of a DC holding the account;
    # the call goes over SMB/RPC, so TCP 445 to that host must be reachable.
    # Note: the passwords are plain strings here and will end up in console history
    # and any transcript.
    $result = $NetApi32::NetUserChangePassword($DomainController, $UserName, $OldPassword, $NewPassword)
    if ($result -ne 0) {
        # 86 = ERROR_INVALID_PASSWORD, 2245 = NERR_PasswordTooShort (policy rejected it)
        Write-Output -InputObject ('Password change failed (NET_API_STATUS {0}). Please try again.' -f $result)
    } else {
        Write-Output -InputObject 'Password change succeeded.'
    }
}
Simply run Set-PasswordRemotely and it will ask you 4 questions (username, old password, new password, domain controller) and change the password for you. It works from a non-domain-joined PC as well. Requires connectivity to the DC.