
In our Active Directory setup, some users will be accessing domain resources (shared folders on the network, specifically) from non-domain computers. Only users from the domain have permission to access these shared folders, so Windows prompts the non-domain users for credentials when they try to access said folders. A user can then enter their domain username and password, and afterwards they can access their files without a problem.

This all works fine, except when a user is required to change their password. For example: when a new user is set up, I would like to provide them with a random password which they would be required to change before authenticating. If they were using Remote Desktop, the RDP client would prompt them automatically for a new password before logging them in, but when accessing a file share through Windows Explorer, Windows only gives them a message insisting that they must change their password before using their account before promptly denying them access without any way to do so.

So the question is: how can I provide a user the ability to change their own password?

Note: There are no Remote Desktop servers in the environment which they could connect to (only the domain controller).

Keith Stein

2 Answers


You can use the below PowerShell script to allow the user to change their password remotely. The user simply executes this script and completes the prompts. For the below script to work, you will need to open PowerShell as an administrator and run the command Set-ExecutionPolicy RemoteSigned to allow the execution of unsigned scripts created locally.

function Set-PasswordRemotely {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string] $UserName,
        [Parameter(Mandatory = $true)][string] $OldPassword,
        [Parameter(Mandatory = $true)][string] $NewPassword,
        [Parameter(Mandatory = $true)][alias('DC', 'Server', 'ComputerName')][string] $DomainController
    )
    # NetUserChangePassword returns a NET_API_STATUS: 0 (NERR_Success) on success,
    # otherwise a Win32/NERR error code. Declaring the return as uint instead of bool
    # keeps that code available for troubleshooting (e.g. a policy rejection).
    $DllImport = @'
[DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
public static extern uint NetUserChangePassword(string domain, string username, string oldpassword, string newpassword);
'@
    $NetApi32 = Add-Type -MemberDefinition $DllImport -Name 'NetApi32' -Namespace 'Win32' -PassThru
    $result = $NetApi32::NetUserChangePassword($DomainController, $UserName, $OldPassword, $NewPassword)
    if ($result -ne 0) {
        Write-Output -InputObject "Password change failed (error $result). Please try again."
    } else {
        Write-Output -InputObject 'Password change succeeded.'
    }
}

# Calling the function with no arguments makes PowerShell prompt for each mandatory parameter.
Set-PasswordRemotely

What it will do is prompt the user for their username, old password, new password and the domain controller. Do note that the passwords will be displayed in the PowerShell window in plain text; however, the script will not send the new password in plain text.

Christopher H
  • Does the step of opening as an administrator and running `Set-ExecutionPolicy RemoteSigned` have to be done before each change? Or just once on that computer? – Keith Stein Aug 10 '20 at 22:33
  • No, it is a one-time command and does not need to be executed each time before the script is run. Just be sure to start PowerShell as an admin when using `Set-ExecutionPolicy`. – Christopher H Aug 10 '20 at 22:42
  • Or you could simply sign the script. It's not that hard. – LeeM Aug 18 '20 at 12:00
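An added example (my own code, not Christopher H's script or anything from the thread) that makes the same netapi32 call but reads the passwords with Read-Host -AsSecureString so they are not echoed, checks a confirmation entry, and decodes the NET_API_STATUS result so a rejected change says why. The domain controller name and the status-code table are assumptions; the namespace differs from the answer's so both can be loaded in one session.

```powershell
# Added example: NetUserChangePassword with non-echoed input and decoded status codes.
$signature = @'
[DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
public static extern uint NetUserChangePassword(string domainname, string username, string oldpassword, string newpassword);
'@
# Separate namespace so this does not collide with the Win32.NetApi32 type from the answer above.
$NetApi32 = Add-Type -MemberDefinition $signature -Name 'NetApi32' -Namespace 'Win32Ex' -PassThru

# Selected NET_API_STATUS / Win32 codes NetUserChangePassword can return (assumed subset).
$StatusText = @{
    0    = 'Success'
    5    = 'ERROR_ACCESS_DENIED'
    86   = 'ERROR_INVALID_PASSWORD (old password is wrong)'
    1325 = 'ERROR_PASSWORD_RESTRICTION (new password violates domain policy)'
    1326 = 'ERROR_LOGON_FAILURE'
    2221 = 'NERR_UserNotFound'
    2245 = 'NERR_PasswordTooShort (new password fails length/history/complexity policy)'
}

# Convert a SecureString to plain text only at the moment it is handed to the API.
function ConvertFrom-SecureStringPlain {
    param([System.Security.SecureString] $Secure)
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function Set-DomainPasswordFromWorkgroup {
    param(
        [Parameter(Mandatory)][string] $DomainController,  # e.g. dc01.corp.example (assumed name)
        [Parameter(Mandatory)][string] $UserName
    )
    $old     = Read-Host -Prompt 'Current password' -AsSecureString
    $new     = Read-Host -Prompt 'New password' -AsSecureString
    $confirm = Read-Host -Prompt 'Confirm new password' -AsSecureString
    $newPlain = ConvertFrom-SecureStringPlain $new
    if ($newPlain -cne (ConvertFrom-SecureStringPlain $confirm)) {
        throw 'New password and confirmation do not match.'
    }
    $status = $NetApi32::NetUserChangePassword($DomainController, $UserName,
                                               (ConvertFrom-SecureStringPlain $old), $newPlain)
    $text = if ($StatusText.ContainsKey([int]$status)) { $StatusText[[int]$status] } else { "unknown status $status" }
    if ($status -eq 0) { Write-Host "Password changed: $text" }
    else               { Write-Warning "Password change failed ($status): $text" }
    return $status
}
```

Run it as `Set-DomainPasswordFromWorkgroup -DomainController dc01.corp.example -UserName jdoe` from the non-domain machine; a non-zero return value tells the helpdesk which policy check or credential failed.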

Alternatively, for a more "user friendly" way (the script looks great, but might be daunting for end users), you can install the Remote Desktop Web Service role.

There's no need for the full Remote Desktop suite. By default it simply has a logon page. This can be configured with a link to click for password changes via the web interface.

There's more overhead with this method, such as needing to install IIS with the new RDWeb role. You need a trusted certificate (it can be from an internal CA) to secure the website with HTTPS - you don't want password changes sent in clear text. But it can all be done in under an hour.

This guide describes it quite clearly, but doesn't discuss the SSL cert. http://woshub.com/allow-users-to-reset-expired-password-via-rd-webaccess-windows-server-2012/. There are other guides if you do a quick google.

The actual line to modify is slightly different in different versions of Windows. Look for the surrounding code.

LeeM