
This is my first implementation of Remote Desktop Services/Terminal Services; we are using it as a solution for Mac clients that need to run a piece of new Windows-only software.

My question is about streamlining the user installation process. We don't have a directory service that extends to the Windows Server at present, so I need to temporarily activate these accounts with an admin-defined password, and force the user to change their password at first login.

Unfortunately, the relevant checkbox in user management does not seem to be a workable solution... the Mac client as well as the Windows RDP client fail to log in.

(Perhaps I am missing something here? We only have the RD Session Host installed so far; I'm not sure what the purpose of the Gateway Server is in our implementation. Maybe one of these solve the password reset issue? I am using the new "Microsoft Remote Desktop" client available from the App Store, but see the same behavior with the old RDC app.)

Ideally I would like the user to be able to log in with my provided credentials, and be immediately prompted with a password change dialog. I already have a batch file running at first login, and was hoping for something that could be implemented there... the farthest I've gotten is control /name Microsoft.UserAccounts, but I'm unable to figure out how to drill down into the "Change your password" screen.

I was also considering net User %USERNAME% * until I realized that has to be run as Admin, which the batch file is not.

It's almost certainly going to be difficult to extricate myself from the client setup process in the first place, so one final alternative I've been considering is to randomly generate secure passwords on my own, and save the user's to his or her OS X Keychain when I install -- effectively making the server login transparent.

Any wisdom from more experienced admins about how I should go about this?

NReilingh

1 Answer

The only thing here preventing the "automated" password change is the requirement for Network Level Authentication. As long as the Remote Desktop server allows connections without NLA, the password changing functionality will work fine in either the Mac or Windows clients.

The client can still connect using NLA once the password has been changed, but the password change itself requires that a session begin without having been authenticated--NLA takes place before the session begins, and must use a valid login. Logins marked "User must change password at next logon" are considered expired, i.e. not valid, so they cannot be used to Network-Level Authenticate a session.

To allow non-NLA sessions, open RD Session Host Configuration and double-click the RDP-Tcp connection. The checkbox for NLA is in the Security section of the General tab.

NReilingh