
I have an RDS solution for one of our customers. There is a session collection serving desktops via an RD Gateway and there are a handful of session host servers; all load balanced etc. It works a treat in terms of users connecting in and performance.

We've had the users set to 'password never expires' whilst the system has been bedded in; however, we've now come to a point where we need to get the password policy enforced. We opted to force all users to change their passwords at next logon as we had issued 'easy' passwords for a smooth transition. This was done simply by checking the 'user must change password at next logon' box in AD under the user's properties; however, rather than prompting users for a new password at the next logon, the logon was immediately denied.

I tried again to ensure I hadn't entered the password incorrectly, but sure enough, my login is denied with the error 'The logon attempt failed'. I go back into AD and uncheck the 'user must change password at next logon' and I am able to log back in again without an issue.

Once logged in, if I press CTRL, ALT & END and choose 'change a password', it seems like it will allow me to change the password: it prompts for old, new and confirm password, but no matter what I use, it says 'Unable to update the password. The value provided for new password does not meet the length, complexity or history requirements of the domain'. I used randomly generated 24 character passwords with upper and lowercase letters, numbers and symbols... there is just no way it doesn't meet the default 2012 complexity rules.

So I have two questions...

  • Why would checking this option in AD cause it to deny the user logon?

  • How can I allow/force my users to change their passwords?

John
  • Have the passwords expired? If they have, is there a GPO that denies logon with expired passwords? – Elliot Huffman Jan 08 '18 at 12:30
  • This should help https://mssec.wordpress.com/2015/12/26/forced-password-change-at-next-logon-and-rdp/ – Drifter104 Jan 08 '18 at 12:36
  • The passwords haven't expired, no... I confirmed by creating a brand new user and setting his password to need changing at next logon, and the behaviour is the same. – John Jan 08 '18 at 13:31

2 Answers


If you use Network Level Authentication in conjunction with RDP (which you should, because it's the more secure option), then you cannot connect if your password is expired. This means that you cannot connect in order to change your password because you cannot connect with an expired password. This is considered by design because there is no such feature in the underlying CredSSP protocol.

You'll have to provide some other means for users to change their expired passwords, such as a self-service password reset portal. (Forefront Identity Manager, for example.)

As for the password complexity requirements not being met, my guess is that you're hitting that other password policy roadblock that rarely gets mentioned - the minimum password age. If the password has changed recently, you can't change it again until a certain amount of time has elapsed.

Ryan Ries
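An added diagnostic (not code from the thread) that checks one account against both causes named in this answer: NLA refusing a must-change or expired logon, and the minimum password age silently blocking a change. It assumes the RSAT ActiveDirectory module, a domain admin session, WinRM access to a session host, and a hypothetical host name RDSH01.

```powershell
# Added example, not from the original thread. Assumes RSAT ActiveDirectory,
# a domain admin session and WinRM access to the session host.
# $SessionHost is a hypothetical name; replace it with one of your RDSH servers.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [string] $SessionHost = 'RDSH01'
)
Import-Module ActiveDirectory

$user   = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet, PasswordExpired
$policy = Get-ADDefaultDomainPasswordPolicy

# AD stores "user must change password at next logon" as pwdLastSet = 0.
# Unticking the box writes the current time, which restarts the minimum-age clock.
$mustChange = ($user.pwdLastSet -eq 0)
$lastSet    = if ($mustChange) { $null } else { [DateTime]::FromFileTime($user.pwdLastSet) }

# Cause 1: with NLA required, CredSSP has no "change password" step, so a
# must-change or expired account is rejected before any session exists.
$nlaRequired = Invoke-Command -ComputerName $SessionHost -ScriptBlock {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    (Get-ItemProperty -Path $key -Name UserAuthentication).UserAuthentication -eq 1
}

# Cause 2: the minimum password age blocks a second change until it has elapsed;
# the client reports this as the misleading "length, complexity or history" error.
$earliestChange  = if ($lastSet) { $lastSet + $policy.MinPasswordAge } else { $null }
$blockedByMinAge = ($null -ne $earliestChange) -and ((Get-Date) -lt $earliestChange)

[PSCustomObject]@{
    User               = $user.SamAccountName
    MustChangeAtLogon  = $mustChange
    PasswordExpired    = $user.PasswordExpired
    NlaRequiredOnHost  = $nlaRequired
    RdpLogonWillFail   = $nlaRequired -and ($mustChange -or $user.PasswordExpired)
    PasswordLastSet    = $lastSet
    MinPasswordAge     = $policy.MinPasswordAge
    ChangeAllowedAfter = $earliestChange
    BlockedByMinAge    = $blockedByMinAge
}
```

Run it as `.\Check-RdsPasswordState.ps1 -SamAccountName jdoe -SessionHost RDSH01`; a `True` in RdpLogonWillFail or BlockedByMinAge points at the respective cause.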

Passwords for remote users can be changed with the RD Web Access role, which is described in this answer, where there is also a solution for notifying users of pending password expiration.

(I can see you have tagged RDWeb, so I hope you can use this solution).

And when NLA is used, you can't log on or change the password through RDP, as described already.

PatrikN