Professional Documents
Culture Documents
Expired Password Remote Desktop
Expired Password Remote Desktop
Expired Password Remote Desktop
If your AD account has the “User must change password at next logon” option enabled:
1 of 9 10/15/2020, 4:47 PM
Forced password change at next logon and RDP | Microsoft Security Sol... https://mssec.wordpress.com/2015/12/26/forced-password-change-at-nex...
“You must change your password before logging on the first time. Please update your password or contact your system administrator or technical support.”
This is a classic catch 22 issue: You have to logon to change you password, but you cannot logon until you’ve
changed you password.
If you have access to a “normal” network connected Windows client you can change the password that way, but
what if you only have RDP access?
Client side
Well, if the server allows it, you can temporary disable “Credential Security Support Provider (CredSSP)” in the
RPD client. This disables Network Layer Authentication, the pre-RPD-connection authentication, and therefore
enables you to change your password via RDP. CredSSP is enabled by default in the RDP client on Windows Vista
and forward.
There is no option to disable CredSSP in the RDP client, so here is how you have to do it:
Start mstsc.exe
Click Show Options
Click Save As
2 of 9 10/15/2020, 4:47 PM
Forced password change at next logon and RDP | Microsoft Security Sol... https://mssec.wordpress.com/2015/12/26/forced-password-change-at-nex...
Call it ChangePassword.rpd (or anything you’d like, but avoid the name Default.rdp)
Open the saved ChangePassword.rpd in Notepad
Add a new row at the end with the following text:
enablecredsspsupport:i:0
Instead of the local Windows Security prompt (the second image in the blog post) you should see a Windows
Logon screen on the remote computer (if not, read on anyway):
If the account you log on with at this point has the “User must change password at next logon” option enabled,
you get notified about that:
3 of 9 10/15/2020, 4:47 PM
Forced password change at next logon and RDP | Microsoft Security Sol... https://mssec.wordpress.com/2015/12/26/forced-password-change-at-nex...
After changing the password you get confirmation about the change:
In fact, you do not need to have access to sign in through RDP, in that case this shows up, but only after you
successfully changed your password:
4 of 9 10/15/2020, 4:47 PM
Forced password change at next logon and RDP | Microsoft Security Sol... https://mssec.wordpress.com/2015/12/26/forced-password-change-at-nex...
Delete the ChangePassword.rdp file when you are done (or at least do not use it until you are forced to change
your password again), since disabling CredSSP lowers the security of RDP connections.
In that case, try connecting using the FQDN (DC01.tomdemo.se and not only DC01) or connect to other servers
that might allow you to disable CredSSP. As I mentioned above, you don’t have to have access to actually logon to
the server.
Server side
You can also disable CredSSP on the server side, but since that lowers the security on all RDP connections to that
server it is not recommended.
If you chose to do this anyway, you do it either by de-selecting “Allow connections only from computers running
Remote Desktop with Network Level Authentication (recommended)” in System Properties:
5 of 9 10/15/2020, 4:47 PM
Forced password change at next logon and RDP | Microsoft Security Sol... https://mssec.wordpress.com/2015/12/26/forced-password-change-at-nex...
Note that if you already have an existing access to a server (with the account you need to change the password
with) you could just change your password in that session by pressing Ctrl-Alt-Del (or Ctrl-Alt-End in an RDP
connection) and choosing Change a password:
6 of 9 10/15/2020, 4:47 PM
Forced password change at next logon and RDP | Microsoft Security Sol... https://mssec.wordpress.com/2015/12/26/forced-password-change-at-nex...
Related
Get free SSL certificates with Let's Encrypt Manually remove old CA references in Active Can disabling Delta CRL on a CA cause
Directory problems?
This worked for me. Problem was in trying to allow User Role access to my Server Windows Instance; wasn’t able to get them
to authenticate by logging in. I believe that the blocker was the checkbox on System Properties “Allow Connections from
Computers running Remote Desktop with Network Level Authentication” ; upon unchecking it, new users accounts could
login by changing password assigned by Sys-Admin.
Reply
This worked for me! Thanks for your help! The blocker was that the option “Allow connections from Computer running
Remote Desktop with Network Level Authentication” was checked. Upon unchecking, new user accounts that i had created
were able to login to the instance.
7 of 9 10/15/2020, 4:47 PM
Forced password change at next logon and RDP | Microsoft Security Sol... https://mssec.wordpress.com/2015/12/26/forced-password-change-at-nex...
Reply
edis says:
3 June, 2020 at 08:07
Sure as hell, you are lowering you security, if you do not require NLA from clients. I would not pass this in security audit.
This is flaw of the Microsoft OS architecture. Last known password should be employed to mandatory hold into sandbox of
password change screen, until password updated, just like it flows in local access. All the bag of tricks to try is worth nothing
for single feature missing in design.
Reply
should
be required everywhere. That being said, this “trick” has helped me and many others where that is not the case yet.
What if I were to set up a dedicated server that does not require NLA , and deny logon for Everyone, and use that
as a remote password change host. Would that pass a security audit?
Reply
edis says:
3 June, 2020 at 01:05
Tom, another trick? If you host RDP-without-NLA server, for auditors you do not deliver there outright.
Then, if you deny logon, why password change should be served by the system? For abuser to be able of
resetting passwords, if they can’t logon on your behalf? I do appreciate search for at least some fragile paths
how to get around issues, but it makes sad, that engineers of today do not stick to the foremost principle in
our field: do the right thing. Which is, to deliver feature of the system properly, instead of focusing on
hackable workarounds. It is about consistency, which will support engineer himself, in the long run. Cheers.
Security is not black or white, it is – and will always be – gray. What exactly is “the right thing” for any
given issue? Right for Security, IT, end-user or finance department? Secure, user-friendly, affordable.
Choose any two. Why allow RDP at all, maybe require physical presence?
I often compare security with a cars. Seatbelt doesn’t always work, but still use it (is seatbelt a
workaround?). Also have an airbag. Drive sober and alert. Regularly test the car. Require drivers to take a
test. Not driving at all would be safer (is that the “right thing” here?), but that might not always an option.
Sorry for the rant, I often have this discussion with customers. But I thing we agree in general
edis says:
5 June, 2020 at 10:27
Tom, when we say right thing, we mean all the constellation of the engineering sense.
Engineers are not that disturbed at all.
Maxim says:
8 of 9 10/15/2020, 4:47 PM
Forced password change at next logon and RDP | Microsoft Security Sol... https://mssec.wordpress.com/2015/12/26/forced-password-change-at-nex...
it is good because it work, because it helps, because it resolve this issue that wasdesigned and not tested
Reply
edis says:
5 June, 2020 at 10:21
Maxim, you are either from Russia, or, less probable because of the name, from China. Proceed from this.
Reply
Eu fiz todos estes testes e nada funcionou comigo, para resolver eu abrir o atalho da conexão remota do usuário editei com o
bloco de notas e na linha NEGOTIATE SECURITY LAYER estava setado como 1, marquei 0
Reply
Mircea says:
8 October, 2020 at 12:14
THANKS A MILLION. This was a life saver for me. I changed the Administrator password on a remote machine (very
remote) and it seems I accidentally checked the “user must change password” option. I practically locked myself, the only
admin, out.
Reply
Glad it helped
Reply
9 of 9 10/15/2020, 4:47 PM