Expired password and TS Gateway problem

  • Saturday, December 06, 2008 4:51 PM
     
     
    Hi, 


    I have a problem with Terminal Server Gateway. When a password expires, or I tick the option "User must change password at next logon", the user is not able to log in at all using TS Gateway or Terminal Web Access, and obviously he is not prompted about changing the password either.

    Could you help me resolve this issue, please?

All Replies

  • Monday, December 08, 2008 4:25 AM
    Moderator
     
     Answered
    There is no option to change expired passwords through TS Gateway. You can change the password by using direct TS (without TS Gateway) when you are in the internal network.

    Thanks,
    Vikash
    • Marked As Answer by piotrkow Tuesday, December 09, 2008 11:49 AM
  • Monday, December 08, 2008 9:19 AM
     
     

    Thanks for your reply.

    It is very bad news for me. I have some users who work only remotely and never connect directly to the network. I'm really surprised that Microsoft doesn't provide a solution for this. Passwords sometimes expire, so I believe it is a problem for a lot of companies.

    Best Regards

  • Monday, December 08, 2008 6:00 PM
    Owner
     
     Answered
    Hi,

    Although not ideal, one possibility is to set up a VPN that is available to your remote users, so that in cases where their password expires, they can still fall back to the VPN to change their password.

    Thanks,
    Drew
  • Tuesday, December 09, 2008 11:49 AM
     
     
    Thanks for your reply,

    Unfortunately I'm not able to use a VPN in this case, and I have no Exchange server with web access to provide password changes.

    Best Regards
  • Tuesday, December 09, 2008 7:25 PM
     
     
    We have the same problem. We host Terminal Services 2008 for our clients, so they are never on the internal network. I am really surprised Microsoft would not have the functionality built in.

    thanks

    thomas
    Thomas Maine, MCP
  • Monday, July 06, 2009 3:34 PM
     
     
    Nice "feature".  So, using Terminal Services exclusively - as you would with a thin client - I cannot expire passwords effectively.  Now, after fighting with Vista all day, then testing a machine for failure all night after deploying yet another round of critical security updates, I get woken up early by terminal users that cannot log in.  Fabulous.  Whoever thought that out should be shot.

    Isn't the new RDP 6.whatever that 2008 forced on us without backwards compatibility (you know, the one that MS said you're stuck with, even though none of my terminals would connect without a firmware upgrade, which I had to wait for from the vendor who had to react to yet another change without warning) supposed to be more secure?

    Think about this for a second: I don't want user downtime, so I just had to disable the password expiry setting in their GPOs.

    Users notoriously don't change passwords until they are forced to (uh, someone told you guys that, right?), so as it is, when their passwords expire I get a phone call, which leads me to set a simple password that they can hear over the phone without writing it down.  Then I can either give them a stern warning to change it themselves (which 99% of the time they don't do) or I can remote control their desktop and walk them through it.  Trust me, our operations managers care about security, but not at the expense of productivity.  If I didn't remove the GPO setting, I would have been replaced with someone who will.

    Or, the geniuses at Microsoft could have done something truly radical: once the counter has expired for days before a password change, ALLOW THEM TO LOG IN AND FORCE PROMPT A PASSWORD CHANGE AFTER THE SESSION STARTS!  Wow, what a concept.  Not as secure, sure, but what good is security if you have to bypass it for functionality?  It could be offered as an option for the admin, who would weigh the security risks and configure appropriately.

    Typical.  Get your act together MS, this is idiotic.
  • Monday, July 06, 2009 3:46 PM
    Moderator
     
     
    What about the notifications your users receive before the password expires - 14 days prior to the fact - when they log in?

    Group Policy

    Computer Configuration -> Windows Settings -> Local Policies -> Security Options

    Citrix Technology Professional, PubForum.net Founder , Love Microsoft &its people to bits!
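One way for an administrator to catch remote-only users before the lockout described in this thread is to report, from the terminal server, every enabled account whose password is already expired, is flagged "must change at next logon", or will expire inside the Winlogon warning window. This is an added example, not code from the thread or from Microsoft; it assumes the ActiveDirectory module (RSAT) is installed on a domain-joined host, and that the warning window is stored in the Winlogon registry value PasswordExpiryWarning (falling back to the 14 days mentioned above).

```powershell
# Added example: report domain accounts at risk of being locked out of TS Gateway
# by an expired password. Assumes RSAT ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

# Warning window set by "Interactive logon: Prompt user to change password before
# expiration" (assumed registry location); default to 14 days as in the thread.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$warnDays = (Get-ItemProperty -Path $winlogon -Name PasswordExpiryWarning `
             -ErrorAction SilentlyContinue).PasswordExpiryWarning
if (-not $warnDays) { $warnDays = 14 }

$now   = Get-Date
$limit = $now.AddDays($warnDays)

# msDS-UserPasswordExpiryTimeComputed is evaluated by the DC against the effective
# policy (default domain policy or a fine-grained policy), so no local max-age math.
Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
           -Properties DisplayName, PasswordExpired, msDS-UserPasswordExpiryTimeComputed |
  ForEach-Object {
    $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
    if ($raw -eq [Int64]::MaxValue) { return }   # effectively never expires: skip
    $mustChange = ($raw -eq 0)                    # "User must change password at next logon"
    $expires = if ($mustChange) { $null } else { [DateTime]::FromFileTime($raw) }
    [PSCustomObject]@{
        SamAccountName    = $_.SamAccountName
        DisplayName       = $_.DisplayName
        MustChangeAtLogon = $mustChange
        AlreadyExpired    = [bool]$_.PasswordExpired
        ExpiresOn         = $expires
        DaysLeft          = if ($expires) { [Math]::Floor(($expires - $now).TotalDays) } else { 0 }
    }
  } |
  Where-Object { $_.MustChangeAtLogon -or $_.AlreadyExpired -or $_.ExpiresOn -le $limit } |
  Sort-Object DaysLeft |
  Format-Table -AutoSize
```

Run it from a scheduled task and mail or ticket the output, so that users who only ever connect through the gateway can be told to change their password while they can still log on.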
  • Friday, July 10, 2009 1:33 PM
     
     
    Obviously you didn't read the post you replied to. People ignore the notification and wait until it expires.

    We do use a thin client running CE with TS 2008 and roaming profiles. When passwords expire people are allowed to change their password, but after they do, they no longer have their profile settings for Outlook or printers. I have to shadow them and set up their Outlook accounts and add their printers again. Sometimes I have to give them admin privileges and move them out of the domain and group policies so I can access the mail control panel to add a profile. Sometimes I have to delete their profile folders and recreate them (this is a problem in itself: all the profiles have a .V2 extension which I can't access even as an admin; I have to take ownership before I can delete or even view the folders).

    What is going on here?



    'Bashing my head against the wall because Microsoft doesn't test enough before they deploy'
    • Edited by headbasher Friday, July 10, 2009 2:03 PM
  • Friday, July 10, 2009 1:58 PM
    Moderator
     
     
    My bad headbasher, I missed the "don't change passwords until they are forced to".
    It doesn't have anything to do with Microsoft, but rather with well implemented security policies and users who are introduced to the security policy, and who also have to sign it. Otherwise it's a breach of security. We have many thousands of users - I mean tens of thousands in fact - and we don't have this problem on such a scale. Why? Because we teach the user upfront that this is his responsibility. None of my customers has this either, because again, employees are strictly advised not to play with the rules. If one has chaos in his environment it is not a reason to skip security, and it should be your challenge to fix it or help to do so. It is not a bug nor a proper feature request. Why care about passwords at all? The users write them down under the keyboards anyway..

     

    I don't get this part:

    "but after they do, they no longer have their profile settings for outlook or printers"

    how is that?
    Citrix Technology Professional, PubForum.net Founder , Love Microsoft &its people to bits!
  • Friday, July 10, 2009 2:24 PM
     
     
    That's what I want to know.
  • Friday, July 10, 2009 2:26 PM
    Moderator
     
     

    I guess the first thing you will hear will be "Have you installed SP2 on W2008...",

    and that is what I would try, along with the latest SP for Office.


    Citrix Technology Professional, PubForum.net Founder , Love Microsoft &its people to bits!
  • Friday, July 10, 2009 3:22 PM
     
     

    There's an SP2 out already? You're just making my point about lack of sufficient testing. We've already installed SP1.

    We're running Office 2k (if MS had a more reasonable pricing policy for upgrades maybe we would have done that, but when you're upgrading 100s of people the cost becomes prohibitive). But that still doesn't explain why printers are lost or why temp profiles are sometimes loaded instead.
  • Friday, July 10, 2009 3:27 PM
    Moderator
     
     
    W2008 SP2

    http://support.microsoft.com/?kbid=948465


    I would give it a try
    Citrix Technology Professional, PubForum.net Founder , Love Microsoft &its people to bits!
  • Monday, March 01, 2010 6:22 PM
     
     
    For what it's worth, SP2 doesn't resolve this problem.  Alex, while a great company policy on security enforcement is nice to have, the reality is, the TS Gateway product should have allowed users to get connected with an expired password (forcing them to change it, etc).

    In Windows 2008 Terminal Server, the process is further hindered by the fact that password expiry warnings are no longer pop-ups in their face with a "Change it now Yes/No" prompt... it is now a balloon message coming out of the tray that tells them to press CTRL-ALT-DEL, which when pressed is now dealing with their local computer account not the Terminal Server account.

    We really need to see support for expired passwords in the TS Gateway product.
  • Tuesday, May 04, 2010 7:46 AM
     
     
    Is there any update on the issue of a user's Outlook profile needing to be set up again when their password expires? We are now using Server 2008 SP2 and Outlook 2010, with the same issue. When users have PST files and the like, the possibility of setting up Outlook every 40 days (as our password policy is set) is just ridiculous.
  • Monday, May 10, 2010 3:06 PM
     
     

    May I propose an evil workaround? :)

    I am thinking about creating a special change-password user with connection permission through TS Gateway, permitted to connect to one of the servers (in TS Gateway) but without any other privileges. When a user's password has expired, the user has to log on to the gateway using this special username/password (for the GW) and use his own credentials for the actual logon. Sounds ridiculous but might work as a last resort. In a bigger environment you can specify a single change-password machine and permit ChangePasswordUser to connect only to this machine through the gateway..

    I suppose this workaround is much simpler and ... safer ... than VPN. You can manage the attack surface with a single highly restricted user with a well-known password, rather than adding a whole VPN infrastructure that is much more difficult to maintain.


    P2ware
  • Tuesday, September 21, 2010 3:51 PM
     
     
    I just want to add my two cents, in case anybody from Microsoft is listening, and say that I also think it's ridiculous that the capability to change an expired password through RD Gateway isn't available.
  • Monday, June 20, 2011 4:24 PM
     
     

    THAT is NOT an answer.  What am I supposed to do when a user who hasn't logged in for the past 30 days, cannot gain access because the password expired?

    Even if I do let them log in with a temporary password, how would they change it?  They cannot press Ctrl+Alt+Delete.  It brings up a screen from the local PC.

    How could this go on without a solution for this long?

     

  • Tuesday, August 02, 2011 7:03 PM
     
     Proposed Answer
    Have you tried Ctrl - Alt - End?
    • Proposed As Answer by RichardNoel Wednesday, October 19, 2011 6:25 PM
  • Thursday, September 22, 2011 1:47 PM
     
     Proposed Answer

    Hi,

    I have the same issue.

    My solution was to change the password using Exchange OWA (taking into account that the user has an Exchange server and has published OWA to the Internet).

     

    Here is how it's done:

    http://technet.microsoft.com/en-us/library/bb684904.aspx - OWA Config

    or if using an ISA/TMG server to publish - http://technet.microsoft.com/en-us/library/cc514301.aspx

    Hope this helps anyone reading this post.

    Regards

    Gil Gross


    Gil Gross | Project Manager & Technical Consultant | G-Net Network Solutions | www.g-net.co.il
    • Proposed As Answer by Gil Gross Thursday, September 22, 2011 1:47 PM