
Answered Windows 2008 Terminal Server "user must change password at next logon" problem with Windows 7 client.

  • Monday, February 08, 2010 3:27 PM
     
     
    Hi,

    I have a fully patched Windows 2008 SP2 Terminal Server and a fully patched Windows 7 client.

    I have logged into the Windows 2008 SP2 Terminal Server server with a test account via RDC before.

    When I try to log in via RDC to the 2008 TS with a test account which has been marked with the setting "User must change password at next logon" I get the RDC message "You must change your password before logging on the first time.  For assistance, contact your system administrator or technical support."  I need to force the user to change their password once it has been issued, any ideas on how this can be done?

    Thanks,

    Dan

Answers

  • Monday, February 08, 2010 9:53 PM
    Moderator
     
     Answered
    Hi,

    Please change your security layer to RDP and see if it resolves the issue.  To do this, click start--run--tsconfig.msc, double-click RDP-Tcp, change security layer to RDP Security Layer, click ok, then test.

    Thanks.

    -TP
    • Marked As Answer by DanielAnthony Tuesday, February 09, 2010 9:19 AM
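The accepted answer describes the change through the tsconfig.msc dialog. The same RDP-Tcp security layer setting is exposed by the Terminal Services WMI provider (class Win32_TSGeneralSetting in the root\cimv2\TerminalServices namespace), which makes it possible to audit every server in a farm for the setting and to see what the workaround costs in terms of server authentication. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes an elevated PowerShell session with WMI access to the target hosts, and the server names passed to it are placeholders.

```powershell
# Added example: report (and optionally change) the RDP-Tcp security layer on
# one or more Terminal Servers via WMI. Not part of the original thread.
# Assumes: elevated session, WMI reachable on each host, Server 2008 or later.

function Get-RdpSecurityLayerReport {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # SecurityLayer values documented for Win32_TSGeneralSetting:
    #   0 = RDP Security Layer (no TLS, server is not authenticated to the client)
    #   1 = Negotiate (default on Server 2008; uses TLS when the client supports it)
    #   2 = SSL (TLS 1.0), server certificate required
    $layerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }

    foreach ($computer in $ComputerName) {
        $rdp = Get-WmiObject -ComputerName $computer `
                             -Namespace 'root\cimv2\TerminalServices' `
                             -Class Win32_TSGeneralSetting `
                             -Filter "TerminalName='RDP-Tcp'"

        $layer = [int]$rdp.SecurityLayer
        [pscustomobject]@{
            Computer           = $computer
            SecurityLayer      = $layerNames[$layer]
            # UserAuthenticationRequired is the Network Level Authentication (NLA) switch;
            # NLA depends on TLS/Negotiate, so it is effectively lost at layer 0.
            NlaRequired        = [bool]$rdp.UserAuthenticationRequired
            MinEncryptionLevel = $rdp.MinEncryptionLevel
            # Risk flag: at layer 0 a client cannot verify which server it is talking to,
            # which is also why TS Gateway / SSO scenarios in this thread stop working.
            ServerNotAuthenticated = ($layer -eq 0)
        }
    }
}

# Apply or revert the workaround from the accepted answer on a single server.
# 0 reproduces "RDP Security Layer"; 1 restores the Server 2008 default (Negotiate).
function Set-RdpSecurityLayer {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [ValidateSet(0, 1, 2)][int]$SecurityLayer
    )
    $rdp = Get-WmiObject -ComputerName $ComputerName `
                         -Namespace 'root\cimv2\TerminalServices' `
                         -Class Win32_TSGeneralSetting `
                         -Filter "TerminalName='RDP-Tcp'"
    # SetSecurityLayer is the provider's method behind the tsconfig.msc drop-down.
    $result = $rdp.SetSecurityLayer($SecurityLayer)
    if ($result.ReturnValue -ne 0) {
        throw "SetSecurityLayer failed on $ComputerName with code $($result.ReturnValue)"
    }
}

# Usage (placeholder host names): audit the two farm members, flag downgraded ones.
Get-RdpSecurityLayerReport -ComputerName 'TS01.example.local', 'TS02.example.local' |
    Format-Table -AutoSize
```

Running the report across a farm shows at a glance which members have been downgraded to RDP Security Layer; those are the servers where the later replies' symptoms (RemoteApp through TS Gateway and single sign-on failing) should be expected, and where the password-change workaround has been bought at the price of clients no longer authenticating the server.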

All Replies

  • Monday, February 08, 2010 4:37 PM
     
     
    Hi Dan,

    If you set the user's settings to "User must change password at next logon" and try to log on locally, does it work OK?



    Strength lies in justice
  • Monday, February 08, 2010 5:01 PM
     
     
    Hello,

    If I log on locally to the 2008 server with the test account I do get the option to change the password, if I try via terminal services with the RDC I do not get the option to change the password, just the error message "You must change your password before logging on the first time.  For assistance, contact your system administrator or technical support." 

    I don't understand how you can have an option to force the user to change their password on next logon which won't work via terminal services; surely this is a bug, or there is a way to get this working which I haven't seen?

    We have users who are not members of the same domain as the terminal servers, so changing the password locally on the client won't work for them as it is an account on a different domain.  The only option they have is to change the password via terminal services, which worked OK in Windows 2003....
  • Monday, February 08, 2010 5:16 PM
     
     
    Could you please explain this part in more detail: "We have users who are not members of the same domain as the terminal servers, so changing the password locally on the client won't work for them as it is an account on a different domain."

    Please describe your infrastructure. You have two domains with a trust, and people from the other domain are trying to log on to the Terminal Server in your domain?

    Strength lies in justice
  • Monday, February 08, 2010 5:38 PM
     
     
    Ok,

    We host an application for another company, so there are our terminal servers in domain A and the clients from the other company in domain B.  All users have separate accounts in domain A and B as there is no trust between A and B; users use their domain B accounts to log into their workstations and their domain A account to access the terminal servers and our hosted applications.

    So, if I reset a user's password in domain A with a simple password and then require them to change the password on next login (as you could do in 2003), they get the problem I have outlined above, as they have to go through terminal services.

    Even if I use an account from domain A to log into the servers in domain A via terminal services, with the change password option ticked in ADUC, it is not possible, so it would never work for a user coming in from domain B either.

    Thanks,

    Dan
  • Monday, February 08, 2010 8:27 PM
     
     
    We have the same problem over here. There exists a tool called myPassword which claims to let the user change their own password based on email or question or something. I must admit I haven't had time to explore. But maybe it's worth a look..

    Kind regards, Andre Broers
  • Tuesday, February 09, 2010 9:20 AM
     
     
    Hi,

    Please change your security layer to RDP and see if it resolves the issue.  To do this, click start--run--tsconfig.msc, double-click RDP-Tcp, change security layer to RDP Security Layer, click ok, then test.

    Thanks.

    -TP

    BRILLIANT!  This worked without a hitch, thank you very much!


    Dan
  • Tuesday, February 08, 2011 12:08 PM
     
     

    This does not resolve my issue all the way. I'm having the same problem; when I'm "deploying" users, I always want the users to set their own passwords. OK, so I then set the auth mode to "RDP Security Layer". It seemed to work fine, and it does for that special purpose.
    Just like Daniel, my clients are connecting to our terminal server from several different "customer domains", so they can't log on locally (on their local computer) and change their password; it has to be done THROUGH the terminal server.
    But if I turn on RDP Security Layer, users can't use RemoteApp through TS Gateway; they only get: "Your Remote Desktop Connection Failed because the remote computer cannot be authenticated". Any ideas?

    Also, our terminal servers are round-robin based in a farm, so users connect to tsfarm.domain.com (yes, a public A record which resolves to two internal addresses). This is because we're using a wildcard *.domain.com SSL certificate.
    But when I'm using this, our clients sometimes get double auth when they log in. I only get the double auth when tsfarm.domain.com resolves to server A, but the session broker wants the user to be on server B (load balancing).

    This does not occur when SSL is enforced, any ideas?

  • Tuesday, February 22, 2011 3:20 PM
     
     
    I have the same problem. I agree with JaBean: lowering the security layer to RDP Security Layer is not a solution. In our environment, we need to connect to multiple terminal servers. We don't want users to keep typing in passwords, so we enable the single sign-on feature. Single sign-on does not support RDP Security Layer. Is there any other option?
    Nigel H. Lin
  • Monday, April 11, 2011 7:47 PM
     
     

    This works for direct RDP to the server... but in our environment there is an RD Gateway Server.

    "Your computer can't connect to the remote computer because your user account is disabled or your password has expired. Contact your network administrator for assistance."

    Thanks.



  • Wednesday, May 11, 2011 12:54 PM
     
     
    Thanks, changing the security layer resolves my problems!
  • Friday, June 17, 2011 7:01 PM
     
     

    Hi Jayun,

    I was just wondering if you could resolve the issue successfully. We are having this issue; we have an RD Gateway configured, and changing the RDP connection to RDP Security does not help, and we receive the message from your post.

    "Your computer can't connect to the remote computer because your user account is disabled or your password has expired. Contact your network administrator for assistance."

    Please reply if you have found what could be the cause.

    Thanks.

  • Thursday, September 29, 2011 4:15 PM
     
     
    Hi,

    Please change your security layer to RDP and see if it resolves the issue.  To do this, click start--run--tsconfig.msc, double-click RDP-Tcp, change security layer to RDP Security Layer, click ok, then test.

    Thanks.

    -TP

    It works for me. Nice, thanks!
    Renato Alves
  • Wednesday, May 09, 2012 1:25 PM
     
     
  • Tuesday, May 15, 2012 4:05 PM
     
     
    These hotfixes merely change the wording of the pop-up, and do not return the ability for users to update their expired passwords via RDP. :(