Windows 2008 Terminal Server "user must change password at next logon" problem with Windows 7 client.

    Question

  • Hi,

    I have a fully patched Windows 2008 SP2 Terminal Server and a fully patched Windows 7 client.

    I have logged into the Windows 2008 SP2 Terminal Server server with a test account via RDC before.

    When I try to log in via RDC to the 2008 TS with a test account which has been marked with the setting "User must change password at next logon" I get the RDC message "You must change your password before logging on the first time.  For assistance, contact your system administrator or technical support."  I need to force the user to change their password once it has been issued, any ideas on how this can be done?

    Thanks,

    Dan

    Monday, February 08, 2010 3:27 PM

Answers

  • Hi,

    Please change your security layer to RDP and see if it resolves the issue.  To do this, click start--run--tsconfig.msc, double-click RDP-Tcp, change security layer to RDP Security Layer, click ok, then test.

    Thanks.

    -TP
    • Marked as answer by DanielAnthony Tuesday, February 09, 2010 9:19 AM
    Monday, February 08, 2010 9:53 PM

All replies

  • Hi Dan,

    If you set the user's settings to "User must change password at next logon" and try to log on locally, does it work OK?



    Strength is in justice
    Monday, February 08, 2010 4:37 PM
  • Hello,

    If I log on locally to the 2008 server with the test account I do get the option to change the password; if I try via terminal services with the RDC I do not get the option to change the password, just the error message "You must change your password before logging on the first time.  For assistance, contact your system administrator or technical support."

    I don't understand how you can have an option to force the user to change their password on next logon which won't work via terminal services; surely this is a bug, or there is a way to get this working which I haven't seen?

    We have users who are not members of the same domain as the terminal servers, so changing the password locally on the client won't work for them as it is an account on a different domain.  The only option they have is to change the password via terminal services, which worked OK in Windows 2003....
    Monday, February 08, 2010 5:01 PM
    Could you please explain this part in more detail: "We have users who are not members of the same domain as the terminal servers, so changing the password locally on the client won't work for them as it is an account on a different domain."

    Describe your infrastructure please. You have two domains with a trust, and people from the other domain are trying to log on to the Terminal Server in your domain?

    Strength is in justice
    Monday, February 08, 2010 5:16 PM
  • Ok,

    We host an application for another company, so there are our terminal servers in domain A and the clients from the other company in domain B.  All users have separate accounts in domain A and B as there is no trust between A and B; users use their domain B accounts to log into their workstations and their domain A account to access the terminal servers and our hosted applications.

    So, if I reset a user's password in domain A with a simple password and then require them to change the password on next login (as you could do in 2003), they get the problem I have outlined above as they have to go through terminal services.

    Even if I use an account from domain A to log into the servers in domain A via terminal services, with the change password option ticked in ADUC, it is not possible, so it would never work for a user coming in from domain B either.

    Thanks,

    Dan
    Monday, February 08, 2010 5:38 PM
    We have the same problem over here. There exists a tool called myPassword which claims to let the user change their own password based on email or a question or something. I must admit I haven't had time to explore. But maybe it's worth a look.

    Mvg Andre Broers
    Monday, February 08, 2010 8:27 PM
  • Hi,

    Please change your security layer to RDP and see if it resolves the issue.  To do this, click start--run--tsconfig.msc, double-click RDP-Tcp, change security layer to RDP Security Layer, click ok, then test.

    Thanks.

    -TP

    BRILLIANT!  This worked without a hitch, thank you very much!


    Dan
    Tuesday, February 09, 2010 9:20 AM
    This does not resolve my issue all the way. I'm having the same problem; when I'm "deploying" users, I always want the users to set their own passwords. OK, so I then set the auth mode to "RDP Security Layer". It seemed to work fine, and it does for that special purpose.
    Just like Daniel, my clients are connecting to our terminal server from several different "customer domains", so they can't log on locally (on their local computer) and change their password; it has to be done THROUGH the terminal server.
    But if I turn on RDP Security Layer, users can't use RemoteApp through TS Gateway; they only get: "Your Remote Desktop Connection Failed because the remote computer cannot be authenticated". Any ideas?

    Also, our terminal servers are round-robin based in a farm. So users connect to tsfarm.domain.com (yes, a public A record which resolves to two internal addresses). This is because we're using a wildcard *.domain.com SSL certificate.
    But when I'm using this, our clients sometimes get double auth when they log in. I only get the double auth when tsfarm.domain.com resolves to server A, but the session broker wants the user to be on server B (load balancing).

    This does not occur when SSL is enforced. Any ideas?

    Tuesday, February 08, 2011 12:08 PM
    I have the same problem. I agree with JaBean: lowering the security layer to RDP Security Layer is not a solution. In our environment, we need to connect to multiple terminal servers. We don't want users to keep typing in passwords, so we enable the single sign-on feature. Single sign-on does not support RDP Security Layer. Is there any other option?
    Nigel H. Lin
    Tuesday, February 22, 2011 3:20 PM
    This works for direct RDP to the server... but in our environment there is an RD Gateway server.

    "Your computer can't connect to the remote computer because your user account is disabled or your password has expired. Contact your network administrator for assistance."

    Thanks.



    Monday, April 11, 2011 7:47 PM
    Thanks, changing the security layer resolves my problems!
    Wednesday, May 11, 2011 12:54 PM
  • Hi Jayun,

    I was just wondering if you could resolve the issue successfully. We are having this issue and we have an RD Gateway configured, and changing the RDP connection to RDP Security does not help; we receive the message in your post.

    "Your computer can't connect to the remote computer because your user account is disabled or your password has expired. Contact your network administrator for assistance."

    Please reply if you have found what could be the cause.

    Thanks.

    Friday, June 17, 2011 7:01 PM
  • Hi,

    Please change your security layer to RDP and see if it resolves the issue.  To do this, click start--run--tsconfig.msc, double-click RDP-Tcp, change security layer to RDP Security Layer, click ok, then test.

    Thanks.

    -TP

    It works with me. Nice, thanks!
    Renato Alves
    Thursday, September 29, 2011 4:15 PM
    These hotfixes merely change the wording of the pop-up, and do not return the ability for users to update their expired passwords via RDP. :(
    Tuesday, May 15, 2012 4:05 PM
    So try this.   This is easy with a VM, perhaps not so much with a physical server unless you can spare the interface.

    Add a second IP address to another network adapter on one of your terminal servers.  Inside the TSconfig, bind the RDP listener that's set for SSL security to the IP address and NIC that is set up in your cluster, the one that users usually use and is set up for the RD Gateway.

    Then create a NEW RDP listener, set that for RDP security, and bind it to the new NIC and IP address.  Then set up a DNS A record for something like managemypassword.yourdomain.com.  Then tell users who need to change their password to browse out to managemypassword.yourdomain.com.  They should get the RDP Security listener, and should be able to do it.   The RD Gateway stuff will still work.


    • Edited by LeeBuskey Friday, March 08, 2013 11:27 PM
    Friday, March 08, 2013 11:26 PM
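Added example (my own PowerShell, not code posted in this thread): an audit of the security layer and NLA setting on every RDP listener, covering both the tsconfig.msc change in the accepted answer and the two-listener layout LeeBuskey describes above, plus a function to put a listener back to Negotiate once the password-change window is over. It assumes PowerShell run with local administrator rights on the terminal server and the Win32_TSGeneralSetting WMI class (present on Windows Server 2008 and later).

```powershell
# Added example, not code from the thread: audit every RDP listener on a host so an
# administrator can see which listener (if any) has been lowered to "RDP Security Layer"
# for the "must change password at next logon" workflow, and restore it afterwards.
# Relies on the WMI class Win32_TSGeneralSetting (namespace root\cimv2\TerminalServices);
# its documented SecurityLayer values are 0 = RDP Security Layer, 1 = Negotiate, 2 = SSL (TLS).

$SecurityLayerNames   = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }
$EncryptionLevelNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS' }

function Get-RdpListenerSecurity {
    param([string]$ComputerName = '.')   # '.' = local host; needs local admin rights
    $listeners = Get-WmiObject -ComputerName $ComputerName `
        -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting
    foreach ($l in $listeners) {
        $layer = [int]$l.SecurityLayer
        [pscustomobject]@{
            Listener        = $l.TerminalName                 # e.g. RDP-Tcp
            SecurityLayer   = $SecurityLayerNames[$layer]
            NlaRequired     = [bool]$l.UserAuthenticationRequired
            EncryptionLevel = $EncryptionLevelNames[[int]$l.MinEncryptionLevel]
            # Only the legacy RDP layer lets the in-session logon screen handle the forced
            # change: NLA (CredSSP) needs TLS and rejects the account before a session exists.
            # The trade-off is that this listener no longer authenticates the server to the client.
            FirstLogonPasswordChange = ($layer -eq 0)
        }
    }
}

# Put a listener back to Negotiate (1) or SSL (2) once the password-change window is over.
function Set-RdpListenerSecurityLayer {
    param(
        [string]$TerminalName = 'RDP-Tcp',
        [ValidateSet(0, 1, 2)][int]$SecurityLayer = 1
    )
    $l = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='$TerminalName'"
    if (-not $l) { throw "No RDP listener named '$TerminalName'" }
    $result = $l.SetSecurityLayer($SecurityLayer)
    if ($result.ReturnValue -ne 0) { throw "SetSecurityLayer failed with code $($result.ReturnValue)" }
}

# Report, and flag any listener exposing the weaker layer so it stays a conscious, reviewed choice.
Get-RdpListenerSecurity | Format-Table -AutoSize
Get-RdpListenerSecurity | Where-Object { $_.FirstLogonPasswordChange } | ForEach-Object {
    Write-Warning "Listener $($_.Listener) uses RDP Security Layer (no NLA, no server authentication)."
}
```

In LeeBuskey's layout the report should show exactly one listener with FirstLogonPasswordChange set, the one bound to the dedicated password-change NIC, while RDP-Tcp stays on Negotiate or SSL with NLA required.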
  • Hi ,

    I had the same problem. I tried logging on to one of the Windows Server 2003 boxes and I had the option to change the password there.

    Can you check and let everyone know if that's helpful.


    Regards, Server Engineer - Server Support

    Wednesday, August 07, 2013 8:46 AM
  • Just found this and it worked for me - thanks for the post.
    Monday, August 19, 2013 5:36 PM