Password Expired Question

  • Question

  • I am in the process of enabling NLA for RDP security. I have found out that if NLA is enabled and your account has the "Password must change on next login" option set in the Accounts tab in AD for a user, your RDP will fail due to not being able to change the password via RDP with NLA enabled.

    But if the password expires on its own, will that work and give the RDP session the ability to change the password?

    Finally, when a password expires in AD, does the check box in the Account tab for "password must be changed on next login" get set via an internal Windows AD function?

    I want to enable NLA across the board, but I am worried that pure RDP-based accounts will have issues resetting their passwords once their passwords expire if NLA is enabled.



    • Edited by GregDron Thursday, February 22, 2018 10:11 PM
    Thursday, February 22, 2018 10:10 PM


All replies

  • But if the password expires on its own, will that work and give the RDP session the ability to change the password?

    Yes.

    Finally, when a password expires in AD, does the check box in the Account tab for "password must be changed on next login" get set via an internal Windows AD function?

    No.


    This posting is provided AS IS with no warranties or guarantees , and confers no rights.

    Ahmed MALEK


    • Proposed as answer by Richard MuellerMVP Thursday, February 22, 2018 11:06 PM
    • Marked as answer by GregDron Friday, February 23, 2018 9:31 PM
    Thursday, February 22, 2018 10:12 PM
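An added example, not from this thread or from Microsoft, of how an administrator could audit for the two account states discussed above (the "must change at next logon" flag, which is stored as pwdLastSet = 0, versus a password that has simply aged out) before requiring NLA. It assumes the ActiveDirectory RSAT module and an account permitted to read these attributes.

```powershell
# Added example, not from the thread: audit which AD accounts would be
# caught out by NLA before it is enforced. Assumes the ActiveDirectory
# RSAT module and an account allowed to read these attributes.
Import-Module ActiveDirectory

$WarnDays = 14          # flag passwords expiring within this window
$Now      = Get-Date

$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties `
    pwdLastSet, PasswordExpired, PasswordNeverExpires, `
    'msDS-UserPasswordExpiryTimeComputed'

$report = foreach ($u in $users) {
    # pwdLastSet = 0 is exactly the "User must change password at next
    # logon" checkbox. An admin (or a reset) sets it; a password ageing
    # out does not, which is the distinction the answer above draws.
    $mustChange = ($u.pwdLastSet -eq 0)

    # Constructed attribute, so fine-grained password policies are honoured.
    # 0x7FFFFFFFFFFFFFFF means "never expires".
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    $expiry = $null
    if (-not $mustChange -and -not $u.PasswordNeverExpires -and
        $null -ne $raw -and $raw -ne [int64]::MaxValue) {
        $expiry = [DateTime]::FromFileTime([int64]$raw)
    }

    $state = if ($mustChange)            { 'MustChangeAtNextLogon' }
             elseif ($u.PasswordExpired) { 'Expired' }
             elseif ($expiry -and $expiry -lt $Now.AddDays($WarnDays)) { 'ExpiringSoon' }
             else                        { 'OK' }

    [PSCustomObject]@{
        SamAccountName = $u.SamAccountName
        State          = $state
        PasswordExpiry = $expiry
    }
}

# MustChangeAtNextLogon is the state the original poster hit: with NLA the
# client must authenticate before any session exists, so there is no logon
# screen in which to perform the forced change. Clear those (through a
# change path the user can actually reach) before requiring NLA.
$report | Where-Object { $_.State -ne 'OK' } |
    Sort-Object State, SamAccountName | Format-Table -AutoSize
```

Accounts reported as Expired or ExpiringSoon are the ones whose users will be relying on the expired-password change path the answer says still works; MustChangeAtNextLogon accounts will fail outright over NLA-protected RDP.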
  • Hi Greg,

    In general, users should be able to change their expired password. However, there are "edge" cases where this might not be the case. For more info, refer to https://support.microsoft.com/en-us/help/2648402/you-cannot-change-an-expired-user-account-password-in-a-remote-desktop

    hth
    Marcin

    Thursday, February 22, 2018 11:30 PM
  • Hmm, good link. Does it only apply to Server 2008 R2, or is this a bigger issue?

    It seems like this will only be an issue if you are connecting from non-domain-joined PCs. Also the following comment:

    • "You have a Remote Desktop Session Host (RD Session Host) server that is running Windows Server 2008 R2 in a Virtual Desktop Infrastructure (VDI) environment. Or, you have remote apps that are published through RDWeb."

    Here is what might be an issue. So let me get this right, tell me if I misunderstand this.

    1) Basically, if I am on a laptop, say at home, and I am not domain joined (say a contractor), and I connect to a VDI environment (say a web-based login to an RDP session) and that connecting server is a Windows 2008 R2 box, and my password expires, would I be stuck?

    2) Say you use VMware VDI and you have the thick client installed on a non-domain-joined PC and you connect and get a Windows 2008 R2 jump server. Would that interfere? I do notice that the thick client does allow for password changes when it expires.

    • Edited by GregDron Friday, February 23, 2018 7:18 PM
    Friday, February 23, 2018 7:10 PM
  • 1) Basically, if I am on a laptop, say at home, and I am not domain joined (say a contractor), and I connect to a VDI environment (say a web-based login to an RDP session) and that connecting server is a Windows 2008 R2 box, and my password expires, would I be stuck?

    For this particular VDI case, yes, unless you apply the workaround described in the link Marcin shared, where you redirect your users to a password change portal.

    2) Say you use VMware VDI and you have the thick client installed on a non-domain-joined PC and you connect and get a Windows 2008 R2 jump server. Would that interfere? I do notice that the thick client does allow for password changes when it expires.

    If the thick client allows changing the password and the same account is used to connect through RDP, then you should not experience this issue.


    This posting is provided AS IS with no warranties or guarantees , and confers no rights.

    Ahmed MALEK


    • Marked as answer by GregDron Friday, February 23, 2018 9:31 PM
    Friday, February 23, 2018 7:47 PM
  • Well, I can't see any other issues here where a pure RDP account will have issues when connecting. Is this isolated to Windows 2008 R2? If I give a VDI to a Win 10 box or Win 2012 R2 box, are we good?

    Friday, February 23, 2018 7:58 PM
  • This limitation applies to Windows Server 2008 R2. I have not seen the same on Windows 10 or Windows Server 2012 R2, so it should be fine.

    This posting is provided AS IS with no warranties or guarantees , and confers no rights.

    Ahmed MALEK


    • Marked as answer by GregDron Friday, February 23, 2018 9:31 PM
    Friday, February 23, 2018 8:51 PM