In this article we'll show how remote users can change their expired passwords on a Remote Desktop Services (RDS) farm running Windows Server 2016 / 2012 R2.
In Windows Server 2012 R2 / 2016 and Windows 10 / 8.1, Network Level Authentication (NLA) is enabled by default for Remote Desktop connections. With NLA the user is authenticated (via CredSSP) before a session is created on the host, so a user whose password has expired cannot connect over RDP at all. You can disable NLA (ref1, ref2), but this weakens security, since the RDSH then presents its logon screen to unauthenticated clients. When you try to connect to the RDSH server (Remote Desktop Session Host) under a user account with an expired password, the following error message appears:
The Local Security Authority cannot be contacted
Remote computer: lonSrvRDS1
This could be due to an expired password
Please update your password if it has expired.
Thus, with NLA enabled, changing an expired password over RDP becomes almost impossible for remote users who have no other way to log on to a corporate computer or server. You can certainly ask users to change their passwords in advance inside an RDP session, but in practice this often fails because users simply forget.
Starting with Windows Server 2012 / 2012 R2, there is an option that allows a remote user to change their password (the current one or an expired one) through a special web page on the RD Web Access server. It works like this: the user opens the sign-in page on the server with the RD Web Access role and changes the password using a dedicated ASPX form.
Previously, the IIS 6 virtual directory IISADMPWD was used for remote password change in the domain (though not officially supported).
The remote password change feature is available on the server with the Remote Desktop Web Access (RD Web Access) role, but it is disabled by default. Password change is handled by the password.aspx page, which is located in C:\Windows\Web\RDWeb\Pages\en-US.
To enable the password change feature, open the IIS Manager console on the server with the configured RD Web Access role, go to [Server Name] –> Sites –> Default Web Site –> RDWeb –> Pages and open the Application Settings section.
In the right pane, find the PasswordChangeEnabled parameter and change its value to true.
Restart IIS from the console or using the
To check the availability of the password change page, go to the following web-page:
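The same change can be made from an elevated PowerShell session on the RD Web Access server instead of clicking through IIS Manager. The script below is an added example and is not part of the original article. It assumes the default site and application path (Default Web Site/RDWeb/Pages), that the Application Settings shown in IIS Manager map to the appSettings section of that application's web.config (which is how IIS Manager stores them), and the server name lonSrvRDS1 used elsewhere in this article for the verification URL.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# session on the server holding the RD Web Access role.
Import-Module WebAdministration

# Assumption: default site layout. Adjust if RDWeb lives under another site.
$pagesApp = 'IIS:\Sites\Default Web Site\RDWeb\Pages'
# IIS Manager "Application Settings" are stored in the appSettings section of web.config.
$filter   = "appSettings/add[@key='PasswordChangeEnabled']"

# Show the current value (the default is "false").
$before = Get-WebConfigurationProperty -PSPath $pagesApp -Filter $filter -Name 'value'
Write-Host "PasswordChangeEnabled before: $($before.Value)"

# Enable the password change page.
Set-WebConfigurationProperty -PSPath $pagesApp -Filter $filter -Name 'value' -Value 'true'

$after = Get-WebConfigurationProperty -PSPath $pagesApp -Filter $filter -Name 'value'
Write-Host "PasswordChangeEnabled after:  $($after.Value)"

# Restart IIS so the new setting is picked up by the RDWeb application.
iisreset

# Verify that the page is now served over HTTPS. Assumption: server name lonSrvRDS1
# as used in this article; replace with your RD Web Access FQDN.
$url = 'https://lonSrvRDS1/RDWeb/Pages/en-US/password.aspx'
try {
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing
    Write-Host "password.aspx returned HTTP $($resp.StatusCode)"
} catch {
    Write-Warning "password.aspx is not reachable: $($_.Exception.Message)"
}
```

Run the check from a client that trusts the certificate bound to the RDWeb site; an untrusted certificate makes Invoke-WebRequest fail even though the page itself is enabled, and users will see the same certificate warning in their browser.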
After successfully changing the user’s password, the following message should appear:
Your password has been successfully changed.
Click OK and the user will be redirected to the RD Web login page. If the user’s password does not match the domain’s password policy, a warning will appear:
Now, when a user with an expired password tries to sign in to the RD Web Access server, they are redirected to the password.aspx page and prompted to change the password.
You can also add a link to the password change form directly to the sign-in page of the RDWeb server. This allows users to change their password at any time, without waiting until it expires.
Let's add a link to password.aspx to the RDWeb sign-in page (create a backup copy of the login.aspx file before editing it).
- On the RDWeb server, find and open the file C:\Windows\Web\RDWeb\Pages\en-US\login.aspx in any text editor (I prefer Notepad++);
- Go to line 583 and paste the following code in it:
<a href="https://lonSrvRDS1/RDWeb/Pages/en-US/password.aspx"> Password Reset Utility</a>
- Save the changes in the login.aspx file, restart the IIS web-site and make sure that a link to the password change page appears on the sign-in page of the RD Web server.
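The edit above can be scripted so that the backup is taken automatically and the link is inserted at the line the article names. This is an added example, not code from the original article; it assumes the default login.aspx location, the line number 583 given above (which applies to the article's version of the file and should be checked against yours), and the server name lonSrvRDS1.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# session on the RD Web Access server.
Import-Module WebAdministration

$loginPage = 'C:\Windows\Web\RDWeb\Pages\en-US\login.aspx'
# Assumption: line number from the article; verify it matches your login.aspx first.
$insertAtLine = 583
# Assumption: server name used in the article.
$link = '<a href="https://lonSrvRDS1/RDWeb/Pages/en-US/password.aspx"> Password Reset Utility</a>'

# 1. Take a timestamped backup before touching the file.
$backup = "$loginPage.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -Path $loginPage -Destination $backup
Write-Host "Backup saved to $backup"

# 2. Read the file, insert the link so that it becomes line $insertAtLine, write it back.
$lines = Get-Content -Path $loginPage
if ($insertAtLine -gt $lines.Count + 1) {
    throw "login.aspx has only $($lines.Count) lines; cannot insert at line $insertAtLine"
}
$newLines = @()
$newLines += $lines[0..($insertAtLine - 2)]
$newLines += $link
if ($insertAtLine -le $lines.Count) {
    $newLines += $lines[($insertAtLine - 1)..($lines.Count - 1)]
}
Set-Content -Path $loginPage -Value $newLines -Encoding UTF8

# 3. Restart the web site so the modified page is served.
Restart-WebItem -PSPath 'IIS:\Sites\Default Web Site'

# 4. Show the inserted line and its neighbours for a quick sanity check.
(Get-Content -Path $loginPage)[($insertAtLine - 2)..$insertAtLine]
```

Because the page is edited in place, a future update of the RD Web Access role may overwrite login.aspx and remove the link; keep the backup and re-check the sign-in page after patching.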
Now remote users can change an expired password on your RDS farm without administrator intervention. Keep in mind that password.aspx is a password change form, not a reset form: the user must still enter their current (expired) password, so it does not help users who have forgotten it.