In this article, we’ll show how your remote users can change their expired passwords using a special web form on a Remote Desktop Services (RDS) server with the RD Web Access role on Windows Server 2022/2019/2016/2012 R2.
Can’t Change Expired Password from a Remote Desktop Session
In Windows Server 2012 R2 and newer, the NLA (Network Level Authentication) is enabled for the Remote Desktop connections by default. NLA prevents users from connecting to RDP/RDS hosts if their passwords have expired or who have the “User must change password at first Logon” option enabled in their useraccountcontrol user attribute. You can disable NLA (ref1, ref2), but this is not good in terms of security. When you try to connect to the RDSH server (Remote Desktop Session Host) under a user account with the expired password, the following error message appears:
An authentication error has occurred. The Local Security Authority cannot be contacted Remote computer: lonSrvRDS1 This could be due to an expired password Please update your password if it has expired.
When using NLA, remote RDP users cannot change their expired password if they have no other way to access the corporate network other than RDS infrastructure. Certainly, you can ask your users to change their passwords directly in the RDP session in advance, or by enabling the Interactive logon: Prompt user to change password before expiration GPO option RDS hosts (Computer Configuration -> Windows Settings -> Local Policies -> Security Options), but it doesn’t always work due to a common forgetfulness of the users.
In Windows 2012 R2 and newer, remote users can manually reset their password (current password or expired password) through a special web page on the server with the Remote Desktop Web Access role. To change the password, the user must authenticate via the RDS-WebAccess sign-in web-page and change the password using a special aspx form.
IISADMPWD (though not officially supported).How to Allow Remote User to Reset Expired Password on RDWeb Access Host?
A remote password change option is available on the server with the Remote Desktop Web Access (RD Web Access) role, but this feature is disabled by default.
If you have an RDS server farm deployed, you can find a server with the RDS-WEB-Access role installed by connecting the deployment configuration on the RD Connection Broker host:
Get-RDServer -ConnectionBroker rdcb1.woshub.com| where {$_.roles -eq "RDS-WEB-ACCESS"}
To change a password, use the script in the password.aspx file located in the C:\Windows\Web\RDWeb\Pages\en-US.
- C:\Windows\Web\RDWeb\Pages\fr-FR – for the French edition of Windows Server
- C:\Windows\Web\RDWeb\Pages\de-DE – for German edition.
To enable the password change option, you need to run the IIS Manager console (inetmgr) on the server with the configured RD Web Access role. Go to [Server Name] –> Sites –> Default Web Site –> RDWeb –> Pages and open the Application Settings section.
In the right pane, find the PasswordChangeEnabled parameter and change its value to true.
The PasswordChangeEnabled parameter allows Active Directory users to change their expired password through the RD Web Access portal. This option does not allow changing the password of local users on RDS hosts in a workgroup environment (without domain).
Restart the IIS web-server from the console or use the command:
iisreset
To check the availability of the password change page, go to the following web page:
https://lonSrvRDS1/RDWeb/Pages/en-US/password.aspx
Enter the username, the old password, and the new password twice.
After successfully changing the user’s password, the following message should appear:
Your password has been successfully changed.
Click OK and the user will be redirected to the RD Web login page. If the user’s password does not match the domain’s password policy, a warning message will appear:
Your new password does not meet the length, complexity, or history requirements of your domain. Try choosing a different new password.
You can list and change the supported authentication types in the IIS Manager console. Select Sites -> Default Web Sites -> RDWeb -> Pages in the right pane, select Forms Authentication.
Now, when trying to connect to the RD Web Access server with the expired password, the user will be redirected to password.aspx web-page and offered to change his password.
Adding Password Change Link to the RD Web Access Login Form
You can add a link to the password change form directly to the Remote Desktop WebAccess sign-in form. This will allow users to change their password any time without waiting till it expires.
Insert a link to the password.aspx file into the RDWeb sign-in page (create a backup copy of the password.aspx file before editing).
- On the RDWeb server, find and open the file C:\Windows\Web\RDWeb\Pages\en-US\login.aspx in any text editor (I prefer Notepad++);
- Go to line 429 (In Windows Server 2022, it is located after the following HTML block
<tr id="trPasswordExpiredNoChange" <%=strErrorMessageRowStyle%> > … </tr>) and paste the following code: <!-- Begin: Add Change Password Link -->
<tr>
<td align="right"> <a href="password.aspx" title="Change AD User Password">Click here </a>to change your password.
</td>
</tr>
<!-- End: Add Change Password Link -->
- Save the changes in the login.aspx file, restart the IIS website, and make sure that a link to the password change page appears on the sign-in page of the RD Web server.
Remote users can now change the expired password on your RDS server without administrator intervention. Note that if you use domain Cached Credentials to log on to your local computer, they will not be updated after you change your Active Directory password via RDWebAccess.
