Users can press CTRL + ALT + DEL and select Change Password from the menu that opens to change their password on the Windows workstation. However, this won't work if you are connected to the remote computer via an RDP session. If you press the CTRL + ALT + DEL key combination, it will not be passed to the Remote Desktop (Terminal) session. Instead, it will take you to the prompt to change a user password on a local computer.
- Use CTRL + ALT + END to Change User Password in the Remote Desktop Session
- Changing Password with On-Screen Keyboard in Nested RDP Session
- Script to Change User Password in RDP Session
- Changing Password Through Remote Desktop Web Access (RDWeb)
- How to Change an Expired Password via RDP with NLA CredSSP Auth Enabled
In Windows Server 2016/Windows 10 and later, users can change their password from the Settings app (Settings -> Accounts -> Sign-in options -> Password -> Change). However, it is usually difficult for users to find this option. Therefore, it is convenient to use other methods to open the password change prompt.
Use CTRL + ALT + END to Change User Password in the Remote Desktop Session
To open the Windows Security dialog in an RDP session, use the keyboard shortcut Ctrl + Alt + End. The shortcut is the same as Ctrl + Alt + Delete but only works in an RDP connection window.
This will bring up the Windows Security dialog box, where you can click 'Change a password' to proceed.
Enter the current (old) and new password (twice) in the standard password change dialog.
Changing Password with On-Screen Keyboard in Nested RDP Session
If you are connected to the remote computer through a chain of multiple RDP hosts (jump hosts), you cannot use CTRL+ALT+END to change the user password. This is because the key combination is intercepted by the first RDP session.
In these cases, the user can use the built-in Windows On-Screen Keyboard to change the password in a nested RDP session.
- Open the On-Screen Keyboard in the most nested RDP session (by typing osk.exe in Start -> Run);
- You will see the On-Screen Keyboard;
- Press CTRL+ALT on your physical (local) keyboard (this should be displayed on the screen) and then click the Del key on the On-Screen Keyboard in the nested RDP session;
- This will send the Ctrl + Alt + Del key combination to the RDP session. This will open the Windows Security window where you can change the password.
Script to Change User Password in RDP Session
The Windows Security dialog for changing the password in an RDP session can be called programmatically using a VBS/PowerShell script or a special shell shortcut.
For example, create a WindowsSecurity.vbs text file with the following VBScript code on a desktop:
set objShell = CreateObject("shell.application")
objshell.WindowsSecurity
Double-click the VBS file to open a password change window.
Place this VBS file on the shared desktop of your RDS host (%SystemDrive%\Users\Public\Desktop\), or copy it to users' desktops via GPO.
You can also call this Windows Security prompt to change the password by using PowerShell:
(New-Object -COM Shell.Application).WindowsSecurity()
A simple desktop shortcut with the following target will allow users to open a password change prompt.
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -nologo -noninteractive -command "(new-object -ComObject shell.application).WindowsSecurity()"
There is an option to create a Windows File Explorer shortcut with the following shell command:
explorer.exe shell:::{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}
Changing Password Through Remote Desktop Web Access (RDWeb)
If you access your RDP servers through a host with the Remote Desktop Web Access (RDWA) role, you can allow the expired password to be changed on the RDWA login page.
Open the IIS Manager console (InetMgr.exe) on the server with the RD Web Access role and go to Sites -> Default Web Site -> RDWeb -> Pages. Open the Application Settings.
Set the PasswordChangeEnabled option to true.
Restart IIS:
iisreset
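The same setting can be applied from PowerShell, which helps when several RD Web Access hosts must be configured identically. This is an added example, not part of the original article; it assumes the default site path named above and the WebAdministration module that ships with IIS.

```powershell
# Added example: enable the RD Web Access password change page without the IIS Manager GUI.
# Run in an elevated session on the server that holds the RD Web Access role.
Import-Module WebAdministration

# Path and key as described in the article (default RDWeb installation).
$site   = 'IIS:\Sites\Default Web Site\RDWeb\Pages'
$filter = "/appSettings/add[@key='PasswordChangeEnabled']"

# Read the current value first so the script is safe to re-run.
$current = Get-WebConfigurationProperty -PSPath $site -Filter $filter -Name value
if ($null -eq $current) {
    throw "PasswordChangeEnabled was not found under $site; check that the RD Web Access role is installed."
}

if ($current.Value -eq 'true') {
    'PasswordChangeEnabled is already true; nothing to do.'
} else {
    Set-WebConfigurationProperty -PSPath $site -Filter $filter -Name value -Value 'true'
    # Restart IIS only when the setting actually changed.
    iisreset | Out-Null
    'PasswordChangeEnabled set to true and IIS restarted.'
}
```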
Users can now change expired passwords via the RDS WebAccess web interface by following the link:
https://[RDWEB-HostName]/RDWeb/Pages/en-US/password.aspx
Replace en-US with your language code. For example, with de-DE for German.
How to Change an Expired Password via RDP with NLA CredSSP Auth Enabled
Network Level Authentication (NLA) with the Credential Security Support Provider (CredSSP) protocol is enabled by default for the RDP protocol in all modern Windows versions. CredSSP with NLA provides additional security by authenticating the user before establishing an RDP session.
If the user's password has expired, or the AD administrator has enabled the User must change password at next logon option in the userAccountControl attribute (usually enabled for new AD user accounts), the user will receive the following error when attempting to log on via RDP:
Remote Desktop Connection You must change your password before logging on the first time. Please update your password or contact your system administrator or technical support.
As a result, a user cannot connect to the RDP host and change a password. The following workarounds are available:
- Configure an RDWA host with a password change page as described above;
- Disable NLA on the RDP host (not recommended!!! as it significantly reduces RDP security) and use the .RDP file with the enablecredsspsupport:i:0 option for connections;
- Create a separate RDP host for password changes only. You don't need to install the Remote Desktop Session Host role on this host or add users to a local Remote Desktop Users group, but you have to disable NLA. In this case, users can change their password, but cannot log in to that host via RDP;
- Users can change their password remotely using PowerShell (requires direct access from the user's computer to the domain controller).
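One way to do the PowerShell change from the last option, as an added example that is not part of the original article: it calls the Windows NetUserChangePassword API, which takes the current password as proof of identity. The function name and the domain controller and user names in the usage line are hypothetical.

```powershell
# Added example: change your own domain password against a domain controller.
# Uses the Win32 NetUserChangePassword API from netapi32.dll via P/Invoke.
$signature = @'
[DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
public static extern int NetUserChangePassword(
    string domainname, string username, string oldpassword, string newpassword);
'@
$netapi = Add-Type -MemberDefinition $signature -Name NetApi32 -Namespace Win32Example -PassThru

function Set-OwnPasswordRemotely {   # hypothetical name
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [Parameter(Mandatory)] [string] $UserName
    )
    # Prompt without echoing, so passwords never land in command history.
    $old  = Read-Host -AsSecureString 'Current password'
    $new  = Read-Host -AsSecureString 'New password'
    $new2 = Read-Host -AsSecureString 'Confirm new password'

    # Unwrap a SecureString in memory only, for the comparison and the API call.
    $plain = { param($s) [System.Net.NetworkCredential]::new('', $s).Password }
    if ((& $plain $new) -cne (& $plain $new2)) {
        throw 'New password and confirmation do not match.'
    }

    $rc = $netapi::NetUserChangePassword($DomainController, $UserName, (& $plain $old), (& $plain $new))
    switch ($rc) {
        0       { 'Password changed.' }
        5       { throw 'Access denied (ERROR_ACCESS_DENIED).' }
        86      { throw 'Current password is incorrect (ERROR_INVALID_PASSWORD).' }
        2221    { throw 'User not found (NERR_UserNotFound).' }
        2245    { throw 'New password does not meet the password policy (NERR_PasswordTooShort).' }
        default { throw "NetUserChangePassword failed with code $rc." }
    }
}

# Usage (hypothetical names):
# Set-OwnPasswordRemotely -DomainController 'dc01.example.local' -UserName 'jsmith'
```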