This article shows how remote users can change their own expired passwords when connecting over RDP to a Remote Desktop Services (RDS) farm on Windows Server 2012/2012 R2.
Windows Server 2012 R2 and Windows 8.1 enable by default an authentication mechanism known as Network Level Authentication (NLA), which does not allow users with an expired password to connect using RDP. When the password has expired, the user receives the following error message during the RDP connection attempt:
An authentication error has occurred.
The Local Security Authority cannot be contacted
This could be due to an expired password
Please update your password if it has expired.
Thus, with NLA in use, replacing an expired password via RDP becomes an almost unsolvable puzzle for remote users who have no other way to reach the network. You can, of course, ask advanced users to change their password in advance directly in the RDP session; however, this does not always work, because staff members forget to do it.
Windows Server 2012 / R2 has a new option that allows remote users to change their current or expired password on a special web page on the RD Web Access server. The process works like this: the user signs in to the logon web page on the server with the RD Web Access role and then changes the password using a special form.
The remote password change function is available on a server with the Remote Desktop Web Access role, but this feature is disabled by default.
The page password.aspx is used to change the password. You can find it here: C:\Windows\Web\RDWeb\Pages\en-US.
To activate the password change function, open IIS Manager on the server with the RD Web Access role, go to [Server Name] -> Sites -> Default Web Site -> RDWeb -> Pages and open Application Settings.
In the right pane, find the PasswordChangeEnabled parameter and change its value to true.
To test the password change mechanism, go to the web page:
https://[RD-WEB-1]/RDWeb/Pages/en-US/password.aspx
Now, when a user with an expired password attempts to connect to the RD Web Access server, he is redirected to the password.aspx page, where he can change his password.
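As an added example that is not part of the original article, the same change can be made from PowerShell with the WebAdministration module, followed by two checks a practitioner would want: that the setting really took effect, and that the RDWeb application requires SSL, since the form carries the old and new password. It assumes the default site name "Default Web Site" from the IIS path above and keeps the article's [RD-WEB-1] placeholder for the host name.

```powershell
# Added example (not from the original article). Run elevated on the RD Web Access server.
Import-Module WebAdministration

# IIS "Application Settings" for RDWeb/Pages are the <appSettings> entries in
# C:\Windows\Web\RDWeb\Pages\web.config; this is the same PasswordChangeEnabled key.
$pagesPath = 'MACHINE/WEBROOT/APPHOST/Default Web Site/RDWeb/Pages'
$filter    = "appSettings/add[@key='PasswordChangeEnabled']"

$current = (Get-WebConfigurationProperty -PSPath $pagesPath -Filter $filter -Name 'value').Value
Write-Host "PasswordChangeEnabled before: $current"

if ($current -ne 'true') {
    Set-WebConfigurationProperty -PSPath $pagesPath -Filter $filter -Name 'value' -Value 'true'
}

# Read the value back: a typo in the key or path would silently leave the form disabled.
$after = (Get-WebConfigurationProperty -PSPath $pagesPath -Filter $filter -Name 'value').Value
if ($after -ne 'true') { throw "PasswordChangeEnabled is still '$after'" }
Write-Host "PasswordChangeEnabled after:  $after"

# password.aspx posts the old and new password, so the RDWeb application should
# require SSL (the "Require SSL" checkbox in IIS Manager -> SSL Settings).
$ssl = (Get-WebConfiguration -PSPath 'IIS:\Sites\Default Web Site\RDWeb' `
            -Filter 'system.webServer/security/access').sslFlags
if ("$ssl" -notmatch '\bSsl\b') {
    Write-Warning "RDWeb does not require SSL; the password form would also be served over plain HTTP."
}

# Smoke test: once the setting is active the page should answer with HTTP 200.
$url = 'https://[RD-WEB-1]/RDWeb/Pages/en-US/password.aspx'   # replace the placeholder host
try {
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing
    Write-Host "password.aspx returned HTTP $($resp.StatusCode)"
} catch {
    Write-Warning "Could not reach ${url}: $($_.Exception.Message)"
}
```

The smoke test fails with a certificate error if the RD Web Access certificate is not trusted by the machine running the script; that failure is itself worth fixing before exposing the page to users.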
Note: After installing the special patch KB 2648402, you can get similar functionality in Windows Server 2008 R2.
You can add a link to the password change form directly on the logon page of the RDWeb server. This allows users to change their password on their own at any time (they don't have to wait until the password expires).
Let's add a link to password.aspx on the login page.
Locate and open login.aspx on the RDWeb server using any text editor (it is located in the same folder as password.aspx):
Go to line 538 and insert the following code:
<a href="https://[RD-WEB-1]/RDWeb/Pages/en-US/password.aspx">Password Reset Utility</a>
Save login.aspx, restart the IIS website, and then check that the link to the password change page appears on the terminal server logon page.