{"id":1154,"date":"2015-10-16T14:43:21","date_gmt":"2015-10-16T20:43:21","guid":{"rendered":"http:\/\/www.RiptideHosting.com\/blog\/?p=1154"},"modified":"2022-06-28T16:32:40","modified_gmt":"2022-06-28T22:32:40","slug":"issue-in-windows-2012-r2-when-setting-rdp-users-to-change-password-upon-login","status":"publish","type":"post","link":"https:\/\/www.RiptideHosting.com\/blog\/issue-in-windows-2012-r2-when-setting-rdp-users-to-change-password-upon-login\/","title":{"rendered":"Issue in Windows 2012 R2 when setting RDP users to change password upon login"},"content":{"rendered":"<p>We have had issues where RDP users haven\u2019t been able to log in to a remote desktop terminal server when the \u201cUser must change password at next logon\u201d checkbox has been checked in user properties \u2013 see screenshot #1 below. Various comments and posts online indicate that changes in the Windows authentication process in recent OS versions don\u2019t allow this password change if Network Level Authentication (NLA) or Credential Security Support Provider (CredSSP) is enabled. This is only an issue when trying to force users to change their password over an RDP session &#8211; it works fine from a console session if you are local to the machine. Here is a workaround as well as alternatives you may consider:<\/p>\n<ol>\n<li>Don\u2019t use this option to force users to change their password. Instead, have them manually change it upon logon by pressing Ctrl+Alt+End and following the change password prompts. 
Another option is to create a complex, strong password for them without having them change it upon first logon (this may be the safest route in certain situations), or have them select their own password but enter it with the Administrator while on the admin session, without selecting the change at next logon option.<\/li>\n<li>NOT RECOMMENDED IN GENERAL &#8211; If you still want to use this option to force a password change, you could turn off NLA and change the RDP security layer to RDP native security. See screenshot #2 below on turning off NLA. See screenshot #3 below on enabling a group policy to select the RDP security layer instead of Negotiate (typically the default) or SSL\/TLS. Using NLA and the higher security layers is usually recommended on your server for security reasons.<\/li>\n<li>Note: if you are having issues logging in to the server over RDP and getting errors about domain validation (when in workgroup mode and there is no domain), often from the Mac remote desktop client, make sure you are logging in with the full name, which is \u201cmachinename\\username\u201d, instead of just the username. 
Machinename is the name given to the server, which you can see under computer properties.<\/li>\n<\/ol>\n<p>SCREENSHOT #1<\/p>\n<p><a href=\"https:\/\/riptidehosting.com\/blog\/wp-content\/uploads\/2015\/10\/User_Properties_General_Tab.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-1155 size-medium\" src=\"https:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2015\/10\/User_Properties_General_Tab-238x300.png\" alt=\"User_Properties_General_Tab\" width=\"238\" height=\"300\" srcset=\"https:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2015\/10\/User_Properties_General_Tab-238x300.png 238w, https:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2015\/10\/User_Properties_General_Tab.png 368w\" sizes=\"auto, (max-width: 238px) 100vw, 238px\" \/><\/a><\/p>\n<p>SCREENSHOT #2<\/p>\n<p><a href=\"https:\/\/riptidehosting.com\/blog\/wp-content\/uploads\/2015\/10\/Turn_off_NLA.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-1156 size-medium\" src=\"https:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2015\/10\/Turn_off_NLA-300x233.png\" alt=\"Turn_off_NLA\" width=\"300\" height=\"233\" srcset=\"https:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2015\/10\/Turn_off_NLA-300x233.png 300w, https:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2015\/10\/Turn_off_NLA.png 507w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>SCREENSHOT #3<\/p>\n<p><a href=\"https:\/\/riptidehosting.com\/blog\/wp-content\/uploads\/2015\/10\/Change_RDP_Security_Layer.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-1157 size-medium\" src=\"https:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2015\/10\/Change_RDP_Security_Layer-300x148.png\" alt=\"Change_RDP_Security_Layer\" width=\"300\" height=\"148\" srcset=\"https:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2015\/10\/Change_RDP_Security_Layer-300x148.png 300w, 
https:\/\/www.RiptideHosting.com\/blog\/wp-content\/uploads\/2015\/10\/Change_RDP_Security_Layer.png 652w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We have had issues where RDP users haven\u2019t been able to log in to a remote desktop terminal server when the \u201cUser must change password at next logon\u201d checkbox has been checked in user properties \u2013 see screenshot #1 below. Various comments and posts online indicate that changes in the Windows authentication process in recent OS [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,7,13,16],"tags":[69,80,83],"class_list":["post-1154","post","type-post","status-publish","format-standard","hentry","category-all-posts","category-remote-desktop-hosting","category-windows-2012-r2","category-wordpress","tag-terminal-server-hosting","tag-windows-server-2012r2","tag-windows-server-hosting"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/posts\/1154","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/comments?post=1154"}],"version-history":[{"count":2,"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/posts\/1154\/revisions"}],"predecessor-version":[{"id":2081,"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/posts\/1154\/revisions\/2081"}],"wp:attachment":[{"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/media?parent=1154"}],"wp:term":[{"t
axonomy":"category","embeddable":true,"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/categories?post=1154"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.RiptideHosting.com\/blog\/wp-json\/wp\/v2\/tags?post=1154"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}