Enforcing users to change password in AD error

carnagelan

Hello

I’ve added a new password policy via GPO on our domain. The policy requires that all passwords must be at least 12 characters long and include numbers as well as special characters.

To support this, I created a PowerShell script that sets the “User must change password at next logon” option on all user accounts.
  • For users whose existing passwords did not meet the new policy, this works as expected. When they log in to the RDS cluster, they are prompted with the password change dialog and can successfully update their credentials.
  • However, users whose passwords already met the policy are experiencing an issue. When they attempt to log in to the RDS cluster, they receive the message: “Password has expired, please contact your system administrator.” Unfortunately, they are not given the option to update their password.

Regards
Check Network Level Authentication (NLA) on your RDS cluster.
With NLA enabled:
  • Users with non-compliant passwords: Their authentication fails early, which triggers the password change dialog
  • Users with compliant passwords: NLA authenticates them successfully, but when Windows checks the "must change password at next logon" flag, it blocks the session without showing the password change prompt
NLA authenticates users before establishing the full RDP session, so users can't access the password change dialog.
  1. Temporarily disable NLA on your RDS hosts to allow all users to change passwords (probably the best approach)
    • Group Policy: Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security
    • Uncheck "Require user authentication for remote connections by using Network Level Authentication"
  2. Have users change passwords elsewhere first:
    • Ctrl+Alt+Del at a workstation
    • Password change portal if you have one
    • net user <username> <newpassword> /domain (as admin)
  3. Selectively clear the flag for users with compliant passwords:
    powershell:
    Set-ADUser -Identity username -ChangePasswordAtLogon $false
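An added example (not the thread's own script) covering options 1 and 3 from the defender's side: list who still carries the flag, clear it only for an explicitly named set of accounts, and check whether the session hosts enforce NLA. The account names and host names in the parameters are assumed placeholders; it needs the ActiveDirectory RSAT module and rights to modify the accounts.

```powershell
# Added example, not from the thread. $CompliantUsers and $RdsHosts are assumed inputs
# supplied by the admin; nothing is changed unless -Apply is passed.
param(
    [string[]]$CompliantUsers = @('jdoe', 'asmith'),   # assumed: sAMAccountNames whose passwords already met the policy
    [string[]]$RdsHosts       = @('RDSH01', 'RDSH02'), # assumed: RDS session host names
    [switch]$Apply                                     # report only unless -Apply is given
)
Import-Module ActiveDirectory

# 1. Who still has the flag set? AD stores "must change password at next logon" as pwdLastSet=0.
#    The bitwise OID filter (LDAP_MATCHING_RULE_BIT_AND) excludes disabled accounts (UAC bit 0x2).
$flagged = Get-ADUser -LDAPFilter '(&(objectClass=user)(pwdLastSet=0)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' `
                      -Properties pwdLastSet
"{0} enabled account(s) currently must change password at next logon" -f @($flagged).Count

# 2. Clear the flag only for accounts the admin has vouched for. Clearing it for everyone
#    would also release the users whose passwords do not meet the new policy.
foreach ($sam in $CompliantUsers) {
    $u = $flagged | Where-Object SamAccountName -eq $sam
    if (-not $u) { "Skip $sam : account not found or flag not set"; continue }
    if ($Apply) {
        Set-ADUser -Identity $u -ChangePasswordAtLogon $false
        "Cleared flag for $sam"
    } else {
        "Would clear flag for $sam (re-run with -Apply)"
    }
}

# 3. Is NLA enforced on the session hosts? UserAuthentication=1 means NLA is required,
#    the state in which a flagged-but-compliant user sees "Password has expired" instead of the dialog.
foreach ($h in $RdsHosts) {
    try {
        $nla = Invoke-Command -ComputerName $h -ScriptBlock {
            (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
                              -Name UserAuthentication).UserAuthentication
        }
        "{0}: NLA {1}" -f $h, $(if ($nla -eq 1) { 'required' } else { 'not required' })
    } catch {
        "{0}: could not query ({1})" -f $h, $_.Exception.Message
    }
}
```

Run it once without -Apply to confirm the list of accounts it would touch before making the change.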
Thanks man, will keep this in mind for any future changes as I have already sorted this customer out.
Much appreciated