Disabling Network Level Authentication works on some domains but not others?!

So what I want to achieve is the ability to change my password when it expires. I want to do this via an RDP session to a server, so that it prompts me to change, and I can carry on with my day. I know that NLA restricts this and that it is by design. Fair enough. I have read that disabling NLA (which I know isn't recommended) removes this restriction and should enable me to change password via an RDP session.

So...

I have an environment with multiple domains that I need to apply this 'fix' to. In the first domain, I disable NLA via group policy and it works. Great! I can RDP to the server and then it asks me to update my password. I am disabling this on the Default Domain Policy in all domains.

My domain controllers are all Windows 2012 R2 and patched to the same level. When I disable the same option in group policy on a different domain, it doesn't work!? I still get the same problem where I am told I can't RDP to the server until I update my password.

Any idea what could be causing this? Could there be another policy overriding NLA being disabled? Is there anywhere in the event log on the domain controllers that may shed some more light on this?

Thanks in advance!

January 22nd, 2015 7:29pm

Hi,

According to your description, I understand that you want to notify RDP users of password expiry and let them change the expired password via an RDP session.

Generally, users can change their password from the terminal session; when the password will expire, they will be prompted to change their password just like in the normal environment. Users can also press Ctrl+Alt+End and click Change a password to change it.

For your reference, here are some similar threads about changing a password via an RDP session:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/50bac455-07ea-4d49-93f1-63e7f7e85618/rds-web-ts-web-in-win2008-r2-change-password-expired-password-change-password-at-next-logon?forum=winserverTS

https://social.technet.microsoft.com/Forums/windowsserver/en-US/c45d8f1d-13f9-490c-9911-7ed9e7859276/windows-2008-terminal-server-user-must-change-password-at-next-logon-problem-with-windows-7?forum=winserverTS

Additionally, this forum focuses on general discussion for Outlook. If there are any further questions about your issue, I suggest asking a question in the Remote Desktop Services forum for more information:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverTS

Thanks for your understanding.

Regards,

January 25th, 2015 12:28pm

Hi Winnie,

Thanks for your reply. The problem is actually with RDP itself. When I use another application (Remote Desktop Manager) to connect to 2012 servers in the domain, I get prompted that my account has expired and I need to reset the password. With RDP it just errors and says my account is expired and I need an admin to reset it.

Kind regards,

Jay

February 13th, 2015 4:05am
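
For the question above about whether another policy is overriding the NLA setting, this is an added example (not posted by anyone in the thread) that reports, on a target RDP server, the Group Policy value, the local listener value, and what the listener says is in force. The function name `Get-NlaState` is hypothetical; it assumes the default `RDP-Tcp` listener and an elevated PowerShell 3.0+ session on the server.

```powershell
# Added example: show where the NLA (UserAuthentication) setting comes from.
# Run on the RDP server itself, or wrap the call in Invoke-Command.
function Get-NlaState {
    $policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    # Value written by Group Policy; $null means no GPO configures it here.
    $policy = (Get-ItemProperty -Path $policyKey -Name UserAuthentication `
               -ErrorAction SilentlyContinue).UserAuthentication

    # Value set locally (System Properties > Remote); used when no policy applies.
    $local = (Get-ItemProperty -Path $listenerKey -Name UserAuthentication `
              -ErrorAction SilentlyContinue).UserAuthentication

    # What the listener reports as in force, and which source won.
    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
              -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

    # PolicySource values: 0 = server (local), 1 = Group Policy, 2 = default
    $source = switch ($ts.PolicySourceUserAuthenticationRequired) {
        0 { 'Local server setting' }
        1 { 'Group Policy' }
        2 { 'Default' }
        default { 'Unknown' }
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        PolicyValue         = if ($null -eq $policy) { 'Not configured' } else { $policy }
        LocalValue          = if ($null -eq $local)  { 'Not set' } else { $local }
        EffectiveNlaRequired = [bool]$ts.UserAuthenticationRequired
        EffectiveSource     = $source
        SecurityLayer       = $ts.SecurityLayer   # 0 = RDP, 1 = Negotiate, 2 = SSL (TLS)
    }
}

Get-NlaState | Format-List

# To see which GPOs were actually applied to this computer (and which were filtered out):
#   gpresult /r /scope computer
```

Comparing this output between a server in the working domain and one in the failing domain shows whether the policy reached the server at all and whether the listener is honouring it.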
