I'm going to posit that you can't do this. With NLA (network-level authentication) enforced, a user cannot log in remotely and change his or her password.
You can use tsconfig.msc on the Remote Desktop server, right-click the RDP-Tcp connection and choose Properties, and change the security layer drop-down menu to 'RDP Security Layer,' but then you lose NLA. Unfortunately the two settings are mutually exclusive.
If you must have NLA, then you need to establish an alternate method for users to change expired passwords, such as through Outlook Anywhere, or RDWeb Access, or a physical console of a domain-joined workstation, etc.
This is sort of a catch-22 situation, because by design, NLA will not even allocate the system resources necessary to create a Remote Desktop session for you until after your credentials have been verified to be valid. But you would have to connect to a full session, have a desktop created, LogonUI.exe spawned for you, etc., in order to change your password. But you can't have a session because your password is expired. Allowing this would, I believe, open a hole in NLA where a user could bypass NLA and get a session anyway, even though they don't have a good (i.e. not expired) password.
http://support.microsoft.com/kb/2648402 says:
In the protocol specification for CredSSP, there is no reference to the ability to change the user's password while NLA is running. Therefore, the observed behavior can be considered "by design."
CredSSP is the underlying technology that enables NLA, and it does not support password changes. Therefore, password changes are not enabled in MSTSC. Other RD clients that support NLA should be unable to change the user’s password.
AD will not let you change the date a password was last reset, except to 0 (which will force a password change at next login). To do that, you can't set the PwdLastSet manually, you have to use something like the following snippet:
Set-ADUser -Identity JoeBlow -ChangePasswordAtNextLogon $true
Best Answer
No, there's no way to do that. All you can do is try to "copy" an existing user, maybe it will inherit the setting.