Windows – How to allow users to change their passwords when logging in via RDP

Tags: network-level-auth, remote desktop, remote-desktop-services, windows, windows-server-2012-r2

I am running a Windows Server 2012 R2 server that admins and users can access via Remote Desktop Connection. I have set up the users and Local Security Policy so that on each user's first login, and every 90 days thereafter, they will be prompted to change their password.

However, whenever the user's account is in a state where the password must be reset, as soon as they try to connect using RDP they get the following error message from the Remote Desktop Connection client (v10.0):

You must change your password before logging on the first time. Please
update your password or contact your system administrator or technical
support.

When using the Remote Desktop Connection Manager client (v2.7) instead, the same happens, though the error is slightly different:

The user password must be changed before logging on for the first time

The server is stand-alone, not on a domain. Network Level Authentication is required to be enabled because of security compliance requirements. The server has no console access as it's a cloud virtual machine.

I have been unsuccessful in finding any workaround for this whatsoever, without compromising on the NLA security configuration. Have I missed something obvious? Any answers or comments would be gratefully received. Thank you.

Best Answer

It cannot be done via RDP itself! (without disabling NLA)

In the protocol specification for CredSSP, there is no reference to the ability to change the user's password while NLA is running. Therefore, the observed behavior can be considered "by design."

CredSSP is the underlying technology that enables NLA, and it does not support password changes. Therefore, password changes are not enabled in MSTSC. Other RD clients that support NLA should be unable to change the user’s password.

Source: https://support.microsoft.com/en-us/help/2648402/you-cannot-change-an-expired-user-account-password-in-a-remote-desktop

As they suggest, enabling password changes via RDWeb is an option. Another option I have seen is changing the password via Exchange webmail.
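As an added example (not code from the question or the answer), a PowerShell check an administrator can run on the host to find the accounts that will hit the error above: enabled local users flagged "must change password at next logon" while NLA is required on the RDP listener. It assumes it runs elevated on the stand-alone server itself and that the listener has the default name RDP-Tcp.

```powershell
# Added example, not part of the original question or answer.
# Lists local accounts that will be refused at RDP logon because their password
# must be changed and NLA (CredSSP) is required. Assumes an elevated session on
# the RDP host; the listener name 'RDP-Tcp' is the default and is an assumption.

# Is NLA required? Win32_TSGeneralSetting lives under root\cimv2\TerminalServices;
# UserAuthenticationRequired = 1 means the listener demands NLA.
$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$nlaRequired = [bool]$ts.UserAuthenticationRequired

# Enumerate local users through the WinNT ADSI provider (2012 R2 has no
# Get-LocalUser). PasswordExpired = 1 is the "must change at next logon" flag.
$ADS_UF_ACCOUNTDISABLE = 0x0002
$computer = [ADSI]"WinNT://$env:COMPUTERNAME"
$pending = foreach ($u in $computer.Children | Where-Object { $_.SchemaClassName -eq 'user' }) {
    $flags    = [int]$u.UserFlags.Value
    $disabled = ($flags -band $ADS_UF_ACCOUNTDISABLE) -ne 0
    if (-not $disabled -and [int]$u.PasswordExpired.Value -eq 1) {
        [pscustomobject]@{
            User            = $u.Name.Value
            PasswordAgeDays = [math]::Round(([int]$u.PasswordAge.Value) / 86400, 1)
        }
    }
}

if ($nlaRequired -and $pending) {
    "NLA is required on RDP-Tcp; these accounts cannot change their password over RDP" +
    " and need another channel (e.g. RDWeb) or an admin-set password:"
    $pending | Format-Table -AutoSize
} elseif ($pending) {
    "NLA is not required; these accounts will be prompted to change their password at RDP logon:"
    $pending | Format-Table -AutoSize
} else {
    "No enabled local accounts are flagged 'must change password at next logon'."
}
```

Running this before the 90-day expiry window (or right after creating an account with the flag set) lets the admin hand out the RDWeb change-password URL or set a temporary password out of band instead of discovering the lockout from a support call.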