Credssp blocking expired and "change on next login" passwords

No matter what I've tried we run into an issue where if a user is trying to log into a Terminal Server it will ask them for a login before connecting. Problem is, if the password expired or has "change at next log in" checked it just errors out and says contact administrator. NLA is turned off. I can manually turn off "enable credssp" in the .rdp file on each computer, but that's not really practical. Is there any way around this? Thanks! Mainly seems to affect Windows 2012 servers.
Seth_zin (LVL 8) asked:

David Johnson, CD, MVP (Owner) commented:
Add a routine that informs the user PRIOR to the password expiring to change their password.

i.e. run this PowerShell script on logon:
http://blogs.msdn.com/b/adpowershell/archive/2010/02/26/find-out-when-your-password-expires.aspx
0
David Johnson, CD, MVP (Owner) commented:
Get-XADUserPasswordExpirationDate.ps1
<#
.Synopsis
   Find out when your password expires
.DESCRIPTION
   This function will display when a user's password expires
.EXAMPLE
   Get-XADUserPasswordExpirationDate testuser1
Password of account: testuser1 already expired!
.EXAMPLE
   Get-XADUserPasswordExpirationDate JohnDoe
Password of account: John Doe expires on: 02/25/2010 13:03:20
#>
# Requires the RSAT ActiveDirectory module (Get-ADUser, Get-ADDomain, ...)
Import-Module ActiveDirectory

function Get-XADUserPasswordExpirationDate()
{
    [CmdletBinding()]
    [OutputType([string])]
    Param ([Parameter(Mandatory=$true, Position=0, ValueFromPipeline=$true, HelpMessage="Identity of the Account")]
    [Object] $accountIdentity)
    PROCESS {
        try {
            $accountObj = Get-ADUser $accountIdentity -Properties PasswordExpired, PasswordNeverExpires, PasswordLastSet
            if ($accountObj.PasswordExpired) {
                echo ("Password of account: " + $accountObj.Name + " already expired!")
            } else {
                if ($accountObj.PasswordNeverExpires) {
                    echo ("Password of account: " + $accountObj.Name + " is set to never expire!")
                } else {
                    $passwordSetDate = $accountObj.PasswordLastSet
                    if ($passwordSetDate -eq $null) {
                        # PasswordLastSet is null when pwdLastSet is 0, which is also the
                        # "User must change password at next logon" state
                        echo ("Password of account: " + $accountObj.Name + " has never been set!")
                    } else {
                        $maxPasswordAgeTimeSpan = $null
                        $dfl = (Get-ADDomain).DomainMode
                        if ($dfl -ge 3) {
                            ## Windows Server 2008 or higher domain functional level:
                            ## a fine-grained password policy (FGPP) may override the domain default
                            $accountFGPP = Get-ADUserResultantPasswordPolicy $accountObj
                            if ($accountFGPP -ne $null) {
                                $maxPasswordAgeTimeSpan = $accountFGPP.MaxPasswordAge
                            } else {
                                $maxPasswordAgeTimeSpan = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
                            }
                        } else {
                            $maxPasswordAgeTimeSpan = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
                        }
                        if ($maxPasswordAgeTimeSpan -eq $null -or $maxPasswordAgeTimeSpan.TotalMilliseconds -eq 0) {
                            echo ("MaxPasswordAge is not set for the domain or is set to zero!")
                        } else {
                            echo ("Password of account: " + $accountObj.Name + " expires on: " + ($passwordSetDate + $maxPasswordAgeTimeSpan))
                        }
                    }
                }
            }
        }
        catch {
            Write-Host "An Error Has Occurred. Please inform your Administrator"
            Write-Host $_.Exception.ToString()
        }
    }
    End
    {
    }
}


Run this as a scheduled task on user logon. Feel free to modify the code, i.e.:
$date = Get-Date
$passwordexpirydate = $passwordSetDate + $maxPasswordAgeTimeSpan
# Days remaining until expiry (expiry minus today; negative once already expired)
$daysleft = ($passwordexpirydate - $date).Days
if ($daysleft -le 7) {
    Write-Output "Your password expires in $daysleft days. Please change your password."
    Read-Host "Press Enter to acknowledge"
}
0
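The script above checks one account at a time and computes MaxPasswordAge by hand. As an added example (not part of the original post or the linked blog), the report below lists every enabled account that NLA/CredSSP pre-authentication would reject (password expired, or "change at next logon" set) plus those expiring within a warning window, so an administrator can reach those users before they hit the error in the question. It uses the AD constructed attribute msDS-UserPasswordExpiryTimeComputed, which the domain controller already evaluates against the applicable fine-grained or default policy; the $WarnDays parameter and the output column names are assumptions of this example. Requires the RSAT ActiveDirectory module.

```powershell
# Added example, not the original poster's code.
# Reports accounts that RDP pre-authentication (NLA/CredSSP) cannot log on:
# expired passwords and "must change at next logon", plus accounts expiring
# within $WarnDays so users can be warned before they are locked out of TS.
param([int]$WarnDays = 7)   # assumed default warning window
Import-Module ActiveDirectory

$now   = Get-Date
$props = 'pwdLastSet', 'PasswordNeverExpires', 'msDS-UserPasswordExpiryTimeComputed'

Get-ADUser -Filter 'Enabled -eq $true' -Properties $props | ForEach-Object {
    $u       = $_
    $state   = $null
    $expires = $null

    if ($u.pwdLastSet -eq 0) {
        # pwdLastSet = 0 is the "User must change password at next logon" flag;
        # this is exactly the account that fails the pre-connect credential prompt.
        $state = 'MustChangeAtNextLogon'
    } elseif ($u.PasswordNeverExpires) {
        $state = 'NeverExpires'
    } else {
        # Constructed attribute: FILETIME of expiry, already taking any FGPP
        # into account, so no manual MaxPasswordAge lookup is needed.
        $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
        if ($raw -and $raw -ne [Int64]::MaxValue) {
            $expires  = [DateTime]::FromFileTime($raw)
            $daysLeft = ($expires - $now).Days
            if ($expires -le $now)            { $state = 'Expired' }
            elseif ($daysLeft -le $WarnDays)  { $state = "ExpiresIn${daysLeft}d" }
        }
    }

    if ($state) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            State          = $state
            ExpiresOn      = $expires
        }
    }
} | Sort-Object State, ExpiresOn | Format-Table -AutoSize
```

Accounts reported as Expired or MustChangeAtNextLogon are the ones the question describes; they need the password reset (or an interactive logon path) before an NLA-enforced RDP connection will succeed.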

Seth_zin (Author) commented:
Thanks for the reply, sorry for the delay but I wasn't in the office for the weekend. Is there any way around it beyond that? The issue here is people still ignore that, so they still get that message without editing the .rdp file, which can bypass that.
0
Seth_zin (Author) commented:
Basically I am looking for a way to make the computer stop asking for a log in to a terminal server on the client. When I open RDP and connect I want it to go to the server and ask for a login which will allow me to change the password. Otherwise, if I enter the info in the pop up it will just say it expired and to contact administrators.
0
Seth_zin (Author) commented:
I think I asked this question wrong, however your solution may work for some so I am going to re-ask, but I will accept your solution. Thanks for taking your time to write that up for me! :)
0
Windows Server 2012