• Status: Solved
  • Priority: Medium
  • Security: Public

CredSSP blocking expired and "change on next login" passwords

No matter what I've tried, we run into an issue where, if a user is trying to log into a Terminal Server, it will ask them for a login before connecting. The problem is, if the password has expired or has "change at next login" checked, it just errors out and says to contact the administrator. NLA is turned off. I can manually turn off "enable credssp" in the .rdp file on each computer, but that's not really practical. Is there any way around this? Thanks! It mainly seems to affect Windows 2012 servers.
Asked by: Seth_zin
2 Solutions
 
David Johnson, CD, MVP (Owner) commented:
Add a routine that informs the user PRIOR to the password expiring to change their password,

i.e. run this PowerShell script on logon:
http://blogs.msdn.com/b/adpowershell/archive/2010/02/26/find-out-when-your-password-expires.aspx
 
David Johnson, CD, MVP (Owner) commented:
Get-XADUserPasswordExpirationDate.ps1
<#
.Synopsis
   Find out when your password expires
.DESCRIPTION
   This function displays when a user's password expires
.EXAMPLE
   Get-XADUserPasswordExpirationDate testuser1
Password of account: testuser1 already expired!
.EXAMPLE
   Get-XADUserPasswordExpirationDate JohnDoe
Password of account: John Doe expires on: 02/25/2010 13:03:20
#>
# Requires the ActiveDirectory module (RSAT / AD DS tools)
Import-Module ActiveDirectory

function Get-XADUserPasswordExpirationDate()
{
    [CmdletBinding()]
    [OutputType([string])]
    Param ([Parameter(Mandatory=$true, Position=0, ValueFromPipeline=$true, HelpMessage="Identity of the Account")]
           [Object] $accountIdentity)
    PROCESS {
        try {
            $accountObj = Get-ADUser $accountIdentity -Properties PasswordExpired, PasswordNeverExpires, PasswordLastSet
            if ($accountObj.PasswordExpired) {
                Write-Output ("Password of account: " + $accountObj.Name + " already expired!")
            } elseif ($accountObj.PasswordNeverExpires) {
                Write-Output ("Password of account: " + $accountObj.Name + " is set to never expire!")
            } else {
                $passwordSetDate = $accountObj.PasswordLastSet
                if ($passwordSetDate -eq $null) {
                    # PasswordLastSet is empty when "User must change password at next logon" is set
                    Write-Output ("Password of account: " + $accountObj.Name + " has never been set!")
                } else {
                    $maxPasswordAgeTimeSpan = $null
                    $dfl = (Get-ADDomain).DomainMode
                    if ($dfl -ge 3) {
                        # Windows Server 2008 domain functional level or later: a fine-grained password policy may apply
                        $accountFGPP = Get-ADUserResultantPasswordPolicy $accountObj
                        if ($accountFGPP -ne $null) {
                            $maxPasswordAgeTimeSpan = $accountFGPP.MaxPasswordAge
                        } else {
                            $maxPasswordAgeTimeSpan = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
                        }
                    } else {
                        $maxPasswordAgeTimeSpan = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
                    }
                    if ($maxPasswordAgeTimeSpan -eq $null -or $maxPasswordAgeTimeSpan.TotalMilliseconds -eq 0) {
                        Write-Output "MaxPasswordAge is not set for the domain or is set to zero!"
                    } else {
                        Write-Output ("Password of account: " + $accountObj.Name + " expires on: " + ($passwordSetDate + $maxPasswordAgeTimeSpan))
                    }
                }
            }
        }
        catch {
            Write-Host "An Error Has Occurred. Please inform your Administrator"
            Write-Host $_.Exception.ToString()
        }
    }
}


Run this as a scheduled task on user logon. Feel free to modify the code, e.g.:

$date = Get-Date
$passwordexpirydate = $passwordSetDate + $maxPasswordAgeTimeSpan
# Days remaining until expiry (negative once the password has expired)
$daysleft = ($passwordexpirydate - $date).Days
if ($daysleft -le 7) {
    Write-Output "Your password expires in $daysleft days. Please change your password."
    Read-Host "Press Enter to acknowledge"
}
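The same warning, as an added logon-script example that is not part of the thread's own code: it reads the constructed attribute msDS-UserPasswordExpiryTimeComputed (which already reflects any fine-grained policy) and handles the "must change at next logon" and expired cases that CredSSP cannot, which the snippet above does not. It assumes the ActiveDirectory module is available on the client and a 7-day warning window.

```powershell
# Added example (not from the thread). Assumes RSAT's ActiveDirectory module on the client
# and a 7-day warning threshold; both are assumptions, adjust as needed.
Import-Module ActiveDirectory

function Get-PasswordExpiryStatus {
    param([Parameter(Mandatory=$true)][string] $SamAccountName)

    # msDS-UserPasswordExpiryTimeComputed already applies any fine-grained password policy,
    # so there is no need to inspect the domain functional level or look up the FGPP.
    $u = Get-ADUser -Identity $SamAccountName -Properties PasswordExpired, PasswordNeverExpires, pwdLastSet, 'msDS-UserPasswordExpiryTimeComputed'

    if ($u.PasswordNeverExpires) { return @{ State = 'NeverExpires'; DaysLeft = $null } }
    # pwdLastSet = 0 is "User must change password at next logon": the case the CredSSP prompt cannot handle.
    if ($u.pwdLastSet -eq 0)    { return @{ State = 'MustChangeAtNextLogon'; DaysLeft = 0 } }
    if ($u.PasswordExpired)     { return @{ State = 'Expired'; DaysLeft = 0 } }

    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # The attribute is a FILETIME; Int64.MaxValue means the password does not expire under the applicable policy.
    if ($null -eq $raw -or $raw -eq [Int64]::MaxValue) { return @{ State = 'NoMaxAge'; DaysLeft = $null } }

    $expiry   = [DateTime]::FromFileTime($raw)
    $daysLeft = [Math]::Floor(($expiry - (Get-Date)).TotalDays)
    return @{ State = 'Expires'; DaysLeft = $daysLeft; ExpiresOn = $expiry }
}

# Logon-script usage: nag the user while the password can still be changed in the normal way.
$status = Get-PasswordExpiryStatus -SamAccountName $env:USERNAME
switch ($status.State) {
    'MustChangeAtNextLogon' { Write-Host "You must change your password now (Ctrl+Alt+Del, Change a password) before using Remote Desktop." }
    'Expired'               { Write-Host "Your password has expired; change it before using Remote Desktop." }
    'Expires' {
        if ($status.DaysLeft -le 7) {
            Write-Host ("Your password expires in {0} day(s), on {1}. Please change it now." -f $status.DaysLeft, $status.ExpiresOn)
            Read-Host "Press Enter to acknowledge" | Out-Null
        }
    }
}
```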
 
Seth_zin (Author) commented:
Thanks for the reply, and sorry for the delay, but I wasn't in the office over the weekend. Is there any way around it beyond that? The issue here is that people still ignore that, so they still get that message without editing the .rdp file, which can bypass it.
 
Seth_zin (Author) commented:
Basically, I am looking for a way to make the client computer stop asking for a login to a terminal server. When I open RDP and connect, I want it to go to the server and ask for a login there, which will allow me to change the password. Otherwise, if I enter the info in the pop-up, it will just say it expired and to contact the administrators.
 
Seth_zin (Author) commented:
I think I asked this question wrong; however, your solution may work for some, so I am going to re-ask, but I will accept your solution. Thanks for taking your time to write that up for me! :)