Unable to change expired user domain password on Windows 2012 R2 TS server

Hi guys

We have an environment where the Active Directory servers are Windows 2003. However, we have built some 2012 R2 Terminal servers that use those Windows 2003 servers to authenticate with.  Unfortunately, when a user's password has expired, the 2012 R2 server comes up with a message that I have included in the attachment. We don't know what to do either. I know the AD controllers need to be upgraded, but is there no solution but an upgrade?

Cheers
Yashy
Passwordexpiry.jpg
Yashy Asked:
Cliff Galiher Commented:
Well, a vast majority of RDP users have a domain and their users log into the local domain first.  Which prompts for a password change, which means by the time they log into an RDS server, they've changed their expired password and so they don't have the problem.

People that only log in remotely *tend* to (again generalizing here) use Citrix for various reasons.

But just enough people use RDS and *only* use it remotely that, yes, this question comes up occasionally.  It isn't totally unheard of.

With that said, RDWA doesn't replace RDP.  It is a web front-end that published .rdp files for remote desktops and/or remoteapps.  The user logs into the web page, and it only displays the resources THEY have permissions to (so different users see different apps.)  Then they click on the app, and it opens the RDP client with all the settings already configured.  So no, RDWA isn't an "instead of" ...it is just a different way of making sure users get the right information at the right time...instead of memorizing, mistyping, or misconfiguring RDP directly.

As for the password thing, as I said, it is a web page that users log into.  There is an *optional* setting (disabled by default) that prompts a user to change their password if they try to log in and their password is expired.  By default, the page just throws an error. But if you enable this setting, it prompts for a password change like many other web pages work.  This has security implications and means you are also investing in securing a website, such as SSL, etc.  But it does work.
0
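The optional RDWA password-change setting Cliff describes is a flag in the RD Web Access site's web.config. The script below is an added example, not code from the thread or from Microsoft: it flips that flag with a backup and then checks that the site has an HTTPS binding, since the form will carry credentials. It assumes the default RDWeb install path, that the key is named `PasswordChangeEnabled` under `<appSettings>` in `Pages\web.config`, and that RDWeb sits on `Default Web Site`; confirm all three on your own server before running it.

```powershell
# Added example (not from the thread): enable the optional RDWA password-change page on a
# 2012 R2 RD Web Access server, keep a backup of web.config, and confirm an HTTPS binding
# exists so the form is never served over plain HTTP.
# Assumptions: default RDWeb path, key "PasswordChangeEnabled" under <appSettings>,
# and RDWeb hosted on "Default Web Site". Verify each on your server.
#Requires -RunAsAdministrator

$webConfig = Join-Path $env:windir 'Web\RDWeb\Pages\web.config'
if (-not (Test-Path $webConfig)) { throw "RDWeb web.config not found at $webConfig" }

# Timestamped backup so the change can be rolled back.
$backup = "$webConfig.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -Path $webConfig -Destination $backup

[xml]$xml = Get-Content -Path $webConfig
$node = $xml.configuration.appSettings.add | Where-Object { $_.key -eq 'PasswordChangeEnabled' }
if (-not $node) { throw "Key PasswordChangeEnabled not present in $webConfig" }

Write-Host "PasswordChangeEnabled currently: $($node.value)"
$node.value = 'true'
$xml.Save($webConfig)
Write-Host "PasswordChangeEnabled set to true (backup: $backup)"

# The password page posts credentials, so the site must listen on HTTPS with a
# certificate that remote users trust. Site name is an assumption.
Import-Module WebAdministration
$https = Get-WebBinding -Name 'Default Web Site' -Protocol https
if (-not $https) {
    Write-Warning 'No HTTPS binding on Default Web Site; do not expose the password page over HTTP.'
} else {
    $https | ForEach-Object { Write-Host "HTTPS binding: $($_.bindingInformation)" }
}
```

Run it once on each RD Web Access server in the deployment; the backup path is printed so the change can be reverted by copying the file back.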
 
Cliff Galiher Commented:
First, yes, upgrade those domain controllers. Having 2003 domain controllers this late after 2003 left support is 100% unacceptable. There is no excuse.

With that said, upgrading your DCs won't solve this problem.  The issue is that RDS authenticates *before* presenting the GUI, and therefore offers no mechanism to change a password.   In *most* setups, the user would be logging into a domain-joined workstation or thin client to initiate the RDS session, so they'd be prompted to change their password during *THAT* login, before RDS is even in play.

But in heavily leveraged BYOD (or home OS) environments, you need to put another system in place.  RDWA can do this with an edit, or a 3rd party self-service solution can be implemented.  Azure AD P1 plans offer such a solution, for example.  Combined with password write-back, users can change or reset their password from any location.
1
 
Brian B, EE Topic Advisor, Independent Technology Professional Commented:
Great answer by Cliff. Just one additional thought... In active directory, are the user accounts set to allow them to change their password?
0
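Brian's question is worth answering with data rather than by checking accounts one at a time. The script below is an added example, not code from the thread: it uses the RSAT ActiveDirectory module to list enabled users who are flagged "User cannot change password", whose password has already expired, or whose password will expire within a week, so expiry-related logon failures on the RDS hosts can be told apart from the RDS behaviour Cliff describes. It assumes the module can reach a directory web service (a 2008 R2 or newer DC, or the Active Directory Management Gateway Service installed on a 2003 DC).

```powershell
# Added example (not from the thread): report enabled domain users who cannot change
# their own password, whose password has already expired, or whose password expires
# within 7 days. Assumes the RSAT ActiveDirectory module and a reachable directory web
# service (2008 R2+ DC, or the AD Management Gateway Service on a 2003 DC).
Import-Module ActiveDirectory

$maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
Write-Host "Domain maximum password age: $maxAge"

$props = 'CannotChangePassword', 'PasswordExpired', 'PasswordNeverExpires', 'PasswordLastSet'
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties $props

# "User cannot change password" is set: these users cannot clear an expiry themselves.
$cannotChange = $users | Where-Object { $_.CannotChangePassword }

# Password already expired and the account is not exempt.
$expired = $users | Where-Object { $_.PasswordExpired -and -not $_.PasswordNeverExpires }

# Expiring within 7 days: nudge these users while they can still log on normally.
# A MaxPasswordAge of zero means passwords never expire at the domain level, so skip.
$soon = @()
if ($maxAge -gt [TimeSpan]::Zero) {
    $cutoff = (Get-Date).AddDays(7)
    $soon = $users | Where-Object {
        -not $_.PasswordNeverExpires -and $_.PasswordLastSet -and -not $_.PasswordExpired -and
        ($_.PasswordLastSet + $maxAge) -lt $cutoff
    }
}

Write-Host "`nCannot change own password ($($cannotChange.Count)):"
$cannotChange | Select-Object SamAccountName, PasswordLastSet | Format-Table -AutoSize

Write-Host "Password already expired ($($expired.Count)):"
$expired | Select-Object SamAccountName, PasswordLastSet | Format-Table -AutoSize

Write-Host "Expiring within 7 days ($($soon.Count)):"
$soon | Select-Object SamAccountName,
    @{ Name = 'ExpiresOn'; Expression = { $_.PasswordLastSet + $maxAge } } |
    Sort-Object ExpiresOn | Format-Table -AutoSize
```

Anyone in the first list will fail on every channel, not just RDS, until an administrator clears the flag or resets the password; the third list is the group to warn before they hit the RDS prompt.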

 
Yashy (Author) Commented:
Cliff, I appreciate your input on this.  I agree with you that 2003 is obsolete and must go. This is all cost related and we're working on that now.  Our terminal services server is joined to the domain. I mean, our current terminal services server 2003 (which we're getting rid of) does prompt people to change their passwords.  Which is why I thought it has to be related to the fact that it is a 2012 R2 server joined to a 2003 domain?
0
 
Cliff Galiher Commented:
Nope.  It'd do this with a 2012 domain as well.  It was a change in the RDP protocol, not in the domain functionality.
0
 
Yashy (Author) Commented:
Ah, so you mean if we got rid of our Domain 2003 and went to 2012 R2 domain controllers, this would resolve the issue?
0
 
Cliff Galiher Commented:
No, that's the opposite of what I said.  No version of windows domain controllers will "solve" this issue.  It isn't a bug.  It was a change in how RDS works.  You could go back to 2003 terminal servers...which of course is a terrible idea.  Or you can implement a 3rd-party solution as previously commented.
0
 
Yashy (Author) Commented:
My bad Cliff, sorry for the confusion here. Not a good day today. But then that would mean thousands of people would be having similar issues out there.  That's crazy!

At the moment, I won't be able to head down the Azure AD P1 route. So it would have to be a third-party solution, or for us to set up a 2008 R2 TS.

So we could set up Remote Desktop Web Access somehow instead of using the RDP protocol? Does that not affect the refresh rate and make it slower than using RDP?

Thanks again for your help on this, I appreciate it.
0
 
Cliff Galiher Commented:
Note that *much* of this is changing.  I recommend finding and watching the "remote desktop modern infrastructure" presentation from Ignite 2017.  While not released yet, Microsoft is doing a lot to tie RDS to Azure to increase security, and could fundamentally change plans.  We'll be learning a lot more as beta releases continue to flow into the insider program.
0
 
Yashy (Author) Commented:
Hi Cliff,

I understand now. Unfortunately this domain is not local and is always used as a terminal services server. What if we created a Windows 2008 R2 server that was a jump box that they hopped onto? That should prompt them for the password change, since the RDS version is older, and then from there they can hop onto the 2012 R2 server. Would something like that work?

Cheers
Yash
0
 
Cliff Galiher Commented:
Nope. The change happened between 2003 and 2008. So 2008 R2 will behave the same way 2012 R2 does. Like I said, the only workaround of that kind would be to keep using 2003...which is not a real solution as far as I am concerned.
0
 
Yashy (Author) Commented:
Most of those points were supposed to go to you Cliff. I'm just going to speak with the site administrators about it.
0
 
Brian B, EE Topic Advisor, Independent Technology Professional Commented:
With the new system, you can edit point distribution any more. http://support.experts-exchange.com/customer/portal/articles/2527982-how-do-i-close-my-question-
0