How to Change Expired Password via Remote Desktop Web Access on Windows Server | Windows OS Hub (2024)

In this article, we’ll show how your remote users can change their expired passwords using a special web form on a Remote Desktop Services (RDS) server with the RD Web Access role on Windows Server 2022/2019/2016/2012 R2.

Contents:

  • Can’t Change Expired Password from a Remote Desktop Session
  • How to Allow Remote User to Reset Expired Password on RDWeb Access Host?
  • Adding Password Change Link to the RD Web Access Login Form

Can’t Change Expired Password from a Remote Desktop Session

In Windows Server 2012 R2 and newer, NLA (Network Level Authentication) is enabled for Remote Desktop connections by default. NLA prevents users from connecting to RDP/RDS hosts if their password has expired or if the “User must change password at first Logon” option is enabled in their userAccountControl attribute. You can disable NLA, but this is not good in terms of security. When you try to connect to the RDSH server (Remote Desktop Session Host) under a user account with an expired password, the following error message appears:

An authentication error has occurred.
The Local Security Authority cannot be contacted
Remote computer: lonSrvRDS1
This could be due to an expired password
Please update your password if it has expired.

When using NLA, remote RDP users cannot change their expired password if they have no way to access the corporate network other than the RDS infrastructure. Certainly, you can ask your users to change their passwords directly in the RDP session in advance, or enable the Interactive logon: Prompt user to change password before expiration GPO option on RDS hosts (Computer Configuration -> Windows Settings -> Local Policies -> Security Options), but this doesn’t always work because users tend to forget.

In Windows Server 2012 R2 and newer, remote users can reset their password (current or expired) themselves through a special web page on the server with the Remote Desktop Web Access role. To change the password, the user must authenticate via the RDS-WebAccess sign-in web page and change the password using a special aspx form.

Note. In Windows Server 2003, domain users could change their expired passwords using a small web application, IISADMPWD (though not officially supported).

How to Allow Remote User to Reset Expired Password on RDWeb Access Host?

A remote password change option is available on the server with the Remote Desktop Web Access (RD Web Access) role, but this feature is disabled by default.

If you have an RDS server farm deployed, you can find a server with the RDS-WEB-Access role installed by querying the deployment configuration on the RD Connection Broker host:

Get-RDServer -ConnectionBroker rdcb1.woshub.com | where {$_.roles -eq "RDS-WEB-ACCESS"}

To change a password, use the script in the password.aspx file located in C:\Windows\Web\RDWeb\Pages\en-US.

If you are using a localized version of Windows Server (without language pack) the path to the password.aspx file will be different and look like this:

  • C:\Windows\Web\RDWeb\Pages\fr-FR – for the French edition of Windows Server
  • C:\Windows\Web\RDWeb\Pages\de-DE – for German edition.

To enable the password change option, you need to run the IIS Manager console (inetmgr) on the server with the configured RD Web Access role. Go to [Server Name] –> Sites –> Default Web Site –> RDWeb –> Pages and open the Application Settings section.

In the right pane, find the PasswordChangeEnabled parameter and change its value to true.

Also, you can set the PasswordChangeEnabled parameter to True in the IIS config file C:\Windows\Web\RDWeb\Pages\Web.config.

The PasswordChangeEnabled parameter allows Active Directory users to change their expired password through the RD Web Access portal. This option does not allow changing the password of local users on RDS hosts in a workgroup environment (without domain).

Restart the IIS web-server from the console or use the command:

iisreset

To check the availability of the password change page, go to the following web page:

https://lonSrvRDS1/RDWeb/Pages/en-US/password.aspx

RD Web Access must have a valid SSL certificate installed. You can use the free Let’s Encrypt certificate in IIS.

Enter the username, the old password, and the new password twice.

After successfully changing the user’s password, the following message should appear:

Your password has been successfully changed.

Click OK and the user will be redirected to the RD Web login page. If the user’s password does not match the domain’s password policy, a warning message will appear:

Your new password does not meet the length, complexity, or history requirements of your domain. Try choosing a different new password.

This password change method works on the Remote Desktop Web Access server only if Forms Authentication is enabled in IIS on the RDWA server. You won’t be able to change the password through the RD web form if the Windows Authentication method is used.

You can list and change the supported authentication types in the IIS Manager console. Select Sites -> Default Web Site -> RDWeb -> Pages and, in the right pane, select Forms Authentication.

Now, when trying to connect to the RD Web Access server with an expired password, the user will be redirected to the password.aspx web page and prompted to change their password.
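The Web.config change and the Forms Authentication prerequisite described above can be scripted. This is an added PowerShell example, not code from the original article; the function name Set-RdWebPasswordChange is hypothetical, and the script assumes the authentication mode is declared under system.web in the same Web.config.

```powershell
# Added example: enable PasswordChangeEnabled in the RDWeb Web.config and check
# the Forms Authentication prerequisite. Run elevated on the RD Web Access host.
$configPath = 'C:\Windows\Web\RDWeb\Pages\Web.config'   # path from the article

function Set-RdWebPasswordChange {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Path,
        [bool] $Enabled = $true
    )
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true          # keep the file's layout and comments
    $xml.Load($Path)

    $node = $xml.SelectSingleNode("/configuration/appSettings/add[@key='PasswordChangeEnabled']")
    if (-not $node) { throw "PasswordChangeEnabled key not found in $Path" }

    # Assumption: the authentication mode is declared under system.web in this file.
    $auth = $xml.SelectSingleNode('//system.web/authentication')
    $mode = if ($auth) { $auth.GetAttribute('mode') } else { '(not declared)' }
    if ($mode -ne 'Forms') {
        Write-Warning "Authentication mode is '$mode'; password.aspx requires Forms Authentication."
    }

    $wanted  = $Enabled.ToString().ToLowerInvariant()
    $changed = $false
    if ($node.GetAttribute('value') -ne $wanted) {   # -ne is case-insensitive
        # Keep a timestamped copy so the change can be rolled back.
        $backup = '{0}.{1:yyyyMMdd-HHmmss}.bak' -f $Path, (Get-Date)
        Copy-Item -LiteralPath $Path -Destination $backup
        $node.SetAttribute('value', $wanted)
        $xml.Save($Path)
        $changed = $true
    }
    [pscustomobject]@{
        Path                  = $Path
        PasswordChangeEnabled = $wanted
        AuthenticationMode    = $mode
        Changed               = $changed
    }
}

$result = Set-RdWebPasswordChange -Path $configPath
$result
if ($result.Changed) { iisreset }   # restart IIS, as the article instructs
```

Because the script reports the authentication mode and whether the file changed, it can also be rerun later as a read-mostly check that the setting is still in the expected state.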

Tip. You can change an expired password on Windows Server 2008 R2 with the RD Web Access Role after installing the special update KB2648402.

Adding Password Change Link to the RD Web Access Login Form

You can add a link to the password change form directly to the Remote Desktop WebAccess sign-in form. This will allow users to change their password any time without waiting till it expires.

Insert a link to the password.aspx file into the RDWeb sign-in page (create a backup copy of the password.aspx file before editing).

  1. On the RDWeb server, find and open the file C:\Windows\Web\RDWeb\Pages\en-US\login.aspx in any text editor (I prefer Notepad++);
  2. Go to line 429 (in Windows Server 2022, it is located after the following HTML block <tr id="trPasswordExpiredNoChange" <%=strErrorMessageRowStyle%> > … </tr>) and paste the following code:

    <!-- Begin: Add Change Password Link -->
    <tr>
    <td align="right"> <a href="password.aspx" title="Change AD User Password">Click here</a> to change your password.
    </td>
    </tr>
    <!-- End: Add Change Password Link -->

  3. Save the changes in the login.aspx file, restart the IIS website, and make sure that a link to the password change page appears on the sign-in page of the RD Web server.

Remote users can now change the expired password on your RDS server without administrator intervention. Note that if you use domain Cached Credentials to log on to your local computer, they will not be updated after you change your Active Directory password via RDWebAccess.


FAQs

How to change expired password via remote desktop web access on Windows server?

You'll need an admin to change it. Before it expires, once you're on the remote desktop session you can always use CTRL+ALT+END to send the CTRL+ALT+DEL to the remote computer and then choose the Change a Password option.

How do I change my password on my remote desktop?

You can change your remote desktop password from Control Panel with this straightforward process:
  1. Step 1: Connect to the Remote Computer. ...
  2. Step 2: Open Control Panel. ...
  3. Step 3: Navigate to User Accounts. ...
  4. Step 4: Change Your Password. ...
  5. Step 5: Enter Current and New Password. ...
  6. Step 6: Save Changes.

How to change Windows password after it has expired?

Windows 11
  1. Select the Reset password link on the sign-in screen. If you use a PIN instead, see PIN sign-in issues. If you are using a work device that is on a network, you may not see an option to reset your password or PIN. ...
  2. Answer your security questions.
  3. Enter a new password.
  4. Sign in as usual with a new password.

How to permit remote users to reset their passwords using remote desktop web access in Windows?

First expand the chevrons until you get to RDWeb, then one more time and click Pages. Next double click “Application Settings” and set the “PasswordChangeEnabled” attribute to True. Restart IIS by opening an elevated PowerShell or CMD console and running IISRESET (add /Force to end sessions immediately).

How to send Ctrl+Alt+Del to remote desktop?

Ensure your active window is the open remote device session (for example by clicking on the remote desktop screen). Press Ctrl+Alt+End simultaneously to send the “Ctrl+Alt+Del” command to the remote session.

Where is the password for remote desktop Connection?

Q: How can I find my RDP password? A: You can find your RDP password by accessing the “User Accounts” settings on your computer. From here, you can locate the “Remote Desktop Password” option and enter your password. If you have forgotten your password, you may need to reset it.

What password do I use to connect to remote desktop?

The email address and password connected to the Microsoft account. Just a note that if you normally use a PIN to log into the machine you're connecting to, you'll need to log in to it with the Microsoft account password at least once.

How to remove saved password from remote desktop Connection?

Remove Cached Credentials From Microsoft Remote Desktop Client
  1. Right-click the RDP file for the terminal server, and select Edit. ...
  2. Select the Advanced tab, and then Settings...
  3. Click delete under the Logon settings section, and then OK.
  4. Click back to the General tab and click the delete option under the username.

What happens when a Windows server password expires?

Any other accounts with an expired password that are members of the Administrators group or any built-in local groups, or that have the "Allow Logon Locally" user right aren't allowed to log on and are forced to change their password at the logon screen before getting access to the console.

What happens if the password expires?

If a password expires, users will remain logged in as long as they are active. Once they become inactive, such as when the device goes to sleep, the user will be locked out of their account and will need to change their expired password to log in.

How do I change the expiration password in Windows Server 2016?

Under Local Group Policy Editor, navigate to Computer Configuration -> Windows Settings -> Security Settings. Now, on the right pane, double click on Password Policy. Lastly, double-click on Maximum password age and Minimum password age to edit password expiration time in the Windows server.

How do I enable Remote Desktop without password?

How to connect using Remote Desktop without a password?
  1. Start the Windows Registry editor (type regedit in the "Start > Run" dialog)
  2. Navigate to: ...
  3. Change LimitBlankPasswordUse to 0 (zero) to enable the use of blank passwords, 1 to prevent blank passwords over the network.

How do I authorize a user for remote login on Windows Server?

Manually grant RDP access to an Active Directory user
  1. Log in to the server.
  2. Right-click the Windows® icon and select System.
  3. Select the remote settings depending on your Windows version: ...
  4. Click on Select Users.
  5. Click Add.
  6. Type the username you wish to add.
  7. Click Check Names. ...
  8. After you add the user, click Apply and OK.

How to remove old credentials from Remote Desktop Connection Manager?

To delete the credentials, the best option is to access Credential Manager and from there under the Windows Credentials section, tap Windows Credentials, click TERMSRV and click Remove link.

How do I reset my Windows Virtual desktop password?

Press Alt + Ctrl + End; it will show you the change password option on your remote desktop. If you are using a remote desktop application, you could use CTRL + ALT + END. Another option is to use the desktop app "On-screen Keyboard" inside your virtual machine and click CTRL + ALT + DELETE together.

Author: Lakeisha Bayer VM
