Users can't change passwords in win2k8 ts box?

phoeneous Member Posts: 2,333
We only have one win2k8 server in our domain and it is a terminal server. If I set a user's account to require password change after first logon, the user gets a "username or password is incorrect" error if they try to change it from this terminal server. The user has no problem changing their password from an xp workstation. I've checked the common GPOs and I can't see anything that is preventing them from changing passwords while rdp'd in terminal server. Thoughts?

Comments

  • RobertKaucher Member Posts: 4,299
    Can they change it without being forced to do so?

    If they log on and press ctrl+alt+end are they able to change it that way?
  • phoeneous Member Posts: 2,333
    Can they change it without being forced to do so?

    If they log on and press ctrl+alt+end are they able to change it that way?

    Same error when they try that. And it's only this server too. I checked secpol.msc and didn't see anything out of the ordinary.
  • RobertKaucher Member Posts: 4,299
    phoeneous wrote: »
    Same error when they try that. And it's only this server too. I checked secpol.msc and didn't see anything out of the ordinary.
    Ok, so let me make sure I understand this.

    1. Users can neither change their passwords before completing the login nor after they have completed the login by pressing ctrl+alt+end.

    2. Users are able to change their passwords while logged on to client machines on the LAN.

    Next questions:
    Can users running Vista or 7 change their passwords via TS when attempting to login from a client PC on the LAN?
    Can a domain admin change their password off site using TS?

    What I am trying to get at is that this is probably not GPO related but has to do more with the security enhancements added to RDP.
  • phoeneous Member Posts: 2,333
    Ok, so let me make sure I understand this.

    1. Users can neither change their passwords before completing the login nor after they have completed the login by pressing ctrl+alt+end.

    2. Users are able to change their passwords while logged on to client machines on the LAN.

    Correct.
    Next questions:
    Can users running Vista or 7 change their passwords via TS when attempting to login from a client PC on the LAN?

    We only have xp users.
    Can a domain admin change their password off site using TS?

    Haven't tried it yet. I'm the only admin so I'll try it tonight.
    What I am trying to get at is that this is probably not GPO related but has to do more with the security enhancements added to RDP.

    I've tried multiple versions of the rdp client including 6.17600.
  • RobertKaucher Member Posts: 4,299
    phoeneous wrote: »
    Correct.

    I've tried multiple versions of the rdp client including 6.17600.

    Yes, but if NLA is expected, I do not believe the terminal server will allow you to change the password if it does not get the NLA.

    Can users change their password via RDP if they are connecting to a TS session from a client joined to the domain that is on the LAN? This is what I am really trying to get at.

    EDIT: Ok, I was wrong but I was going the direction.
    http://social.technet.microsoft.com/forums/en-US/winserverTS/thread/93a51be2-b999-4efb-b110-6d22292830a1
    http://www.webhostingtalk.com/showthread.php?t=711525

    RDC with NLA does not allow you to change your password at logon.
  • phoeneous Member Posts: 2,333
    RDC with NLA does not allow you to change your password at logon.

    Got it. I'll look into it after the holiday since the office is closed.

    I also wasn't aware of this:
    in the System Remote Settings dialog, the remote desktop options can be set to allow computers with Remote Desktop that support Network Level Authentication.
  • phoeneous Member Posts: 2,333
    Yes, but if NLA is expected, I do not believe the terminal server will allow you to change the password if it does not get the NLA.

    Can users change their password via RDP if they are connecting to a TS session from a client joined to the domain that is on the LAN? This is what I am really trying to get at.

    EDIT: Ok, I was wrong but I was going the direction.
    New users can't login from outside world if they must change password upon first logging in (other, older users, have no problem
    Windows Server 2008 Logon Process and Some Security Concerns : Hosting Security and Technology : Web Hosting Talk

    RDC with NLA does not allow you to change your password at logon.

    I'm still stumped on this problem. We are not using NLA for the TS. When any user, even domain admins, is prompted to change their password while rdp'd into this win2k8 box it gives the same error of "the username or password are incorrect".

    I check the remote settings to make sure that "Allow connections from computers running any version of Remote Desktop" is selected. I also verified in TS Configuration that "Allow connections only from computers running Remote Desktop with Network Level Authentication" is unchecked.

    And I just found out that users cannot change passwords when they login from the console... yikes.

    Thoughts?
  • phoeneous Member Posts: 2,333
    Ugh...

    The time for this TS box and the DC were off by 3 minutes...

    Problem solved, lesson learned :)
  • RobertKaucher Member Posts: 4,299
    You have got to be friggin kidding me!?!?!?

    I have actually had this cause so many issues with TS in the past I am surprised that it did not occur to me as a candidate. But the issue I was faced with I could not log on at all to the TS box. 3 flipping minutes!?!?
  • phoeneous Member Posts: 2,333
    Can you believe it?! 3 lousy minutes...
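
The fix in this thread was a clock offset between the terminal server and the DC. The script below is an added example, not code from the thread: it measures that offset with `w32tm` and flags it when it exceeds a threshold. The `-WarnSeconds` default, the use of `%LOGONSERVER%` to pick the DC, and the helper name `Get-OffsetSeconds` are assumptions made for the example.

```powershell
# Added example: compare this server's clock with a domain controller.
# Run on the terminal server; works with the w32tm shipped in Windows Server 2008.
param(
    # Assumption: the DC that authenticated this session is the one to compare against.
    [string]$DomainController = $env:LOGONSERVER.TrimStart('\'),
    [int]$Samples = 3,
    # Assumed alert threshold. The server in the thread was about 180 s off.
    [double]$WarnSeconds = 60
)

# Hypothetical helper: pull the signed offsets out of "w32tm /stripchart /dataonly"
# lines, which look like "10:00:02, -180.1234567s". Error lines are skipped.
function Get-OffsetSeconds {
    param([string[]]$StripchartLines)
    $inv = [System.Globalization.CultureInfo]::InvariantCulture
    foreach ($line in $StripchartLines) {
        if ($line -match ',\s*([+-]\d+\.\d+)s\s*$') {
            [double]::Parse($Matches[1], $inv)
        }
    }
}

$raw = & w32tm /stripchart "/computer:$DomainController" "/samples:$Samples" /dataonly
$offsets = @(Get-OffsetSeconds $raw)
if ($offsets.Count -eq 0) {
    Write-Warning "No time samples from $DomainController (NTP blocked or wrong name?)"
    $raw          # show what w32tm actually returned
    exit 2
}

$worst = ($offsets | ForEach-Object { [math]::Abs($_) } |
          Measure-Object -Maximum).Maximum
"Offset vs {0}: {1:N1} s (worst of {2} samples)" -f $DomainController, $worst, $offsets.Count
"Configured time source: " + (& w32tm /query /source)

if ($worst -gt $WarnSeconds) {
    Write-Warning "Clock skew exceeds $WarnSeconds s. To resync from the domain hierarchy:"
    "  w32tm /config /syncfromflags:domhier /update"
    "  w32tm /resync /rediscover"
    exit 1
}
```

A "Configured time source" of `Local CMOS Clock` or `Free-running System Clock` on a domain member means it is not following the domain hierarchy, which is how this kind of drift builds up unnoticed.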