
June 8, 2023 | Windows Server 2016, Windows Server 2019

How to Change Expired Password via Remote Desktop Web Access on Windows Server

In this article, we’ll show how your remote users can change their expired passwords using a special web form on a Remote Desktop Services (RDS) server with the RD Web Access role on Windows Server 2022/2019/2016/2012 R2.

Contents:
  • Can’t Change Expired Password from a Remote Desktop Session
  • How to Allow Remote User to Reset Expired Password on RDWeb Access Host?
  • Adding Password Change Link to the RD Web Access Login Form

Can’t Change Expired Password from a Remote Desktop Session

In Windows Server 2012 R2 and newer, NLA (Network Level Authentication) is enabled for Remote Desktop connections by default. NLA prevents users from connecting to RDP/RDS hosts if their password has expired, or if the “User must change password at next logon” option is set on their account. You can disable NLA, but this is a bad idea in terms of security. When you try to connect to the RDSH server (Remote Desktop Session Host) under a user account with an expired password, the following error message appears:

An authentication error has occurred.
The Local Security Authority cannot be contacted
Remote computer: lonSrvRDS1
This could be due to an expired password
Please update your password if it has expired.


When NLA is in use, remote RDP users cannot change an expired password if the RDS infrastructure is their only way into the corporate network. Certainly, you can ask users to change their passwords in advance directly in the RDP session, or enable the Interactive logon: Prompt user to change password before expiration GPO option on the RDS hosts (Computer Configuration -> Windows Settings -> Local Policies -> Security Options), but this doesn’t always work because users simply forget.

In Windows Server 2012 R2 and newer, remote users can reset their password (whether current or expired) themselves through a special web page on the server with the Remote Desktop Web Access role. To change the password, the user authenticates via the RD Web Access sign-in page and then changes the password using a dedicated ASPX form.

Note. In Windows Server 2003, domain users could change their expired passwords using a small web application IISADMPWD (though not officially supported).

How to Allow Remote User to Reset Expired Password on RDWeb Access Host?

A remote password change option is available on the server with the Remote Desktop Web Access (RD Web Access) role, but this feature is disabled by default.

If you have an RDS server farm deployed, you can find the server with the RDS-WEB-ACCESS role installed by querying the deployment configuration on the RD Connection Broker host:

Get-RDServer -ConnectionBroker rdcb1.woshub.com | Where-Object {$_.Roles -eq "RDS-WEB-ACCESS"}

The password change form is the password.aspx file located in the C:\Windows\Web\RDWeb\Pages\en-US directory.

If you are using a localized version of Windows Server (without a language pack), the path to password.aspx will differ, for example:

  • C:\Windows\Web\RDWeb\Pages\fr-FR – for the French edition of Windows Server
  • C:\Windows\Web\RDWeb\Pages\de-DE – for the German edition.

To enable the password change option, you need to run the IIS Manager console (inetmgr) on the server with the configured RD Web Access role. Go to [Server Name] –> Sites –> Default Web Site –> RDWeb –> Pages and open the Application Settings section.


In the right pane, find the PasswordChangeEnabled parameter and change its value to true.


Alternatively, set the PasswordChangeEnabled parameter to True directly in the IIS configuration file C:\Windows\Web\RDWeb\Pages\Web.config.

The PasswordChangeEnabled parameter allows Active Directory users to change their expired password through the RD Web Access portal. It does not allow changing the passwords of local users on RDS hosts in a workgroup environment (without a domain).

Restart the IIS web server from the IIS Manager console, or run the command:

iisreset
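The same steps (locate the RD Web Access host, enable PasswordChangeEnabled, confirm Forms authentication, restart IIS and check the page) as one script, added here as an example and not taken from the article. It assumes the WebAdministration and RemoteDesktop modules are available, that it runs on the RD Web Access host, and reuses the broker name rdcb1.woshub.com and the host name lonSrvRDS1 from the article.

```powershell
# Added example (not from the original article). Run on the RD Web Access host
# in an elevated PowerShell session.
Import-Module WebAdministration
Import-Module RemoteDesktop

# 1. Identify the host(s) holding the RD Web Access role in the deployment.
$rdwaHosts = (Get-RDServer -ConnectionBroker 'rdcb1.woshub.com' |
              Where-Object { $_.Roles -contains 'RDS-WEB-ACCESS' }).Server
Write-Host "RD Web Access hosts: $($rdwaHosts -join ', ')"

# 2. Enable PasswordChangeEnabled in RDWeb\Pages\Web.config via the IIS provider
#    (equivalent to editing Application Settings in IIS Manager).
$pagesPath = 'IIS:\Sites\Default Web Site\RDWeb\Pages'
$filter    = "appSettings/add[@key='PasswordChangeEnabled']"
$before = (Get-WebConfigurationProperty -PSPath $pagesPath -Filter $filter -Name value).Value
Write-Host "PasswordChangeEnabled before: $before"
Set-WebConfigurationProperty -PSPath $pagesPath -Filter $filter -Name value -Value 'true'

# 3. password.aspx only works with Forms authentication, so verify rather than assume.
$mode = (Get-WebConfigurationProperty -PSPath $pagesPath `
            -Filter 'system.web/authentication' -Name mode).Value
if ("$mode" -ne 'Forms') {
    Write-Warning "Authentication mode is '$mode'; the password form requires Forms authentication."
}

# 4. Restart IIS and confirm the page answers over HTTPS. The name must match the
#    certificate bound to the site, otherwise the request fails on validation.
iisreset | Out-Null
$url = 'https://lonSrvRDS1/RDWeb/Pages/en-US/password.aspx'
try {
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing
    Write-Host "password.aspx reachable: HTTP $($resp.StatusCode)"
} catch {
    Write-Warning "password.aspx not reachable at ${url}: $($_.Exception.Message)"
}
```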

To check the availability of the password change page, go to the following web page:

https://lonSrvRDS1/RDWeb/Pages/en-US/password.aspx

RD Web Access must have a valid SSL certificate installed; a free Let’s Encrypt certificate can be used in IIS.

Enter the username, the old password, and the new password twice.


After successfully changing the user’s password, the following message should appear:

Your password has been successfully changed.


Click OK and the user will be redirected to the RD Web login page. If the user’s password does not match the domain’s password policy, a warning message will appear:

Your new password does not meet the length, complexity, or history requirements of your domain. Try choosing a different new password.


This password change method works on the Remote Desktop Web Access server only if Forms Authentication is enabled in IIS on the RDWA server. You won’t be able to change the password through the RD Web form if the Windows Authentication method is used.

You can list and change the supported authentication types in the IIS Manager console: select Sites -> Default Web Site -> RDWeb -> Pages, open Authentication in the right pane, and make sure Forms Authentication is enabled.

Now, when a user tries to sign in to the RD Web Access server with an expired password, they are redirected to the password.aspx page and prompted to change their password.

Tip. On Windows Server 2008 R2 with the RD Web Access role, expired passwords can be changed after installing the update KB2648402.

Adding Password Change Link to the RD Web Access Login Form

You can add a link to the password change form directly to the Remote Desktop Web Access sign-in form. This allows users to change their password at any time without waiting until it expires.

Insert a link to the password.aspx file into the RDWeb sign-in page (create a backup copy of the password.aspx file before editing):

  1. On the RDWeb server, find and open the file C:\Windows\Web\RDWeb\Pages\en-US\login.aspx in any text editor (I prefer Notepad++);
  2. Go to line 429 (in Windows Server 2022, it is located after the following HTML block: <tr id="trPasswordExpiredNoChange" <%=strErrorMessageRowStyle%> > … </tr>) and paste the following code:
     <!-- Begin: Add Change Password Link -->
     <tr>
     <td align="right"> <a href="password.aspx" title="Change AD User Password">Click here </a>to change your password.
     </td>
     </tr>
     <!-- End: Add Change Password Link -->
  3. Save the changes in login.aspx, restart the IIS website, and make sure that a link to the password change page appears on the sign-in page of the RD Web server.
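Because the line number differs between Windows Server versions (the comments below report 583 and 538 for older builds), the following added example, which is not part of the article, backs up login.aspx and inserts the same HTML block after the closing </tr> of the trPasswordExpiredNoChange row rather than at a fixed line. It assumes the en-US page path from the article and that the script runs with rights to write under C:\Windows\Web.

```powershell
# Added example (not from the original article): anchor the change-password link on the
# trPasswordExpiredNoChange row so the edit works regardless of the file's line numbering.
$loginPage = 'C:\Windows\Web\RDWeb\Pages\en-US\login.aspx'
$backup    = "$loginPage.$(Get-Date -Format yyyyMMdd-HHmmss).bak"
$marker    = '<!-- Begin: Add Change Password Link -->'
$snippet   = @"
$marker
<tr>
<td align="right"> <a href="password.aspx" title="Change AD User Password">Click here </a>to change your password.
</td>
</tr>
<!-- End: Add Change Password Link -->
"@

$html = Get-Content -Path $loginPage -Raw
if ($html.Contains($marker)) {
    Write-Host 'Change-password link is already present; nothing to do.'
    return
}

# Locate the expired-password row and the </tr> that closes it.
$rowStart = $html.IndexOf('<tr id="trPasswordExpiredNoChange"')
if ($rowStart -lt 0) { throw 'trPasswordExpiredNoChange row not found; check the page version.' }
$rowEnd = $html.IndexOf('</tr>', $rowStart)
if ($rowEnd -lt 0) { throw 'Closing </tr> not found after trPasswordExpiredNoChange.' }
$insertAt = $rowEnd + '</tr>'.Length

# Keep a timestamped copy before touching the original file.
Copy-Item -Path $loginPage -Destination $backup
$patched = $html.Substring(0, $insertAt) + "`r`n" + $snippet + $html.Substring($insertAt)
Set-Content -Path $loginPage -Value $patched -Encoding UTF8 -NoNewline
Write-Host "login.aspx patched; backup saved to $backup"

# The site must be restarted for the modified page to be served.
iisreset | Out-Null
```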

Remote users can now change an expired password on your RDS server without administrator intervention. Note that if you log on to your local computer with cached domain credentials, they will not be updated after you change your Active Directory password via RD Web Access.


14 comments

Nishant September 11, 2015 - 4:04 pm

Thank you so much for the guide; however, in step two you mentioned going to line 583, yet the image shows line 538.
Eber Perez September 3, 2019 - 7:42 pm

Genius!
Josue September 13, 2019 - 5:20 pm

Do you know if this can be implemented with the on-premises option of Azure Password Protection? I would like to be able to use this and have dictionary/blacklist verification as well.
TrixM August 18, 2020 - 12:17 pm

Yes, it’s simply performing a password change in AD, so if AD accepts the new pword based on whatever policies (including Azure PP), then it works fine.
K April 27, 2020 - 4:14 pm

“Go to line 583” is wrong; it is 538.
Scott April 28, 2020 - 4:46 pm

I’ve added the above text to line 538 and have restarted the IIS server that is running on my Windows Server 2016 RDWEB server, and the change password option is not showing up. Any thought on what I’m doing wrong? Thanks.
Frank May 14, 2020 - 3:49 am

How do I restrict this password reset to a certain number of users and not all? Also, is there a way to restrict based on the OU?

admin May 15, 2020 - 6:14 am

I’m not sure, but you can try changing the NTFS permissions on the password.aspx file: remove read access for all users and grant read/execute permissions to the “allow reset password rdwa users” group.
Levd September 21, 2020 - 3:36 pm

For me it’s not working. Any idea if this should work when the RD deployment is in another domain than the users are? Any idea if the domain functional level should be the same? TechNet does not have the answer.
Hamed May 11, 2021 - 10:02 am

Hi,
Thank you for the guide. I have a question: can I have a log file of who changed their password? It’s vital for me.
elias Idris May 17, 2021 - 8:33 am

Hi,
Thank you very much for such a nice guide. What about the cached password on a Windows 10 device for a remote worker? How do we update that? Thanks.
Ben May 30, 2021 - 7:53 pm

This doesn’t seem to work on Server 2019 and local (i.e. non-AD) standalone users.
survietamine October 15, 2021 - 2:20 pm

Yes, I agree with Ben; I failed to set this up on Windows 2019 standalone (no AD).
Brandyn December 21, 2022 - 11:18 pm

My experience is that the RDWeb password change form only works if the domain user’s password has expired or the “User must change password at next logon” flag is set. Has anyone experienced the same? I don’t know if it is the nature of RDWeb or the domain that restricts users from resetting a healthy password in this manner. Anyone know how to make the password change available at all times? Thanks.
