RDP — Can’t log in unless you change the password???


In something that probably makes sense only to Microsoft, why is it that if I try to do a remote desktop session onto a domain computer and my password has expired, it doesn’t let me change it remotely? I used to be able to with Windows 7 and I believe Server 2012, but it seems that since upgrading to Windows 10, I get a message saying that my password has expired and that I need to log in or ask an administrator for assistance.

Now, if I were actually at a physical computer on the domain, I could log in at that point and change it, but since I work remotely, I always end up having to contact a domain admin to reset and unlock my password before I can remote onto the domain again.

However, if I remote onto a domain computer running Windows 7 using a system account and then RDP onto a computer on that domain, THEN I can change it when I log in.

This is a really annoying change to the login procedure and a definite conundrum considering that the message tells me to change my password but I can’t because it won’t let me over a remote connection.


8 responses to “RDP — Can’t log in unless you change the password???”

  1. evox81

    Can you change the password remotely before it expires? I know it's not an actual solution to the real problem, but could you set yourself a recurring reminder for the future to change the password before it expires?

    • Lauren Glenn

      In reply to evox81:

      Yes, but that's not the point. I have about a dozen systems I have to log into and all have different expiration dates. The fact I have to log in and change each one even though I don't actually have to go into their system that frequently is just cumbersome. Basically, this tells me that if I still used Windows 7, I wouldn't have to go through this as the OS would actually let me change the password when establishing an RDP session. If I just had one system to monitor, I'd have no real issue with doing it.

      • evox81

        In reply to alissa914g:

        For the record, grouchy, I wasn't suggesting that you just suck it up and live with it.  I was simply offering you a workaround to a situation that is undoubtedly frustrating to deal with, based on the information I had available at the time. (I, for example, didn't know you were talking about a dozen systems.)


        I would be frustrated with this scenario as well and I'd submit feedback and voice my concerns in an appropriate forum to ensure I was heard.

        • Lauren Glenn

          In reply to evox81:

          Wow. Resorting to name calling. How professional.


          Obviously that's a solution but not an ideal one.


          It's along the same lines as when I have an IT admin reset my password on the domain and then the domain doesn't let me change the password for 24 hours or it doesn't let me log in from a Windows 10 machine if they have a force password change turned on for my account.


          It's making something that worked fairly decently harder and more difficult for what purpose? I'm trying to understand how this actually benefits someone with something that makes sense to me.


          I have posted this to Microsoft and asked. Still no response. So I asked it here to maybe get some response from people who may know.

  2. TExpatinFL

    Microsoft designed it this way. If you have Exchange/Outlook Web Access, the administrator may have enabled the ability to reset your password when it is expired within that facility.

    • Lauren Glenn

      In reply to TExpatinFL:

      I'm not sure how that applies though. These are domain accounts, not web accounts that use domain credentials to authenticate to the email server. You can change your password IF you're logged in and it's about to expire. But once it expires, you can't RDP onto a machine unless you use a non-Windows 10 system.

  3. jimchamplin

    I think it's designed to keep people from exploiting recently-expired accounts. Imagine a brute-force attack that tries myriad username credentials. If it happens upon one with an expired password, all the malicious actor has to do is then break that password and generate a new one to have fully authentic credentials.

    • Lauren Glenn

      In reply to jimchamplin:

      Yes, except for the fact that you'd have to know the password of the account you were trying to use first. These systems lock out accounts after 3 bad attempts so a brute force attack wouldn't be a factor unless that were the case. It just seems like an example of a bit too much security that only inconveniences normal users. Chances are that if someone has a list of usernames and passwords, it would have one good username and password on that list, where this would be a limited deterrent.
