  1. Go ping yourself... phoeneous's Avatar
    Join Date
    Dec 2008
    Location
    Console.WriteLine("Yo");
    Posts
    2,316

    Certifications
    Pimp status
    #1

    Question SOLVED: Users can't change passwords in win2k8 ts box?

    We only have one win2k8 server in our domain and it is a terminal server. If I set a user's account to require password change after first logon, the user gets a "username or password is incorrect" error if they try to change it from this terminal server. The user has no problem changing their password from an xp workstation. I've checked the common GPOs and I can't see anything that is preventing them from changing passwords while rdp'd in terminal server. Thoughts?
    Last edited by phoeneous; 01-13-2010 at 05:13 PM. Reason: Solved

  3. BOBBY_TABLES RobertKaucher's Avatar
    Join Date
    Dec 2007
    Location
    Lebanon, Ohio - USA
    Posts
    4,274

    Certifications
    MCSD Web Apps/SharePoint Applications, MCITP: DBA 2005/2008, EA, EDA7, Linux+, Sec+, MCSE, MCDST, MCTS
    #2
    Can they change it without being forced to do so?

    If they log on and press ctrl+alt+end are they able to change it that way?

  4. Go ping yourself... phoeneous's Avatar
    #3
    Quote Originally Posted by RobertKaucher View Post
    Can they change it without being forced to do so?

    If they log on and press ctrl+alt+end are they able to change it that way?
    Same error when they try that. And it's only this server too. I checked secpol.msc and didn't see anything out of the ordinary.

  5. BOBBY_TABLES RobertKaucher's Avatar
    #4
    Quote Originally Posted by phoeneous View Post
    Same error when they try that. And it's only this server too. I checked secpol.msc and didn't see anything out of the ordinary.
    Ok, so let me make sure I understand this.

    1. Users can neither change their passwords before completing the login nor after they have completed the login by pressing ctrl+alt+end.

    2. Users are able to change their passwords while logged on to client machines on the LAN.

    Next questions:
    Can users running Vista or 7 change their passwords via TS when attempting to login from a client PC on the LAN?
    Can a domain admin change their password off site using TS?

    What I am trying to get at is that this is probably not GPO related but has to do more with the security enhancements added to RDP.

  6. Go ping yourself... phoeneous's Avatar
    #5
    Quote Originally Posted by RobertKaucher View Post
    Ok, so let me make sure I understand this.

    1. Users can neither change their passwords before completing the login nor after they have completed the login by pressing ctrl+alt+end.

    2. Users are able to change their passwords while logged on to client machines on the LAN.
    Correct.

    Quote Originally Posted by RobertKaucher View Post
    Next questions:
    Can users running Vista or 7 change their passwords via TS when attempting to login from a client PC on the LAN?
    We only have xp users.

    Quote Originally Posted by RobertKaucher View Post
    Can a domain admin change their password off site using TS?
    Haven't tried it yet. I'm the only admin so I'll try it tonight.

    Quote Originally Posted by RobertKaucher View Post
    What I am trying to get at is that this is probably not GPO related but has to do more with the security enhancements added to RDP.
    I've tried multiple versions of the rdp client including 6.17600.

  7. BOBBY_TABLES RobertKaucher's Avatar
    #6
    Quote Originally Posted by phoeneous View Post
    Correct.

    I've tried multiple versions of the rdp client including 6.17600.
    Yes, but if NLA is expected, I do not believe the terminal server will allow you to change the password if it does not get the NLA.

    Can users change their password via RDP if they are connecting to a TS session from a client joined to the domain that is on the LAN? This is what I am really trying to get at.

    EDIT: Ok, I was wrong but I was going the direction.
    http://social.technet.microsoft.com/...0-6d22292830a1
    http://www.webhostingtalk.com/showthread.php?t=711525

    RDC with NLA does not allow you to change your password at logon.
    Last edited by RobertKaucher; 12-24-2009 at 07:12 PM.

  8. Go ping yourself... phoeneous's Avatar
    #7
    Quote Originally Posted by RobertKaucher View Post
    RDC with NLA does not allow you to change your password at logon.
    Got it. I'll look into it after the holiday since the office is closed.

    I also wasn't aware of this:

    in the System Remote Settings dialog, the remote desktop options can be set to allow computers with Remote Desktop that support Network Level Authentication.

  9. Go ping yourself... phoeneous's Avatar
    #8
    Quote Originally Posted by RobertKaucher View Post
    Yes, but if NLA is expected, I do not believe the terminal server will allow you to change the password if it does not get the NLA.

    Can users change their password via RDP if they are connecting to a TS session from a client joined to the domain that is on the LAN? This is what I am really trying to get at.

    EDIT: Ok, I was wrong but I was going the direction.
    New users can't login from outside world if they must change password upon first logging in (other, older users, have no problem
    Windows Server 2008 Logon Process and Some Security Concerns : Hosting Security and Technology : Web Hosting Talk

    RDC with NLA does not allow you to change your password at logon.
    I'm still stumped on this problem. We are not using NLA for the TS. When any user, even domain admins, is prompted to change their password while rdp'd into this win2k8 box it gives the same error of "the username or password are incorrect".

    I checked the remote settings to make sure that "Allow connections from computers running any version of Remote Desktop" is selected. I also verified in TS Configuration that "Allow connections only from computers running Remote Desktop with Network Level Authentication" is unchecked.

    And I just found out that users cannot change passwords when they login from the console... yikes.

    Thoughts?

  10. Go ping yourself... phoeneous's Avatar
    #9
    Ugh...

    The time for this TS box and the DC were off by 3 minutes...

    Problem solved, lesson learned
    Reply With Quote Quote  
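
The cause found in post #9 was a clock offset between the terminal server and the DC (3 minutes there). The following PowerShell script is an added example, not posted by anyone in the thread, that measures that offset with `w32tm /stripchart` and flags it; the DC name is a placeholder and the 60-second threshold is an assumption to adjust.

```powershell
# Added example, not from the thread: measure the clock offset between this
# server and a domain controller and flag it when it exceeds a threshold.
param(
    [string]$DomainController = 'dc01.example.local', # placeholder DC name
    [double]$MaxOffsetSeconds = 60,                   # assumed alert threshold
    [int]$Samples = 3
)

function Get-OffsetSeconds {
    param([string[]]$Lines)
    # Good samples look like "17:10:01, +180.1234567s". Failed samples
    # ("17:10:01, error: 0x800705B4") do not match and are skipped.
    foreach ($line in $Lines) {
        if ($line -match ',\s*([+-]\d+\.\d+)s\s*$') {
            [double]::Parse($Matches[1], [Globalization.CultureInfo]::InvariantCulture)
        }
    }
}

$raw = & w32tm.exe /stripchart "/computer:$DomainController" "/samples:$Samples" /dataonly
$offsets = @(Get-OffsetSeconds -Lines $raw)

if ($offsets.Count -eq 0) {
    Write-Warning "No time samples returned by $DomainController; check that NTP (UDP 123) is reachable."
    exit 2
}

# Use the largest absolute offset seen across the samples.
$worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum

# New-Object is used instead of [pscustomobject] so this also runs on PowerShell 2.0.
New-Object PSObject -Property @{
    Server           = $env:COMPUTERNAME
    DomainController = $DomainController
    WorstOffsetSec   = [math]::Round($worst, 3)
    TimeSource       = (& w32tm.exe /query /source | Out-String).Trim()
    WithinThreshold  = ($worst -le $MaxOffsetSeconds)
}

if ($worst -gt $MaxOffsetSeconds) {
    Write-Warning "Clock differs from $DomainController by $worst s. Fix the time source, then run 'w32tm /resync'."
    exit 1
}
```

The exit code (0 within threshold, 1 offset too large, 2 no samples) lets the check run as a scheduled task or monitoring probe on member servers.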

  11. BOBBY_TABLES RobertKaucher's Avatar
    #10
    You have got to be friggin kidding me!?!?!?

    I have actually had this cause so many issues with TS in the past I am surprised that it did not occur to me as a candidate. But the issue I was faced with I could not log on at all to the TS box. 3 flipping minutes!?!?

  12. Go ping yourself... phoeneous's Avatar
    #11
    Can you believe it?! 3 lousy minutes...
