Lately I’ve been doing some experiments with Active Directory and of course I’m running my lab environment in Azure. It works great, until after 42 days the password of the one and only user account (mine) in the domain expires. Azure only provides remote desktop access to virtual machines, and in a default setup it’s impossible to change the password over RDP once the password has expired.
In all modern incarnations of remote desktop, the user authentication is done during the connection phase. This is called NLA: Network Level Authentication. It means the user name and password are entered in the RDP client, as part of the connection setup. Not like in the old days, where the remote desktop would show up and present the same user name and password prompt as if one were actually sitting at the physical console. In the old days, the remote server could show a password expired message and force a password reset before the logon was accepted. With NLA, that just doesn’t work. So what we need to do is to disable NLA, without logging on to the remote machine.
Disable Client NLA
To disable NLA, we need to do that on both the client and the server. On the client, it’s fairly straightforward, although it can’t be done in the UI.
- Open the remote desktop client, fill in the host name and save the connection settings.
- Open the rdp file in a text editor and add the line
enablecredsspsupport:i:0
at the top.
- Save the file and double click it to open the remote desktop client.
If you try to connect now, you’ll get an error message that the server requires NLA. So to continue, we need to disable that on the server.
Disable Server NLA
Thanks Russel Smith for the details on how to use WMI to do this.
Disabling the NLA requirement on the server is normally just a matter of clearing a checkbox in the system properties. But that won’t work when we’re already locked out of the machine, so we need to reach the machine some other way and change the setting remotely. It turns out that can be done with WMI. When I did this, I used another VM on the same virtual network, but I assume it would also work straight from the Internet if the required ports are opened in the Network Security Group associated with the VM.
From the other VM, run the following commands in a PowerShell window, with the IP address being the internal IP of the server you’re locked out of and DOMAIN\USERNAME being the domain and user name (use the computer name as the domain if the computer is not domain joined).
$wmi = (Get-WmiObject -class Win32_TSGeneralSetting -Namespace root\cimv2\terminalservices -ComputerName 10.0.1.5 -Filter "TerminalName='RDP-tcp'" -Credential DOMAIN\USERNAME)
$wmi
$wmi.SetUserAuthenticationRequired(0)
The second line, $wmi, just prints out the current settings before altering them.
Log on and Change Password
Now you can use the prepared rdp file and log on to the server. Note how there is no password prompt before the RDP session is launched; instead the logon prompt is displayed inside the RDP session. From there, the password reset prompt works.
Clean Up
Finally it’s time to re-enable security. On the client, just delete the created rdp file. On the server, you can do that by going back to the PowerShell window on the other VM:
$wmi.SetUserAuthenticationRequired(1)
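Because a forgotten cleanup step leaves the server accepting unauthenticated RDP connections, it is worth being able to check the setting on all your machines afterwards. The following is an added example, not part of the original post: it reads the same Win32_TSGeneralSetting class through the CIM cmdlets, reports whether NLA is required on each host, and with -Enforce switches it back on and re-reads the value to confirm. The computer names and credential are whatever you pass in; nothing is hard-coded.

```powershell
# Added example: audit (and optionally re-enable) the NLA requirement on RDP-Tcp listeners.
function Test-RdpNla {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [pscredential]$Credential,
        [switch]$Enforce   # set UserAuthenticationRequired back to 1 where it is 0
    )
    foreach ($name in $ComputerName) {
        $session = $null
        try {
            $sessionArgs = @{ ComputerName = $name; ErrorAction = 'Stop' }
            if ($Credential) { $sessionArgs.Credential = $Credential }
            $session = New-CimSession @sessionArgs

            $query = @{
                CimSession  = $session
                Namespace   = 'root/cimv2/TerminalServices'
                ClassName   = 'Win32_TSGeneralSetting'
                Filter      = "TerminalName='RDP-Tcp'"
                ErrorAction = 'Stop'
            }
            $setting = Get-CimInstance @query
            $before  = [int]$setting.UserAuthenticationRequired   # 1 = NLA required, 0 = disabled
            $after   = $before

            if ($Enforce -and $before -ne 1) {
                # Same method the post calls as $wmi.SetUserAuthenticationRequired(1)
                Invoke-CimMethod -CimSession $session -InputObject $setting `
                    -MethodName SetUserAuthenticationRequired `
                    -Arguments @{ UserAuthenticationRequired = [uint32]1 } -ErrorAction Stop | Out-Null
                # Re-read the value instead of trusting the method's return code
                $after = [int](Get-CimInstance @query).UserAuthenticationRequired
            }

            [pscustomobject]@{ ComputerName = $name; NlaRequired = ($after -eq 1)
                               Changed = ($after -ne $before); Error = $null }
        }
        catch {
            [pscustomobject]@{ ComputerName = $name; NlaRequired = $null
                               Changed = $false; Error = $_.Exception.Message }
        }
        finally {
            if ($session) { Remove-CimSession $session }
        }
    }
}

# Usage with constructed host names: report first, then fix anything still open.
# Test-RdpNla -ComputerName 'dc01','app01' -Credential (Get-Credential) | Format-Table
# Test-RdpNla -ComputerName 'dc01' -Credential (Get-Credential) -Enforce
```

A host whose Error column is non-empty could not be queried at all (firewall, WinRM not enabled, or the credential rejected), so its NLA state is unknown rather than good.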
Hi Anders
I do not understand how this would/should work when I’m unable to connect with an expired password?
One thing is NLA, but I’m not able to connect through WMI with an expired password. Or am I missing something?
Thanks
Hénrik
When I tried this, I was able to connect via WMI despite the password being expired.
Or, if you are lucky and have another VM in your domain, you can manually disable NLA from its settings and connect to it via RDP in order to reset your domain user password…
It may be necessary to save and edit the RDP file in order to disable Client NLA as you suggested…
Thanks again for sharing
Many thanks Anders! I just used your method and it worked great! My domain admin account has expired and I couldn’t connect. After following steps you described I managed to change password. Thanks again. Maciej
Lifesaver. Much appreciated. In my case I was able to RDP into another VM that is joined to the Domain. I had to use a non-admin set of credentials for this as that is all that was available. Interestingly, even though my credentials were expired, I was able to use them when permissions needed to be elevated. OS was Server 2016 on both machines.
Legend! (connected to WMI with the password even though expired)
Thanks a lot. You are really a lifesaver here.
Good job.
Hi Anders, When I run the PowerShell command from another computer on the same subnet, it is requiring me to log in to the locked out VM. Since it is locked out, I can’t log on and the command won’t run. Seems to be a catch-22 situation. If I could log on, I wouldn’t need to use WMI to disable NLA so I could use the modified RDP configuration.
When I did this (which is now a few years ago) the idea is that the WMI login worked, even though the account was locked out. The lock-out check didn’t apply to WMI access. That’s how all of this worked.