Windows 2008 Terminal Server "user must change password at next logon" problem with Windows 7 client.

Hi,
I have a fully patched Windows 2008 SP2 Terminal Server and a fully patched Windows 7 client.
I have logged into the Windows 2008 SP2 Terminal Server with a test account via RDC before.
When I try to log in via RDC to the 2008 TS with a test account which has been marked with the setting "User must change password at next logon" I get the RDC message "You must change your password before logging on the first time. For assistance, contact your system administrator or technical support." I need to force the user to change their password once it has been issued; any ideas on how this can be done?
Thanks,
Dan

This does not resolve my issue all the way. I'm having the same problem; when I'm "deploying" users, I always want the users to set their own passwords. OK, so I then set the auth mode to "RDP Security Layer". It seemed to work fine, and it does for that special purpose.
Just like Daniel, my clients are connecting to our terminal server from several different "customer domains", so they can't log on locally (on their local computer) and change their password; it has to be done THROUGH the terminal server.
But if I turn on RDP Security Layer, users can't use RemoteApp through TS Gateway; they only get: "Your Remote Desktop Connection failed because the remote computer cannot be authenticated". Any ideas?
Also, our terminal servers are round-robin based in a farm. So users connect to tsfarm.domain.com (yes, a public A record which resolves to two internal addresses). This is because we're using a wildcard *.domain.com SSL certificate.
But when I'm using this, our clients sometimes get double auth when they log in. I only get the double auth when tsfarm.domain.com resolves to server A, but the session broker wants the user to be on server B (load balancing).
This does not occur when SSL is enforced. Any ideas?

Similar Messages

  • Exchange 2013 OWA user must change password at next logon not working

    Hi,
    I have installed Exchange 2013 on Windows 2012 Server. I create users in ECP and select the "user must change password at next logon" option. When a newly created user logs in, the OWA page doesn't prompt for a password change and just throws the error "The user name or password you entered isn't correct. Try entering it again".
    I have enabled the Change Password feature on the CAS server, but it is still not working.
    Any answers or suggestions would be a great help.
    Regards
    Sunil

    Hi Sunil,
    Have you tried as Martina said and does it work?
    If not, please try to set the Minimum Password Age to 1 according to link below. I found some threads which are similar to yours and were solved by this way in Exchange 2013 environment.
    http://support.microsoft.com/kb/827614
    And for further troubleshooting, please create a new user with the "user must change password at next logon" option checked and see if he can log on to a domain-joined PC.
    In addition, please check the event log to see if there is any related error message.
    Regards,
    Rebecca

  • OIM AD Integration - 'User must change password at next logon'

    Hi,
    These are the issues in OIM AD integration that we are stuck up on:
    Issue:
    1. When OIM Admin resets the password for User1 in OIM, the password is propagated to AD but the ‘User must change password at next logon’ attribute is not updated in AD. As a result, if the User1 logs into AD account (i.e. computer), there is no prompt to change the password.
    2. When AD Admin resets the password for User1 in AD and checks the ‘User must change password at next logon’ flag, the password is propagated to OIM but the ‘obpasswordchangeflag’ attribute (of oblixPersonPwdPolicy class) is not updated in OID. As a result, if the User1 logs into OIM account, there is no prompt to change the password.
    Research:
    1. For case 1 above: When OIM Admin resets the password for User1, the ‘User must change password at next logon’ attribute on the AD process form itself is not getting updated. So the AD Connector doesn’t propagate the attribute to AD.
    2. For case 2 above: When the AD Admin resets the password for User1 in AD, the AD Password Sync connector only sends the password to OIM and not other attribute. So, there is no way to fetch the ‘User must change password at next logon’ attribute and then copy it into ‘obpasswordchangeflag’ attribute in OID.
    Environment Details:
    1. OIM-OAM-OAAM 11.1.1.5 BP02 integrated using OVD-OID 11.1.1.5
    2. AD on WIN 2008 R2.
    3. OIM AD Connector 9.1.1.7.2
    4. AD Password Sync Connector 9.1.1.5
    Any help would be highly appreciated!
    Thanks,
    Kulesh...

    Thanks for your reply again.
    I did not get you completely here. Can you please elaborate on the "process task on the AD Process which passes along the USR_PWD_MUST_CHANGE and immediately sets it to 0 this should work". How many total additional tasks would be needed here?
    what all targets are you provisioning the password to?
    - AD and OID (through LDAPSYNC)
    where are end users allowed to change their passwords on (OIM,AD....??)
    - Both OIM and AD.
    Where can admins change the passwords?
    - Currently they use ARS for such purposes but this is something we need to clearly define. The thing is, they use ARS for a whole lot of purposes and we can't dictate/restrict them to use OIM only for password resets. So they may use ARS or OIM.
    What do you suggest?
    Edited by: Kulesh Kane on Nov 8, 2012 11:43 AM

  • "user must change password at next logon" flag for multiple users

    2008 R2 domain with a couple of 2012 R2 DCs.
    john.user is in the Users OU. If I right-click john.user, choose Properties, go to the Account tab, and check "user must change password at next logon," the next time john.user tries to log in, he gets prompted to change his password. Also the PowerShell command
    get-aduser -filter * -Properties * | ? name -like "*john.user*" | select name,pwdlastset
    shows that john.user's pwdlastset is 0. All of this is as expected.
    But if I highlight every account in the Users OU, right-click, Properties, Account, "user must change password at next logon," it appears that nothing whatsoever happens. john.user doesn't get prompted to change his password at his next logon, and his pwdlastset is something like 130622757432306111.
    Is this the expected behavior? Why are the Account tab and/or the "change password at next logon" box available to me when selecting multiple users if they aren't meant to work?

    ah. thank you sir. *two* checkboxes. *two.* of course.
    I had enough OUs under my Users OU that I just used powershell to catch them all at once:
    # Enabled accounts under the Users OU (and its sub-OUs), skipping the service accounts OU
    $enabledusers = get-aduser -filter * -SearchBase "ou=users,dc=domain,dc=local" -Properties distinguishedname,pwdlastset |
        where {$_.enabled -eq "true" -and $_.distinguishedname -notlike "*ou=service accounts*"}
    foreach($enableduser in $enabledusers) {
        # pwdlastset = 0 is what the "user must change password at next logon" checkbox sets
        $enableduser.pwdlastset = 0
        Set-ADUser -instance $enableduser
    }
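    An added audit script (not from either poster) that ties this thread to the first one on the page: it lists the enabled accounts currently carrying the "must change password at next logon" flag (pwdLastSet = 0) in an OU and reads the RDP-Tcp listener settings of a terminal server, so an admin can see in advance which of those accounts will be refused by Network Level Authentication. It assumes the RSAT ActiveDirectory module, WMI access to the server, and placeholder values for the OU path and server name.

```powershell
# Added example, not part of the original threads. Assumes the ActiveDirectory
# module and WMI (DCOM) access to the terminal server; OU and server are placeholders.
param(
    [string]$SearchBase     = "OU=Users,DC=domain,DC=local",  # placeholder OU (assumption)
    [string]$TerminalServer = "TS01"                          # placeholder farm member (assumption)
)
Import-Module ActiveDirectory

# In AD the "User must change password at next logon" checkbox is nothing more than
# pwdLastSet = 0, so the flag can be matched exactly with an LDAP filter.
$flagged = Get-ADUser -LDAPFilter "(pwdLastSet=0)" -SearchBase $SearchBase -Properties pwdLastSet |
    Where-Object { $_.Enabled }

# Read the RDP-Tcp listener configuration from the terminal server.
# SecurityLayer: 0 = RDP Security Layer, 1 = Negotiate, 2 = SSL (TLS)
# UserAuthenticationRequired: 1 = Network Level Authentication (CredSSP) enforced
$rdp = Get-WmiObject -ComputerName $TerminalServer -Namespace 'root\cimv2\TerminalServices' `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

$layerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }
$layer = $layerNames[[int]$rdp.SecurityLayer]
$nla   = ([int]$rdp.UserAuthenticationRequired -eq 1)

Write-Host ("{0}: SecurityLayer={1}; NLA enforced={2}" -f $TerminalServer, $layer, $nla)

# With NLA, CredSSP validates the credentials before any logon screen exists, so an account
# that must change its password is rejected with "You must change your password before
# logging on the first time". Report each flagged account and whether it is affected.
foreach ($u in $flagged) {
    [pscustomobject]@{
        User          = $u.SamAccountName
        MustChangePwd = $true
        BlockedByNLA  = $nla
        Action        = if ($nla) { 'Have the user change the password via another path first' }
                        else      { 'Will be prompted at RDP logon' }
    }
}
```

    Run it against each farm member: the settings are per listener, so a round-robin farm with one NLA-enforcing server will intermittently reject the same flagged user.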

  • User must change password at next logon?

    Hello,
    We have an XMII / LDAP connection to AD (both read and write). But whenever we set a user in our AD to change password at next logon, they get blocked from logging into xMII.
    The funny part about this is if we do the following:
    1: User logs into xMII
    2: Administrator on the AD controller sets the flag "User must change password on next logon"
    3: User selects Logout.
    Now the user gets prompted to change his/her password.
    Any way to fix this?

    Well, we have some clients that don't use the same login for MII and for their workstation.
    Basically I want that whenever I set the flag "User must change password at next logon" in AD, MII sees that and makes the user change his or her password in the portal.

  • Network account - Having "user must change password at next logon" checked - does not allow user to login

    Hi,
    We have several SharePoint 2013 sites where, when the option called "User must change password at next logon" is checked on a user's Active Directory account, the user is not allowed to log in to the SharePoint site. Is this something that needs to be changed on the SharePoint end to resolve?
    thanks,
    Sherazad.

    You need to look at a different solution that allows this, e.g. a home-grown solution, 3rd party, and I believe Forefront Identity Manager can also accomplish this task. There are quite a few self-service password management solutions out there. Search on that term, and you should be able to find something that works for you.
    Trevor Seward

  • TMG 2010 publishing Exchange 2010 OWA cannot change password if user must change password at first logon is set

    Hi,
     I have an odd issue whereby if I set "user must change password" on an AD account, the end user cannot logon, they're simply taken back to the OWA login page as if their password is incorrect.
    My setup is as follows:
    outer TMG -- uses a listener for email.contoso.com and is configured for no authentication.This uses a publishing rule to publish the inner TMG server. This server is not a domain member.
    inner TMG - uses a listener for email.contoso.com and is configured for NTLM\Kerberos negotiation with forms authentication (Windows Active Directory). This server is a domain member and uses a publishing rule to publish the internal CAS. "Allow users to change password" is selected in the publishing rules.
    Exchange 2010 SP1 - uses integrated windows and basic authentication. Has the appropriate registry key configured to allow users to change their AD password on first logon.
    I've registered an SPN for "http/email.contoso.com mailserver-dc1", all SSL certificates being used are valid and my configuration used to allow users to login and change their password with "user must change password on first login" set in AD.
    If I launch a web browser on an internal server and point it to email.contoso.com I'm immediately presented with a generic Windows authentication request (similar to what's seen in ADFS) rather than the standard OWA page. No matter what I do, I cannot login and change my password using the correct URL. However if I point my browser at http://192.168.4.10/owa I'm prompted to login and I can change my password using the same credentials.
    The only recent changes made are:
    - Disabling SSL 3.0 and enabling TLS  (http://www.isaserver.org/articles-tutorials/configuration-security/improving-ssl-security-forefront-threat-management-gateway-tmg-2010-published-web-sites.html)
    - Replacing the TMG listener certificates so that they now use SHA2 rather than SHA1 (certificates are trusted on each TMG server)
    Looking on the outer TMG and the DC logs I can see schannel errors which I believe are related to the problem. TMG monitoring also shows "Failed connection attempt: 1907 The user's password must be changed before logging on for the first time"
    I've checked that my inner TMG and DC are using the same certificate for server authentication and gone through this guide:
    http://blogs.technet.com/b/keithab/archive/2012/02/29/setting-up-and-troubleshooting-ldaps-authentication-in-forefront-tmg-2010.aspx
    If I try to use ldp.exe on the inner TMG, I get the error in the pic below
    Thanks
    IT Support/Everything

    Hi,
    You could try to analyze the TMG tracing and try the troubleshoot steps in the blog below.
    TMG 2010 – FBA, troubleshooting the change password feature 
    http://blogs.technet.com/b/isablog/archive/2012/05/07/tmg-2010-fba-troubleshooting-the-change-password-feature.aspx
    Best Regards,
    Joyce

  • Reconciliation of "change password on next logon" from AD fails in OIM 11g

    Hello,
    We have a use case on our OIM 11g project where we create a user in Active Directory and check *"User must change password at next logon"* box in AD.
    We have setup AD as Trusted and Target resource (using connector 9.1.1.7), where users coming from AD will be created in OIM and password changes in OIM will be sent to AD. Also we use the password synchronization module (9.1.1.5) to synchronize the passwords from AD to OIM when they are changed in AD.
    What we noticed is the "User must change password at next logon" is synchronized to the "AD Resource", but unlike the regular attributes it is not accessible normally because it's a system attribute.
    What we expect is the user logging in to OIM will be prompted to change the password, but nothing happens when the newly reconciled user logs in (i.e. normal self-service page is shown). Same thing applies when we set the flag on an existing user also.
    Did anyone get this working properly?
    P.S. In a previous version it used to be the opposite, where the user was constantly prompted for the password even though it was changed in AD already; after changing the password using Ctrl+Alt+Delete the user was still prompted to change when logging in to OIM. Oracle suggested we upgrade to 11.1.1.5.1 (most recent patch set) but now the reverse happens: we never get the change password prompt now.
    Thanks,
    -JP
    Edited by: JacekP on Oct 17, 2011 8:10 AM

    Yeah, you're right, unfortunately we have a dual authoritative password model, where a user can change the password from OIM when he is accessing OIM through a web interface or from his Windows machine through the domain controller. We need the use case to work fully both ways ideally.
    A plan-B solution is to use a directory synchronization mechanism outside of OIM that would connect OID and AD, but we would prefer not to.

  • Acrobat 9 Reader with Windows 2008 Terminal Server

    I am setting up a Windows 2008 Terminal Server and I need to have Adobe Acrobat Reader installed. I downloaded and installed the Vista version and it worked from the console, but when I try to access it via a terminal server session the application just crashes. If I try and run it as administrator in the same terminal server session it launches fine.
    Any suggestions?
    Jason
    p.s The associated event log error is:
    Log Name:      Application
    Source:        Application Error
    Date:          7/31/2008 1:17:57 PM
    Event ID:      1000
    Task Category: (100)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      Comet.invera.com
    Description:
    Faulting application AcroRd32.exe, version 9.0.0.332, time stamp 0x4850f0a3, faulting module Annots.api, version 9.0.0.332, time stamp 0x4850e57f, exception code 0xc0000005, fault offset 0x001bd9e0, process id 0x1458, application start time 0x01c8f3316002e3b7.

    Jason...
    Make certain that you had the server in "TS-Install" mode when you installed Acrobat. It is in your Control Panel. I have pasted the MS help file below.
    Install Programs on a Terminal Server
    You should install the Terminal Server role service on the computer before you install any programs that you want to make available to users. If you install the Terminal Server role service on a computer that already has programs installed, some of the existing programs may not work correctly in a multiple user environment. Uninstalling and then reinstalling the affected programs may resolve these issues.
    To ensure that an application is installed correctly to work in a multiple user environment, you must put the terminal server into a special installation mode before you install the application on the terminal server. This special installation mode ensures that the correct registry entries and .ini files that are needed to support running the application in a multiple user environment are created during the installation process.
    You can put a terminal server into this special installation mode by using either of the following:
    Install Application on Terminal Server tool under Programs in Control Panel. This tool will run a wizard to help install the application.
    Change user /install command at a command prompt. You will have to start the installation of the application manually.
    After the application is installed, you must put the terminal server into execution mode before remote users begin using the application. The Install Application on Terminal Server tool will automatically put the terminal server into execution mode when it is finished running. To put the terminal server into execution mode from a command prompt, use the change user /execute command.
    Additional considerations
    Some programs may require minor setup modifications to run correctly on a terminal server.
    If you have programs that are related to each other or have dependencies on each other, you should install the programs on the same terminal server. For example, you should install Microsoft Office as a suite on the same terminal server instead of installing individual Office programs on separate terminal servers.
    You should consider installing individual programs on separate terminal servers in the following circumstances:
    The program has compatibility issues that may affect other programs.
    A single program and the number of associated users may fill server capacity.
    For more information about the change user command-line tool, see the Terminal Services Command Reference (http://go.microsoft.com/fwlink/?LinkId=89674).
    For more information about deploying programs on a terminal server, see the Terminal Server page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?LinkId=79608).

  • User must change password after reset?

    I am looking at the password policy settings and am wondering what "User must change password after reset" actually does. I turned it on. I tried changing some passwords in an LDAP client and didn't get any messages or errors after authn again. And I didn't see a special attribute in the person's entry. Any clues?

    When the flag is enabled and the password is changed by "cn=directory manager", the next time the user authenticates, the server returns the Password Expired Control (with a Success code) and all requests other than a modify of userPassword are rejected.

  • Windows 2008 Terminal Server issue after swapping modem/router

    Hi, I have a problem I just can't crack.
    Windows 2008 Terminal Server, all patched and up to date. The IP Address is 192.168.1.11 (on a teamed intel controller). Terminal services enabled and working ok.
    TP-Link Modem 192.168.1.1, RDP Port forwarded ok.
    Set the Windows gateway to 192.168.1.1 and external access to RDP is not a problem.
    We had some modem speed issues, so we got a much faster connection, but it can't be used for incoming RDP, so left the TP-Link in place. So added a 3G modem at 192.168.1.5 and set that as the gateway.
    External RDP access still works perfectly, and now users have much faster internet.
    The TP-Link is giving some reliability issues, so I swapped it over for another modem, a Billion modem. Same 192.168.1.1 IP address, same port forwarding. External RDP access is no longer possible.
    Swap back to the TP-Link and everything is fine. Test the modem on another site, everything works as expected.
    If I set the gateway on the terminal server to 192.168.1.1 with the Billion attached then external RDP access is no problem. If I set it to 192.168.1.5 then it stops working again.
    I tried with a new TP-Link modem of the same model with exactly the same settings and this also had the same problem. External RDP access will only work with the existing TP-Link modem, which is a problem as the modem appears to be faulty.
    It's almost like it hasn't worked out that it's a new network, and when Windows does that it seems to lock down RDP. That is only my assumption from experience of moving computers to new networks, where RDP won't work until Windows prompts you with the new network screen to select home, office or public.
    Has anyone experienced anything like this before or can shed some light on the problem?
    Thanks.

    Hi,
    How is the issue going now? Is there any update?
    Thanks.
    Jeremy Wu
    TechNet Community Support

  • Number of days before user must change password.

    Hi,
    I understand how this Essbase server setting works:
    Essbase Server Properties - Security Tab
    "Number of days before user must change password"
    But my question is:
    Does anyone know how "to mark" a certain group of users (mainly system admin accounts) so that this setting will not force periodical password changes for "marked" users?
    Any ideas ?
    Br, ripasso

    There are a couple of things you could do to circumnavigate this all or nothing option.
    You could write a maxl statement that would update the user profile to force the user to change their password e.g.
    alter user Fiona set password_reset_days immediate;
    I would write a program using the API that lists all users in the group and then dynamically create the maxl script that uses the statement above.
    If you cannot use the API then I guess you could do a MaxL-only solution (using the display user command) and do some text file manipulation in Perl (or another scripting language).
    There are probably more solutions/ideas out there.

  • Add Windows 2008 Terminal Server to RWW/RWA

    I would like to add our Windows 2008 Terminal Server (not R2) to RWW in Windows 2012 R2 Essentials. The connect computer wizard did not work on the Windows 2008 server, returning a Win32 error.
    How do I add the 2008 TS to the devices listing in RWW without using the connector wizard (as it does not work)? The Windows 2008 server has been joined to the same domain manually.

    You can't add it as a tile device in the way you could in SBS 2011 Standard.
    You can create an RDP file, and save that so it is accessible via the RWA then add a link to the RWA to that file.
    You may need to tweak IIS to allow .rdp files.
    Robert Pearman SBS MVP

  • Windows 2008 Terminal Server, Acrobat 7, 9

    Hello,
    I have Acrobat 7 installed on a Windows 2008 terminal server.  Anyone with a terminal session that has Acrobat 7 installed on the local workstation is able to create Acrobat documents.  Why is it that anyone with a  terminal session that has Acrobat 9 installed on the workstation is not able to create Acrobat documents?
    Thank you,
    techctzn808

    I replied to your other message
    http://forums.adobe.com/thread/536492?tstart=0

  • Create a user through the API and "Prompt user to change password after next login".

    Using the Adobe Connect Interface, I can create a user and check the checkbox to "Prompt user to change password after next login".
    Can I achieve the same result using the API? The principal-update action doesn't offer such an option and, as far as I can tell, there isn't another action to do so either.
    Thank you.

    You can achieve it as part of your application functionality, but not as a configuration option on WLS.
