Forced password change at next logon and RDP

If your AD account has the “User must change password at next logon” option enabled:


and you try to log on to an RDP session (with correct credentials):


you might encounter this error message:

“You must change your password before logging on the first time. Please update your password or contact your system administrator or technical support.”

This is a classic catch-22: you have to log on to change your password, but you cannot log on until you have changed your password.

If you have access to a “normal” network connected Windows client you can change the password that way, but what if you only have RDP access?

Client side

Well, if the server allows it, you can temporarily disable Credential Security Support Provider (CredSSP) in the RDP client. CredSSP is what Network Level Authentication (NLA) uses to validate your credentials before the RDP session is set up; with the must-change flag set, that pre-session check fails and you never reach the remote logon screen where the password could be changed. Without CredSSP the session is established first and you authenticate in the remote computer's Winlogon, which does offer a password change. CredSSP is enabled by default in the RDP client on Windows Vista and later.

There is no option for this in the RDP client's user interface, so here is how you have to do it:

  • Start mstsc.exe
  • Click Show Options
  • Click Save As


  • Call it ChangePassword.rdp (or anything you’d like, but avoid the name Default.rdp)
  • Open the saved ChangePassword.rdp in Notepad
  • Add a new row at the end with the following text:


  • Save the rdp file
  • Double-click the rdp file
  • Enter the name/IP of a domain connected computer with RDP enabled

Instead of the local Windows Security credential prompt you should see a Windows logon screen on the remote computer (if not, read on anyway):


If the account you log on with at this point has the “User must change password at next logon” option enabled, you get notified about that:


By clicking OK you get the possibility to change the password (yay!):


After changing the password you get confirmation about the change:


Clicking OK logs you in.

In fact, you do not even need to be allowed to sign in through RDP on that computer. In that case this message shows up, but only after you have successfully changed your password:


Delete the ChangePassword.rdp file when you are done (or at least do not use it until you are forced to change your password again). A connection without CredSSP skips NLA, so the server's logon screen is exposed to the client before any credential has been checked, which is exactly the exposure NLA exists to remove.
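As an added example (not from the original post), the following PowerShell does the client-side steps above in one go: it builds a throw-away .rdp file, launches mstsc.exe with it, and deletes the file as soon as the client exits. The RDP-file setting that turns CredSSP off for a single connection is enablecredsspsupport:i:0 (a documented RDP-file setting); the host name dc01.example.com used below is a placeholder, and the script itself is mine, not the author's.

```powershell
# Added example, not part of the original post.
# Builds a throw-away .rdp file with CredSSP (and therefore NLA) disabled,
# opens it with mstsc.exe and removes it again when the client exits.
param(
    # Use the FQDN; the short NetBIOS name is more likely to fail when
    # the server insists on CredSSP (see "If the server requires CredSSP").
    [Parameter(Mandatory = $true)]
    [string]$Server   # e.g. dc01.example.com (placeholder)
)

# Anything but Default.rdp, so the client's normal defaults are untouched.
$rdpPath = Join-Path $env:TEMP 'ChangePassword.rdp'

# Minimal .rdp content. "enablecredsspsupport:i:0" is the RDP-file setting
# that turns CredSSP off for this connection only; every other client
# setting keeps its default.
$rdpLines = @(
    "full address:s:$Server"
    'enablecredsspsupport:i:0'
)
Set-Content -Path $rdpPath -Value $rdpLines -Encoding ASCII

try {
    # -Wait blocks until mstsc.exe exits, so the file only exists for as
    # long as the session that needs it.
    Start-Process -FilePath 'mstsc.exe' -ArgumentList "`"$rdpPath`"" -Wait
}
finally {
    # Do not leave a CredSSP-less .rdp file lying around.
    Remove-Item -Path $rdpPath -ErrorAction SilentlyContinue
}
```

Run it as `.\ChangePassword.ps1 -Server dc01.example.com` (placeholder name) from the client. Once the password has been changed, connect the normal way again; the script has already removed the weakened profile, so there is nothing to clean up.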

If the server requires CredSSP

If the server does not allow you to disable Credential Security Support Provider (it requires NLA), you get this error message when connecting:


In that case, try connecting with the server's FQDN rather than its short name (DC01 in the example), or connect to another domain-joined server that allows connections without CredSSP. As mentioned above, you do not need to be allowed to actually log on to that server; the password change happens before the logon is denied.

Server side

You can also disable the requirement for CredSSP on the server side, but since that lowers the security of all RDP connections to that server it is not recommended, and if you do it, turn it back on afterwards.

If you choose to do this anyway, either de-select “Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)” on the Remote tab in System Properties:


Or, if the server runs the Terminal Server role (Remote Desktop Session Host on newer versions):

  • Open Terminal Server Configuration
  • Open RDP-Tcp configuration page
  • On the General tab, set the Security Layer to RDP Security Layer


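As an added example that is not part of the original post: the same server-side switch can be inspected and changed with PowerShell on the server through the Win32_TSGeneralSetting WMI class, which is what the System Properties checkbox and the RDP-Tcp configuration page write to. The function names below are mine. The half worth keeping is Enable-RdpNla, which puts NLA back once the password has been changed.

```powershell
# Added example, not part of the original post. Run elevated on the server.
# Reads and sets the two RDP-Tcp settings the post talks about:
#   UserAuthenticationRequired  1 = NLA required (the "recommended" checkbox),
#                               0 = connections without CredSSP allowed
#   SecurityLayer               0 = RDP Security Layer, 1 = Negotiate, 2 = TLS
# Both live in the Win32_TSGeneralSetting instance for the RDP-Tcp listener.

function Get-RdpTcpSetting {
    Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
                    -ClassName 'Win32_TSGeneralSetting' `
                    -Filter "TerminalName='RDP-Tcp'"
}

# Human-readable view of the current state; check this before and after.
function Show-RdpTcpSetting {
    $ts = Get-RdpTcpSetting
    $layer = switch ([int]$ts.SecurityLayer) {
        0       { 'RDP Security Layer' }
        1       { 'Negotiate' }
        2       { 'SSL (TLS)' }
        default { "Unknown ($_)" }
    }
    [pscustomobject]@{
        NlaRequired   = [bool]$ts.UserAuthenticationRequired
        SecurityLayer = $layer
    }
}

# Temporarily allow clients that do not use CredSSP (what the post does via
# the checkbox). SetSecurityLayer(0) would be the equivalent of the Terminal
# Server Configuration step, but touching NLA alone is enough and safer.
function Disable-RdpNla {
    $ts = Get-RdpTcpSetting
    Invoke-CimMethod -InputObject $ts -MethodName 'SetUserAuthenticationRequired' `
                     -Arguments @{ UserAuthenticationRequired = [uint32]0 } | Out-Null
}

# Put NLA back. This is the part to remember.
function Enable-RdpNla {
    $ts = Get-RdpTcpSetting
    Invoke-CimMethod -InputObject $ts -MethodName 'SetUserAuthenticationRequired' `
                     -Arguments @{ UserAuthenticationRequired = [uint32]1 } | Out-Null
}

# Typical use: Show-RdpTcpSetting; Disable-RdpNla; <user changes password>; Enable-RdpNla; Show-RdpTcpSetting
Show-RdpTcpSetting
```

The change takes effect for new connections without a reboot. If NLA is enforced by Group Policy (“Require user authentication for remote connections by using Network Level Authentication”), the policy wins and the local setting is re-applied at the next refresh, so the client-side approach against another server is the better option there.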
Note that if you already have an existing session on a server (with the account whose password you need to change), you can change the password in that session by pressing Ctrl-Alt-Del (or Ctrl-Alt-End inside an RDP session) and choosing Change a password:


I hope this post helped.

About Tom Aafloen

IT Security Advisor @ Onevinn

64 Responses to Forced password change at next logon and RDP

  1. Anonymous says:

    I have attempted the server side solution you described and am still experiencing the exact same issue. I’m connecting from a Windows 10 device to a Windows Server 2012 R2 VM. Any suggestions?

    • Tom Aafloen says:

      Did you also disable CredSSP on the client side? Enabling the server side solution only allows it to be disabled.

  2. Magfar Uddin says:

    Thanks mate 🙂

  3. Just what I needed, thank you 🙂

  4. Jan says:

    You saved me a lot of trouble, thank you for this excellent post.

  5. Michael M says:

    This was extremely helpful!!! thanks very much! Screenshots really helped illustrate the issue as well as the solution. A++++

  6. Dev Dutta says:

    thanks very much

  7. AJ says:

    Excellent article. Thanks for the post.

  8. doofer mcdooferberry says:

    saved me. thanks!

  9. That helped me out. Awesome solution 😉

  10. ozbeanz says:

    Quick solution, thanks

  11. Baha says:

    love you buddy 🙂 this was a long pending issue

  12. Kristina T says:


    Is this a problem only on Windows Server 2012 R2? I am comparing my new environment (Windows Server R2) with my old (Windows Server 2012) and on the old one this works without changing the .rdp file. Do you have any information about this difference between the versions?

    Beside this the post is very helpful.
    Thank you a lot.

  13. Steve Han says:

    Great article!!! it really works

  14. P SAMPATH KUMAR says:

    Great one, it really helped me 🙂

  15. Shawn says:

    This worked perfectly for me. Thanks!

  16. Dan says:

    Excellent. It worked great.

  17. Rune says:

    Thank you very much! This has been bugging me for 2 weeks!!!!!

  18. Raphael says:

    Hi mate, great article. I had trouble getting this going due to some other constraints this end, but found that an ‘mstsc /admin’ actually got me into the locked server change password prompt, so all’s well that ends well. I’m sure we’ll run into this somewhere else and will give your solution a go.

  19. Vazha Gelashvili says:

    So helpful. Thanks!!!!!!!!!

  20. cepefernando says:


  21. isopropanol says:

    Another way to do the same thing:
    VPN in (if you need to) so that you can reach the server
    click Start – person icon – Switch Account (what used to be called Switch User)
    click Other User
    put the domain\user name
    put the password
    It will say you need to change the password, change it
    Then you’ll get the same “You can’t sign into this machine” message (the picture above with the yellow text)
    Switch back to your regular user
    Then you can RDP
    Note: this only works if your machine can find the domain controller for that domain

    • LucidObscurity says:

      !!!! DO THIS !!!!
      This works even if the machine you’re on is not a member of the domain in question or is joined to another domain.
      Disabling NLA is a huge vector for ransomware.

  22. Etienne Booysen says:

    Thank you very much.

  23. CK says:

    Thanks, This worked for me!

  24. technostar says:

    Outstanding! you rock…

  25. sapc says:


  26. marshahlynn says:

    This has save my life! Thank you!

  27. rovernutt says:

    Thanks for the excellent post. Works as advertised (on Win10)

  28. Harvey Jacobs says:

    Thanks for this, but can you help with this issue? I have a 2016 RD Farm setup with 1 RD Connection Broker and 2 RD Session Hosts for load balancing. All works perfectly if I use NLA, except for password resets. If I disable CredSSP server side and turn off NLA on the client side (using Linux thin clients) it allows password resets and I can get to the RD Connection Broker, but after entering username and password, if I’m being moved off the server running the connection broker, my connection is disconnected.

  29. Jai says:

    Well illustrated. Thanks. Came here just to understand why and how. Will check your other posts.

  30. Simon Gadsby says:

    Thanks Tom, well written and still useful – got me out of trouble today!

  31. This article was GREAT HELP!!! Very beautifully written and amazing to-the-point description. Thanks!!!

  32. Niklas says:

    Thanks man, really helped! Tis a proper catch 22 for sure! 🙂

  33. KJ says:

    Thanks! Helpful. Saved me from bothering a colleague who must be unknowingly grateful.

  34. Brij says:

    Thanks a lot

  35. adminsecurityseedcom says:

    Thanks a lot for the tip!

  36. Ali Sanan says:

    Thanks for helping…

  37. Nibin says:

    Thank you very much … it works for me

  38. Eric Davelaar says:

    Very helpful article, thank you!
    In my case the clients are overseas – so I will have to just clear the ‘must change password at next login’ if/when I have to reset a forgotten or expired password until the catch 22 is fixed, in our lifetime hopefully 🙂

  39. C says:

    Perfect, thank you!

  40. Gökay says:

    This is life saver! Thanks.

  41. User says:

    First solution worked for me, thanks for your help

  42. Khalid Mehmood says:

    Thanks. It helped.

  43. Martin says:

    Worked like a charm, thank you so much.

  44. GDW says:

    Brilliant, saved me from having to log a ticket. Much appreciated.

  45. Raju George says:

    Thanks, it helped me. I was trying to RDP from Windows 10 to a 2008 server. Appreciate your help
    God bless

  46. The other thing you might want to do if you get the message that RDP cannot find a domain controller (especially when you are using a standalone server), is to use the format for the username: .\username (prepend it with a dot backslash). This fixed our issue along with the credssp.

  47. Mahipal says:

    How do I edit this file in the Mac (remote desktop Manager) from Devolutions?

  48. Nicole says:

    Thank you so much!! It was driving me crazy. Now I finally managed to change the password. Thank you, thank you, thank you!
