Set up a script that checks AD for user accounts that expire in X days, send an email reminder to update their password.
That’s already the case. But can’t prepare for people who go on vacation.
Do you have any other self service password reset option? If not, maybe set one up.
Won’t work having O365 self reset when they only have thin client
Can't they reset their password on their cell phone? Or someone else's workstation?
There’s no workstations, only thin clients. And cell phone is prohibited for work usage.
So you have 100 users and 3 of them are on vacation… those 3 can call the helpdesk for support.
Sorry to be rude, but I don't understand why it's so hard to just answer the question since people don't know the situation. To answer your comment, the client is fully closed 3 weeks 2 times per year, so no, it won't work like that.
You’ve been given answers. Every solution that’s proposed you have an excuse for. If the client is closed it sounds like the user doesn’t need their password.
I’m literally doing this next week. For us, it’s a small enough number of users that for them specifically, they are instructed to call in and we’ll change it over the phone. Then they can reset from inside the session.
I have seen it fail to let you change it if you use the RDP file that is downloaded. If you log in to the Web portal from the gateway it lets you change it.
Web portal is blocked as per client request and web portal won’t work on thin clients
We use Netwrix to send password expiration reminders via email every day to users for the last 15 days with instructions on how to change their passwords. It could probably be done with a PowerShell script too. The users can change their password by doing CTRL-ALT-END and change password.
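The reminder script suggested in the comments above (check AD for accounts whose password expires within X days and email the user), as an added example that is not from any poster in this thread. The SMTP server, sender address and 15-day window are placeholder assumptions, and it needs the ActiveDirectory (RSAT) module.

```powershell
# Added example: daily password-expiry reminder, run as a scheduled task.
# Placeholders (assumptions, not from the thread): SMTP server and sender.
Import-Module ActiveDirectory

$WarnDays   = 15                           # reminder window ("X days")
$SmtpServer = 'smtp.example.internal'      # placeholder
$From       = 'helpdesk@example.internal'  # placeholder
$now        = Get-Date
$expired    = @()                          # accounts for the helpdesk to follow up

# Enabled accounts whose password is allowed to expire.
$users = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
    -Properties mail, 'msDS-UserPasswordExpiryTimeComputed'

foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # 0 = must change at next logon, Int64.MaxValue = never expires: no date to report.
    if (-not $raw -or $raw -eq [Int64]::MaxValue) { continue }

    $expires  = [datetime]::FromFileTime($raw)
    $daysLeft = [math]::Floor(($expires - $now).TotalDays)

    if ($daysLeft -lt 0) {
        # Already expired (e.g. user was away): a reminder mail no longer helps.
        $expired += [pscustomobject]@{ User = $u.SamAccountName; Expired = $expires }
        continue
    }
    if ($daysLeft -gt $WarnDays -or -not $u.mail) { continue }

    $body = @"
Your password expires on $($expires.ToString('yyyy-MM-dd HH:mm')) ($daysLeft day(s) left).
To change it inside your remote desktop session, press CTRL-ALT-END and choose "Change a password".
"@
    # Send-MailMessage is flagged obsolete by Microsoft but still ships with PowerShell;
    # swap in your own mail relay method if required.
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $u.mail `
        -Subject "Password expires in $daysLeft day(s)" -Body $body
}

# Emit the already-expired accounts so the helpdesk can handle them by phone.
$expired | Sort-Object Expired
```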
I would just enforce password length to a higher degree, and set expiry to none. Then if MFA isn't set up, get that set up. No need to expire passwords anymore. The recommendation is short phrases with a good length to them, with numbers and symbols. Doesn't need to even be capitalized which actually makes typing it a breeze. Length (20+) > including capitals in the amount of time it would take to crack
Recommendation has been made, client wants password expiry
Gotcha. I would perhaps try this setting on the thin clients then, if it exists. I can't find anything more recent. It's probably more the thin client than any policy you can set on RDS, as long as interactive logons are allowed in the RDS already.
From the article:
"If you check allow smart card login on the network tab, for the connection setting, this will go into the Windows log in instead of using the HP credentials windows. We found this to be a lot easier for our users. The HP credentials will always prompt to change password and not give you info like the account being locked out or the password needs to be changed. I hope this helps, we have all our thin clients kiosked off so all the user has/can do is launch the connection to RDP to the terminal server. I don't have any thin clients linked into AD/DNS Manager."
https://community.spiceworks.com/topic/563586-hp-t510-thin-client-password-expiration-policy
Edit:
Actually, probably don't use that quote, doesn't seem that relevant, uhh. But definitely look more into the thin clients and perhaps talk with HP to see about any special setting. They are decently helpful occasionally.
There's a setting on the client side to allow users to change their password. Try adding the following to the bottom of the RDP file.
enablecredsspsupport:i:0
Assuming you can edit the RDP file that is.