Lately I’ve been doing some experiments with Active Directory, and naturally I’m running my lab environment in Azure. It works nicely, until after 42 days the password of the one and only user account (mine) in the domain expires. Azure only offers remote desktop access to virtual machines, and in a default setup it’s impossible to change the password over RDP once the password has expired.
In all modern incarnations of remote desktop, the user authentication is done during the connection phase. This is called NLA: Network Level Authentication. It means the user name and password are entered in the RDP client, as part of the connection setup. This is unlike the old days, where the remote desktop would show up and present the same user name and password prompt as if one were actually sitting at the physical console. In the old days, the remote server could show a password expired message and force a password reset before the logon was accepted. With NLA, that just doesn’t work. So what we need to do is disable NLA, without logging on to the remote machine.
To disable NLA, we need to do that on both the client and the server. On the client, it’s fairly straightforward, although it can’t be done in the UI.
- Open the remote desktop client, fill in the host name and save the connection settings.
- Open the rdp file in a text editor and add the line `enablecredsspsupport:i:0` at the top.
- Save the file and double-click it to open the remote desktop client.
If you try to connect now, you’ll get an error message that the server requires NLA. So to continue, we need to disable that on the server.
Thanks Russel Smith for the details on how to use WMI to do this.
Disabling the NLA requirement on the server is normally just an unchecked checkbox in the system properties. But that won’t work when we’re already locked out of the machine. So we need to access the machine and somehow change the setting. It turns out that can be done with WMI. When I did this, I used another VM on the same virtual network. But I assume it would work directly from the Internet if the required ports are opened in the Network Security Group associated with the VM.
From the other VM, run the following commands in a PowerShell window, with the IP number being the internal IP of the server you’re locked out of and DOMAIN\USERNAME being the domain/user information (use the computer name as the domain if it isn’t a domain-joined computer).
```powershell
# Win32_TSGeneralSetting lives in the terminalservices namespace, not in the default root\cimv2
$wmi = (Get-WmiObject -Class Win32_TSGeneralSetting -Namespace root\cimv2\terminalservices -ComputerName 10.0.1.5 -Filter "TerminalName='RDP-tcp'" -Credential DOMAIN\USERNAME)
$wmi
$wmi.SetUserAuthenticationRequired(0)
```
The second line, `$wmi`, simply prints out the current settings before changing them.
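The same WMI change wrapped in a function that verifies the result, as an added example that is not the post’s own code. It assumes the post’s lab values (internal IP 10.0.1.5, a DOMAIN\USERNAME credential with admin rights on the locked-out VM) and that TCP 135 plus the dynamic RPC range are reachable from the VM you run it on; the second call shows the re-enable step.

```powershell
# Added example, not the post's own code: toggle the NLA requirement on the
# locked-out VM over WMI and read the value back so the change is confirmed.
# Assumes the post's internal IP (10.0.1.5) and a DOMAIN\USERNAME credential
# with admin rights on that VM; both are lab values, adjust them for yours.
function Set-RdpNlaRequired {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [ValidateSet(0, 1)] [int] $Required  # 0 = disable NLA, 1 = re-enable
    )

    # Win32_TSGeneralSetting lives in the terminalservices namespace, not root\cimv2.
    $query = @{
        Class        = 'Win32_TSGeneralSetting'
        Namespace    = 'root\cimv2\terminalservices'
        ComputerName = $ComputerName
        Filter       = "TerminalName='RDP-tcp'"
        Credential   = $Credential
    }
    $ts = Get-WmiObject @query
    if (-not $ts) { throw "No RDP-tcp listener found on $ComputerName" }
    Write-Host "Before: UserAuthenticationRequired = $($ts.UserAuthenticationRequired)"

    # WMI methods report success as ReturnValue 0; anything else is an error code.
    $result = $ts.SetUserAuthenticationRequired($Required)
    if ($result.ReturnValue -ne 0) {
        throw "SetUserAuthenticationRequired failed with code $($result.ReturnValue)"
    }

    # Re-query instead of trusting the cached object, and fail loudly if the
    # value did not change.
    $ts = Get-WmiObject @query
    Write-Host "After:  UserAuthenticationRequired = $($ts.UserAuthenticationRequired)"
    if ([int]$ts.UserAuthenticationRequired -ne $Required) {
        throw "Setting did not take effect on $ComputerName"
    }
}

$cred = Get-Credential -Message 'DOMAIN\USERNAME with admin rights on the locked-out VM'

# Step 1: drop the NLA requirement so the in-session logon screen (and its
# password-reset prompt) becomes reachable.
Set-RdpNlaRequired -ComputerName '10.0.1.5' -Credential $cred -Required 0

# Step 2, once the password has been reset over RDP: put NLA back.
# Set-RdpNlaRequired -ComputerName '10.0.1.5' -Credential $cred -Required 1
```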
Now you can use the prepared rdp file and log on to the server. Note how there is no password prompt before the RDP session is launched; instead the login prompt is displayed inside the RDP session. From here, the reset password prompt works.
Finally it’s time to re-enable security. On the client, just delete the created rdp file. On the server, you can do that by going back to the PowerShell window on the other VM: