Accéder au contenu principal

WS 2016 Forced password change at next logon le mot de passe de l'utilisateur doit être modifié avant la première connexion

https://mssec.wordpress.com/2015/12/26/forced-password-change-at-next-logon-and-rdp/












Forced password change at next logon and RDP

Posted on 26 December, 2015by 
If your AD account has the “User must change password at next logon” option enabled:
clip_image001
and you try to logon to a RDP session (with correct credentials):
image
you might encounter this error message:
image
“You must change your password before logging on the first time. Please update your password or contact your system administrator or technical support.”
This is a classic catch 22 issue: You have to logon to change you password, but you cannot logon until you’ve changed you password.
If you have access to a “normal” network connected Windows client you can change the password that way, but what if you only have RDP access?

Client side

Well, if the server allows it, you can temporary disable “Credential Security Support Provider (CredSSP)” in the RPD client. This disables Network Layer Authentication, the pre-RPD-connection authentication, and therefore enables you to change your password via RDP. CredSSP is enabled by default in the RDP client on Windows Vista and forward.
There is no option to disable CredSSP in the RDP client, so here is how you have to do it:
  • Start mstsc.exe
  • Click Show Options
  • Click Save As
image
  • Call it ChangePassword.rpd (or anything you’d like, but avoid the name Default.rdp)
  • Open the saved ChangePassword.rpd in Notepad
  • Add a new row at the end with the following text:
    enablecredsspsupport:i:0
clip_image003
  • Save the rdp file
  • Double-click the rdp file
  • Enter the name/IP of a domain connected computer with RDP enabled
Instead of the local Windows Security prompt (the second image in the blog post) you should see a Windows Logon screen on the remote computer (if not, read on anyway):
image
If the account you log on with at this point has the “User must change password at next logon” option enabled, you get notified about that:
image
By clicking OK you get the possibility to change the password (yay!):
image
After changing the password you get confirmation about the change:
image´
Clicking OK logs you in.
In fact, you do not need to have access to sign in through RDP, in that case this shows up, but only after you successfully changed your password:
image
Delete the ChangePassword.rdp file when you are done (or at least do not use it until you are forced to change your password again), since disabling CredSSP lowers the security of RDP connections.

If the server requires CredSSP

If the server does not allow you to disable Credential Security Support Provider, you get this error message when connecting:
image
In that case, try connecting using the FQDN (DC01.tomdemo.se and not only DC01) or connect to other servers that might allow you to disable CredSSP. As I mentioned above, you don’t have to have access to actually logon to the server.

Server side

You can also disable CredSSP on the server side, but since that lowers the security on all RDP connections to that server it is not recommended.
If you chose to do this anyway, you do it either by de-selecting “Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)” in System Properties:
image
Or if you run the Terminal Server Role:
  • Open Terminal Server Configuration
  • Open RDP-Tcp configuration page
  • On the General tab, set the Security Layer to RDP Security Layer
image
Note that if you already have an existing access to a server (with the account you need to change the password with) you could just change your password in that session by pressing Ctrl-Alt-Del (or Ctrl-Alt-End in an RDP connection) and choosing Change a password:
image
I hope this post helped.

Commentaires

Enregistrer un commentaire

Posts les plus consultés de ce blog

cPanel DDOS attack - Mitigate Slowloris Attacks - mod_qos

Apache mod_evasive Mod_evasive is a module available for the Apache HTTP server that can automatically block attacks by rate-limiting any IP that sends too many requests in a short time. Start by installing the module from WHM’s  EasyApache 4  interface. Select the  Currently Installed Packages  profile, search for  mod_evasive  in the  Apache Modules  section, and then install it. The default settings are good for most servers, but you can tweak them further by editing the configuration file  /etc/apache2/conf.d/300-mod_evasive.conf . You can also whitelist specific IP addresses or classes, so legitimate requests are not blocked. Configure CSF to block attacks While  mod_evasive  works very well, it only protects the Apache webserver. In order to harden other services as well, you can install the free  ConfigServer Security & Firewall  (CSF), which also includes a WHM plugin. As the  root  user, install CSF with these terminal commands: cd /usr/src rm -fv csf.tgz wget https://down
Enregistrer un commentaire
Lire la suite

Spool file is locked (another process is handling this message)

LOG: MAIN cwd=/usr/local/cpanel/whostmgr/docroot 4 args: /usr/sbin/exim -v -Mrm 1dUoey-0006YJ-3A Message 1dUoey-0006YJ-3A is locked LOG: skip_delivery MAIN Spool file is locked (another process is handling this message) To do this you can run the following commands. |exim -Mt 1dUoey-0006YJ-3A |exim -Mrm 1dUoey-0006YJ-3A I am also providing the following page in case you want more information regarding the exim command options. http://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_exim_command_line.html
Enregistrer un commentaire
Lire la suite

Open Media Vault NAS change password

Known Root Password Login to the OMV using the root user and the current password via SSH or Console enter the following command passwd root The new password is now active. Unknown Root Password, but Admin Access to OMV GUI is Available In this scenario we still can help ourselves with the GUI. The method we use is, that we create a cron job for the root user which then resets the password. Navigate to System -> Cron Jobs Press the +Add button UN-tick the enabled box, so that the cronjob does not run automatically. put into the command field the following line, replace newpasswd with your password: echo "root:newpasswd" | chpasswd press okay select the newly created cron job Click the run button. in the opening window click the start button. It will shortly deactivate and activate again. open ssh or console and login as root with your new password. Root and Admin Password Unknown If you do not know the root password, you need to boot with a Li
Enregistrer un commentaire
Lire la suite