Failed logons due to expired passwords: Password change functionality in RD Web Access

  • Comments 6

One of the questions that some customers have asked us is “How can users change their expired passwords when connecting to Windows Server 2012 (including R2) and Windows 8/8.1?”

As you might already know,  with Network Level Authentication (NLA) enabled in Windows Server 2012 R2 and Windows 8.1,  RDP connections from users with expired passwords fail with a logon error similar to the following error.


To resolve this problem, you can enable the password change functionality in RD Web Access. With password change functionality enabled, users are able to change their expired password.

To enable password change functionality in RD Web Access in Windows Server 2012 and Windows Server 2012 R2, refer to this TechNet Wiki page. For RD Web Access in Windows Server 2008 R2, refer to this excellent post by Freek Berson.

Leave a Comment
  • Please add 5 and 1 and type the answer here:
  • Post
  • You can add the password reset feature by followng the guide below.

  • It's funny that Ryan's recipe was pasted a year ago....

  • And the TechNet Wiki that the blog post refers to was created 2 years ago :) But that's not the point, Ryan's blog provides great information to the community. The post does not claim to contain new content or features. Many people still didn't know this feature exists (and is even possible in 2008 R2), so it's good thing to drive some attention to this via RDS blog.

  • Hello. I use Remote Desktop to connect with a server in which I am working. The password expired and I don't know how to change it. I have Windows 8.1

    Can someone help me please?

    Thank you !

  • I am getting this same error on a server 2012 r2 box without the RD web access role enabled, any idea why?

  • The problem above is what if you don’t have RDS Roles installed and you still want to make that change for SERVER 2012… to the REGISTRY!

    You can very easily change the NLA setting without having to have the RDS Session Host Configuration, Web Server, and Connection Broker Roles installed.

    All you have to do is open REGEDIT and go to: (always backup registry folders before making changes)

    HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

    Change the DWORD value for ‘UserAuthentication’ from a value of ‘1’ (meaning Enabled) to ‘0’ (meaning disabled)

    That will make the change for you without having to have the RDS roles installed in order to configure the RDP-Tcp NLA settings

    You can also change the security levels by modifying the ‘SecurityLayer’ DWORD value:

    0 = ‘RDP Security Layer’

    1 = ‘Negotiate’

    2 = ‘SSL (TLS 1.0)’

    and if you disable TLS 1.0 for PCI compliance you must change this setting to use the RDP Security Layer as TLS will no longer function and you will lose RDP Access to your server

Page 1 of 1 (6 items)

Failed logons due to expired passwords: Password change functionality in RD Web Access