Alleviate the headaches associated with manual password resets by providing this Windows-based Active Directory solution for Remote Desktop Services.
Remote Desktop Services is a common way to permit users to access resources, particularly from a remote location. Many of us who now work from home full time depend on it to do our jobs. My organization has several of these implementations across various environments, and they offer a great solution for users to be able to log into a shared desktop environment and run applications.
This access is based on Windows Active Directory accounts and passwords, and password changes are a necessary way of life in most organizations as security guidelines generally mandate their periodic rotation.
That doesn't change the fact that manual password reset requests can be a source of massive inconvenience for end users and system administrators alike. End users may have to wait in a problem queue or submit request tickets, and system administrators may be too busy with project work to handle these requests right away. And, frankly, repeat offenders can grow cumbersome.
If you're using Network Level Authentication (NLA) on Windows 2012 or 2016, which many organizations are as it's enabled by default, users with expired passwords will see this error upon trying to log in to Remote Desktop Services:
"An authentication error has occurred.
The Local Security Authority cannot be contacted
Remote computer: lonSrvRDS1
This could be due to an expired password
Please update your password if it has expired."
The problem here is NLA prohibits users from logging in to the very Windows system that might permit them to change their password.
A better option is to permit users to change their own Active Directory passwords using a Remote Desktop Services (RDS) Web Access portal, which will let them reset their passwords at almost any time, expired or not (depending on your "minimum password age" setting).
To allow password change, you must be using Remote Desktop Services. This article assumes you're using US English as your language standard.
Of course it also requires the users to know their current passwords, which is why I've recommended storing passwords securely via a password manager for years. Users who forgot their passwords will be out of luck, so it behooves smart IT departments to promote password management utilities.
To set up the password reset portal, open Server Manager on the Windows 2016 server you'd like to use for this role (the steps apply for Windows 2012 as well).
Click Add Roles and Features (Figure A).
Click Next twice (Figure B).
Leave the server name highlighted and click Next (Figure C).
A list of available roles will appear. Scroll down and expand Remote Desktop Services then click Remote Desktop Web Access and Next (Figure D).
Click Add Features (Figure E).
Click Next (Figure F).
Click Install (Figure G).
Once the role finishes installing, you must make a minor change in IIS to permit password changes.
Open IIS Manager and expand Sites / Default Web Site / RDWeb and select Pages (Figure H).
Double-click Application Settings (Figure I).
Select PasswordChangeEnabled (Figure J).
Change this setting to True and click OK.
Open the C:\Windows\Web\RDWeb\Pages\en-US\login.aspx file with a text editor.
Find this code:
<table width="300" border="0" cellpadding="0" cellspacing="0">
<td width="130" align="right"><%=L_PasswordLabel_Text%></td>
<label><input id="UserPass" name="UserPass" type="password" runat="server" size="25" autocomplete="off" /></label>
Add this code directly beneath it:
<a href="password.aspx" target="_blank">Click Here</a> to reset your password.
Reset IIS using the iisreset command.
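The same setup scripted in PowerShell, as an added example that is not part of the original article. It assumes an elevated session on the server, the default site name and RDWeb paths shown above, and the en-US page folder; the HTTPS binding check is an extra safeguard added here.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the Server Manager / IIS Manager steps above.
$ErrorActionPreference = 'Stop'

# Paths and markup as given in the article (default RD Web Access install, en-US pages).
$siteName  = 'Default Web Site'
$appPath   = "IIS:\Sites\$siteName\RDWeb\Pages"
$loginPage = 'C:\Windows\Web\RDWeb\Pages\en-US\login.aspx'
$linkHtml  = '<a href="password.aspx" target="_blank">Click Here</a> to reset your password.'

# 1. Install the Remote Desktop Web Access role service if it is missing.
if (-not (Get-WindowsFeature -Name RDS-Web-Access).Installed) {
    Install-WindowsFeature -Name RDS-Web-Access -IncludeManagementTools | Out-Null
}

# 2. Set the PasswordChangeEnabled application setting to true.
Import-Module WebAdministration
$filter = "/appSettings/add[@key='PasswordChangeEnabled']"
Set-WebConfigurationProperty -PSPath $appPath -Filter $filter -Name value -Value 'true'

# 3. Add the link beneath the password field, once, keeping a backup of the page.
if (-not (Select-String -Path $loginPage -Pattern 'href="password\.aspx"' -Quiet)) {
    $content = [System.Collections.Generic.List[string]]@(Get-Content -Path $loginPage)
    $idx = $content.FindIndex([Predicate[string]]{ param($line) $line -match 'id="UserPass"' })
    if ($idx -lt 0) { throw "UserPass input not found in $loginPage" }
    Copy-Item -Path $loginPage -Destination "$loginPage.bak" -Force
    $content.Insert($idx + 1, $linkHtml)
    Set-Content -Path $loginPage -Value $content -Encoding UTF8
}

# 4. The form carries current and new passwords, so warn if the site has no HTTPS binding.
if (-not (Get-WebBinding -Name $siteName -Protocol https)) {
    Write-Warning "No HTTPS binding on '$siteName'; add one before publishing the portal link."
}

# 5. Restart IIS so the change takes effect, then confirm the setting.
iisreset | Out-Null
$value = (Get-WebConfigurationProperty -PSPath $appPath -Filter $filter -Name value).Value
Write-Output "PasswordChangeEnabled = $value"
```

The script can be re-run safely: the role install and the link insertion are skipped when already in place, and the original page is kept as login.aspx.bak.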
Test that the password reset portal works by accessing:
You will see a screen similar to the following (Figure K):
Users must log in as domain\username (leave out the domain suffix; rather than using company.com\(user), for example, just use company\(user)), enter the current password, then pick a new password.
Document and send out the link to the actual fully qualified server name and password reset portal path (e.g. https://passwordreset.company.com/RDWeb/Pages/en-US/password.aspx) and urge users to bookmark the link. Also provide them instructions on how to use a password manager to store passwords securely, and remind them that if they do so they need never be inconvenienced by a forgotten password requiring a manual password reset.
Then enjoy having more time to focus on business priorities.