Search Our Database

How to fix “User Must Change Password” at next logon when connecting via RDP

Last updated on |
by

When you try to logon to a RDP session (with correct credentials) you might encounter this error message:

“You must change your password before logging on the first time. Please update your password or contact your system administrator or technical support.”

This is a classic catch 22 issue: You have to logon to change your password, but you cannot logon until you’ve changed your password.
If you have access to a “normal” network connected Windows client you can change the password that way, but what if you only have RDP access?

Client side

Well, if the server allows it, you can temporary disable “Credential Security Support Provider (CredSSP)” in the RPD client. This disables Network Layer Authentication, the pre-RPD-connection authentication, and therefore enables you to change your password via RDP. CredSSP is enabled by default in the RDP client on Windows Vista and forward.

There is no option to disable CredSSP in the RDP client, so here is how you have to do it:

Start mstsc.exe
Click Show Options
Click Save As

– Call it ChangePassword.rdp (or anything you’d like, but avoid the name Default.rdp)
– Open the saved ChangePassword.rdp in Notepad
– Add a new row at the end with the following text: enablecredsspsupport:i:0

– Save the rdp file
– Double-click the rdp file
– Enter the name/IP of a domain connected computer with RDP enabled

Instead of the local Windows Security prompt you should see a Windows Logon screen on the remote computer (if not, read on anyway):

RDP

If the account you log on with at this point has the “User must change password at next logon” option enabled, you get notified about that:

By clicking OK you get the possibility to change the password.

After changing the password you get confirmation about the change:

Clicking OK logs you in.

Delete the ChangePassword.rdp file when you are done (or at least do not use it until you are forced to change your password again), since disabling CredSSP lowers the security of RDP connections.