Ever wondered how to configure when you get prompted for user credentials when logging onto a remote system via Remote Desktop (Terminal Services)?
Well, chances are that this might come in handy – especially if you encounter issues which stem from an expired password (hence, the title of this article). I was prompted with a pre-connection authentication challenge/response dialog; when I entered the correct details, it simply displayed a dialog with an “OK” and “Cancel” button and the text “You must change your password before logging on the first time.”
Trawling the Internet for some hints, I came across a thread on the MSDN Forums suggesting that the Security setting be changed to “RDP Security Layer” from “Negotiate”. To do this you need to open the Terminal Services configuration, which can be done by executing the tsconfig.msc console.
Double click on the Connection:
...and you can change the default Security Layer (as shown).
This seems to only apply to Windows Server 2008, as I could not locate a similar application on Windows 7. It may be possible to run this console on Windows 7.
In the end, it didn’t help my specific scenario (sorry), but I did like that it changed the authentication process. For my situation, I had someone clear the password change setting on the domain account in question, then happily logged on and changed the password manually.
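The Security Layer chosen in tsconfig.msc is stored as the SecurityLayer registry value of the RDP-Tcp listener (0 = RDP Security Layer, 1 = Negotiate, 2 = SSL/TLS). The following read-only PowerShell check is an added example, not part of the original post: it reports that value and flags a listener left on the weaker RDP Security Layer. The function names are made up for this example, and the Group Policy key and the UserAuthentication (Network Level Authentication) value are standard Windows locations that the post itself does not mention.

```powershell
# Added example: read-only audit of the RDP listener's security layer.
$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
# Group Policy location (not from the post); a value here overrides the listener's own.
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$layerNames  = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }

# Return the effective value of a setting and the key it came from (policy first).
function Get-RdpSetting {
    param([Parameter(Mandatory)][string]$Name)
    foreach ($key in @($policyKey, $listenerKey)) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Value = [int]$item.$Name; Source = $key }
        }
    }
}

# Hypothetical helper name: summarises the listener and lists anything worth fixing.
function Test-RdpSecurityLayer {
    $layer = Get-RdpSetting -Name 'SecurityLayer'
    $nla   = Get-RdpSetting -Name 'UserAuthentication'
    $findings = @()

    if ($null -eq $layer) {
        $findings += 'SecurityLayer value not found under either key.'
    } elseif ($layer.Value -eq 0) {
        $findings += 'SecurityLayer is 0: native RDP encryption, the server is not authenticated.'
    } elseif ($layer.Value -eq 1) {
        $findings += 'SecurityLayer is 1: falls back to native RDP encryption if the client lacks TLS.'
    }
    if ($null -eq $nla -or $nla.Value -ne 1) {
        $findings += 'Network Level Authentication is not required (UserAuthentication is not 1).'
    }

    [pscustomobject]@{
        SecurityLayer = if ($layer) { $layer.Value } else { $null }
        LayerName     = if ($layer) { $layerNames[$layer.Value] } else { 'not set' }
        LayerSource   = if ($layer) { $layer.Source } else { $null }
        NlaRequired   = ($null -ne $nla -and $nla.Value -eq 1)
        Findings      = $findings
    }
}

Test-RdpSecurityLayer | Format-List
```

An empty Findings list means the listener requires TLS and Network Level Authentication; a server still reporting 0 after a temporary change has not been switched back.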
2 thoughts on “Changing the Remote Desktop Security Layer”
A simple and effective solution for the warning “You must change your password before logging on the first time. Please update your password or contact your system administrator or technical support.”
I made a VBScript which solved the problem and which is executed after user logon. To know how to make a Scheduled Task, go here -> https://superuser.com/questions/15596/automatically-run-a-script-when-i-log-on-to-windows
[This script is executed once the user has changed the password, to remove the warning at his next login]
Things to do.
1. You are on the Windows Server 2016/2012 and logged in.
2. Tick “User must change password at next login”.
3. Open Regedit and set the following value to ‘0’,
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer
4. Open Notepad, create a script.vbs file (the icon of the file will change from a text file to a VBS script) and paste the following code.
//copy from next line
Set objShell = WScript.CreateObject("WScript.Shell")
' Started without arguments: relaunch this script elevated ("runas") and exit.
If WScript.Arguments.Length = 0 Then
    Set ObjShell = CreateObject("Shell.Application")
    ObjShell.ShellExecute "wscript.exe" _
        , """" & WScript.ScriptFullName & """ RunAsAdministrator", , "runas", 1
    WScript.Quit
End If
' Elevated instance: write SecurityLayer = 2 for the RDP-Tcp listener.
Set WshShell = CreateObject("WScript.Shell")
myKey = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer"
WshShell.RegWrite myKey, 2, "REG_DWORD"
//copy till above line end
5. Create a Windows after-logon task which should be executed after the user has changed the password and logged in for the first time to the server.
6. Set the script path in the after-logon task and don’t forget to set Name, Trigger & Action in the Scheduled Task settings.
7. Reboot PC.
8. Connect to the server with IP and a window screen will pop up ‘without’ the warning “You must change your password before logging on the first time. Please update your password or contact your system administrator or technical support.”
9. Enter default login credentials, set up a new password and log in to the server within that window.
10. Now the script will automatically execute and set the Security Layer value to 2 in the registry.
11. Reboot the server.
12. Connect to the server with IP and you will be asked to enter your username and password without the window session.
13. You should be logged on to your server now after successful authentication.
Thanks, that’s awesome!