Tags: active-directory, windows-logon

ChangePasswordAtLogon set prevents users from connecting at all


In an AD environment, if I set ChangePasswordAtLogon users cannot log in even with their old password. When they try to connect, their Remote Desktop client (mstsc) says:

(translated to English)
Authentication error.
Local security authority cannot be contacted.
The problem might be an expired password.
Change your password if it's the case.

So they don't even have the chance to change their password. Setting ChangePasswordAtLogon is then completely useless. :-( What can I do about it?

Note: PasswordNeverExpires is False. CannotChangePassword is False.

Thanks


Solution

  • You've run into a classic issue with Remote Desktop and expired passwords. The ChangePasswordAtLogon flag isn't the problem; the culprit is Network Level Authentication (NLA).


    The Problem: Why it Fails

    NLA is a security feature that authenticates a user before it spins up a full remote session on the server. When a user's password has expired, they can't pass this initial NLA check. The connection is dropped with the "Local Security Authority cannot be contacted" error before the user ever gets to the login screen where they would normally be prompted to change their password. It's a security catch-22.


    Solution 1: Disable NLA (The Quick Fix)

    The most direct solution is to disable NLA on the Remote Desktop server. This allows the user to connect and reach the actual Windows logon screen, where they will be prompted to enter a new password.

    1. On the RD Session Host server, open System Properties (sysdm.cpl).

    2. Go to the Remote tab.

    3. Uncheck the box that says "Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)".

    4. Click Apply, then OK.

    ⚠️ Note: This slightly lowers the security of your RDP endpoint because it has to dedicate resources to a session before authenticating the user, making it more vulnerable to potential Denial of Service (DoS) attacks.


    Solution 2: Use RD Web Access (The Recommended Method)

    A more secure and user-friendly solution is to provide your users with the RD Web Access portal. This feature includes a dedicated web page for changing expired passwords without needing to log in via RDP first.

    This method is more secure because you can keep NLA enabled on your session hosts. It's the standard, enterprise-grade way to handle this problem.


    Solution 3: Proactive GPO Notifications

    While it doesn't fix the immediate issue for an already-expired password, you can prevent it from happening as often by using a Group Policy Object (GPO) to warn users their password is about to expire.

    1. Open the Group Policy Management Console.

    2. Edit a relevant GPO and navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

    3. Find the policy Interactive logon: Prompt user to change password before expiration.

    4. Set it to a reasonable number, like 14 days.

    This gives users ample warning to change their password before it expires, avoiding the NLA lockout entirely.
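As an added example (not part of the question or the answer above), the following PowerShell script does from the command line what the three solutions describe in the GUI: it reads the current NLA setting on the RD Session Host, can toggle it (with `-WhatIf` support) through the same `Win32_TSGeneralSetting` WMI class the System Properties checkbox uses, reads the effective value of the "Prompt user to change password before expiration" policy from the Winlogon registry key it is stored in, and lists the AD accounts that will hit the NLA failure: those already expired or flagged "must change at next logon" (which is what `ChangePasswordAtLogon` does, by setting `pwdLastSet` to 0), plus those expiring within a warning window. The function names, the `$WarningDays` default and the usage lines at the bottom are my own; it assumes an elevated session on the session host for the NLA and Winlogon parts and the ActiveDirectory RSAT module for the AD query.

```powershell
# Added example, not part of the original question or answer.
# Assumes: elevated PowerShell on the RD Session Host (for the NLA and
# Winlogon functions) and the ActiveDirectory RSAT module (for the AD query).

$rdpRegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tsNamespace = 'root\cimv2\TerminalServices'

function Get-RdpNlaState {
    # The registry value and the WMI property both mirror the System Properties
    # checkbox "Allow connections only from computers running Remote Desktop
    # with Network Level Authentication". 1 = NLA required, 0 = not required.
    $reg = Get-ItemProperty -Path $rdpRegPath -Name UserAuthentication
    $ts  = Get-CimInstance -Namespace $tsNamespace -ClassName Win32_TSGeneralSetting `
               -Filter "TerminalName='RDP-Tcp'"
    [pscustomobject]@{
        RegistryUserAuthentication    = $reg.UserAuthentication
        WmiUserAuthenticationRequired = $ts.UserAuthenticationRequired
        SecurityLayer                 = $ts.SecurityLayer   # 0 = RDP, 1 = Negotiate, 2 = TLS
    }
}

function Set-RdpNlaRequired {
    # Equivalent of ticking/unticking the checkbox in Solution 1. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][bool]$Required)
    $ts = Get-CimInstance -Namespace $tsNamespace -ClassName Win32_TSGeneralSetting `
              -Filter "TerminalName='RDP-Tcp'"
    if ($PSCmdlet.ShouldProcess('RDP-Tcp', "Set UserAuthenticationRequired = $([int]$Required)")) {
        Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
            -Arguments @{ UserAuthenticationRequired = [uint32]$Required } | Out-Null
    }
}

function Get-PasswordExpiryWarningDays {
    # Effective value of "Interactive logon: Prompt user to change password
    # before expiration" (Solution 3) on this host; the GPO writes this value.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    (Get-ItemProperty -Path $winlogon -Name PasswordExpiryWarning -ErrorAction SilentlyContinue).PasswordExpiryWarning
}

function Get-UsersFacingNlaLockout {
    # Accounts that will hit the NLA failure: password already expired, or
    # flagged "must change at next logon" (ChangePasswordAtLogon sets pwdLastSet = 0),
    # plus those expiring within -WarningDays so they can be warned in time.
    param([int]$WarningDays = 14, [string]$SearchBase)
    Import-Module ActiveDirectory
    $query = @{
        Filter     = 'Enabled -eq $true -and PasswordNeverExpires -eq $false'
        Properties = 'pwdLastSet', 'msDS-UserPasswordExpiryTimeComputed'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }
    $now      = Get-Date
    $deadline = $now.AddDays($WarningDays)
    Get-ADUser @query | ForEach-Object {
        $mustChange = ($_.pwdLastSet -eq 0)
        $raw    = $_.'msDS-UserPasswordExpiryTimeComputed'   # FILETIME; Int64.MaxValue = never
        $expiry = $null
        if ($raw -and $raw -gt 0 -and $raw -lt [int64]::MaxValue) {
            $expiry = [datetime]::FromFileTime($raw)
        }
        if ($mustChange -or ($expiry -and $expiry -le $deadline)) {
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                MustChangeAtLogon = $mustChange
                PasswordExpires   = $expiry
                AlreadyExpired    = ($mustChange -or ($expiry -and $expiry -le $now))
            }
        }
    }
}

# Usage (constructed): audit first, then decide.
Get-RdpNlaState
Get-PasswordExpiryWarningDays
Get-UsersFacingNlaLockout -WarningDays 14 | Sort-Object AlreadyExpired -Descending | Format-Table -AutoSize
# Only if you accept the trade-off described in Solution 1 (drop -WhatIf to apply):
# Set-RdpNlaRequired -Required $false -WhatIf
```

Run the audit part before touching NLA: if `Get-UsersFacingNlaLockout` shows only a handful of `MustChangeAtLogon` accounts, resetting those through RD Web Access or a help-desk password reset is cheaper than lowering the security of every RDP connection to the host. `Set-RdpNlaRequired` changes the same `UserAuthentication` value the GUI does, so `Get-RdpNlaState` can be used to confirm the change and to re-enable NLA afterwards with `-Required $true`.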