- Change expired password windows
- Change or reset your Windows password
- If you already know your current password and want to change it
- Reset your Windows 10 local account password
- Windows 10 version 1803 and later
- Windows 10 before version 1803
- Reset your Microsoft account password you use to sign in to your computer
- Troubleshoot problems signing in
- Reset your password
- More help with passwords in Windows 8.1
- Reset your password
- My computer is in a workgroup
- Change your password
- Password change for expired password failing for workgroup scenario
- Symptoms
- Cause
- Resolution
- More information
Change expired password windows
I must admit that it was a bit embarrassing to see my Administrator password expired when I tried to log in as Domain Admin to Domain Controller. I got this little message saying
This user account’s password has expired. The password must change in order to logon. Please update the password or contact your system administrator or technical support.
Everything would be relatively OK (and admittedly less embarrassing) if I weren’t the system administrator and if I wouldn’t tell guys working in Service Desk and similar technical positions as myself (you know Domain Admins who remember their passwords) to remember to change their passwords on Client domain before they expire. And now I am supposed to go to them and tell them to change my password because I forgot it myself. Well, that’s not gonna happen!
If you’ve not enabled NLA (Network Level Authentication) on your servers/computers that you’re trying to log in via RDP, there’s one little trick you can do if it doesn’t let you in instantly. Open up Remote Desktop Connection and instead of pressing connect use Save As, and save your connection file to a safe place.
Open up a saved RDP file which should look more or less like this:
Add this line to the end of the file
Now when you try to login with the saved session file, it should let you in. However, in my case that didn’t work. Surely enough I always enable NLA. Bummer.
Fortunately, in my case, PowerShell is my friend. While it does not exactly change your expired password via RDP, which is what you were looking for, it allows you to change the expired password before you have to log in to RDP and in turn saves you from having an embarrassing moment.
This little function does the magic trick of changing the password remotely even if you don’t have a domain-joined computer (like me). Usage is straightforward
You will be asked a series of 3 questions that you need to fill in, and your password will be changed (or not, if any errors occur in the meantime). You can also provide parameters directly to avoid any prompts. If you’re on a domain-joined computer, you can skip the DomainController parameter, and it will be autodetected based on the currently logged-in user. If you’re planning to change passwords for different domains, please make sure to provide the Domain Controller name or IP address. Otherwise, the password change will fail.
The method above is actually based on NetUserChangePassword function. It requires TCP port 445 open (SMB) to Domain Controller. While you may be thinking that there is a simple PowerShell way to do it such as this (as suggested on Reddit)
You should be aware that it will only work on non-expired passwords. LDAP will verify the password prior to the change.
So all you need to do is save this function for later and simply use it. Alternatively, this function is added as part of my PowerShell (I have it all) Module called PSSharedGoods where you can simply do
PSSharedGoods module actually has lots of different, sometimes weird functions that I use over and over in my modules. Feel free to explore on GitHub.
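The post above says the approach rests on the NetUserChangePassword function and needs TCP 445 to the Domain Controller. The following PowerShell is an added example, not the author's function from PSSharedGoods: it declares the documented Win32 API, checks the port first, and maps the common return codes. The function name Invoke-NetUserChangePassword, the Win32Example namespace, the 3-second timeout and the names in the usage comment are assumptions made for illustration.

```powershell
# Added example: hypothetical helper, not the PSSharedGoods function.
# P/Invoke declaration for the documented Win32 API in netapi32.dll.
Add-Type -Namespace Win32Example -Name NetApi32 -MemberDefinition @'
[DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
public static extern uint NetUserChangePassword(
    string domainname, string username, string oldpassword, string newpassword);
'@

function Invoke-NetUserChangePassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string] $DomainController,  # DC name or IP
        [Parameter(Mandatory)][string] $UserName,
        [Parameter(Mandatory)][securestring] $OldPassword,
        [Parameter(Mandatory)][securestring] $NewPassword
    )
    # The call travels over SMB, so fail early if TCP 445 is filtered.
    $tcp = [System.Net.Sockets.TcpClient]::new()
    try     { $open = $tcp.ConnectAsync($DomainController, 445).Wait(3000) }
    catch   { $open = $false }
    finally { $tcp.Dispose() }
    if (-not $open) { throw "TCP 445 on $DomainController is not reachable." }

    # The API takes plain strings; keep them in locals only for the call.
    $old = [System.Net.NetworkCredential]::new('', $OldPassword).Password
    $new = [System.Net.NetworkCredential]::new('', $NewPassword).Password
    $rc  = [Win32Example.NetApi32]::NetUserChangePassword(
        $DomainController, $UserName, $old, $new)

    # Common return codes from the API documentation.
    $meaning = switch ($rc) {
        0       { 'Password changed' }
        5       { 'ERROR_ACCESS_DENIED' }
        86      { 'ERROR_INVALID_PASSWORD (old password is wrong)' }
        2221    { 'NERR_UserNotFound' }
        2245    { 'NERR_PasswordTooShort (policy rejected the new password)' }
        2351    { 'NERR_InvalidComputer' }
        default { "Unmapped NET_API_STATUS $rc" }
    }
    [pscustomobject]@{ Server = $DomainController; User = $UserName
                       Code = $rc; Result = $meaning }
}

# Constructed usage; prompting keeps both passwords out of command history.
# Invoke-NetUserChangePassword -DomainController dc1.example.test -UserName jdoe `
#   -OldPassword (Read-Host Old -AsSecureString) -NewPassword (Read-Host New -AsSecureString)
```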
Change or reset your Windows password
If you forgot or lost your password for Windows 10, Windows 8.1, or Windows 7, you may be able to change or reset it. To get started, choose your version of Windows from the Select Product Version drop-down menu.
If you already know your current password and want to change it
Select Start > Settings > Accounts > Sign-in options. Under Password, select the Change button and follow the steps.
Reset your Windows 10 local account password
If you’ve forgotten or lost your Windows 10 password for a local account and need to sign back in to your device, the below options might help you get up and running. For more info on local standard vs. administrative accounts, see Create a local user or administrator account in Windows 10.
Windows 10 version 1803 and later
If you added security questions when you set up your local account for Windows 10, then you have at least version 1803 and you can answer security questions to sign back in.
After you’ve entered an incorrect password:
Select the Reset password link on the sign-in screen. If you use a PIN instead, see PIN sign-in issues. If you’re using a work device that’s on a network, you may not see an option to reset your password or PIN. In that case, contact your administrator.
Note: If you don’t see security questions after you select the Reset password link, make sure your device name isn’t the same as your local user account name (the name you see when you sign in). To see your device name, right-click Start in the taskbar, select System, and scroll to the Device specifications section. If the device name is the same as your account name, you can create a new administrator account, sign in as an administrator, and then rename your PC (when you view your device name, you can also rename it).
Answer your security questions.
Enter a new password.
Sign in as usual with the new password.
Windows 10 before version 1803
For versions of Windows 10 earlier than 1803, local account passwords can’t be reset because there are no security questions. You can reset your device to choose a new password, however this option will permanently delete your data, programs, and settings. If you’ve backed up your files you’ll be able to restore your deleted files. For more information, see Recovery options in Windows 10.
To reset your device, which will delete data, programs, and settings:
Press the Shift key while you select the Power button > Restart in the lower-right corner of the screen.
On the Choose an option screen, select Troubleshoot > Reset this PC.
Select Remove everything.
Warning: Resetting your device will permanently delete data, programs, and settings.
Reset your Microsoft account password you use to sign in to your computer
On the sign-in screen, type your Microsoft account name if it’s not already displayed. If there are multiple accounts on the computer, choose the one you want to reset. Below the password text box, select I forgot my password. Follow the steps to reset your password.
Troubleshoot problems signing in
If you’re still having trouble signing in to your account, see more solutions in Troubleshoot problems signing in.
Reset your password
Note: If you’ve forgotten your Windows 10 password, see Reset your Windows 10 local account password.
If you’ve forgotten your Windows 8.1 password, there are several ways to retrieve or reset it:
If your PC is on a domain, your system administrator must reset your password.
If you’re using a Microsoft account, you can reset your password online. For more info, see How to reset your Microsoft account password.
If you’re using a local account, use your password hint as a reminder.
If you still can’t sign in, you must reinstall Windows. For Windows RT 8.1, contact your PC manufacturer.
More help with passwords in Windows 8.1
If you forget or lose your password, see Reset your password above to reset or recover it.
If you think your Microsoft account password has been compromised or stolen by someone with malicious intent, we can help. For more info, see When you can’t sign in to your Microsoft account.
If you’re signing in to only your local PC, yes. However, we recommend that you keep your PC more secure by using a strong password. When you use a password, only someone who knows it can sign in. If you want to sign in to Windows with a Microsoft account, a password is required. For more info, see Can I sign in to Windows without a password? To learn more about Microsoft accounts and local accounts, see Create a user account.
Stronger passwords contain a variety of characters, including uppercase and lowercase letters, numbers, and symbols or spaces. A strong password should also be something that is difficult for a stranger to guess or crack. It shouldn’t contain a complete word, or easy-to-find details like your real name, your user name, or your birth date.
If you’re signing in to a Microsoft account, your password is limited to 16 characters. For more info about Microsoft accounts, see Create a user account.
You can update your password regularly to keep it more secure. If your PC isn’t connected to a domain, follow these steps:
Swipe in from the right edge of the screen, tap Settings, and then tap Change PC settings.
(If you’re using a mouse, point to the lower-right corner of the screen, move the mouse pointer up, click Settings, and then click Change PC settings.)
Tap or click Accounts, and then tap or click Sign-in options.
Tap or click Change your password and follow the instructions.
If your PC is connected to a domain, your system administrator might manage how frequently you must change your password. To do so, choose one of the following:
If you’re using a keyboard, press Ctrl+Alt+Delete, tap or click Change a password, and follow the instructions.
If you’re using a tablet, press and hold the Windows button, press the power button, and then tap or click Change a password and follow the instructions.
It depends on whether you’re using a third-party email address. If your email address ends in outlook.com, hotmail.com, live.com, or another Microsoft service, changing the password for your Microsoft account also changes it for that email service.
But you can use any email address for your Microsoft account, even an email address from a third-party web-based mail service like Google Mail or Yahoo! Mail. When you choose a password for your Microsoft account, it doesn’t change the password you might need to use to sign in to web mail on a third-party site.
Create a picture password to sign in with gestures instead of by entering characters.
Swipe in from the right edge of the screen, tap Settings, and then tap Change PC settings.
(If you’re using a mouse, point to the lower-right corner of the screen, move the mouse pointer up, click Settings, and then click Change PC settings.)
Tap or click Accounts, and then tap or click Sign-in options.
Under Picture password, tap or click Add, and then follow the instructions.
When you choose a password for your user account, it’s important to pick something you can remember. You’re going to need it again later!
Of course, you can also write your password down and keep it in a safe place. Taped to the underside of your laptop or the inside of your desk drawer is probably not a good idea, however. If you do write your password down, be sure to keep it separate from your PC.
For added security, use different passwords for different purposes. For example, it’s a good idea to keep distinctly different passwords for a social networking account and your online bank account.
If you do forget or lose your password, there are still several things you can try to reset or recover it. For more info, see Reset your password above to reset or recover it.
Reset your password
My computer is on a domain
Select the Start button, select Control Panel, select User Accounts, select User Accounts, and then select Manage User Accounts.
If you’re prompted for an administrator password or confirmation, type the password or provide confirmation.
On the Users tab, under Users for this computer, select the user account name, and then select Reset Password.
Type the new password, confirm the new password, and then select OK.
My computer is in a workgroup
If you type the wrong password when you attempt to log on, Windows displays a message that the password is incorrect. Select OK to close the message.
Select Reset password, and then insert your password reset disk or USB flash drive.
Follow the steps in the Password Reset wizard to create a new password.
Log on with the new password. If you forget your password again, you can use the same password reset disk. You don’t need to make a new one.
Note: If an administrator resets your password, you might lose access to some of your files.
Change your password
Press Ctrl+Alt+Delete, and then select Change a password.
Type your old password followed by a new password as indicated, and then type the new password again to confirm it.
Note: If you are logged on as an administrator, you can create and change passwords for all user accounts on the computer.
Warning: If you use an administrator account to change a password for another account, any encrypted files or e-mail messages for that other account will no longer be accessible to the person who was using that account.
Password change for expired password failing for workgroup scenario
This article helps fix an error that occurs when processing the password change for a user where the password is expired or set to change at next logon.
Original product version: Windows Server 2012 R2
Original KB number: 2879424
Symptoms
You have a server in a DMZ that’s not a member of a domain. For administration, you have a series of local users that are administrators.
When you add a new user on the server for administration, you set an initial password and set «User must change password at next logon». The user logs on to the server through Remote Desktop Services. The user is prompted to change the password, and after entering it, the user receives an error message «Not enough storage is available to process this command»:
If the RDS server has NLA enabled, the attempt to log on to the server with the expired password fails, showing the error:
[Window Title]
Remote Desktop Connection
[Content]
An authentication error has occured.
The Local Security Authority cannot be contacted
Remote computer: win-go9uqjhk1ic
This could be due to an expired password.
Please update your password if it has expired.
For assistance, contact your administrator or technical support.
The error dialog looks like this:
Cause
When processing the password change for a user where the password is expired or set to change at next logon, Winlogon uses an anonymous token to process the password change request.
The password change dialog allows changing passwords against remote computers as well, so the API calls use remotable interfaces through RPC over Named Pipes over SMB. For this protocol sequence, the RPC runtime reads a policy setting «Server2003NegotiateDisable» from the key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc.
This fails in the context of the anonymous token as the default permissions allow only authenticated users, administrators, and LocalSystem to read the key.
When NLA is enabled, the user session request doesn’t validate and thus fails.
Resolution
The approaches to avoid this problem are:
- Change the password remotely. Note that currently the user in whose context you run the remote password change needs to be able to log on to the target server with the default credentials (or already be connected to the server using SMB at the time of the password change).
- Change the permissions of the key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc to allow anonymous to read the key. If the key doesn’t exist, you may create it and then add the read permissions for the anonymous account.
For approach 2, in an attempt to recover from an error, it might happen that the group policy service deletes the keys and recreates them using default permissions. In this case, you have to reapply the permissions.
You can automate setting the permissions using Registry Security Policy when the machine is a member of the domain. For workgroup machines you can import this text as rpc-pol.inf file:
You can apply it using:
secedit /configure /db C:\Windows\security\database\rpc-pol.sdb /cfg rpc-pol.inf /log rpc-pol.log
Note that the key must exist for this to be successful.
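Because the group policy service can recreate the key with default permissions, approach 2 benefits from a check that can be re-run. The following PowerShell is an added example, not part of the Microsoft article and not the contents of rpc-pol.inf: it tests whether ANONYMOUS LOGON (well-known SID S-1-5-7) has read access on the Rpc policy key and re-applies a read-only entry if it is missing. The function names are assumptions, as is the choice to scope the entry to the key itself without inheritance.

```powershell
# Added example: hypothetical helpers, not from the KB article. Run elevated.
$RpcKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
$AnonSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-7')  # ANONYMOUS LOGON
$ReadKey = [System.Security.AccessControl.RegistryRights]::ReadKey

function Test-RpcKeyAnonymousRead {
    # True only if an Allow ACE for ANONYMOUS LOGON covers the full ReadKey mask.
    if (-not (Test-Path -Path $RpcKey)) { return $false }
    $rules = (Get-Acl -Path $RpcKey).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.IdentityReference.Value -eq $AnonSid.Value -and
            $ace.AccessControlType -eq 'Allow' -and
            ($ace.RegistryRights -band $ReadKey) -eq $ReadKey) { return $true }
    }
    return $false
}

function Grant-RpcKeyAnonymousRead {
    # The key must exist before an ACE can be set; create it if absent.
    if (-not (Test-Path -Path $RpcKey)) { New-Item -Path $RpcKey -Force | Out-Null }
    $acl  = Get-Acl -Path $RpcKey
    # Read-only, on this key only (assumption: no inheritance to subkeys).
    $rule = [System.Security.AccessControl.RegistryAccessRule]::new(
        $AnonSid, $ReadKey, 'None', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $RpcKey -AclObject $acl
}

# Idempotent: can be scheduled so the ACE is restored after a policy refresh.
if (-not (Test-RpcKeyAnonymousRead)) {
    Grant-RpcKeyAnonymousRead
    Write-Output "Re-applied anonymous read on $RpcKey"
} else {
    Write-Output "Anonymous read already present on $RpcKey"
}
```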
More information
The functionality to change workgroup or remote member machine passwords needs to take a number of compatibility requirements into account. The scenario is very much a borderline topic today.
For RDS sessions secured with NLA, starting a remote session with an expired password isn’t allowed to begin with. If you want to use NLA, you have to change the password remotely up-front in a session authenticated with another user.