Windows your password has expired

Password change for expired password failing for workgroup scenario

This article helps fix an error that occurs when processing the password change for a user where the password is expired or set to change at next logon.

Original product version: Windows Server 2012 R2
Original KB number: 2879424

Symptoms

You have a server in a DMZ that’s not a member of a domain. For administration, you have a series of local users that are administrators.

When you add a new user on the server for administration, you set an initial password and set "User must change password at next logon". The user logs on to the server through Remote Desktop Services. The user is prompted to change the password, and after entering it, the user receives the error message "Not enough storage is available to process this command".

If the RDS server has NLA enabled, the attempt to log on to the server with the expired password fails with the error:

[Window Title]
Remote Desktop Connection

[Content]

An authentication error has occured.
The Local Security Authority cannot be contacted

Remote computer: win-go9uqjhk1ic
This could be due to an expired password.
Please update your password if it has expired.
For assistance, contact your administrator or technical support.

The error dialog looks like this:

Cause

When processing the password change for a user where the password is expired or set to change at next logon, Winlogon uses an anonymous token to process the password change request.

The password change dialog allows changing passwords against remote computers as well, so the API calls use remotable interfaces through RPC over Named Pipes over SMB. For this protocol sequence, the RPC runtime reads a policy setting "Server2003NegotiateDisable" from the key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc.

This fails in the context of the anonymous token as the default permissions allow only authenticated users, administrators, and LocalSystem to read the key.

When NLA is enabled, the user session request doesn’t validate and thus fails.

Resolution

The approaches to avoid this problem are:

  1. Change the password remotely. Note that, currently, the user in whose context you run the remote password change needs to be able to log on to the target server with the default credentials (or already be connected to the server using SMB at the time of the password change).
  2. Change the permissions of the key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc to allow anonymous to read the key. If the key doesn’t exist, you may create it and then add the read permissions for the anonymous account.

For approach 2, in an attempt to recover from an error, it might happen that the group policy service deletes the keys and recreates them using default permissions. In this case, you have to reapply the permissions.
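One way to apply approach 2, and to re-apply it after Group Policy has recreated the key, as an added example rather than code from the original article. It assumes an elevated PowerShell session on the affected server, touches only this one key, and identifies the anonymous account by its well-known SID S-1-5-7 (ANONYMOUS LOGON).

```powershell
# Added example: idempotently grant ANONYMOUS LOGON read access to the RPC policy key.
# Safe to re-run, e.g. from a scheduled task, because it changes nothing if the ACE exists.
$keyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'

# S-1-5-7 is the well-known SID for ANONYMOUS LOGON; using the SID avoids
# problems with localized account names.
$anonymous = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-7'

# The key may not exist yet, or may have been deleted and recreated with defaults.
if (-not (Test-Path -LiteralPath $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

$acl = Get-Acl -LiteralPath $keyPath

# Look for an existing Allow ACE for the anonymous SID that already includes ReadKey.
$readKey  = [System.Security.AccessControl.RegistryRights]::ReadKey
$existing = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $_.IdentityReference.Value -eq $anonymous.Value -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.RegistryRights -band $readKey) -eq $readKey
    }

if ($existing) {
    Write-Output 'ANONYMOUS LOGON already has read access; nothing to do.'
} else {
    # Read-only ACE, inherited by subkeys, with no write or delete rights.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $anonymous, $readKey,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $keyPath -AclObject $acl
    Write-Output 'Granted ANONYMOUS LOGON read access to the Rpc policy key.'
}

# Show the resulting ACL so the change can be reviewed.
(Get-Acl -LiteralPath $keyPath).Access |
    Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited -AutoSize
```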

You can automate setting the permissions using Registry Security Policy when the machine is a member of the domain. For workgroup machines, you can import this text as an rpc-pol.inf file:


You can apply it using:

secedit /configure /db C:\Windows\security\database\rpc-pol.sdb /cfg rpc-pol.inf /log rpc-pol.log

Note that the key must exist for this to succeed.

More information

The functionality to change workgroup or remote member machine passwords needs to take a number of compatibility requirements into account. By now, the scenario is very much a borderline case.

For RDS sessions secured with NLA, starting a remote session with an expired password isn’t allowed to begin with. If you want to use NLA, you have to change the password remotely up front, in a session authenticated as another user.

2 Ways to Disable Password Expiration in Windows 10

Password expiration is one of the properties of user accounts on Windows. This property is disabled by default on Windows 10/8/7, but occasionally it might be changed by somebody else without your knowledge. If password expiration is enabled, once the deadline is up, Windows will alert you that your password has expired and must be changed. However, constantly changing your password may be annoying and make it easy to forget your password. In this post, we will show you how to disable password expiration in Windows 10. The two ways are as follows.

Way 1: Disable password expiration by Local Users and Groups

Step 2: Click on the Users folder on the left-side panel to show all user accounts on the right-side pane. Select the user whose password expiration you want to disable, right-click on it, and select Properties.

Step 3: After the user’s Properties dialog opens, select the General tab, check the "Password never expires" checkbox, and click Apply followed by OK.

Way 2: Disable password expiration in Windows 10 with Command Prompt

Step 2: Type wmic UserAccount where Name='username' set PasswordExpires=False, and press the Enter key. Replace username with your user name. When it shows "Property(s) update successful", the user’s password expiration is disabled.

False = Disabled

True = Enabled

If you want to disable password expiration for all user accounts at once, type wmic UserAccount set PasswordExpires=False, and press the Enter key.

Windows 10: Your Password Has Expired and Must Be Changed

Today I opened my computer as usual, but when I typed the password to sign in, my Windows 10 says "Your password has expired and must be changed". Why is that and what should I do?

That is because password expiration has been enabled on your Windows 10. Once your password is expired, it is invalid and Windows 10 gets locked. You have to change your password before you can get back into Windows 10. Here in this post, we will show you two options to change the expired password on Windows 10.

Option 1: Change expired password from Windows 10 sign-in screen

Step 1: When you see the message "Your password has expired and must be changed", click the OK button under the message.

Step 2: Type your old password (leave this field blank if you haven’t set any password), new password, and confirmation password, and then click the right arrow next to the "Confirm password" field.

Step 3: When it says "Your password has been changed", click OK. Then you will be logged onto Windows 10. From now on, you need to use the new password to sign into Windows 10.

If you forgot your old password, or if you receive an error such as "Access is denied" or "You do not have permission to change your password", or some other error on the screen, change your expired password with Option 2.


Option 2: Change expired Windows 10 password with a disk

You will need another working computer and a USB flash drive or CD.

Step 1: Create a bootable disk with another working computer

Use another working computer to download and install the Windows Password Refixer software. Launch the software and follow its on-screen instructions to burn it to a USB flash drive or CD, so that you get a bootable disk.

Step 2: Boot your Windows 10 computer from the disk

Connect the USB flash drive or CD to your locked Windows 10 computer, and access the computer’s boot menu or BIOS/UEFI screen to set the computer to boot from the USB or CD drive.

Step 3: Change expired Windows 10 password

1) After the "Windows Password Refixer" screen appears, select the user whose password has expired, and then click the "Reset Password" button.

2) When asked if you are sure you want to reset the password, click "Yes". The password will then be changed to blank.

3) Click the "Reboot" button.

4) When asked to eject the disk, click "Yes" and quickly remove the USB or CD drive from the computer. Then the computer will restart.

5) You can now sign into Windows 10 without a password.

After your password is changed with either option above, you can disable password expiration in Windows 10 to prevent your password from expiring again. Then your password will never expire.

My windows 10 local account password has expired and I can’t access my PC


Thank you for being part of Microsoft Community.

I would request you to boot to safe mode and then try to enable the built-in admin account and then check if it helps.

You may also try enabling the built in admin account and check if you get an error there.

  1. Right click on the start icon and select Command Prompt (Admin)
  2. Type "net user Administrator /active:yes"
  3. Hit Enter.

Please revert if you face any issues with Windows in future.


Thanks for your quick response. I tried your suggestion, but even in safe mode I don’t get a start icon. It still asks me for my password and the only other option I have is to shut down or restart.


Thank you for posting your response.

We appreciate the time and effort that you have invested in to fix the issue.

I would like to inform that if you have created a Windows Password Recovery Drive, you can use this tool to recover your User Password. If not, then you will have to re-install the OS, this is because any troubleshooting steps advised will lead to a prompt requesting for the Admin Password which you have lost access to.

To learn how to create a Media Creation tool for reinstalling Windows click on the link below

Refer to the section "Installing Windows 10 using the media creation tool" in the above article for creating the tool.


Hope this helps


Password Recovery

Has your password expired, leaving you completely locked out of your computer? When you log into Windows, you might receive a message that says “Your password has expired and must be changed”. What should you do if you forgot your old password or you get an access denied error when you try to change the password? In this tutorial we’ll show you 5 ways to set the password to never expire for a Windows local account.

Method 1: Set Windows Password to Never Expire Using Computer Management

Right-click the My Computer (This PC) icon on your desktop and then select Management from the pop-up menu.

When the Computer Management console launches, go to System Tools -> Local Users and Groups -> Users. Right-click on the user with an expired password in the middle pane and select Properties.

Check the “Password never expires” box and click OK.

When done, close the Computer Management and you can determine when the password of your Windows account will expire. Open a Command Prompt and type:

net user account_name

The output of this command will give you a lot of information about the account. Just look for the line beginning with “Password expires” and you can see the password expiration date. In our example, it showed that the password of my account “pcunlocker” will never expire.

Method 2: Set Windows Password to Never Expire from Command Line

Open the Command Prompt as Administrator. Type the following command and press Enter. Replace “pcunlocker” with the name of your local account:

wmic useraccount where "Name='pcunlocker'" set PasswordExpires=false

Method 3: Set Windows Password to Never Expire Using PowerShell

Open the PowerShell as Administrator. You can use the Set-LocalUser cmdlet to modify a local user account and set its password to never expire:

Set-LocalUser -Name "pcunlocker" -PasswordNeverExpires $true

Method 4: Set Password to Never Expire for All Accounts Using Group Policy

Press the WIN + R keys to open the Run command box. Type secpol.msc and press Enter to open the Local Security Policy Editor. Go to Account Policies -> Password Policy, ensure the Maximum password age is set to 0, meaning that passwords never expire.

You can also apply the password expiration policy using command line. Follow these steps:
Open the Command Prompt as Administrator. Type the following command and hit Enter.

net accounts /maxpwage:unlimited

This will set password to never expire for all your Windows local accounts.

Method 5: Set Windows Password to Never Expire Using a Boot CD

If your Windows password has expired and you are unable to change it on the login screen, you’re completely locked out of your computer and none of the methods above will work in your case. Then you have to use a password utility called PCUnlocker, which can reset your forgotten Windows password, as well as set your password to never expire.

To start, you need to make a PCUnlocker Live CD (or USB drive) from an accessible PC. Next boot your locked computer from the CD. Select the account with an expired password and click on “Reset Password” button. The program will remove your Windows password and disable password expiration for your account.

Reboot and eject the CD. You can then log into your Windows account with no warning that the user password is about to expire. That’s it!
