Environment: Primarily Windows Server 2012 R2 servers and Windows 8.1 clients, with some older versions of Windows Server and Windows client
I understand that if a user's password has expired and they attempt to make a remote desktop connection (RDP) to a computer running Windows Server 2012 R2 or Windows 8.1, and if Network Level Authentication is enabled on the remote computer, then the user is not allowed to change their expired password. Instead, they receive this prompt:
"This user account's password has expired. The password must change in order to logon. Please update the password or contact your system administrator or technical support."
However, even when Network Level Authentication has been disabled on all computers in our domain, users whose passwords have expired still get the above prompt when connecting via RDP to Windows Server 2012 R2 or Windows 8.1. I do not understand why we still receive this prompt even when NLA is disabled. Older versions of Windows still allow users to change their expired passwords in the RDP logon session.
I also understand that RD Web Access can be enabled as a workaround for this issue, but I first want to understand why users cannot change their expired passwords even when Network Level Authentication is disabled. Reference: http://blogs.msdn.com/b/rds/archive/2014/06/04/failed-logons-due-to-expired-passwords-password-change-functionality-in-rd-web-access.aspx
-Taylorbox