我们用作终端服务器并通过 RDP 登录的公司服务器行为怪异 - 当您的密码过期时,它会告诉您密码已过期,需要更改。但是没有窗口对话框来更改密码!最后会显示密码错误。密码过期后用户如何更改密码?
答案1
如果会话中的密码已过期,则需要用户使用新的凭证重新登录才能获得有效的令牌。
如果他们使用 CTRL-ALT-DEL->更改密码选项来更改密码,那么他们也需要重新登录。
我曾经为我的 RDS 场做过的最好的建议是强制更改用户密码登录到 TS。
我如何做到的;
- 我每天午夜运行一项计划任务,当用户接近到期日时强制 Active Directory 中的用户到期。
喜欢;
# This PowerShell Script will query Active Directory and return the user accounts with passwords
# set to expire before the end of the next day, export a list of the affected accounts, and require
# a password change at the next logon. The script is configured to ingore accounts which have been
# configured with passwords that never expire, and to ignore accounts who do not have permission to
# change their own password. Any other account would be affected, so be warned before running this
# script, as you could experience unintended consequences. Either modify the script to reduce the
# scope of user accounts, or ensure that accounts that shouldn't be affected are either flaged with
# a non-expiring password or are flagged with "cannot change password. When ready to run/schedule
# in production, remove the -WhatIf from the last line.
#
# - MWT, 10/11/13
# The 89 is based upon your environment. If passwords expire every X (90) days, and you run the script
# in the early morning, you can set it to -1*(X-1) (-89), if you run the script late at night, set it to
# -1*(X-2) (-88).
Import-Module ActiveDirectory # Required for PowerShell 2.0 only
$a = (Get-Date).Date.AddDays(-88)
# The following line will build the variable based upon the noted criteria
$b = Get-ADUser -SearchBase "OU=Contonso,DC=com" -Property Name,SamAccountName,PasswordLastSet,CannotChangePassword,PasswordNeverExpires -Filter {(PasswordLastSet -lt $a) -and (PasswordNeverExpires -eq $false) -and (Enabled -eq $true)} | Where-Object {$_.CannotChangePassword -eq $false}
# The following line will display/export the data logging the accounts to be changed; please note the
# Out-File path and change to suit your needs.
$b | Format-Table Name,PasswordLastSet,CannotChangePassword,PasswordNeverExpires -AutoSize
# The following line will actually flag the accounts to require a password change (after -WhatIf is removed)
$b | ForEach-Object {Set-ADUser -Identity $_ -ChangePasswordAtLogon $true}
如果您的用户仅登录终端服务器,您可以将密码过期警告从 14 天更改为 1 天。我粘贴的脚本会在 -2 天时(从 90 天过期)使帐户过期,因此用户永远不会看到过期警告,因此永远不会在 TS 会话中收到更改密码的提醒。
注意,如果不确定,您可以在最后一行使用 -WhatIf 测试脚本,它将显示用户帐户,它将重置帐户而不会使其过期。
答案2
临时解决方案是在 Active Directory 域服务中为用户更改密码。
除上述内容外,还请应用以下链接中引用的政策。
www.sevenforums.com/tutorials/74548-password-expiration-warning-change-time.html
答案3
据我所知,您不能。如果密码已过期,他们就无法通过 RDS 服务器更改密码。
其他一些选项包括:
- 通过 OWA 更改
- 让服务台进行更改
- 配置自助密码系统
自从终端服务以来,这一直是一个基于会话的 RDS 问题。
当我们运行 RDS 时,我实施了一个密码通知应用程序,该应用程序在密码到期前 7 天每天发送电子邮件两次,在密码到期前 2 天每天发送电子邮件 4 次。如果用户到那时还没有更改密码并记录帮助台工单,则会在会议中提及此事(点名批评哈哈)。