How to change the password of an RDP session

Password expiration policies are key to maintaining data security, so users need easy access to a password change utility whether they are on a local PC or a remote desktop.

Regardless of what authentication method an organization uses, users' login credentials are a critical part of a Remote Desktop Protocol session.

If remote desktop users can't change their password, an account lockout is harder to recover from because there is no physical device to interact with directly. The process of resetting or changing a password remotely is therefore critical to ensuring users keep access to their workstations.

Why would you need to change a password in an RDP session?

The first reason is that the Remote Desktop Protocol (RDP) session itself prompts the end user to change the password. Windows checks the domain credentials during sign-in and determines how long they remain valid. Domain credentials usually fall under a password expiration policy, and Windows notifies the user when the password is about to expire. In practice, this means the end user must change their password every set number of days.
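To see the expiration window the sign-in check is working from, an administrator or user can read the password age and expiry for the current account. The script below is an added example, not code from the article; it assumes the RSAT ActiveDirectory module is installed for domain accounts and uses the built-in LocalAccounts module for local accounts. It reports days remaining and warns when a forced change at the next RDP sign-in is close.

```powershell
# Added example (not from the original article): report when the current
# user's password expires, so expiration-driven change prompts are not a surprise.
# Assumes: RSAT ActiveDirectory module for domain accounts (Get-ADUser);
# the built-in Microsoft.PowerShell.LocalAccounts module for local accounts.

function Get-PasswordExpiryInfo {
    param(
        [string]$UserName = $env:USERNAME
    )

    # A local account reports the computer name as its USERDOMAIN
    $isDomainUser = $env:USERDOMAIN -and ($env:USERDOMAIN -ne $env:COMPUTERNAME)

    if ($isDomainUser) {
        Import-Module ActiveDirectory -ErrorAction Stop
        $user = Get-ADUser -Identity $UserName -Properties PasswordNeverExpires, PasswordLastSet, 'msDS-UserPasswordExpiryTimeComputed'
        if ($user.PasswordNeverExpires) {
            $expires = $null
        } else {
            # Constructed attribute holding the effective expiry as a FILETIME value
            $expires = [datetime]::FromFileTime($user.'msDS-UserPasswordExpiryTimeComputed')
        }
        $lastSet = $user.PasswordLastSet
        $scope = 'Domain'
    } else {
        $user = Get-LocalUser -Name $UserName -ErrorAction Stop
        $expires = $user.PasswordExpires   # $null when the password never expires
        $lastSet = $user.PasswordLastSet
        $scope = 'Local'
    }

    [pscustomobject]@{
        User            = $UserName
        Scope           = $scope
        PasswordLastSet = $lastSet
        PasswordExpires = $expires
        DaysRemaining   = if ($expires) { [math]::Floor(($expires - (Get-Date)).TotalDays) } else { $null }
    }
}

$info = Get-PasswordExpiryInfo
$info | Format-List

# Threshold of 7 days is an assumption; align it with the domain's expiry notification setting
if ($info.PasswordExpires -and $info.DaysRemaining -le 7) {
    Write-Warning "Password for $($info.User) expires in $($info.DaysRemaining) day(s); change it before the RDP sign-in forces it."
}
```

Run it inside the RDP session as the user in question; a value of 1601 for PasswordExpires on a domain account means the account is flagged to change the password at next logon, which is the onboarding case described below.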

Other reasons for changing a password are, of course, that an end user wants to change their password or is forced to change it. Domain credentials can be configured so that the first time the user signs into the RDP session, they immediately need to change their password. This is often done during the onboarding of new employees.

When the end user only accesses company resources with domain credentials, the only way to change those credentials might be in an RDP session. This also means it's vital for the business to have an easy way for end users to change their passwords in RDP sessions. An end user must first sign in to the RDP session with the correct current credentials; only from within an established session on the machine can they change the password.

Local user credentials are another reason to change a password in an RDP session. RDP sessions do not always connect to a Remote Desktop Session Host with domain credentials. In some situations, an end user connects to a desktop computer with local credentials, for example a computer on a factory floor that controls a production machine. In these cases, changing the password of a local user on that computer will also be done within the RDP session.

How to make it easy for users to change their password

Normally, when end users want to change their password, they press CTRL+ALT+DELETE on their keyboard and choose Change a password. In most cases, this will not work within an RDP session because the CTRL+ALT+DELETE shortcut is not sent to the remote desktop session but is most likely handled by the local computer. If the local computer is domain joined and the end user is trying to reset their domain credentials, this still works, because the same domain password is changed. However, with thin clients, Macs or non-domain joined clients, it will not work, and only the local user password will be reset.

So, what will work? The end user can use the shortcut CTRL+ALT+END. This has the same effect as CTRL+ALT+DELETE inside an RDP session and presents a screen that lets them lock the computer, change the password or sign out. Here, they can choose to change their password. This is a good fix, but it only works in some situations. For example, it will not work when the RDP session is started from a Mac, and there are cases where it doesn't work with Linux thin clients.

A better method is to create a shortcut for all users to the following path:

C:\Windows\explorer.exe shell:::{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}

By clicking on the shortcut, the user is presented with the same screen as if they had pressed CTRL+ALT+DELETE, and here they can click Change a password. This works for domain credentials and, on a non-domain joined RDP session host, for local credentials. You can create this shortcut for all users with PowerShell. The script must be run with administrator credentials.

#Requires -RunAsAdministrator
# Define the path for the shortcut on the desktop for all users
$AllUsersDesktop = [System.Environment]::GetFolderPath("CommonDesktopDirectory")
$ShortcutPath = Join-Path -Path $AllUsersDesktop -ChildPath "Change Password.lnk"

# Define the target and arguments for the shortcut
# (PowerShell does not escape backslashes, so the path uses single backslashes)
$TargetPath = "C:\Windows\explorer.exe"
$Arguments = "shell:::{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"

# Define the icon location for the shortcut
$IconPath = "C:\Windows\System32\shell32.dll"
$IconIndex = 47  # The key icon in the default Windows icon set

# Create the COM object for creating the shortcut
$WScriptShell = New-Object -ComObject WScript.Shell
$Shortcut = $WScriptShell.CreateShortcut($ShortcutPath)

# Set the properties of the shortcut and write the .lnk file
$Shortcut.TargetPath = $TargetPath
$Shortcut.Arguments = $Arguments
$Shortcut.IconLocation = "$IconPath,$IconIndex"
$Shortcut.Save()

Write-Output "Shortcut 'Change Password' created on the desktop for all users."

After running the script, all users on the RDP server or computer will see a Change Password shortcut with a lock icon on their desktops.
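Because this shortcut is where users will type a current and new password, it is worth confirming from time to time that it still launches explorer.exe with the shell namespace CLSID above and has not drifted through a later deployment. The check below is an added example, not part of the article; it assumes the shortcut sits at the All Users desktop path used by the creation script and reads the .lnk without modifying it.

```powershell
# Added example (not from the original article): read the 'Change Password'
# shortcut back and confirm it still launches explorer.exe with the
# "change password" shell namespace CLSID used in the article.
# Assumes the shortcut was created at the All Users desktop path.

function Test-ChangePasswordShortcut {
    param(
        [string]$ShortcutPath = (Join-Path ([System.Environment]::GetFolderPath("CommonDesktopDirectory")) "Change Password.lnk"),
        [string]$ExpectedTarget = (Join-Path $env:SystemRoot "explorer.exe"),
        [string]$ExpectedArguments = "shell:::{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"
    )

    if (-not (Test-Path -LiteralPath $ShortcutPath)) {
        return [pscustomobject]@{ Path = $ShortcutPath; Present = $false; Valid = $false; Reason = 'Shortcut not found' }
    }

    $shell = New-Object -ComObject WScript.Shell
    try {
        # CreateShortcut on an existing .lnk loads its current properties; nothing is saved here
        $lnk = $shell.CreateShortcut($ShortcutPath)
        $targetOk = ($lnk.TargetPath -ieq $ExpectedTarget)
        $argsOk   = ($lnk.Arguments.Trim() -ieq $ExpectedArguments)

        $reason = @()
        if (-not $targetOk) { $reason += "Target is '$($lnk.TargetPath)', expected '$ExpectedTarget'" }
        if (-not $argsOk)   { $reason += "Arguments are '$($lnk.Arguments)', expected '$ExpectedArguments'" }

        [pscustomobject]@{
            Path    = $ShortcutPath
            Present = $true
            Valid   = ($targetOk -and $argsOk)
            Reason  = if ($reason) { $reason -join '; ' } else { 'OK' }
        }
    } finally {
        [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($shell)
    }
}

$result = Test-ChangePasswordShortcut
$result | Format-List
if (-not $result.Valid) { Write-Warning "Change Password shortcut needs attention: $($result.Reason)" }
```

The function returns an object rather than only printing, so it can be scheduled on session hosts and the Valid flag collected centrally; the expected target uses $env:SystemRoot so the check also holds on hosts where Windows is not installed under C:\Windows.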

Another way users can change their passwords in the RDP session is to search for "change password" in the start menu search bar. This works best in modern Windows versions.

This opens the Accounts settings page. Clicking Change under the Password option starts an interface that allows the end user to change their password (Figure 1).

A screenshot of the Windows settings with the option to change a user's password.
Figure 1. The native option to change a password of a Windows RDP session.

If the end users sign into the RDP session with Azure credentials -- Entra ID -- it is better to change their password online. End users can go to Microsoft's dedicated website, sign in with their Office 365 or Entra ID credentials, and change their password. It's also possible to change application passwords, multifactor authentication settings and private information from this webpage. If your organization uses vendors to manage credentials such as Okta, OneLogin or Ping, the end user may need to change their password on an internal website or system.

Chris Twiest works as a technology officer at RawWorks in the Netherlands, focusing on the future Workspace and Cloud technologies for the end user.
