Windows Server

RDP users are unable to change passwords on first logon or after expiration: You must change your password before logging on the first time, please update your password


A password is a string of characters used to verify the identity of a user during the authentication process. A password is sometimes called a passphrase when it uses more than one word, or a passcode or passkey when it uses only numbers, such as a personal identification number (PIN). Kindly refer to the following guides on how to perform these related tasks: How to create a desktop shortcut in Windows 10 to switch User Accounts: Fast user switching (Session Disconnection Utility); How to enable or disable Fast User Switching in Windows 10; how to disable or enable automatic login from the sign-in screen in Windows; how to determine your AD user account or service account password; and How to run an App as a different User and switch Users in Windows.

Your password has expired and you have to log on to change your password, but you cannot log on until you’ve changed your password.

Note: If you have access to a “normal” network-connected Windows PC, you can change your password easily this way, but what if you only have RDP access? If you have the right settings in place, you may want to see how to change an expired password via RDP: How to change a password on a Remote Desktop session.

Issue 1: Remote Desktop Users (RDS users) are unable to change their passwords upon first log in or after password expiration if their AD accounts have the “User must change password at next logon” option enabled as shown below.
– You may want to uncheck this for remote users. To do this, see issue 2 below.


Issue 2: Users also cannot change the password on the Account tab, as shown below. This is because “User must change password at next logon” was selected in their AD account.
– Please uncheck this for the RDS user.


Solution: We will need to launch Active Directory Users and Computers, as shown below, via the Server Manager, or
– Alternatively, open “Windows Search” or the “Run” command and type dsa.msc, or
– Go to Control Panel\System and Security\Administrative Tools and click on Active Directory Users and Computers.


Locate the OU that has the user and right-click on the User Account.
– In order to resolve this issue for this specific RDP user, we will need to uncheck “User must change password at next logon”. In this way, the user will be able to connect to the remote device.
– This will ensure that the account can be reset and not grayed out.


Note: I do not recommend checking the option "User cannot change password" or "Password never expires", as a security best practice! These settings are there for a different purpose.

Note: You cannot select "User must change password at next logon" + "User cannot change password" at the same time.
- If you select "User must change password at next logon", you must uncheck "Password never expires". Otherwise, a warning will be displayed!

Note: If you select "User cannot change password", the option will be grayed out when resetting the password, and this will mitigate the issue.


But I do not recommend selecting the option “Users cannot change password”. Your organization will have to define a policy for this.
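The same check and change can be scripted with the ActiveDirectory PowerShell module. This is an added example, not part of the original post: it lists the accounts in one OU that have “User must change password at next logon” set, shows the two related Account tab options for each, and clears the flag for one named user. The OU path and the user name are assumed placeholders.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and rights to modify the users.
Import-Module ActiveDirectory

# Assumed placeholder values: replace with your own OU and account name.
$SearchBase = 'OU=RDS Users,DC=example,DC=com'
$TargetUser = 'rdpuser1'

# "User must change password at next logon" is stored in AD as pwdLastSet = 0.
$flagged = Get-ADUser -SearchBase $SearchBase -Filter 'pwdLastSet -eq 0' `
    -Properties pwdLastSet, PasswordNeverExpires, CannotChangePassword

# Report every flagged account together with the two related options,
# so accounts with "Password never expires" or "User cannot change password"
# set can be reviewed against your organization's policy.
$flagged |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, CannotChangePassword |
    Format-Table -AutoSize

# Clear the flag for the one named user only, and only if it is actually set.
$user = $flagged | Where-Object { $_.SamAccountName -eq $TargetUser }

if ($null -eq $user) {
    Write-Warning "$TargetUser is not flagged for a password change under $SearchBase."
}
else {
    # Equivalent to unchecking the box on the Account tab in dsa.msc.
    # Append -WhatIf to preview the change without applying it.
    Set-ADUser -Identity $user -ChangePasswordAtLogon $false

    # Read the account back to confirm that pwdLastSet is no longer 0.
    Get-ADUser -Identity $user -Properties pwdLastSet, PasswordLastSet |
        Select-Object SamAccountName, pwdLastSet, PasswordLastSet
}
```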

Now, Remote Desktop Users should be able to log on to their devices without having to change their password. Here are some related guides that might be interesting to you. How to reset your lost or forgotten Windows 10 Password, and how to reset your built-in (Local) Administrator’s password in Windows 10.

I hope you found this blog post helpful. If you have any questions, please let me know in the comment section.
