[cifs-protocol] Remote pwd change when "must change at next logon" is set? - TrackingID#2104090040000113

Volker Lendecke Volker.Lendecke at SerNet.DE
Fri Apr 9 05:45:06 UTC 2021

Hi Obaid,

a colleague of mine has a Windows 2019 terminal server. For licensing
reasons, this Windows 2019 machine is not a domain member, and that is
fine for us. The fact that this is a terminal server from my point of
view should be irrelevant, it could be just a standalone non-domain
file server.

He created local accounts for all team members that need it with
initial passwords that the team members must change at their first

The question is -- how can we remotely change the initial password? We
(Samba) modeled our remote password change on the network after what
he Windows password change dialogue does, which does not work in
this case.

The Windows password change dialogue can be reached by pressing
ctrl-alt-del on a Windows machine (not the server in question). There
you get an option to change a password. If you then enter
'server-ip-address\username' into the username field of the password
change dialogue, enter old and new passwords, a Windows client
normally changes a remote samr password. The trace I sent is a sniff
of this dialogue coming from a Windows 2012 client machine, but
Windows 2019 as a client behaves exactly the same. The smbpasswd
utility we ship with Samba also does the same, and it fails exactly
the same way.

I've contacted dochelp because I think it's a protocol question:
Changing a remote sam password for a user with MUST_CHANGE on a
Windows 2019 machine should be a scenario covered by the Microsoft
Protocol suite I guess, but I could not find hints how to do this in
the docs.



On Fri, Apr 09, 2021 at 12:49:10AM +0000, Obaid Farooqi wrote:
> Hi Volker:
> It is not clear from your description as to what exactly is happening.
> Can you please provide detailed steps so that I can understand this issue?
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
> -----Original Message-----
> From: Volker Lendecke <Volker.Lendecke at SerNet.DE> 
> Sent: Thursday, April 8, 2021 4:13 AM
> To: Interoperability Documentation Help <dochelp at microsoft.com>
> Cc: cifs-protocol at lists.samba.org
> Subject: [EXTERNAL] Remote pwd change when "must change at next logon" is set?
> Hi, dochelp!
> I've got a Windows 2019 Terminal Server with local users. There's a newly created user that has "must change password at next logon" (see frame 53 in the attached pcap). How can I change the password initially? The attached pcap is a listing of a Windows 2012 DC where I pressed ctrl-alt-del, "change pwd" and then I typed
> into the user field. The Windows 2012 machine I'm coming from now tries to connect anonymously to SAMR, which fails with NT_STATUS_ACCESS_DENIED. Just checked with a Windows 2019 client: Same thing.
> Question -- how can I remotely change a password for a local Windows
> 2019 user that has "must change at next logon"?
> Thanks,
> Volker

More information about the cifs-protocol mailing list