[cifs-protocol] Remote pwd change when "must change at next logon" is set? - TrackingID#2104090040000113

Volker Lendecke Volker.Lendecke at SerNet.DE
Wed Apr 14 12:12:21 UTC 2021

Hi Obaid,

is there anything still missing? Or is this just not a dochelp case
from your point of view?

With best regards,

Volker Lendecke

SerNet GmbH - Bahnhofsallee 1b - 37081 Goettingen
phone: +49.551.3700000, mailto:contact at sernet.com
AG Goettingen: HR-B 2816 - https://www.sernet.com
Manag. Directors Johannes Loxen and Reinhild Jung
data privacy policy https://www.sernet.de/privacy

On Fri, Apr 09, 2021 at 07:45:06AM +0200, Volker Lendecke via cifs-protocol wrote:
> Hi Obaid,
> a colleague of mine has a Windows 2019 terminal server. For licensing
> reasons, this Windows 2019 machine is not a domain member, and that is
> fine for us. The fact that this is a terminal server from my point of
> view should be irrelevant, it could be just a standalone non-domain
> file server.
> He created local accounts for all team members that need it with
> initial passwords that the team members must change at their first
> logon.
> The question is -- how can we remotely change the initial password? We
> (Samba) modeled our remote password change on the network after what
> he Windows password change dialogue does, which does not work in
> this case.
> The Windows password change dialogue can be reached by pressing
> ctrl-alt-del on a Windows machine (not the server in question). There
> you get an option to change a password. If you then enter
> 'server-ip-address\username' into the username field of the password
> change dialogue, enter old and new passwords, a Windows client
> normally changes a remote samr password. The trace I sent is a sniff
> of this dialogue coming from a Windows 2012 client machine, but
> Windows 2019 as a client behaves exactly the same. The smbpasswd
> utility we ship with Samba also does the same, and it fails exactly
> the same way.
> I've contacted dochelp because I think it's a protocol question:
> Changing a remote sam password for a user with MUST_CHANGE on a
> Windows 2019 machine should be a scenario covered by the Microsoft
> Protocol suite I guess, but I could not find hints how to do this in
> the docs.
> Thanks,
> Volker
> On Fri, Apr 09, 2021 at 12:49:10AM +0000, Obaid Farooqi wrote:
> > Hi Volker:
> > It is not clear from your description as to what exactly is happening.
> > Can you please provide detailed steps so that I can understand this issue?
> > 
> > Regards,
> > Obaid Farooqi
> > Escalation Engineer | Microsoft
> > 
> > -----Original Message-----
> > From: Volker Lendecke <Volker.Lendecke at SerNet.DE> 
> > Sent: Thursday, April 8, 2021 4:13 AM
> > To: Interoperability Documentation Help <dochelp at microsoft.com>
> > Cc: cifs-protocol at lists.samba.org
> > Subject: [EXTERNAL] Remote pwd change when "must change at next logon" is set?
> > 
> > Hi, dochelp!
> > 
> > I've got a Windows 2019 Terminal Server with local users. There's a newly created user that has "must change password at next logon" (see frame 53 in the attached pcap). How can I change the password initially? The attached pcap is a listing of a Windows 2012 DC where I pressed ctrl-alt-del, "change pwd" and then I typed
> > 
> >\vlendec
> > 
> > into the user field. The Windows 2012 machine I'm coming from now tries to connect anonymously to SAMR, which fails with NT_STATUS_ACCESS_DENIED. Just checked with a Windows 2019 client: Same thing.
> > 
> > Question -- how can I remotely change a password for a local Windows
> > 2019 user that has "must change at next logon"?
> > 
> > Thanks,
> > 
> > Volker
> _______________________________________________
> cifs-protocol mailing list
> cifs-protocol at lists.samba.org
> https://lists.samba.org/mailman/listinfo/cifs-protocol

More information about the cifs-protocol mailing list